Closed Bug 1672482 Opened 4 months ago Closed 4 months ago

Crash in [@ __getdents64] on the RDD process when watching H264 video.

Categories

(Core :: Security: Process Sandboxing, defect)

Unspecified
Linux
defect

Tracking

()

RESOLVED FIXED
84 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox81 --- unaffected
firefox82 --- unaffected
firefox83 --- unaffected
firefox84 + fixed

People

(Reporter: emilio, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/548e8c78-3b33-44e4-8857-c85bb0201021

Reason: SIGSYS

Top 10 frames of crashing thread:

0 libc.so.6 __getdents64 /usr/src/debug/glibc-2.32/dirent/../sysdeps/unix/sysv/linux/getdents64.c:32
1 libc.so.6 __readdir64 /usr/src/debug/glibc-2.32/dirent/../sysdeps/posix/readdir.c:65
2 libc.so.6 __get_nprocs_conf /usr/src/debug/glibc-2.32/misc/../sysdeps/unix/sysv/linux/getsysstats.c:248
3 libc.so.6 __sysconf /usr/src/debug/glibc-2.32/posix/../sysdeps/unix/sysv/linux/x86/sysconf.c:36
4 libnspr4.so PR_GetNumberOfProcessors nsprpub/pr/src/misc/prsystem.c:254
5 libxul.so mozilla::FFmpegVideoDecoder<46465650>::InitCodecContext dom/media/platforms/ffmpeg/FFmpegVideoDecoder.cpp:415
6 libxul.so mozilla::FFmpegDataDecoder<46465650>::InitDecoder dom/media/platforms/ffmpeg/FFmpegDataDecoder.cpp:96
7 libxul.so mozilla::FFmpegVideoDecoder<46465650>::Init dom/media/platforms/ffmpeg/FFmpegVideoDecoder.cpp:385
8 libxul.so mozilla::detail::ProxyFunctionRunnable<mozilla::MediaDataDecoderProxy::Init xpcom/threads/MozPromise.h:1564
9 libxul.so mozilla::TaskQueue::Runner::Run xpcom/threads/TaskQueue.cpp:158

I think since it takes an FD this might be ok, but let me know if this
somehow doesn't cut it and a more nuanced fix is needed.

Since stuff like PR_GetNumberOfProcessors() uses it with some glibc
versions, which is pretty basic functionality, we probably need to make
it work in all processes.

Duplicate of this bug: 1672483

BTW, this can't happen with default preferences value.

OS: Unspecified → Linux

(In reply to Jean-Yves Avenard [:jya] from comment #3)

BTW, this can't happen with default preferences value.

This was totally happening on a default profile with MOZ_ENABLE_WAYLAND=1, what am I missing?

Flags: needinfo?(jyavenard)

This is the top crash on the 10/21 Linux nightlies, with 74%(!!!) of all crashes.

Why don't we land this patch?

Having said that, while a crash will be reported by the crash reporter, it will not crash the browser nor the tab.

It will just fall-back to decoding in content.

Flags: needinfo?(jyavenard)

(In reply to Emilio Cobos Álvarez (:emilio) from comment #4)

(In reply to Jean-Yves Avenard [:jya] from comment #3)

BTW, this can't happen with default preferences value.

This was totally happening on a default profile with MOZ_ENABLE_WAYLAND=1, what am I missing?

Yes my bad. I got confused by your comment that it was happening when playing h264. But that's not the case, it's the vp9 decoder that is crashing. We query the number of CPU to set how many threads can be use by the decoder.

What is surprising, is how come those wasn't caught by our auto test coverage, it would have hit that code all the time.

I tested on Ubuntu and I see no such crashes.

Flags: needinfo?(gpascutto)

From Jed's comment it sounds like this will need followups.

Flags: needinfo?(gpascutto)

(In reply to Jean-Yves Avenard [:jya] from comment #8)

What is surprising, is how come those wasn't caught by our auto test coverage, it would have hit that code all the time.

Looks like PR_GetNumberOfProcessors first tries to parse /sys/devices/system/cpu/present, and if that doesn't work falls back to sysconf( _SC_NPROCESSORS_CONF ). The latter then counts the number of cpu* subdirectories of /sys/devices/system/cpu which is what calls readdir. I guess we don't have to fall back in automation?

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1c7244c1d3b5
Move getdents allowance to SandboxPolicyCommon. r=jld,gcp
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
Blocks: 1673173
You need to log in before you can comment on or make changes to this bug.