Closed Bug 981949 Opened 11 years ago Closed 11 years ago

reftest crash due to sqlite calling ftruncate (syscall 93) in sandboxed content process

Categories

(Testing :: Reftest, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(blocking-b2g:1.4+, firefox29 wontfix, firefox30 fixed, firefox31 fixed, b2g-v1.4 fixed, b2g-v2.0 fixed)

RESOLVED FIXED
mozilla31

People

(Reporter: vichen, Assigned: jld)

Attachments

(2 files)

Blocks: B2GRT
Environment: B2G/OOP
Mark floats/other-float-outside-rule-3-right-2.html as skip-if(B2G)
Did this crash happen reliably, or just once? This test doesn't seem like a test that would have anything specific to B2G or to running OOP.
Flags: needinfo?(vichen)
(In reply to David Baron [:dbaron] (needinfo? me) (UTC-8) from comment #2)
> Did this crash happen reliably, or just once?
>
> This test doesn't seem like a test that would have anything specific to B2G
> or to running OOP.

These crashes/hangs do not happen reliably. Something like bug 970911: in the first failing test run it timed out waiting for reftest-wait, but in the other test runs it just passes or hits another failure type (e.g. a difference in the scroll bar).
Flags: needinfo?(vichen)
Another hang: TEST-UNEXPECTED-FAIL | http://10.247.24.96:8888/tests/layout/reftests/flexbox/flexbox-paint-ordering-3.html | application timed out after 330 seconds with no output
Another hang:
REFTEST TEST-START | http://10.247.24.96:8888/tests/layout/reftests/font-face/src-list-local-full.html
REFTEST TEST-LOAD | http://10.247.24.96:8888/tests/layout/reftests/font-face/src-list-local-full.html | 5033 / 10343 (48%)
REFTEST TEST-LOAD | http://10.247.24.96:8888/tests/layout/reftests/font-face/src-list-local-full-ref.html | 5033 / 10343 (48%)
Killed
TEST-UNEXPECTED-FAIL | http://10.247.24.96:8888/tests/layout/reftests/font-face/src-list-local-full.html | application timed out after 330 seconds with no output
INFO | automation.py | Application ran for: 2:04:45.782132
INFO | zombiecheck | Reading PID log: /tmp/tmpvBmbm9pidlog
checking for crashes in '/data/local/tests/profile/minidumps'
WARNING | leakcheck | refcount logging is off, so leaks can't be detected!
TEST-UNEXPECTED-FAIL | http://10.247.24.96:8888/tests/layout/reftests/flexbox/flexbox-inlinecontent-horiz-1a.xhtml | application timed out after 330 seconds with no output
Crash on try server
[Child 741] ###!!! ABORT: constructor for actor failed: file PLayerTransactionChild.cpp, line 134
TEST-UNEXPECTED-FAIL | http://10.0.2.2:8888/tests/layout/reftests/bugs/501627-1.html | application timed out after 330 seconds with no output
PROCESS-CRASH | http://10.0.2.2:8888/tests/layout/reftests/bugs/501627-1.html | application crashed [@ mozalloc_abort(char const*)]
Bug 907145 - Intermittent mailnews/news/test/unit/test_server.js | test failed (with xpcshell return code: 1) | application crashed [@ mozalloc_abort(char const*)] (ASSERTION: unknown error, but don't alert user.: 'errorID != UNKNOWN_ERROR')
Bug 909474 - Intermittent test_bug460636.js | test failed (with xpcshell return code: 1) | application crashed [@ mozalloc_abort(char const*)] after "ASSERTION: error setting up imap url"
Bug 924622 - Intermittent PROCESS-CRASH | application crashed [@ mozalloc_abort(char const*)] after "ABORT: mismatched CxxStackFrame ctor/dtors"
Bug 932601 - Intermittent ABORT: bad Shmem: file ./PImageBridgeParent.cpp, line 737 | test_browserElement_oop_CookiesNotThirdParty.html | application terminated with exit code 256 | application crashed [@ mozalloc_abort(char const*)] |
Bug 965527 - Intermittent B2G desktop Shutdown | application crashed [@ mozalloc_abort(char const*)] after "###!!! ABORT: file resource://gre/modules/AsyncShutdown.jsm"
Bug 974213 - Intermittent PROCESS-CRASH | test_dataChannel_basicAudio.html | application crashed [@ mozalloc_abort(char const*)] | application crashed [@ libc-2.15.so + 0xe8403]
Bug 903256 - Intermittent test_dataChannel_basicAudioVideoCombined.html | Exited with code 11 during test run | application crashed [@ mozalloc_abort(char const*)]
Return code: 1
03-13 04:07:38.274 741 741 I Gecko : [Child 741] ###!!! ABORT: constructor for actor failed: file PLayerTransactionChild.cpp, line 134
03-13 04:07:38.284 741 741 E Gecko : mozalloc_abort: [Child 741] ###!!! ABORT: constructor for actor failed: file PLayerTransactionChild.cpp, line 134
AttributeError: GzipFile instance has no attribute '__exit__'
Return code: 1
Test on local

