Closed Bug 963790 (fuzzing-layers-linux) Opened 6 years ago Closed 6 years ago

Tracking: Run Faulty without parent process crashes on desktop Linux with GL layers and e10s

Categories

(Core :: Graphics: Layers, defect)

x86_64
Linux
defect
Not set

Tracking


RESOLVED FIXED
mozilla30

People

(Reporter: bjacob, Assigned: bjacob)

References

(Depends on 4 open bugs, Blocks 1 open bug, )

Details

Attachments

(7 files, 2 obsolete files)

As a first step towards bug 898117, let us first get to the point where we run with Faulty without Gfx IPC crashes on desktop Linux. Need to enable GL layers to get IPC action.

For background on Faulty, refer to bug 777067.

Attaching a slightly fixed version of Faulty suitable for desktop Linux.

Instructions:
 1) apply Faulty patch to mozilla-central
 2) build with --enable-ipc-fuzzer
 3) run with these environment variables defined:
        FAULTY_PICKLE=1
        FAULTY_PARENT=1
        FAULTY_CHILDREN=1
        FAULTY_ENABLE_LOGGING=1
        FAULTY_PROBABILITY=10

Notes:
 1) FAULTY_PROBABILITY=10   <-- the lower the number, the tougher the fuzzing. Christoph typically recommends 1000. Using 10 currently allows me to get Gfx IPC crashes right away, all the time.
 2) Note that FAULTY_CHILDREN=1 is needed for Faulty not to reject the currently only Firefox process (thus a 'child' process as well as the 'parent' process).
Depends on: 963795
Depends on: 963799
Depends on: 963812
Depends on: 963974
Depends on: 963976
Depends on: 967132
Depends on: ipc-big-arrays
Depends on: 967176
Depends on: 967184
Depends on: 967320
Took that to bug 967320.
This also avoids a lot of crashes in debug builds, that are nontrivial to avoid. See the conversation on bug 963978.
Btw, new instructions:

0. Apply Christoph's Faulty patch, and apply on top of that the patches here. Make a DEBUG build.
1. run with the tabs.remote pref set to true, to get separate parent and child processes.
2. as said above, run with layers.acceleration.force-enabled
3. do not set FAULTY_CHILDREN=1  (not wanted anymore thanks to step 1.). So here are the environment variables to be used:
        FAULTY_PICKLE=1
        FAULTY_PARENT=1
        FAULTY_ENABLE_LOGGING=1
        FAULTY_PROBABILITY=10
Or any other probability.
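A launcher script for the updated procedure (steps 0 to 3 above, with the environment variables carried over from the first set of instructions), added here as an example; it is not one of the bug's attachments and not part of Faulty itself. It assumes a tree already built with --enable-ipc-fuzzer, located in $OBJDIR with the binary at dist/bin/firefox, and sets the two prefs through a throwaway profile's user.js. The e10s pref is written as `tabs.remote`, exactly as the comment names it, so check that spelling against your tree. A probability that is not an integer is rejected instead of being passed through to Faulty.

```shell
#!/bin/sh
# Added example launcher for a desktop Linux Faulty run; not code from the
# bug or from Faulty. Assumptions: $OBJDIR holds a build configured with
# --enable-ipc-fuzzer, the binary is at $OBJDIR/dist/bin/firefox, and the
# prefs below are the ones the bug's comments name (pref spelling of
# "tabs.remote" is taken from the comment, not verified against a tree).

OBJDIR="${OBJDIR:-./obj-ff-faulty}"
PROFILE_DIR="${PROFILE_DIR:-/tmp/faulty-profile}"

# Prefs for the throwaway profile: e10s on (step 1) so that parent and
# child are separate processes, and forced GL layers (step 2) so that the
# layers IPC protocols actually carry traffic.
faulty_user_js() {
    cat <<'EOF'
user_pref("tabs.remote", true);
user_pref("layers.acceleration.force-enabled", true);
EOF
}

# Environment for Faulty as in the updated instructions: FAULTY_CHILDREN is
# deliberately absent (step 3), since e10s gives a real parent/child split.
# $1 is the probability; lower means more aggressive mutation. Default 10,
# as used in the bug; 1000 is the gentler value mentioned in the notes.
faulty_env() {
    prob="${1:-10}"
    case "$prob" in
        ''|*[!0-9]*)
            echo "FAULTY_PROBABILITY must be an integer, got '$prob'" >&2
            return 1 ;;
    esac
    printf 'FAULTY_PICKLE=1\nFAULTY_PARENT=1\nFAULTY_ENABLE_LOGGING=1\nFAULTY_PROBABILITY=%s\n' "$prob"
}

# Create the profile, write the prefs, export the environment and launch.
# Only called when the script is invoked as: ./faulty-run.sh run [probability]
faulty_run() {
    prob="${1:-10}"
    env_lines=$(faulty_env "$prob") || return 1
    mkdir -p "$PROFILE_DIR"
    faulty_user_js > "$PROFILE_DIR/user.js"
    for kv in $env_lines; do
        export "$kv"
    done
    # -no-remote keeps this from attaching to an already running Firefox.
    exec "$OBJDIR/dist/bin/firefox" -no-remote -profile "$PROFILE_DIR"
}

if [ "${1:-}" = "run" ]; then
    faulty_run "${2:-10}"
fi
```

Usage: `./faulty-run.sh run` for the probability used in this bug, or `./faulty-run.sh run 1000` for the gentler setting; the Faulty log goes wherever FAULTY_ENABLE_LOGGING sends it in your patched tree. Deleting $PROFILE_DIR between runs gives each run a fresh profile.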
Depends on: 967327
Depends on: 967328
Depends on: 967330
Depends on: 967522
Depends on: 967528
No longer depends on: 967528
Depends on: 967648
Depends on: 967756
Depends on: 967762
Depends on: 967797
Depends on: 967808
I'm using this patch to get naughty children to stay alive longer, to annoy the parent more. Otherwise they crash before they have time to do many naughty things.
This allows children to survive when the parent decides to kill them for rude behavior, allowing them to stress the parent longer.

Anyway, while killing children is nice, it's not something that we would rely on for security. For starters, we currently ship browsers where child and parent are in the same process, and KillProcess just fails in this case.
Depends on: 967820
Depends on: 967824
Depends on: 967989
Depends on: 967995
Depends on: 968001
Depends on: 968004
Depends on: 968168
Depends on: 968191
Depends on: 968194
Depends on: 968204
Depends on: 968244
No longer depends on: 967132
Depends on: 967132
No longer depends on: 967320
Alias: fuzzing-layers-linux
Bugs filed below this point are to be considered part of the "second round" of fuzzing.
Depends on: 969517
Depends on: 969549
Depends on: 970584
Depends on: 970699
Depends on: 971189
Depends on: 971262
Bugs filed below this point are to be considered part of the "third round" of fuzzing.
Depends on: 971678
Depends on: 971695
Depends on: 972682
Depends on: 973880
Depends on: 974353
Depends on: 974356
Disabling the dom/plugins reftests, which were stalling, I have a 100% complete run of all reftests, without any crash or ASan error!

REFTEST FINISHED: Slowest test took 34477ms (http://localhost:60033/1392778213147/355/font-matching/font-stretch-1.html)
REFTEST INFO | Result summary:
REFTEST INFO | Successful: 8151 (8132 pass, 19 load only)
REFTEST INFO | Unexpected: 2955 (1963 unexpected fail, 3 unexpected pass, 989 unexpected asserts, 0 unexpected fixed asserts, 0 failed load, 0 exception)
REFTEST INFO | Known problems: 343 (179 known fail, 11 known asserts, 82 random, 71 skipped, 0 slow)
REFTEST INFO | Total canvas count = 8

Time to start landing patches....
Depends on: 968872
Already landed: 11 patches out of 25.
With the landing of bug 968825 and 970747 we are now at: 18 patches landed out of 25.
With the landing of bug 968823 and 974356 we are now at: 23 patches landed out of 25.
...and with bug 968244 landed, now at 24 patches landed out of 25 ....
...and with bug 974353 landed, we are finally done here! Thanks everybody!
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Assignee: nobody → bjacob
Target Milestone: --- → mozilla30
For the record (and to link to from the wiki page), patch I used to turn on remote IPC (e10s).
Attachment #8370320 - Attachment is obsolete: true
Summary: Tracking: Run Faulty without gfx ipc crashes on desktop Linux with GL layers → Tracking: Run Faulty without parent process crashes on desktop Linux with GL layers and e10s