Crash in SetCurrentProcessSandbox → BroadcastSetThreadSandbox while stability testing

RESOLVED FIXED in Firefox OS v2.0

Status

()

Core
Security
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: Greg Grisco, Assigned: jld)

Tracking

({crash})

unspecified
2.1 S1 (1aug)
ARM
Gonk (Firefox OS)
crash
Points:
---
Bug Flags:
in-moztrap -

Firefox Tracking Flags

(blocking-b2g:2.0+, firefox32 wontfix, firefox33 unaffected, firefox34 unaffected, b2g-v1.4 wontfix, b2g-v2.0 fixed, b2g-v2.1 unaffected)

Details

(Whiteboard: [b2g-crash][caf-crash 272][caf priority: p1][CR 693894], crash signature)

Attachments

(3 attachments)

(Reporter)

Description

3 years ago
[Blocking Requested - why for this release]:

Same as bug 1038900 which was marked fixed, but crash is still happening.
Created attachment 8464765 [details]
EXTRA file attachment
Created attachment 8464766 [details]
decoded minidump
(Reporter)

Comment 3

3 years ago
Hi Jed, can you take a look at this one?
(Reporter)

Updated

3 years ago
Flags: needinfo?(jld)

Updated

3 years ago
Keywords: crash

Updated

3 years ago
blocking-b2g: 2.0? → 2.0+
(Assignee)

Comment 4

3 years ago
This is an entirely different crash from bug 1038900, and I think I know what's going on.  These messages:

07-30 08:12:49.546  3510  3515 E Sandbox : SANDBOX DISABLED FOR DMD!  See bug 956961.
[...]
07-30 08:12:49.566  3416  3416 E Sandbox : SANDBOX DISABLED FOR DMD!  See bug 956961.

are being logged from an asynchronous signal handler, with logging code that isn't async signal safe.  This wasn't as much of an issue for the SIGSYS handler, because at that point we're already about to crash and things can't get much worse — but this is not that.  I conjecture that this caused a deadlock due to reentrant use of malloc, and that this is why these two messages occur back-to-back (note the thread ids):

07-30 08:13:00.646  3432  3432 E Sandbox : Thread 3495 unresponsive for 10 seconds.  Killing process.
07-30 08:13:00.646  3432  3495 E Sandbox : SANDBOX DISABLED FOR DMD!  See bug 956961.

This should affect DMD builds only.  Also, bug 956961 removed that code so 2.1 is unaffected (and any fix for this will need to be landed directly on 2.0).

The fix is simple: do the DMD check once ahead of time instead of in the routine that runs once for each thread.
Assignee: nobody → jld
status-b2g-v2.1: --- → unaffected
status-firefox33: --- → unaffected
status-firefox34: --- → unaffected
Flags: needinfo?(jld)
Summary: Crash in SetCurrentProcessSandbox while stability testing → Crash in SetCurrentProcessSandbox → BroadcastSetThreadSandbox while stability testing
Observed on: 

Device: msm8610
Gonk Version: AU_LINUX_GECKO_B2G_KK_3.6.01.04.00.000.043
Moz BuildID: 20140721000201
B2G Version: 2.0
Gecko Version: 32.0a2
Gaia:  http://git.mozilla.org/?p=releases/gaia.git;a=commit;h=8cb1a949f2e9650bb2c5598e78a6f24a58bbaf97
Gecko: http://git.mozilla.org/?p=releases/gecko.git;a=commit;h=5f27d3ee3ccf01ac91a3efacb5e3e22ea62fd73c
(Assignee)

Comment 6

3 years ago
Created attachment 8465118 [details] [diff] [review]
Lift sandbox disablement checks out of async signal context.

I moved the other getenv call as well — it might not be part of the problem, but it also doesn't belong there.
Attachment #8465118 - Flags: review?(gdestuynder)
Comment on attachment 8465118 [details] [diff] [review]
Lift sandbox disablement checks out of async signal context.

Review of attachment 8465118 [details] [diff] [review]:
-----------------------------------------------------------------

That reasoning sounds right to me, too. Code looks good.
Attachment #8465118 - Flags: review?(gdestuynder) → review+
(Assignee)

Comment 8

3 years ago
https://hg.mozilla.org/releases/mozilla-b2g32_v2_0/rev/85ec57090a25
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Assignee)

Updated

3 years ago
status-b2g-v1.4: --- → wontfix
status-b2g-v2.0: --- → fixed
status-firefox32: --- → wontfix
Target Milestone: --- → 2.1 S1 (1aug)
Flags: in-moztrap?(ychung)
No STR is present to create test case to address bug.
QA Whiteboard: [QAnalyst-Triage?]
Flags: needinfo?(ktucker)
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(ktucker)
Flags: in-moztrap?(ychung)
Flags: in-moztrap-
You need to log in before you can comment on or make changes to this bug.