Firefox compiled with gcc has `about:newtab` crashing
Categories
(Core :: XPCOM, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr140 | --- | unaffected |
| firefox144 | + | fixed |
| firefox145 | + | fixed |
| firefox146 | + | fixed |
People
(Reporter: manuel, Assigned: sergesanspaille)
References
(Regression)
Details
(Keywords: regression)
Crash Data
Attachments
(3 files, 2 obsolete files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-beta+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-release+
|
Details | Review |
when compiling with gcc
https://github.com/emilio/mozconfigs/blob/80b5d3014ab2469accd7a491471d96bf2596455a/mozconfigs/gcc
export CC="/usr/bin/gcc"
export CXX="/usr/bin/g++"
export AS="/usr/bin/gcc"
My platform: Linux
I do get the
Gah. Your tab just crashed.
We can help!Choose Restore This Tab to reload the page.
page. I don't see the crash in about:crashes. I didn't encouter tabs crashing on other sites / about: pages.
Not sure what a good way of providing a stack trace would be.
|
Reporter | |
Updated•6 months ago
|
|
||
Comment 1•6 months ago
|
||
FWIW I can repro. I took a look and it seems like a miscompilation to me.
We're crashing when freeing an AutoTArray's mHdr, which shouldn't be freed because it's on the stack.
On initialization, according to GDB, instead of the expected mLength = 0, mCapacity = 8, mIsAutoBuf = 1, I see mLength = 8, mCapacity = 0, mIsAutoBuf = 0.
This is the relevant array fwiw: https://searchfox.org/firefox-main/rev/6cd61ea1ff39887da8f4dc1080a96c01f0c70ef8/layout/generic/nsBlockFrame.cpp#1358
And this is the state right after init, which is not good:
(rr) p iter.mStack.mAutoBuf
$20 = {mHdr = {mLength = 8, mCapacity = 0, mIsAutoArray = 0}, {
mStorage = '\000' <repeats 25 times>,
This is the relevant code which is fairly recent. Martin do you still build FF with GCC? If so you might want to route this along.
I can trivially reproduce this with the following mozconfig:
export CC="/usr/bin/gcc"
export CXX="/usr/bin/g++"
export AS="/usr/bin/gcc"
And GCC 15.2.1 20250813
|
|
||
Comment 2•6 months ago
|
||
Would be worth testing a debug build to see if the outcome is different...
|
||
Comment 3•6 months ago
|
||
Yes, Fedora builds Firefox with GCC (gcc-15.2.1-1.fc42.x86_64 on my system).
|
|
||
Comment 4•6 months ago
|
||
I can try to build latest trunk with it, Fedora builds releases only with GCC.
|
|
||
Updated•6 months ago
|
|
|
||
Updated•6 months ago
|
|
|
||
Updated•6 months ago
|
|
|
||
Comment 6•6 months ago
|
||
We see first crashes on Aug 19.
It looks related to this GCC update: https://bodhi.fedoraproject.org/updates/FEDORA-2025-483b46505e
https://koji.fedoraproject.org/koji/buildinfo?buildID=2787285
Built on Aug 09.
|
|
||
Updated•6 months ago
|
|
|
||
Updated•6 months ago
|
|
|
||
Comment 7•6 months ago
|
||
Downstream report - https://bugzilla.redhat.com/show_bug.cgi?id=2403472
|
|
||
Comment 8•6 months ago
|
||
Emilio, how do you reproduce it? Which distro? Can you share your .mozbuild? I can't reproduce.
