Closed
Bug 1312894
Opened 8 years ago
Closed 8 years ago
Crash in je_free | swrast_dri.so@0x438a90
Categories
(Core :: Security: Process Sandboxing, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1312678
| Tracking | Status | |
|---|---|---|
| firefox49 | --- | unaffected |
| firefox50 | --- | unaffected |
| firefox51 | --- | unaffected |
| firefox52 | --- | fixed |
People
(Reporter: milan, Unassigned)
References
Details
(Keywords: crash, regression, Whiteboard: sb+)
Crash Data
Attachments
(1 file)
|
22.80 KB,
application/vnd.oasis.opendocument.text
|
Details |
+++ This bug was initially created as a clone of Bug #1290896 +++
This bug was filed from the Socorro interface and is
report bp-57b785b8-0756-43de-9da7-40dce2160801.
=============================================================
[Note]:
This crash is reproducible only on Ubuntu platform, on Firefox 50.0a1 build and with E10s enabled.
Ciprian was able to reproduce this issue again on latest Nightly 52.0a1 (2016-10-19), using STR from comment 0. Also this is reproducibile by playing one of the WebGL Samples (e.g. "Aquarium") from here: http://webglsamples.org/
Note: Ciprian used the same machine and OS mentioned by Mihai in bug 1290896 comment 9.
See Crash Signature: https://crash-stats.mozilla.com/report/index/81282b10-329c-4b50-8a4e-fb9182161020
-- I run mozregression for a regression range and this are the results (although I'm not sure what regressed this):
Last good revision: da986c9f1f723af1e0c44f4ccd4cddd5fb6084e8
First bad revision: d8e1f5cf0a70a53e8a5532809096a0a5bf729196
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=da986c9f1f723af1e0c44f4ccd4cddd5fb6084e8&tochange=d8e1f5cf0a70a53e8a5532809096a0a5bf729196
[Affected versions]:
Firefox 50.0a1 (2016-07-31)
[Affected platforms]:
Ubuntu 16.04 x64
[Steps to reproduce]:
1. Visit https://s3.amazonaws.com/mozilla-games/tmp/2015-08-28-emunittest_0.4-AngryBots-u5.1.3f1_hg-e1.34.6-release-prof/index.html?playback
[Expected result]:
The video is correctly played.
[Actual result]:
The tab is crashing after the Unity page is loaded.
[Regression range]:
Last good revision: c676d55b6b006a2edb37c7c29c64e69f7cb8012a
First bad revision: 23140396a80eb27ff586c41fdc1cad62c875c9b1
Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c676d55b6b006a2edb37c7c29c64e69f7cb8012a&tochange=23140396a80eb27ff586c41fdc1cad62c875c9b1
Looks like the following bug has the changes which introduced the regression:
https://bugzilla.mozilla.org/show_bug.cgi?id=742434
|
Reporter | |
Updated•8 years ago
|
|
|
Reporter | |
Comment 1•8 years ago
|
||
New bug based on bug 1290896 comment 29.
|
||
Comment 2•8 years ago
|
||
:gcp, in Bug 1290896, the issue was readlink(), based on the regression range it seems this problem got reintroduced with the introduction of the filebroker for all file system access.
According to the manpage of readlink():
"readlink() does not append a null byte to buf. It will truncate the contents (to a length of bufsiz characters)"
so even if the content can be read from the file, it may be the case that not the full content is returned to the child and therefore something similar to Bug 1290896 is happening based on missing information.
[1] is where readlink() is called on the parent side, it uses |respBuf| which is limited to 4096+1 bytes, see [2]
Which may not be enough to read the CPU features as :jld mentioned in Bug 1290896 Comment 12.
[1] http://searchfox.org/mozilla-central/rev/e3e8571c5378ac92663d4f583ccc4ad0a3019716/security/sandbox/linux/broker/SandboxBroker.cpp#673
[2] http://searchfox.org/mozilla-central/rev/e3e8571c5378ac92663d4f583ccc4ad0a3019716/security/sandbox/linux/broker/SandboxBroker.cpp#438
Flags: needinfo?(jld)
Flags: needinfo?(gpascutto)
|
||
Comment 3•8 years ago
|
||
(In reply to Julian Hector [:tedd] [:jhector] from comment #2)
> :gcp, in Bug 1290896, the issue was readlink(), based on the regression
> range it seems this problem got reintroduced with the introduction of the
> filebroker for all file system access.
>
> According to the manpage of readlink():
> "readlink() does not append a null byte to buf. It will truncate the
> contents (to a length of bufsiz characters)"
>
> so even if the content can be read from the file,
readlink does not read the file contents, does it? Just the value of the link, i.e. the pointed-to-file?
Flags: needinfo?(gpascutto)
|
|
||
Comment 4•8 years ago
|
||
The useful thing here would be to run Nightly with MOZ_SANDBOX_VERBOSE=1, reproduce the problem by running the WebGL things and put the log of that (all the sandboxing things that will be spammed to the console) somewhere.
Flags: needinfo?(mihai.boldan)
|
|
||
Comment 5•8 years ago
|
||
(In reply to Julian Hector [:tedd] [:jhector] from comment #2)
> Which may not be enough to read the CPU features as :jld mentioned in Bug
> 1290896 Comment 12.
The problem has nothing to do with reading CPU features, as pointed out here: https://bugzilla.mozilla.org/show_bug.cgi?id=1290896#c14
The problem is that LLVM 3.8.0 thinks that Skylake chips have AVX512 and *doesn't* actually check the CPU features (which would reveal it's not true).
|
|
||
Comment 6•8 years ago
|
||
Yes :gcp you are right, it doesn't read the content of the file (I was confusing something there), so this can't be the issue.
It is interesting that it was "fixed" once readlink() was allowed in seccomp, and now is troubling us again.
Flags: needinfo?(jld)
|
|
||
Comment 7•8 years ago
|
||
(In reply to Julian Hector [:tedd] [:jhector] from comment #6)
> It is interesting that it was "fixed" once readlink() was allowed in
> seccomp, and now is troubling us again.
The driver is likely trying to write to a place that's blocked. realpath() breaking it is a good indication it's trying to do filesystem access.
|
||
Updated•8 years ago
|
status-firefox49:
--- → unaffected
status-firefox50:
--- → unaffected
status-firefox51:
--- → unaffected
|
||
Comment 8•8 years ago
|
||
(In reply to Gian-Carlo Pascutto [:gcp] from comment #4)
> The useful thing here would be to run Nightly with MOZ_SANDBOX_VERBOSE=1,
> reproduce the problem by running the WebGL things and put the log of that
> (all the sandboxing things that will be spammed to the console) somewhere.
Hi Gian-Carlo,
Here are the logs from the console after reproducing the crash. Please let me know if there is any other information needed.
Note that the crash was reproduced on the same machine as in Bug 1290896 Comment 9 and on Latest Nightly build.
Flags: needinfo?(mihai.boldan) → needinfo?(gpascutto)
|
||
Comment 9•8 years ago
|
||
This looks like the important part:
Sandbox: SandboxBroker: denied op=0 rflags=2000002 perms=3 path=/dev/dri/card1 for pid=26419 error="No such file or directory"
Sandbox: Rejected errno -13 op 0 flags 02000002 path /dev/dri/card1
libGL error: failed to open drm device: Permission denied
libGL error: failed to load driver: i965
|
|
||
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(gpascutto)
Resolution: --- → DUPLICATE
|
||
Comment 11•8 years ago
|
||
Marking fixed in 52 per bug 1312678
You need to log in
before you can comment on or make changes to this bug.
Description
•