04-10 06:40:18.015: E/Sandbox(355): seccomp sandbox violation: pid 355, syscall 93, args 50 354304 354304 1074071492 50 1108822848. Killing process.

355 is content process
Log from reftest:
REFTEST TEST-END | http://10.247.24.96:8888/tests/layout/reftests/css-placeholder/input/placeholder-type-change-2.html
REFTEST TEST-START | http://10.247.24.96:8888/tests/layout/reftests/css-placeholder/input/css-display.html
REFTEST TEST-LOAD | http://10.247.24.96:8888/tests/layout/reftests/css-placeholder/input/css-display.html | 4191 / 10845 (38%)
REFTEST TEST-PASS | http://10.247.24.96:8888/tests/layout/reftests/css-placeholder/input/css-display.html | image comparison (==)
REFTEST INFO | Loading a blank page
REFTEST TEST-END | http://10.247.24.96:8888/tests/layout/reftests/css-placeholder/input/css-display.html
REFTEST TEST-START | http://10.247.24.96:8888/tests/layout/reftests/css-placeholder/input/css-opacity.html
REFTEST TEST-LOAD | http://10.247.24.96:8888/tests/layout/reftests/css-placeholder/input/css-opacity.html | 4192 / 10845 (38%)
TEST-UNEXPECTED-FAIL | http://10.247.24.96:8888/tests/layout/reftests/css-placeholder/input/css-opacity.html | application timed out after 330 seconds with no output
INFO | automation.py | Application ran for: 1:56:00.028157
INFO | zombiecheck | Reading PID log: /tmp/tmpA8UafIpidlog
checking for crashes in '/data/local/tests/profile/minidumps'
PROCESS-CRASH | http://10.247.24.96:8888/tests/layout/reftests/css-placeholder/input/css-opacity.html | application crashed [@ libc.so + 0xc7d0]
Crash dump filename: /tmp/tmpnY53bq/189b91b8-3879-cf99-02cd063d-1d0a9f43.dmp
Operating system: Android 0.0.0 Linux 2.6.29-00302-g586075d #31 Mon Feb 24 10:28:23 PST 2014 armv7l Android/full/generic:4.0.4.0.4.0.4/OPENMASTER/eng.vichen.20140408.155251:eng/test-keys
CPU: arm 0 CPUs
Crash reason: SIGSYS
Crash address: 0x400507d0

