Crash in je_free | swrast_dri.so@0x438a90

RESOLVED DUPLICATE of bug 1312678

Status

()

defect
--
major
RESOLVED DUPLICATE of bug 1312678
3 years ago
3 years ago

People

(Reporter: milan, Unassigned)

Tracking

({crash, regression})

52 Branch
All
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox49 unaffected, firefox50 unaffected, firefox51 unaffected, firefox52 fixed)

Details

(Whiteboard: sb+, crash signature)

Attachments

(1 attachment)

22.80 KB, application/vnd.oasis.opendocument.text
Details
+++ This bug was initially created as a clone of Bug #1290896 +++

This bug was filed from the Socorro interface and is 
report bp-57b785b8-0756-43de-9da7-40dce2160801.
=============================================================

[Note]:
This crash is reproducible only on Ubuntu platform, on Firefox 50.0a1 build and with E10s enabled.

Ciprian was able to reproduce this issue again on latest Nightly 52.0a1 (2016-10-19), using STR from comment 0. Also this is reproducibile by playing one of the WebGL Samples (e.g. "Aquarium") from here: http://webglsamples.org/
Note: Ciprian used the same machine and OS mentioned by Mihai in bug 1290896 comment 9. 

See Crash Signature: https://crash-stats.mozilla.com/report/index/81282b10-329c-4b50-8a4e-fb9182161020

-- I run mozregression for a regression range and this are the results (although I'm not sure what regressed this):
 Last good revision: da986c9f1f723af1e0c44f4ccd4cddd5fb6084e8
 First bad revision: d8e1f5cf0a70a53e8a5532809096a0a5bf729196
 Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=da986c9f1f723af1e0c44f4ccd4cddd5fb6084e8&tochange=d8e1f5cf0a70a53e8a5532809096a0a5bf729196

[Affected versions]:
Firefox 50.0a1 (2016-07-31)

[Affected platforms]:
Ubuntu 16.04 x64

[Steps to reproduce]:
1. Visit https://s3.amazonaws.com/mozilla-games/tmp/2015-08-28-emunittest_0.4-AngryBots-u5.1.3f1_hg-e1.34.6-release-prof/index.html?playback

[Expected result]:
The video is correctly played.

[Actual result]:
The tab is crashing after the Unity page is loaded.

[Regression range]:
Last good revision: c676d55b6b006a2edb37c7c29c64e69f7cb8012a
First bad revision: 23140396a80eb27ff586c41fdc1cad62c875c9b1
Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c676d55b6b006a2edb37c7c29c64e69f7cb8012a&tochange=23140396a80eb27ff586c41fdc1cad62c875c9b1

Looks like the following bug has the changes which introduced the regression:
https://bugzilla.mozilla.org/show_bug.cgi?id=742434
:gcp, in Bug 1290896, the issue was readlink(), based on the regression range it seems this problem got reintroduced with the introduction of the filebroker for all file system access.

According to the manpage of readlink():
"readlink() does not append a null byte to buf.  It will truncate the contents (to a length of bufsiz characters)"

so even if the content can be read from the file, it may be the case that not the full content is returned to the child and therefore something similar to Bug 1290896 is happening based on missing information.

[1] is where readlink() is called on the parent side, it uses |respBuf| which is limited to 4096+1 bytes, see [2]

Which may not be enough to read the CPU features as :jld mentioned in Bug 1290896 Comment 12.

[1] http://searchfox.org/mozilla-central/rev/e3e8571c5378ac92663d4f583ccc4ad0a3019716/security/sandbox/linux/broker/SandboxBroker.cpp#673
[2] http://searchfox.org/mozilla-central/rev/e3e8571c5378ac92663d4f583ccc4ad0a3019716/security/sandbox/linux/broker/SandboxBroker.cpp#438
Flags: needinfo?(jld)
Flags: needinfo?(gpascutto)
(In reply to Julian Hector [:tedd] [:jhector] from comment #2)
> :gcp, in Bug 1290896, the issue was readlink(), based on the regression
> range it seems this problem got reintroduced with the introduction of the
> filebroker for all file system access.
> 
> According to the manpage of readlink():
> "readlink() does not append a null byte to buf.  It will truncate the
> contents (to a length of bufsiz characters)"
> 
> so even if the content can be read from the file, 

readlink does not read the file contents, does it? Just the value of the link, i.e. the pointed-to-file?
Flags: needinfo?(gpascutto)
The useful thing here would be to run Nightly with MOZ_SANDBOX_VERBOSE=1, reproduce the problem by running the WebGL things and put the log of that (all the sandboxing things that will be spammed to the console) somewhere.
Flags: needinfo?(mihai.boldan)
(In reply to Julian Hector [:tedd] [:jhector] from comment #2)
> Which may not be enough to read the CPU features as :jld mentioned in Bug
> 1290896 Comment 12.

The problem has nothing to do with reading CPU features, as pointed out here: https://bugzilla.mozilla.org/show_bug.cgi?id=1290896#c14

The problem is that LLVM 3.8.0 thinks that Skylake chips have AVX512 and *doesn't* actually check the CPU features (which would reveal it's not true).
Yes :gcp you are right, it doesn't read the content of the file (I was confusing something there), so this can't be the issue.

It is interesting that it was "fixed" once readlink() was allowed in seccomp, and now is troubling us again.
Flags: needinfo?(jld)
(In reply to Julian Hector [:tedd] [:jhector] from comment #6)
> It is interesting that it was "fixed" once readlink() was allowed in
> seccomp, and now is troubling us again.

The driver is likely trying to write to a place that's blocked. realpath() breaking it is a good indication it's trying to do filesystem access.
Posted file Console logs.odt
(In reply to Gian-Carlo Pascutto [:gcp] from comment #4)
> The useful thing here would be to run Nightly with MOZ_SANDBOX_VERBOSE=1,
> reproduce the problem by running the WebGL things and put the log of that
> (all the sandboxing things that will be spammed to the console) somewhere.

Hi Gian-Carlo,

Here are the logs from the console after reproducing the crash. Please let me know if there is any other information needed.

Note that the crash was reproduced on the same machine as in Bug 1290896 Comment 9 and on Latest Nightly build.
Flags: needinfo?(mihai.boldan) → needinfo?(gpascutto)
This looks like the important part:

Sandbox: SandboxBroker: denied op=0 rflags=2000002 perms=3 path=/dev/dri/card1 for pid=26419 error="No such file or directory"
Sandbox: Rejected errno -13 op 0 flags 02000002 path /dev/dri/card1
libGL error: failed to open drm device: Permission denied
libGL error: failed to load driver: i965
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(gpascutto)
Resolution: --- → DUPLICATE
Duplicate of bug: 1312678
You need to log in before you can comment on or make changes to this bug.