Thanks.
|
|
||
Comment 10•6 months ago
|
||
Yes, I can reproduce it with the provided .mozconfig.
|
||
Comment 11•6 months ago
|
||
Basically only a "+1", but nonetheless: openSUSE is also building with GCC15 and we are also experiencing tab-crashes for new tabs.
|
|
||
Comment 12•6 months ago
•
|
||
Can't reproduce with opt+debug, looks like opt only. But I see that on Fedora 42 too / gcc-15.2.1-1.fc42.x86_64.
|
||
Updated•6 months ago
|
|
|
||
Comment 14•6 months ago
|
||
We have reports form Fedora only - looks related to Fedora provided GCC. This doesn't affects Mozilla official Linux builds.
|
|
Reporter | |
Comment 15•6 months ago
|
||
looks related to Fedora provided GCC
I'm on Archlinux, so seems like general GCC related bug not just Fedora provided GCC (not sure if that implied that you have patches on top of gcc)? Doesn't change the fact that Mozilla offical Linux builds aren't affected
|
||
Comment 16•6 months ago
|
||
[Tracking Requested - why for this release]:
See here in the comment:
https://lwn.net/Articles/1041915/
It impacts distro rebuild of Firefox.
Mike, Serge, I am sure you both love misscompilation bugs ;)
|
|
||
Comment 17•6 months ago
|
||
Looking at it right now.
|
||
Comment 19•6 months ago
|
||
Stable repro:
- (optional, if you want to generate the repro file yourself) pyinstrument -r html -o repro.html [any python script]
- wget https://bugzilla.redhat.com/attachment.cgi?id=2109364 -O repro.html
- firefox --profile /path/to/fresh/profile ./repro.html
- see crash
|
||
Comment 20•6 months ago
|
||
Copying crash signatures from duplicate bugs.
|
||
Updated•6 months ago
|
|
|
||
Comment 21•6 months ago
|
||
The bug is marked as tracked for firefox144 (release). However, the bug still isn't assigned.
:jstutte, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit BugBot documentation.
|
||
Comment 22•6 months ago
|
||
I'm experiencing the same problem on Exherbo Linux, adding the additional info since only GCC 15 has been mentioned here that I'm building Firefox with GCC 14.3.0 and I'm experiencing the crashes not only with the new tab but also when trying to use Citrix browser based-light version it is now impossible to launch a desktop session as a crash happens there as well. It was working before with Firefox 143.0.4 built with the same GCC 14.3.0.
|
|
||
Comment 23•6 months ago
|
||
Yeah so to be clear this looks to be a miscompilation of the code from bug 1984102 (which landed in 144).
|
Assignee | |
Comment 24•6 months ago
|
||
@emilio, can you confirm that the following patch fixes the miscompilation?
diff --git a/xpcom/ds/nsTArray.h b/xpcom/ds/nsTArray.h
index be6523301bc91..b3eb20afc5650 100644
--- a/xpcom/ds/nsTArray.h
+++ b/xpcom/ds/nsTArray.h
@@ -2972,7 +2972,7 @@ class MOZ_NON_MEMMOVABLE MOZ_GSL_OWNER AutoTArray : public nsTArray<E> {
char mStorage[sizeof(value_type) * N];
};
AutoBuffer() : mHdr{.mLength = 0, .mCapacity = N, .mIsAutoArray = true} {}
- ~AutoBuffer() {}
+ ~AutoBuffer() = default;
} mAutoBuf;
static_assert(offsetof(AutoBuffer, mStorage) == sizeof(nsTArrayHeader),
"Shouldn't have padding");
it does the trick for me, I'm double checking right now, but I'd like an other pair of eyes.
|
|
||
Comment 25•6 months ago
|
||
Confirmed that wfm locally as well (a bit baffling but...)
|
|
Assignee | |
Comment 26•6 months ago
|
||
This was not the case before due to a user-defined destructor. This
fixes the miscompilation by GCC 15.x, but I'm unsure if it was an actual
miscompilation or a consequence of us moving stuff around with memcpy
where it's actually UB to do so.
|
||
Updated•6 months ago
|
|
||
Comment 27•6 months ago
|
||
Kicked off patched build https://copr.fedorainfracloud.org/coprs/build/9693739, but that usually takes 20+ hours to complete. I'm sure @stransky will beat me to it with a proper build in koji (these usually take a few hours).
|
|
||
Updated•6 months ago
|
|
|
||
Updated•6 months ago
|
|
|
||
Updated•6 months ago
|
|
||
Updated•6 months ago
|
|
|
Assignee | |
Updated•6 months ago
|
|
||
Comment 28•6 months ago
|
||
The patch fixes the issue for several users who reported having the issue in Gentoo. Thanks!