Thread 10 (crashed)
 0  libc.so + 0xc7d0
    r4 = 0x00000032 r5 = 0x42174b40 r6 = 0x00056800 r7 = 0x0000005d r8 = 0x00056800 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000800 sp = 0x43cff688 lr = 0x420f73a1 pc = 0x400507d0
    Found by: given as instruction pointer in context
 1  libnss3.so!unixTruncate [sqlite3.c : 27281 + 0xb]
    sp = 0x43cff6a8 pc = 0x420f74c5
    Found by: stack scanning
 2  libxul.so!xTruncate [TelemetryVFS.cpp : 210 + 0x5]
    r4 = 0x43314808 r6 = 0x000005c5 r7 = 0xc1ffba3a r8 = 0x00056800 r9 = 0x00000000 sp = 0x43cff6c0 pc = 0x407ee94f
    Found by: call frame info
 3  libnss3.so!sqlite3OsTruncate [sqlite3.c : 15624 + 0x5]
    r4 = 0x43314808 r5 = 0x00000000 r6 = 0x000000ad r7 = 0x00000800 r8 = 0x00056800 r9 = 0x00000000 sp = 0x43cff708 pc = 0x420d17d5
    Found by: call frame info
 4  libnss3.so!pager_truncate [sqlite3.c : 42077 + 0x9]
    r4 = 0x43314808 r5 = 0x00000000 r6 = 0x000000ad r7 = 0x00000800 r8 = 0x00056800 r9 = 0x00000000 sp = 0x43cff710 pc = 0x420da3dd
    Found by: call frame info
 5  libnss3.so!pager_end_transaction [sqlite3.c : 41553 + 0x3]
    r4 = 0x43314808 r5 = 0x00000000 r6 = 0x00000000 r7 = 0x00000001 r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 sp = 0x43cff748 pc = 0x420da5b9
    Found by: call frame info
 6  libnss3.so!sqlite3BtreeCommitPhaseTwo [sqlite3.c : 45822 + 0x9]
    r4 = 0x43314808 r5 = 0x43bbf748 r6 = 0x43b2c3a8 r7 = 0x00000000 r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 sp = 0x43cff778 pc = 0x420ed19f
    Found by: call frame info
 7  libnss3.so!sqlite3_backup_step [sqlite3.c : 59844 + 0x7]
    r4 = 0x43cffa18 r5 = 0x43314808 r6 = 0x00000800 r7 = 0x000000ad r8 = 0x000000ad r9 = 0x00000000 r10 = 0x00000000 sp = 0x43cff790 pc = 0x420f5295
    Found by: call frame info
 8  libnss3.so!sqlite3Step [sqlite3.c : 60039 + 0x3]
    r4 = 0x0000000c r5 = 0x43bbf748 r6 = 0x43313c08 r7 = 0x43e7e168 r8 = 0x00000000 r9 = 0x44149820 r10 = 0x43d19b48 fp = 0x43cffa18 sp = 0x43cff800 pc = 0x4211b7fd
    Found by: call frame info
 9  libnss3.so!sqlite3_step [sqlite3.c : 65863 + 0x5]
    r4 = 0x43e7e168 r5 = 0x43313c08 r6 = 0x00000000 r7 = 0x00000000 r8 = 0x43cffb88 r9 = 0x00000000 r10 = 0x00000000 fp = 0x418490bc sp = 0x43cffb70 pc = 0x4210685f
    Found by: call frame info
10  libnss3.so!sqlite3_exec [sqlite3.c : 95520 + 0x9]
    r4 = 0x43313c08 r5 = 0x00000000 r6 = 0x00000000 r7 = 0x00000000 r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 fp = 0x418490bc sp = 0x43cffc88 pc = 0x42106a09
    Found by: call frame info
11  libxul.so!mozilla::storage::Connection::executeSql(char const*) [mozStorageConnection.cpp : 1017 + 0x3]
    r4 = 0x438037c0 r5 = 0x41847fe0 r6 = 0x43cffcf0 r7 = 0x00000000 r8 = 0xa47e6739 r9 = 0x000005c5 r10 = 0x4184915f fp = 0x418490bc sp = 0x43cffce8 pc = 0x407ec6a7
    Found by: call frame info
12  libxul.so!mozilla::storage::Connection::ExecuteSimpleSQL(nsACString_internal const&) [mozStorageConnection.cpp : 1359 + 0x7]
