Open Bug 1928414 Opened 1 month ago Updated 7 days ago

SIGILL crash on launch on Linux arm64 (armv8.3-A)

Component: Core :: Gecko Profiler (defect, P3)
Version: Firefox 132
Status: UNCONFIRMED
Reporter: chitaotao (Unassigned)
Attachments: 1 file

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0

Steps to reproduce:

Open Firefox.

Actual results:

Either it crashes directly with Illegal Instruction (core dumped), or the window opens but every tab crashes.

This problem also occurs on earlier versions; it is not limited to Firefox 132.
My system is Debian sid. I managed to get a backtrace with debuginfod using gdb.

(gdb) r
Starting program: /usr/bin/firefox
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ff74ff120 (LWP 15417)]
[Thread 0x7ff74ff120 (LWP 15417) exited]
[New Thread 0x7ff74ff120 (LWP 15434)]
[New Thread 0x7fea0ff120 (LWP 15435)]
[New Thread 0x7fe98ef120 (LWP 15436)]
[Detaching after fork from child process 15437]
[New Thread 0x7fe90df120 (LWP 15438)]
[New Thread 0x7fe88cf120 (LWP 15439)]
[Detaching after vfork from child process 15440]
[New Thread 0x7fe86bf120 (LWP 15443)]
[New Thread 0x7f63dff120 (LWP 15444)]
[New Thread 0x7f63daf120 (LWP 15445)]
[New Thread 0x7f63d5f120 (LWP 15446)]
[New Thread 0x7f63d0f120 (LWP 15447)]
[New Thread 0x7f63cbf120 (LWP 15448)]
[New Thread 0x7f63c6f120 (LWP 15449)]
[New Thread 0x7f63c1f120 (LWP 15450)]
[New Thread 0x7f63bcf120 (LWP 15451)]
[New Thread 0x7f63b7f120 (LWP 15452)]
[New Thread 0x7f638ff120 (LWP 15453)]
[New Thread 0x7f62cff120 (LWP 15454)]
[New Thread 0x7f624ef120 (LWP 15455)]
[New Thread 0x7f61cdf120 (LWP 15456)]
[Detaching after fork from child process 15457]
[New Thread 0x7f63b2f120 (LWP 15458)]
[Thread 0x7f61cdf120 (LWP 15456) exited]
[New Thread 0x7f63875120 (LWP 15473)]
[New Thread 0x7f62e4a120 (LWP 15474)]
[New Thread 0x7f614cf120 (LWP 15475)]
[New Thread 0x7f6147f120 (LWP 15476)]
[New Thread 0x7f61cdf120 (LWP 15477)]
[New Thread 0x7f5feff120 (LWP 15478)]
[New Thread 0x7f5fcf1120 (LWP 15479)]
[New Thread 0x7f5fae3120 (LWP 15480)]
[New Thread 0x7f5f8d5120 (LWP 15481)]
[New Thread 0x7f5f6c7120 (LWP 15482)]

Thread 32 "firefox" received signal SIGILL, Illegal instruction.
[Switching to Thread 0x7f5f6c7120 (LWP 15482)]
Downloading source file /build/reproducible-path/gcc-14-14.2.0/build/aarch64-linux-gnu/libgcc/../../../src/libgcc/config/aarch64/aarch64-unwind.h
0x0000007ff7c67210 in aarch64_demangle_return_addr (fs=0x2ad37fef3d9a70,
context=0x7f5f6c5880, addr_word=<optimized out>)
at ../../../src/libgcc/config/aarch64/aarch64-unwind.h:75
warning: 75 ../../../src/libgcc/config/aarch64/aarch64-unwind.h: 没有那个文件或目录
0x0000007ff7c67208 <uw_update_context+296>: aa1503f1 mov x17, x21
0x0000007ff7c6720c <uw_update_context+300>: aa1403f0 mov x16, x20
=> 0x0000007ff7c67210 <uw_update_context+304>: d503219f autia1716
0x0000007ff7c67214 <uw_update_context+308>: aa1103f5 mov x21, x17
(gdb) set pagination on
(gdb) bt full
#0 0x0000007ff7c67210 in aarch64_demangle_return_addr (fs=0x2ad37fef3d9a70,
context=0x7f5f6c5880, addr_word=<optimized out>)
at ../../../src/libgcc/config/aarch64/aarch64-unwind.h:75
salt = 547061785920
addr = <optimized out>
reg = 34
addr = <optimized out>
reg = <optimized out>
salt = <optimized out>
#1 uw_update_context (context=context@entry=0x7f5f6c5880,
fs=fs@entry=0x7f5f6c5c40) at ../../../src/libgcc/unwind-dw2.c:1287
ret_addr = <optimized out>
ra = <optimized out>
#2 0x0000007ff7c67b3c [PAC] in _Unwind_Backtrace (
trace=0x55555ac400 <unwind_callback(_Unwind_Context*, void*)>,
trace_argument=0x7f5f6c6018) at ../../../src/libgcc/unwind.inc:326
fs = {regs = {reg = {{loc = {reg = 0, offset = 0, exp = 0x0}}, {loc = {
reg = 18446744073709551584, offset = -32,
exp = 0xffffffffffffffe0 <error: Cannot access memory at address 0xffffffffffffffe0>}}, {loc = {reg = 18446744073709551592, offset = -24,
exp = 0xffffffffffffffe8 <error: Cannot access memory at address 0xffffffffffffffe8>}}, {loc = {reg = 18446744073709551600, offset = -16,
exp = 0xfffffffffffffff0 <error: Cannot access memory at address 0xfffffffffffffff0>}}, {loc = {reg = 18446744073709551608, offset = -8, exp = 0xfffffffffffffff8 <error: Cannot access memory at address 0xfffffffffffffff8>}}, {loc = {
reg = 18446744073709551472, offset = -144, exp = 0xffffffffffffff70 <error: Cannot access memory at address 0xffffffffffffff70>}}, {loc = {reg = 18446744073709551480,
offset = -136, exp = 0xffffffffffffff78 <error: Cannot access memory at address 0xffffffffffffff78>}}, {loc = {reg = 18446744073709551488, offset = -128,
exp = 0xffffffffffffff80 <error: Cannot access memory at address 0xffffffffffffff80>}}, {loc = {reg = 18446744073709551496, offset = -120,
exp = 0xffffffffffffff88 <error: Cannot access memory at address 0xffffffffffffff88>}}, {loc = {reg = 18446744073709551504, offset = -112,
exp = 0xffffffffffffff90 <error: Cannot access memory at address 0xffffffffffffff90>}}, {loc = {reg = 18446744073709551512, offset = -104,
exp = 0xffffffffffffff98 <error: Cannot access memory at address 0xffffffffffffff98>}}, {loc = {reg = 18446744073709551520, offset = -96,
exp = 0xffffffffffffffa0 <error: Cannot access memory at address 0xffffffffffffffa0>}}, {loc = {reg = 18446744073709551528, offset = -88,
exp = 0xffffffffffffffa8 <error: Cannot access memory at address 0xffffffffffffffa8>}}, {loc = {reg = 18446744073709551536, offset = -80,
exp = 0xffffffffffffffb0 <error: Cannot access memory at address 0xffffffffffffffb0>}}, {loc = {reg = 18446744073709551544, offset = -72,
exp = 0xffffffffffffffb8 <error: Cannot access memory at address 0xffffffffffffffb8>}}, {loc = {reg = 18446744073709551552, offset = -64,
exp = 0xffffffffffffffc0 <error: Cannot access memory at address 0xffffffffffffffc0>}}, {loc = {reg = 18446744073709551560, offset = -56,
exp = 0xffffffffffffffc8 <error: Cannot access memory at address 0xffffffffffffffc8>}}, {loc = {reg = 18446744073709551568, offset = -48,
exp = 0xffffffffffffffd0 <error: Cannot access memory at address 0xffffffffffffffd0>}}, {loc = {reg = 18446744073709551576, offset = -40,
exp = 0xffffffffffffffd8 <error: Cannot access memory at address 0xffffffffffffffd8>}}, {loc = {reg = 18446744073709551552, offset = -64,
exp = 0xffffffffffffffc0 <error: Cannot access memory at address 0xffffffffffffffc0>}}, {loc = {reg = 18446744073709551560, offset = -56,
exp = 0xffffffffffffffc8 <error: Cannot access memory at address 0xffffffffffffffc8>}}, {loc = {reg = 18446744073709551568, offset = -48,
exp = 0xffffffffffffffd0 <error: Cannot access memory at address 0xffffffffffffffd0>}}, {loc = {reg = 18446744073709551576, offset = -40,
exp = 0xffffffffffffffd8 <error: Cannot access memory at address 0xffffffffffffffd8>}}, {loc = {reg = 18446744073709551584, offset = -32,
exp = 0xffffffffffffffe0 <error: Cannot access memory at address 0xffffffffffffffe0>}}, {loc = {reg = 18446744073709551592, offset = -24,
exp = 0xffffffffffffffe8 <error: Cannot access memory at address 0xffffffffffffffe8>}}, {loc = {reg = 18446744073709551600, offset = -16,
exp = 0xfffffffffffffff0 <error: Cannot access memory at address 0xfffffffffffffff0>}}, {loc = {reg = 18446744073709551584, offset = -32,
exp = 0xffffffffffffffe0 <error: Cannot access memory at address 0xffffffffffffffe0>}}, {loc = {reg = 18446744073709551592, offset = -24,
exp = 0xffffffffffffffe8 <error: Cannot access memory at address 0xffffffffffffffe8>}}, {loc = {reg = 18446744073709551600, offset = -16,
exp = 0xfffffffffffffff0 <error: Cannot access memory at address 0xfffffffffffffff0>}}, {loc = {reg = 18446744073709551456, offset = -160,
exp = 0xffffffffffffff60 <error: Cannot access memory at address 0xffffffffffffff60>}}, {loc = {reg = 18446744073709551464, offset = -152,
exp = 0xffffffffffffff68 <error: Cannot access memory at address 0xffffffffffffff68>}}, {loc = {reg = 0, offset = 0, exp = 0x0}} <repeats 67 times>},
how = "\000", '\001' <repeats 18 times>, "\000\000\000\000\000\000\000\000\000\000\001\001\000\000\000\006", '\000' <repeats 62 times>, cfa_how = CFA_REG_OFFSET, prev = 0x0,
cfa_offset = 672, cfa_reg = 31, cfa_exp = 0x0}, pc = 0x7ff7fcfb78 <_dl_tlsdesc_dynamic+264>, personality = 0x0, data_align = -8, code_align = 4, retaddr_column = 30,
fde_encoding = 27 '\033', lsda_encoding = 255 '\377', saw_z = 1 '\001', signal_frame = 0 '\000', eh_ptr = 0x0}
context = {reg = {0x0, 0x7f5f6c6520, 0x7f5f6c6528, 0x7f5f6c6530, 0x7f5f6c6538, 0x7f5f6c64b0, 0x7f5f6c64b8, 0x7f5f6c64c0, 0x7f5f6c64c8, 0x7f5f6c64d0, 0x7f5f6c64d8, 0x7f5f6c64e0,
0x7f5f6c64e8, 0x7f5f6c64f0, 0x7f5f6c64f8, 0x7f5f6c6500, 0x7f5f6c6508, 0x7f5f6c6510, 0x7f5f6c6518, 0x7f5f6c6260, 0x7f5f6c6268, 0x7f5f6c6270, 0x7f5f6c6278, 0x7f5f6c6280,
0x7f5f6c6288, 0x7f5f6c6290, 0x7f5f6c61e0, 0x7f5f6c61e8, 0x7f5f6c61f0, 0x7f5f6c64a0, 0x7f5f6c64a8, 0x0 <repeats 41 times>, 0x7f5f6c5840, 0x7f5f6c5848, 0x7f5f6c5850,
0x7f5f6c5858, 0x7f5f6c5860, 0x7f5f6c5868, 0x7f5f6c5870, 0x7f5f6c5878, 0x0 <repeats 18 times>}, cfa = 0x7f5f6c6540, ra = 0x7ff7fcfb30 <_dl_tlsdesc_dynamic+192>, lsda = 0x0,
bases = {tbase = 0x0, dbase = 0x0, func = 0x7ff7fcfa70 <_dl_tlsdesc_dynamic>}, flags = 4611686018427387904, version = 0, args_size = 0, by_value = '\000' <repeats 97 times>}
code = _URC_NO_REASON
#3 0x00000055555ac68c [PAC] in MozStackWalk (aCallback=<optimized out>, aFirstFramePC=<optimized out>, aMaxFrames=<optimized out>, aClosure=<optimized out>)
at ./mozglue/misc/StackWalk.cpp:842
info = {callback = 0x555555d900 <StackTrace::StackWalkCallback(unsigned int, void*, void*, void*)>, skipper = {mSkipUntilAddr = 0}, maxFrames = 16, numFrames = 4,
closure = 0x7f5f6c6080}
#4 0x000000555555e6e4 [PAC] in StackTrace::Fill (this=0x7f5f6c6080) at ./memory/build/PHC.cpp:240
No locals.
#5 MaybePageAlloc (aArenaId=..., aReqSize=<optimized out>, aAlignment=<optimized out>, aZero=false) at ./memory/build/PHC.cpp:1439
disable = <optimized out>
allocStack = {<mozilla::phc::StackTrace> = {static kMaxFrames = 16, mLength = 4, mPcs = {
0x555555e6e4 <MaybePageAlloc(mozilla::Maybe<unsigned long> const&, size_t, size_t, bool)+132>, 0x5555569af0 <malloc(size_t)+624>, 0x7ff7fcc664 <tls_get_addr_tail+436>,
0x7ff7fcfb30 <_dl_tlsdesc_dynamic+192>, 0x0, 0x0, 0x0, 0x7ff7ae1a1c <__printf_buffer+332>, 0x0, 0x0, 0xa, 0x20, 0x0, 0xffffffe0, 0x7f5f6c6603,
0x7f5f6c7860}}, <No data fields>}
lock = <optimized out>
now = <optimized out>
newAllocDelay = <optimized out>
mb_index = <optimized out>
index = <optimized out>
pagePtr = <optimized out>
ok = <optimized out>
usableSize = <optimized out>
ptr = <optimized out>
#6 0x0000005555569af0 [PAC] in PageMalloc (aArenaId=..., aReqSize=1312) at ./build-browser/dist/include/mozilla/MaybeStorageBase.h:66
ptr = <optimized out>
ptr = <optimized out>
#7 MozJemallocPHC::malloc (aReqSize=1312) at ./memory/build/PHC.cpp:1564
No locals.
#8 malloc (arg1=1312) at ./memory/build/malloc_decls.h:51
No locals.
#9 0x0000007ff7fcc664 [PAC] in malloc (size=1312) at ../include/rtld-malloc.h:56
No locals.
#10 allocate_dtv_entry (size=1312, alignment=16) at ./elf/dl-tls.c:715
ptr = <optimized out>
alloc_size = <optimized out>
start = <optimized out>
aligned = <optimized out>
alloc_size = <optimized out>
start = <optimized out>
aligned = <optimized out>
ptr = <optimized out>
#11 allocate_and_init (map=0x7ff7873e00) at ./elf/dl-tls.c:744
result = <optimized out>
result = <optimized out>

#12 tls_get_addr_tail (ti=0x7ff7834a80, dtv=0x7ff7862aa0, the_map=0x7ff7873e00) at ./elf/dl-tls.c:955
result = <optimized out>
PRETTY_FUNCTION = "tls_get_addr_tail"
#13 0x0000007ff7fcfb30 [PAC] in _dl_tlsdesc_dynamic () at ../sysdeps/aarch64/dl-tlsdesc.S:223
No locals.
#14 0x0000007fef3d9a70 [PAC] in mozilla::detail::ThreadLocalNativeStorage<mozilla::profiler::ThreadRegistration*>::get (this=<optimized out>)
at ./build-browser/dist/include/mozilla/ThreadLocal.h:181
No locals.
#15 mozilla::detail::ThreadLocal<mozilla::profiler::ThreadRegistration*, mozilla::detail::ThreadLocalNativeStorage>::get (this=<optimized out>)
at ./build-browser/dist/include/mozilla/ThreadLocal.h:226
No locals.
#16 mozilla::profiler::ThreadRegistration::RegisterThread (aName=0x0, aStackTop=aStackTop@entry=0x7f5f6c65f8) at ./tools/profiler/core/ProfilerThreadRegistration.cpp:124
rootRegistration = <optimized out>
tls = <optimized out>
tr = <optimized out>
#17 0x0000007fef3d9c34 [PAC] in profiler_register_thread (aName=<optimized out>, aGuessStackTop=aGuessStackTop@entry=0x7f5f6c65f8) at ./tools/profiler/core/platform.cpp:7095
No locals.
#18 0x0000007feb4b41e0 in mozilla::AutoProfilerRegisterThread::AutoProfilerRegisterThread (this=0x7f5f6c65f8, aName=<optimized out>) at ./build-browser/dist/include/GeckoProfiler.h:413
No locals.
#19 mozilla::TaskController::RunPoolThread (this=0x7ff78376a0, aThread=0x7f601290a0) at ./xpcom/threads/TaskController.cpp:334
threadName = {<nsTString<char>> = {<nsTSubstring<char>> = {<mozilla::detail::nsTStringRepr<char>> = {static kMaxCapacity = 282584257676671,
mData = 0x7f5f6c6624 "TaskController #5", mLength = {static kMax = 2147483646, mLength = 17}, mDataFlags = 17, mClassFlags = 3}, <No data fields>}, <No data fields>},
static kStorageSize = 64, mInlineCapacity = {static kMax = 2147483646, mLength = 63}, mStorage = "TaskController #5", '\000' <repeats 46 times>}
raiiObject334 = {<No data fields>}
lock = {mLock = @0x7ff7831e80}
#20 0x0000007ff6cbb3a0 [PAC] in _pt_root (arg=0x7f62d42b80) at ptthread.c:201
rv = <optimized out>
thred = 0x7f62d42b80
detached = 0
id = <optimized out>
tid = <optimized out>
#21 0x000000555556cd68 [PAC] in set_alt_signal_stack_and_start (params=<optimized out>) at ./mozglue/interposers/pthread_create_interposer.cpp:81
__cancel_buf = {__cancel_jmp_buf = {{__cancel_jmp_buf = {20480, 547061790012, 547061786968, 549621544800, 549616417536, 17, 547059638272, 547061788960, 547059638272, 0,
547061787056, 6884070946115083046, 4294967295, 6884071057888407914, 0, 0, 0, 0, 0, 0, 0, 0}, __mask_was_saved = 0}}, __pad = {0x7f5f6c6880, 0x0, 0x562b22d6024e9c00,
0x7f5f6c69b0}}
__cancel_routine = <optimized out>
__cancel_arg = <optimized out>
__not_first_call = <optimized out>
start_routine = <optimized out>
arg = <optimized out>
thread_rv = 0x0
kSigStackSize = 20480
alt_stack_mem = 0x7ff6816000
alt_stack = {mem = 0x7ff6816000, size = 20480}
#22 0x0000007ff7b0fe84 [PAC] in start_thread (arg=0x7ff7ff3760) at ./nptl/pthread_create.c:447
ret = <optimized out>
pd = 0x7ff7ff3760
out = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {547059703808, 2088960, 547061786968, 549621544800, 549616417536, 17, 547059638272, 547061788960, 547059638272, 0, 547061787056,
6884071060424157774, 0, 6884071057888411162, 0, 0, 0, 0, 0, 0, 0, 0}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0,
canceltype = 0}}}
not_first_call = 0
#23 0x0000007ff7b770cc [PAC] in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone3.S:76
No locals.
(gdb)

Expected results:

Firefox working.
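The four instruction words gdb prints around the faulting PC are worth reading closely: the trap is taken on `autia1716`, a Pointer Authentication (PAC) instruction in the A64 HINT space that authenticates the return address in x17 using x16 as the modifier under the instruction key A; the `[PAC]` marker gdb puts on frames #2 to #23 means their return addresses carried PAC bits that gdb had to strip. On a core implementing FEAT_FPAC a failed authentication faults on the `aut*` instruction itself, which Linux delivers as SIGILL; on a core without FPAC the instruction would instead hand back a pointer with corrupted upper bits that faults only when used, and on a core without PAC at all the HINT executes as a NOP. The following decoder is an added example, not code from the bug report, from Firefox, libgcc or gdb; it handles the two encodings that appear in the quoted disassembly (HINT-space PAC instructions and register MOV) and is fed the four words from the report as a constructed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum insn_kind { INSN_UNKNOWN, INSN_MOV_REG, INSN_HINT_OTHER, INSN_PAC };

struct decoded {
    enum insn_kind kind;
    int authenticates;    /* 1 for AUT* forms: these fault under FEAT_FPAC */
    char text[40];        /* mnemonic in gdb's spelling, e.g. "autia1716" */
    const char *operands; /* for PAC hints: pointer, modifier and key used */
};

/* PAC-related HINT numbers (CRm:op2 = bits 11..5 of the word), per the A64 ISA. */
static const struct { unsigned hint; const char *name; int aut; const char *ops; } pac_hints[] = {
    {  7, "xpaclri",   0, "strip PAC bits from x30" },
    {  8, "pacia1716", 0, "sign x17, modifier x16, key IA" },
    { 10, "pacib1716", 0, "sign x17, modifier x16, key IB" },
    { 12, "autia1716", 1, "authenticate x17, modifier x16, key IA" },
    { 14, "autib1716", 1, "authenticate x17, modifier x16, key IB" },
    { 24, "paciaz",    0, "sign x30, modifier zero, key IA" },
    { 25, "paciasp",   0, "sign x30, modifier sp, key IA" },
    { 26, "pacibz",    0, "sign x30, modifier zero, key IB" },
    { 27, "pacibsp",   0, "sign x30, modifier sp, key IB" },
    { 28, "autiaz",    1, "authenticate x30, modifier zero, key IA" },
    { 29, "autiasp",   1, "authenticate x30, modifier sp, key IA" },
    { 30, "autibz",    1, "authenticate x30, modifier zero, key IB" },
    { 31, "autibsp",   1, "authenticate x30, modifier sp, key IB" },
};

struct decoded decode_a64(uint32_t w)
{
    struct decoded d;
    memset(&d, 0, sizeof d);
    d.operands = "";
    snprintf(d.text, sizeof d.text, ".inst 0x%08x", (unsigned)w);

    /* HINT #n: bits 31..12 = 0xd5032, CRm:op2 in bits 11..5, Rt = 0b11111. */
    if ((w & 0xfffff01fu) == 0xd503201fu) {
        unsigned hint = (w >> 5) & 0x7f;
        d.kind = INSN_HINT_OTHER;
        if (hint == 0) {
            snprintf(d.text, sizeof d.text, "nop");
            return d;
        }
        for (size_t i = 0; i < sizeof pac_hints / sizeof pac_hints[0]; i++) {
            if (pac_hints[i].hint == hint) {
                d.kind = INSN_PAC;
                d.authenticates = pac_hints[i].aut;
                d.operands = pac_hints[i].ops;
                snprintf(d.text, sizeof d.text, "%s", pac_hints[i].name);
                return d;
            }
        }
        snprintf(d.text, sizeof d.text, "hint #%u", hint);
        return d;
    }

    /* MOV Xd, Xm is an alias of ORR Xd, XZR, Xm (shifted register, LSL #0):
     * 1 01 01010 00 0 Rm 000000 11111 Rd  ->  mask 0xffe0ffe0, value 0xaa0003e0. */
    if ((w & 0xffe0ffe0u) == 0xaa0003e0u) {
        unsigned rm = (w >> 16) & 0x1f, rd = w & 0x1f;
        d.kind = INSN_MOV_REG;
        if (rm == 31)
            snprintf(d.text, sizeof d.text, "mov x%u, xzr", rd);
        else
            snprintf(d.text, sizeof d.text, "mov x%u, x%u", rd, rm);
    }
    return d;
}

/* Does the word decode to exactly this mnemonic text? */
int decodes_to(uint32_t w, const char *expected)
{
    struct decoded d = decode_a64(w);
    return strcmp(d.text, expected) == 0;
}

/* Index of the first authenticating PAC instruction in a window of words, or -1. */
int first_auth_index(const uint32_t *words, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        struct decoded d = decode_a64(words[i]);
        if (d.kind == INSN_PAC && d.authenticates)
            return (int)i;
    }
    return -1;
}

/* The four words gdb printed around the faulting PC in the report (constructed input). */
static const uint32_t report_window[] = { 0xaa1503f1, 0xaa1403f0, 0xd503219f, 0xaa1103f5 };

int report_window_fault_index(void)
{
    return first_auth_index(report_window, 4);
}

int main(void)
{
    int fault = report_window_fault_index();
    for (size_t i = 0; i < 4; i++) {
        struct decoded d = decode_a64(report_window[i]);
        printf("%s 0x%08x  %-12s %s\n", (int)i == fault ? "=>" : "  ",
               (unsigned)report_window[i], d.text, d.operands);
    }
    return 0;
}
```

Run as-is it reproduces gdb's listing with the `=>` marker on `autia1716`, and `first_auth_index` is the check to run over any disassembly window from a SIGILL on an armv8.3-A machine: if the marked word is an `aut*` HINT, the signal is a PAC authentication failure rather than an unsupported instruction, which points at a return address or modifier that did not match what was signed, not at a CPU feature gap.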

The Bugbug bot thinks this bug should belong to the 'Core::Gecko Profiler' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Gecko Profiler
Product: Firefox → Core

The severity field is not set for this bug.
:canova, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(canaltinova)

It seems like we are crashing inside libgcc, which is weird. Can you reproduce this consistently? Also, it's crashing inside ThreadLocalNativeStorage::get; it doesn't sound like it's related to the profiler.

Severity: -- → S3
Flags: needinfo?(canaltinova)
Priority: -- → P3

I can report that under debian:sid running under qemu, Firefox 133.0 would still crash, but not always: sometimes on startup and sometimes when opening tabs, with the console showing:
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
minidump analyzer failed: while reading minidump
[Parent 17586, IPC I/O Parent] WARNING: process 17959 exited on signal 4: file ./ipc/chromium/src/base/process_util_posix.cc:335
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
minidump analyzer failed: while reading minidump
[Parent 17586, IPC I/O Parent] WARNING: process 17981 exited on signal 4: file ./ipc/chromium/src/base/process_util_posix.cc:335