|
||
Comment 29•6 months ago
|
||
|
||
Comment 30•6 months ago
|
||
| bugherder | ||
|
|
||
Comment 32•6 months ago
|
||
To add to comment 31, specifically, :sergesanspaille could you please add a beta and release uplift request here?
|
||
Comment 33•6 months ago
|
||
Probably esr140 too.
|
|
Assignee | |
Comment 34•6 months ago
|
||
This was not the case before due to a user-defined destructor. This
fixes the miscompilation by GCC 15.x, but I'm unsure if it was an actual
miscompilation or a consequence of us doing something UB with a
non-trivial type.
Original Revision: https://phabricator.services.mozilla.com/D268839
|
|
||
Updated•6 months ago
|
|
|
||
Comment 35•6 months ago
|
||
firefox-beta Uplift Approval Request
- User impact if declined: Without this patch GCC-15 miscompiles Firefox
- Code covered by automated testing: no
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: Build with GCC-15 in release mode, run Firefox and try to open a new tab, it shouldn't crash
- Risk associated with taking this patch: low
- Explanation of risk level: Validated manually in the original bug.
- String changes made/needed: no
- Is Android affected?: no
|
|
Assignee | |
Comment 36•6 months ago
|
||
This was not the case before due to a user-defined destructor. This
fixes the miscompilation by GCC 15.x, but I'm unsure if it was an actual
miscompilation or a consequence of us doing something UB with a
non-trivial type.
Original Revision: https://phabricator.services.mozilla.com/D268839
|
|
Assignee | |
Comment 37•6 months ago
|
||
I think esr140 is not affected, it contains the following instead: https://searchfox.org/firefox-main/rev/252c17dbf2c23e1923d408dbed32aa6925eb759a/xpcom/ds/nsTArray.h#3103
|
|
||
Comment 38•6 months ago
|
||
:sergesanspaille, please add a release uplift also when you have a moment
|
|
Assignee | |
Comment 39•6 months ago
|
||
This was not the case before due to a user-defined destructor. This
fixes the miscompilation by GCC 15.x, but I'm unsure if it was an actual
miscompilation or a consequence of us doing something UB with a
non-trivial type.
Original Revision: https://phabricator.services.mozilla.com/D268839
|
|
||
Updated•6 months ago
|
|
|
||
Comment 40•6 months ago
|
||
firefox-release Uplift Approval Request
- User impact if declined: GCC-15 building firefox leads to a non-functional browser
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: build with gcc-15, ruyn the browser, open new tab, should not crash
- Risk associated with taking this patch: low
- Explanation of risk level: tested on nightly
- String changes made/needed: nope
- Is Android affected?: no
|
|
Assignee | |
Comment 41•6 months ago
|
||
This was not the case before due to a user-defined destructor. This
fixes the miscompilation by GCC 15.x, but I'm unsure if it was an actual
miscompilation or a consequence of us doing something UB with a
non-trivial type.
Original Revision: https://phabricator.services.mozilla.com/D268839
|
|
||
Updated•5 months ago
|
|
||
Updated•5 months ago
|
|
|
||
Comment 42•5 months ago
|
||
| uplift | ||
|
|
Assignee | |
Updated•5 months ago
|
|
||
Updated•5 months ago
|
|
|
||
Updated•5 months ago
|
|
|
||
Updated•5 months ago
|
|
|
||
Updated•5 months ago
|
|
|
||
Comment 43•5 months ago
|
||
This is tracked for Fx144. I was planning on uplifting to release along with the planned Fx144 dot release.
:sergesanspaille, the release uplift request was cancelled. Can you restore the patch or comment on why it was cancelled?
|
|
||
Updated•5 months ago
|
|
|
||
Comment 44•5 months ago
|
||
That patch was reopened, I will uplift this to release before 144.0.2
|
|
||
Updated•5 months ago
|
|
|
||
Updated•5 months ago
|
|
|
||
Comment 45•5 months ago
|
||
| uplift | ||
|
|
||
Comment 47•5 months ago
|
||
Copying crash signatures from duplicate bugs.
Description
•