Bug 963790 (fuzzing-layers-linux)

Tracking: Run Faulty without parent process crashes on desktop Linux with GL layers and e10s

RESOLVED FIXED in mozilla30

Status: RESOLVED FIXED (5 years ago)

People

(Reporter: bjacob, Assigned: bjacob)

Tracking

(Depends on: 4 bugs)

Version: Trunk
Target Milestone: mozilla30
Platform: x86_64 Linux
Points: ---

Firefox Tracking Flags: (Not tracked)


Attachments: 7 attachments, 2 obsolete attachments

Created attachment 8365340 [details] [diff] [review]
Christoph Diehl's Faulty patch, with minor fixes for Desktop Linux

As a first step towards bug 898117, let us get to the point where we run with Faulty without Gfx IPC crashes on desktop Linux. Need to enable GL layers to get IPC action.

For background on Faulty, refer to bug 777067.

Attaching a slightly fixed version of Faulty suitable for desktop Linux.

Instructions:
 1) apply Faulty patch to mozilla-central
 2) build with --enable-ipc-fuzzer
 3) run with these environment variables defined:
        FAULTY_PICKLE=1
        FAULTY_PARENT=1
        FAULTY_CHILDREN=1
        FAULTY_ENABLE_LOGGING=1
        FAULTY_PROBABILITY=10

Notes:
 1) FAULTY_PROBABILITY=10   <-- the lower the number, the tougher the fuzzing. Christoph typically recommends 1000. Using 10 currently allows me to get Gfx IPC crashes right away, all the time.
 2) Note that FAULTY_CHILDREN=1 is needed so that Faulty does not reject the single Firefox process currently running (which is thus a 'child' process as well as the 'parent' process).
Updated (Assignee, 5 years ago):
Depends on: 963795, 963799, 963812, 963974, 963976, 963978, 967132, 967167, 967176, 967184
Comment 1 (Assignee, 5 years ago)
Created attachment 8369694 [details] [diff] [review]
Fuzz only gfx/layers protocols (applies on top of faulty_v8.diff)
Attachment #8365340 - Attachment is obsolete: true
Updated (Assignee, 5 years ago): Depends on: 967320
Comment 2 (Assignee, 5 years ago)
Took that to bug 967320.
Comment 3 (Assignee, 5 years ago)
Created attachment 8369773 [details] [diff] [review]
Make ipc's DCHECK assertion macro non-fatal

This also avoids a lot of crashes in debug builds, that are nontrivial to avoid. See the conversation on bug 963978.
Comment 4 (Assignee, 5 years ago)
Btw, new instructions:

0. Apply Christoph's Faulty patch, and apply on top of that the patches here. Make a DEBUG build.
1. run with the tabs.remote pref set to true, to get separate parent and child processes.
2. as said above, run with layers.acceleration.force-enabled
3. do not set FAULTY_CHILDREN=1  (not wanted anymore thanks to step 1.). So here are the environment variables to be used:
        FAULTY_PICKLE=1
        FAULTY_PARENT=1
        FAULTY_ENABLE_LOGGING=1
        FAULTY_PROBABILITY=10
Or any other probability.
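The build-and-run procedure from the description and from comment 4, tied together in one POSIX shell driver. This is an added example, not code from the bug, from Faulty or from mozilla-central. It assumes things the bug does not state: that the tree already carries Faulty plus the patches attached here, that the build directory has the usual layout with the binary at $OBJDIR/dist/bin/firefox, that "tabs.remote" in comment 4 means the pref browser.tabs.remote, and that the probability check below is this script's own sanity check rather than anything Faulty does itself.

```shell
#!/bin/sh
# Added example (not from bug 963790, Faulty or mozilla-central): drive the
# Faulty setup from the description and comment 4 on a desktop Linux build.
# Assumptions not stated in the bug: tree already patched, objdir layout
# $OBJDIR/dist/bin/firefox, and "tabs.remote" == browser.tabs.remote.

# mozconfig for comment 4: a DEBUG build with the IPC fuzzer compiled in
# (--enable-ipc-fuzzer is the flag named in the description).  Prints the path.
write_mozconfig() {
    path="$1"
    cat > "$path" <<'EOF'
ac_add_options --enable-debug
ac_add_options --enable-ipc-fuzzer
EOF
    printf '%s\n' "$path"
}

# Profile prefs for comment 4: e10s, so parent and child are separate
# processes and FAULTY_CHILDREN=1 is no longer needed, and forced GL layers,
# so the gfx/layers IPC protocols actually carry traffic to mutate.
# browser.tabs.remote is an assumed expansion of "tabs.remote" in the bug.
write_user_js() {
    profile="$1"
    mkdir -p "$profile"
    cat > "$profile/user.js" <<'EOF'
user_pref("browser.tabs.remote", true);
user_pref("layers.acceleration.force-enabled", true);
EOF
    printf '%s\n' "$profile/user.js"
}

# Our own sanity check, not Faulty's: the bug describes the probability as
# "lower is tougher" (10 for instant crashes, 1000 recommended), so an empty
# value, non-digits or 0 are invalid settings rather than harsher ones.
check_probability() {
    case "$1" in
        ''|*[!0-9]*|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Launch the parent with exactly the comment-4 environment: mutate pickled
# messages, in the parent, with logging, at the chosen probability.
run_faulty() {
    objdir="$1"; profile="$2"; prob="${3:-10}"
    check_probability "$prob" || { echo "bad FAULTY_PROBABILITY: $prob" >&2; return 2; }
    write_user_js "$profile" >/dev/null
    FAULTY_PICKLE=1 FAULTY_PARENT=1 FAULTY_ENABLE_LOGGING=1 FAULTY_PROBABILITY="$prob" \
        "$objdir/dist/bin/firefox" -no-remote -profile "$profile"
}

# Usage: FAULTY_RUN=1 ./faulty-run.sh /path/to/objdir /tmp/faulty-profile 10
if [ -n "${FAULTY_RUN:-}" ]; then
    run_faulty "$@"
fi
```

The launch is guarded behind FAULTY_RUN so the file can also be sourced just for its helpers; write_mozconfig is run once before building, the rest per fuzzing session.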
Updated (Assignee, 5 years ago):
Depends on: 967327, 967328, 967330, 967522, 967528
No longer depends on: 967528
Depends on: 967648, 967756, 967762, 967797, 967808
Comment 5 (Assignee, 5 years ago)
Created attachment 8370315 [details] [diff] [review]
Make assertions non-fatal in child processes

I'm using this patch to get naughty children to stay alive longer, to annoy the parent more. Otherwise they crash before they have time to do many naughty things.
Comment 6 (Assignee, 5 years ago)
Created attachment 8370319 [details] [diff] [review]
Don't kill naughty child processes

This allows children to survive when the parent decides to kill them for rude behavior, allowing them to stress the parent longer.

Anyway, while killing children is nice, it's not something that we would rely on for security. For starters, we currently ship browsers where child and parent are in the same process, and KillProcess just fails in this case.
Comment 7 (Assignee, 5 years ago)
Created attachment 8370320 [details] [diff] [review]
Preferences to enable IPC layers and enable remote-IPC on desktop (useful to run reftest/mochitest with Faulty)
Updated (Assignee, 5 years ago):
Depends on: 967820, 967824, 967989, 967995, 968001, 968004, 968168, 968191, 968194, 968204, 968244
No longer depends on: 967132
Depends on: 967132
No longer depends on: 967320
Alias: fuzzing-layers-linux
Comment 8 (Assignee, 5 years ago)
Created attachment 8372296 [details] [diff] [review]
Force non-optimized build of gfx/layers
Bugs filed below this point are to be considered part of the "second round" of fuzzing.
Updated (Assignee, 5 years ago):
Depends on: 969517, 969549, 970584, 970699, 971189, 971262
Bugs filed below this point are to be considered part of the "third round" of fuzzing.
Updated (Assignee, 5 years ago):
Depends on: 971678, 971695, 972682, 973880, 974353, 974356
Disabling the dom/plugins reftests, which were stalling, I have a 100% complete run of all reftests, without any crash or ASan error!

REFTEST FINISHED: Slowest test took 34477ms (http://localhost:60033/1392778213147/355/font-matching/font-stretch-1.html)
REFTEST INFO | Result summary:
REFTEST INFO | Successful: 8151 (8132 pass, 19 load only)
REFTEST INFO | Unexpected: 2955 (1963 unexpected fail, 3 unexpected pass, 989 unexpected asserts, 0 unexpected fixed asserts, 0 failed load, 0 exception)
REFTEST INFO | Known problems: 343 (179 known fail, 11 known asserts, 82 random, 71 skipped, 0 slow)
REFTEST INFO | Total canvas count = 8

Time to start landing patches....
Updated (Assignee, 5 years ago): Depends on: 968872
Already landed: 11 patches out of 25.
With the landing of bug 968825 and 970747 we are now at: 18 patches landed out of 25.
With the landing of bug 968823 and 974356 we are now at: 23 patches landed out of 25.
...and with bug 968244 landed, now at 24 patches landed out of 25 ....
...and with bug 974353 landed, we are finally done here! Thanks everybody!
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Updated (Assignee, 5 years ago):
Assignee: nobody → bjacob
Target Milestone: --- → mozilla30
Created attachment 8384829 [details] [diff] [review]
Preferences to enable remote IPC

For the record (and to link to from the wiki page), patch I used to turn on remote IPC (e10s).
Attachment #8370320 - Attachment is obsolete: true
Created attachment 8384830 [details] [diff] [review]
Preferences to enable GL layers
Updated (Assignee, 5 years ago):
Summary: Tracking: Run Faulty without gfx ipc crashes on desktop Linux with GL layers → Tracking: Run Faulty without parent process crashes on desktop Linux with GL layers and e10s