Attempting to use WebGL with Intel graphics under Linux results in crash

RESOLVED FIXED in Firefox 50

Status: RESOLVED FIXED (defect, critical)
Reporter: wgianopoulos; Assignee: Unassigned
Tracking: Blocks 1 bug; keyword: regression
Version: Trunk; Target Milestone: mozilla50; Platform: x86_64, Linux
Firefox Tracking Flags: firefox50 fixed
Attachments: 2

(Reporter)

Description

3 years ago
Visiting either http://html5test.com or https://www.khronos.org/registry/webgl/sdk/tests/webgl-conformance-tests.html results in a sandbox violation and browser crash during the test for WebGL capability.

I verified bug 742434 as the culprit via backout.
(Reporter)

Updated

3 years ago
Blocks: 1280415
(Reporter)

Comment 2

3 years ago
This only seems to happen on my laptop with Intel graphics; those with AMD graphics do NOT crash.
Summary: Attempting to use WebGL under Linux results in crash → Attempting to use WebGL with Intel graphics under Linux results in crash
(Reporter)

Comment 3

3 years ago
Here is the output showing the sandbox errors:

libGL error: MESA-LOADER: could not create udev device for fd 38
libGL error: MESA-LOADER: could not create udev device for fd 38
ATTENTION: default value of option force_s3tc_enable overridden by environment.
Sandbox: seccomp sandbox violation: pid 18323, syscall 319, args 139999292218373 3 0 0 139998546444288 7883677795399066671.  Killing process.
Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: syscall[/lib64/libc.so.6 +0xfcff9]
Sandbox: frame #02: xshmfence_alloc_shm[/lib64/libxshmfence.so.1 +0xa6d]
Sandbox: frame #03: ???[/lib64/libGL.so.1 +0x4e214]
Sandbox: frame #04: ???[/usr/lib64/dri/i965_dri.so +0x378498]
Sandbox: frame #05: ???[/usr/lib64/dri/i965_dri.so +0x378811]
Sandbox: frame #06: ???[/usr/lib64/dri/i965_dri.so +0x378900]
Sandbox: frame #07: ???[/usr/lib64/dri/i965_dri.so +0x327a56]
Sandbox: frame #08: ???[/lib64/libGL.so.1 +0x4886a]
Sandbox: frame #09: glXMakeCurrentReadSGI[/lib64/libGL.so.1 +0x1be95]
Sandbox: frame #10: ???[/home/wag/wg9s_64/libxul.so +0x129afe9]
Sandbox: frame #11: ???[/home/wag/wg9s_64/libxul.so +0x12b9caf]
Sandbox: frame #12: ???[/home/wag/wg9s_64/libxul.so +0x12bb002]
Sandbox: frame #13: ???[/home/wag/wg9s_64/libxul.so +0x129a4ae]
Sandbox: frame #14: ???[/home/wag/wg9s_64/libxul.so +0x129ba70]
Sandbox: frame #15: ???[/home/wag/wg9s_64/libxul.so +0x129c057]
Sandbox: frame #16: ???[/home/wag/wg9s_64/libxul.so +0x129c0cc]
Sandbox: frame #17: ???[/home/wag/wg9s_64/libxul.so +0x129bd14]
Sandbox: frame #18: ???[/home/wag/wg9s_64/libxul.so +0x129c028]
Sandbox: frame #19: ???[/home/wag/wg9s_64/libxul.so +0x129c257]
Sandbox: frame #20: ???[/home/wag/wg9s_64/libxul.so +0x1a9b8b9]
Sandbox: frame #21: ???[/home/wag/wg9s_64/libxul.so +0x1a9cff2]
Sandbox: frame #22: ???[/home/wag/wg9s_64/libxul.so +0x1a9d334]
Sandbox: frame #23: ???[/home/wag/wg9s_64/libxul.so +0x1a9d748]
Sandbox: frame #24: ???[/home/wag/wg9s_64/libxul.so +0x1a67065]
Sandbox: frame #25: ???[/home/wag/wg9s_64/libxul.so +0x1a7668e]
Sandbox: frame #26: ???[/home/wag/wg9s_64/libxul.so +0x1b4c5d0]
Sandbox: frame #27: ???[/home/wag/wg9s_64/libxul.so +0x19e525a]
Sandbox: frame #28: ???[/home/wag/wg9s_64/libxul.so +0x1a3fb45]
Sandbox: frame #29: ???[/home/wag/wg9s_64/libxul.so +0x2e30fa2]
Sandbox: frame #30: ???[/home/wag/wg9s_64/libxul.so +0x2e2b896]
Sandbox: frame #31: ???[/home/wag/wg9s_64/libxul.so +0x2e30bd8]
Sandbox: frame #32: ???[/home/wag/wg9s_64/libxul.so +0x2e30df3]
Sandbox: frame #33: ???[/home/wag/wg9s_64/libxul.so +0x2e31740]
Sandbox: frame #34: ???[/home/wag/wg9s_64/libxul.so +0x2ae12d4]
Sandbox: frame #35: ??? (???:???)
Sandbox: end of stack.
Sandbox: JS frame 0: testWebGL.prototype.initialize http://html5test.com/scripts/6/engine.js line 2962
Sandbox: JS frame 1: testWebGL http://html5test.com/scripts/6/engine.js line 2948
Sandbox: JS frame 2: test.prototype.initialize http://html5test.com/scripts/6/engine.js line 3831
Sandbox: JS frame 3: test http://html5test.com/scripts/6/engine.js line 3747
Sandbox: JS frame 4: start http://html5test.com/ line 257
Sandbox: JS frame 5: (anonymous) http://html5test.com/ line 252
Sandbox: JS frame 6: wait http://html5test.com/ line 211
[Parent 18273] WARNING: pipe error (68): Connection reset by peer: file /home/wag/mozilla/mozilla2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 320
[Parent 18273] WARNING: pipe error (60): Connection reset by peer: file /home/wag/mozilla/mozilla2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 320
[Parent 18273] WARNING: pipe error (57): Connection reset by peer: file /home/wag/mozilla/mozilla2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 320

###!!! [Parent][MessageChannel] Error: (msgtype=0x2C007D,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
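A triage of the violation output above, as an added example that is not part of the original bug report or of Firefox's code: it resolves the syscall number, decodes the flag argument, and picks out the first symbolised caller. The syscall numbers are from the Linux x86_64 table; the function and variable names are hypothetical.

```python
import re

# x86_64 syscall numbers around the one reported (Linux syscall_64.tbl).
X86_64_SYSCALLS = {317: "seccomp", 318: "getrandom", 319: "memfd_create",
                   320: "kexec_file_load", 321: "bpf", 322: "execveat"}
# Flag bits of memfd_create(name, flags) from <linux/memfd.h>.
MFD_FLAGS = {0x1: "MFD_CLOEXEC", 0x2: "MFD_ALLOW_SEALING"}

VIOLATION = re.compile(
    r"seccomp sandbox violation: pid (\d+), syscall (\d+), args ([\d ]+)\.")
FRAME = re.compile(r"Sandbox: frame #\d+: (\S+?)\[(\S+) \+0x[0-9a-f]+\]")

# Lines copied from comment 3 of this bug, trimmed to the relevant frames.
SAMPLE = """\
Sandbox: seccomp sandbox violation: pid 18323, syscall 319, args 139999292218373 3 0 0 139998546444288 7883677795399066671.  Killing process.
Sandbox: frame #01: syscall[/lib64/libc.so.6 +0xfcff9]
Sandbox: frame #02: xshmfence_alloc_shm[/lib64/libxshmfence.so.1 +0xa6d]
Sandbox: frame #03: ???[/lib64/libGL.so.1 +0x4e214]
Sandbox: frame #04: ???[/usr/lib64/dri/i965_dri.so +0x378498]
Sandbox: frame #09: glXMakeCurrentReadSGI[/lib64/libGL.so.1 +0x1be95]
Sandbox: frame #10: ???[/home/wag/wg9s_64/libxul.so +0x129afe9]
"""

def triage(log):
    """Summarise a seccomp violation: syscall name, flags, calling code."""
    m = VIOLATION.search(log)
    if m is None:
        return None  # no violation line in this log
    nr = int(m.group(2))
    args = [int(a) for a in m.group(3).split()]
    frames = [(f.group(1), f.group(2)) for f in FRAME.finditer(log)]
    # First symbolised frame that is not the libc syscall() wrapper itself.
    caller = next(((sym, lib) for sym, lib in frames
                   if sym not in ("???", "syscall")), None)
    report = {
        "pid": int(m.group(1)),
        "syscall": X86_64_SYSCALLS.get(nr, "unknown(%d)" % nr),
        "caller": caller,
        # Libraries on the stack, innermost first, without duplicates.
        "libraries": list(dict.fromkeys(
            lib.rsplit("/", 1)[-1] for _, lib in frames)),
    }
    if report["syscall"] == "memfd_create" and len(args) > 1:
        # The second syscall argument is the flag word.
        report["flags"] = [n for bit, n in MFD_FLAGS.items() if args[1] & bit]
    return report
```

The `i965_dri.so` entry in the library list matches the reporter's observation that only the Intel driver path reaches this call.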
(Reporter)

Updated

3 years ago
Crash Signature: [@ libc-2.23.so@0xfcff9 ]
Duplicate of this bug: 1285497
(Reporter)

Comment 6

3 years ago
Yes I just had a crash at 123greetings.com trying to send a Birthday card.  Perhaps it is just Intel graphics related.
(In reply to Bill Gianopoulos [:WG9s] from comment #6)
> Yes I just had a crash at 123greetings.com trying to send a Birthday card.
> Perhaps it is just Intel graphics related.

What version of Linux are you using?
(Reporter)

Comment 8

3 years ago
(In reply to Ludovic Hirlimann [:Usul] from comment #7)
> (In reply to Bill Gianopoulos [:WG9s] from comment #6)
> > Yes I just had a crash at 123greetings.com trying to send a Birthday card.
> > Perhaps it is just Intel graphics related.
>
> What version of Linux are you using?

Fedora 24

Comment 9

3 years ago
Just wanted to confirm that with seccomp-bpf enabled for content, everything works fine for me with the Nvidia proprietary driver on a 4.4.14 kernel, no crashes.
Video, Audio, WebGL1 WebGL2, MathML, canvas, no problems so far.

Seccomp-BPF (System Call Filtering)	true
Seccomp Thread Synchronization	true
User Namespaces	false
Content Process Sandboxing	true
Media Plugin Sandboxing	true

Device ID	GeForce GTX 650 Ti BOOST/PCIe/SSE2
Driver Version	4.5.0 NVIDIA 364.19

User Agent 	Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
OS 	Linux 4.4.14-3-MANJARO
Build ID 	20160707083343
(Reporter)

Comment 10

3 years ago
OK, so it definitely seems to be Intel only.
(Reporter)

Comment 11

3 years ago
In any event, just go to about:config and set security.sandbox.content.level to 0, then restart the browser and all should be well again.
We'll need to whitelist memfd_create. Luckily, that doesn't look like a potentially evil system call.
Reading the manpage, this syscall appears to be pretty innocent
and in fact used to protect shmem users against exploits.

MozReview-Commit-ID: 7UE6hyDiC6H
Attachment #8769214 - Flags: review?(julian.r.hector)
Comment on attachment 8769214 [details] [diff] [review]
Whitelist memfd_create (used for Sealed Files IPC)

Review of attachment 8769214 [details] [diff] [review]:
-----------------------------------------------------------------

lgtm
Attachment #8769214 - Flags: review?(julian.r.hector) → review+
Duplicate of this bug: 1285296
No longer blocks: desktop-seccomp
(In reply to Gian-Carlo Pascutto [:gcp] from comment #14)
> Reading the manpage, this syscall appears to be pretty innocent
> and in fact used to protect shmem users against exploits.

It's also much easier for sandboxing to allow it (as seen here) than the classical open+unlink, so we'd like to *encourage* its use, if anything.  (See also: bug 1146416 and https://crbug.com/415681#c48.)  Unfortunately, it's still relatively new, so its availability can't be assumed.
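The contrast drawn in the comment above, as an added example that is not code from the patch or from libxshmfence: an unnamed shared-memory file created with memfd_create and sealed, with the classical open+unlink path as the fallback when the call is unavailable. The helper names and the `demo-shm` label are hypothetical.

```python
import fcntl
import os
import tempfile

def anonymous_shm(payload):
    """Return (fd, backend) for an unnamed file holding payload."""
    fd = None
    if hasattr(os, "memfd_create"):
        try:
            # One syscall and no filesystem path: a seccomp policy only
            # has to allow this call, nothing has to be opened by name.
            fd = os.memfd_create("demo-shm",
                                 os.MFD_CLOEXEC | os.MFD_ALLOW_SEALING)
        except OSError:
            fd = None  # e.g. ENOSYS on a kernel without memfd_create
    if fd is not None:
        os.write(fd, payload)
        # Seal size and contents so no holder of the fd can alter them.
        fcntl.fcntl(fd, fcntl.F_ADD_SEALS,
                    fcntl.F_SEAL_SHRINK | fcntl.F_SEAL_GROW | fcntl.F_SEAL_WRITE)
        return fd, "memfd"
    # Classical fallback: create a named file, then unlink it. This needs
    # path-based open and unlink access, which a sandbox has to grant or
    # broker, and the resulting file cannot be sealed.
    fd, path = tempfile.mkstemp(prefix="demo-shm-")
    os.unlink(path)
    os.write(fd, payload)
    return fd, "open+unlink"

def write_is_blocked(fd):
    """True if overwriting the first byte is refused (write seal set)."""
    try:
        os.pwrite(fd, b"X", 0)
        return False
    except PermissionError:  # EPERM from a write-sealed memfd
        return True

def demo():
    fd, backend = anonymous_shm(b"fence")
    try:
        blocked = write_is_blocked(fd)
        return backend, blocked, os.pread(fd, 5, 0)
    finally:
        os.close(fd)
```

On the memfd path the later write is refused and the contents stay intact; on the fallback path the same write succeeds.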
(Reporter)

Comment 19

3 years ago
(In reply to Gian-Carlo Pascutto [:gcp] from comment #17)
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=ef1fcbf9e2ae

Thanks for coming up with a fix so quickly.  Unfortunately I am at my weekend place so won't be able to do extensive testing on the system with Intel graphics until Monday.
(Reporter)

Comment 20

3 years ago
(In reply to Bill Gianopoulos [:WG9s] from comment #19)
> (In reply to Gian-Carlo Pascutto [:gcp] from comment #17)
> > https://treeherder.mozilla.org/#/jobs?repo=try&revision=ef1fcbf9e2ae
> 
> Thanks for coming up with a fix so quickly.  Unfortunately I am at my
> weekend place so won't be able to do extensive testing on the system with
> Intel graphics until Monday.

Came home early because of inclement weather so was able to test today.  I was able to run the html5test.com as well as the WebGL conformance tests and browser cards on 123greetings.com, all of which crash without this patch.

This patch seems to fix all the issues I had seen before.
Duplicate of this bug: 1285920

Comment 25

3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/a22656e76df7
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Crash Signature: [@ libc-2.23.so@0xfcff9 ] → [@ libc-2.23.so@0xfcff9 ] [@ libc-2.23.so@0xe3269 ] [@ libc-2.22.so@0xfc7a9 ] [@ libc-2.22.so@0xe4a59 ] [@ libc-2.23.so@0xe36c9 ] [@ libc-2.23.so@0x100fa9 ] [@ libc-2.23.so@0xe38f9 ] [@ libc-2.23.so@0xe5599 ] [@ libc-2.22.so@0xe4e49 ] [@ libc-2.23.so@0x10…
Some of these signatures are still active on Fx50, although in low volume. The following is based on the last ~3 months of crash data, after the fix landed on 2016-07-11.

  +-----------------------+----------------------------+--------------------+-------------+
  | SIGNATURE             | CRASH STATS                | OVERVIEW           | LAST CRASH  |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0xfcff9  | http://tinyurl.com/h47djjc | 52.0a1: 0 crashes  | 2016-07-18  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 29 crashes |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b: 0 crashes   |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0xe3269  | http://tinyurl.com/hnjqyw5 | 52.0a1: 0 crashes  | 2016-09-29  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 49 crashes |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b3: 0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.22.so@0xfc7a9  | http://tinyurl.com/zff8j5b | 52.0a1: 0 crashes  | 2016-07-12  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 17 crashes |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.22.so@0xe4a59  | http://tinyurl.com/zgckqp6 | 52.0a1: 0 crashes  | 2016-07-12  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 7 crashes  |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0xe36c9  | http://tinyurl.com/hutkky6 | 52.0a1: 0 crashes  | n/a         |
  |                       |                            | 51.0a1: 0 crashes  |             |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 0 crashes  |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0x100fa9 | http://tinyurl.com/zv7wrrd | 52.0a1: 0 crashes  | n/a         |
  |                       |                            | 51.0a1: 0 crashes  |             |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 0 crashes  |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0xe38f9  | http://tinyurl.com/z8eaufs | 52.0a1: 0 crashes  | 2016-07-13  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 3 crashes  |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0xe5599  | http://tinyurl.com/hcgs2rl | 52.0a1: 0 crashes  | 2016-07-11  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 7 crashes  |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.22.so@0xe4e49  | http://tinyurl.com/jsuyuxf | 52.0a1: 0 crashes  | 2016-07-11  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 5 crashes  |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0x100c19 | http://tinyurl.com/zffp4fv | 52.0a1: 0 crashes  | 2016-07-23  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 12 crashes |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+