    r4 = 0x43cffd4c r5 = 0x438037c0 r6 = 0x00064800 r7 = 0x00000000 r8 = 0x418490ea r9 = 0x00000000 r10 = 0x4184915f fp = 0x418490bc sp = 0x43cffd48 pc = 0x407ec7e3
    Found by: call frame info
13  libxul.so!mozilla::net::Seer::VacuumDatabase() [Seer.cpp : 2612 + 0x1]
    r4 = 0x43966de0 r5 = 0x43cffd6c r6 = 0x00064800 r7 = 0x00000000 r8 = 0x418490ea r9 = 0x00000000 r10 = 0x4184915f fp = 0x418490bc sp = 0x43cffd68 pc = 0x40616fd5
    Found by: call frame info
14  libxul.so!mozilla::net::Seer::Cleanup() [Seer.cpp : 2599 + 0x5]
    r4 = 0x43966de0 r5 = 0x41849159 r6 = 0x00064800 r7 = 0x00000000 r8 = 0x418490ea r9 = 0x00000000 r10 = 0x4184915f fp = 0x418490bc sp = 0x43cffd88 pc = 0x40619355
    Found by: call frame info
15  libxul.so!mozilla::net::SeerCleanupEvent::Run() [Seer.cpp : 2274 + 0x9]
    r4 = 0x41e73540 r5 = 0x00000000 r6 = 0x433f20b0 r7 = 0x00000000 r8 = 0x43cffe67 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000001 sp = 0x43cffe10 pc = 0x40619389
    Found by: call frame info
16  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 694 + 0x5]
    r4 = 0x433f2080 r5 = 0x00000000 r6 = 0x433f20b0 r7 = 0x00000000 r8 = 0x43cffe67 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000001 sp = 0x43cffe18 pc = 0x405eb427
    Found by: call frame info
17  libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp : 263 + 0xb]
    r4 = 0x00000000 r5 = 0x434e1820 r6 = 0x43b73c50 r7 = 0x00000000 r8 = 0x42178974 r9 = 0x00000001 r10 = 0x00100000 fp = 0x00000001 sp = 0x43cffe60 pc = 0x405bab15
    Found by: call frame info
18  libxul.so!mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) [MessagePump.cpp : 307 + 0x7]
    r4 = 0x43b73c40 r5 = 0x434e1820 r6 = 0x43b73c50 r7 = 0x00000000 r8 = 0x42178974 r9 = 0x00000001 r10 = 0x00100000 fp = 0x00000001 sp = 0x43cffe70 pc = 0x4072d7f5
    Found by: call frame info
19  libxul.so!MessageLoop::RunInternal() [message_loop.cc : 226 + 0x5]
    r4 = 0x434e1820 r5 = 0x434e1820 r6 = 0x00000000 r7 = 0x0000b560 r8 = 0x42178974 r9 = 0x00000001 r10 = 0x00100000 fp = 0x00000001 sp = 0x43cffe98 pc = 0x4072145d
    Found by: call frame info
20  libxul.so!MessageLoop::Run() [message_loop.cc : 219 + 0x5]
    r4 = 0x434e1820 r5 = 0x434e1820 r6 = 0x00000000 r7 = 0x0000b560 r8 = 0x42178974 r9 = 0x00000001 r10 = 0x00100000 fp = 0x00000001 sp = 0x43cffea0 pc = 0x407214db
    Found by: call frame info
21  libxul.so!nsThread::ThreadFunc(void*) [nsThread.cpp : 308 + 0x5]
    r4 = 0x433f2080 r5 = 0x434e1820 r6 = 0x00000000 r7 = 0x0000b560 r8 = 0x42178974 r9 = 0x00000001 r10 = 0x00100000 fp = 0x00000001 sp = 0x43cffeb8 pc = 0x405eb96f
    Found by: call frame info
22  libnss3.so!_pt_root [ptthread.c : 212 + 0x5]
    r4 = 0x43961880 r5 = 0x00000000 r6 = 0x42178974 r7 = 0x0000b560 r8 = 0x42178974 r9 = 0x00000001 r10 = 0x00100000 fp = 0x00000001 sp = 0x43cffed0 pc = 0x420ce3c5
    Found by: call frame info
23  libc.so!__thread_entry [pthread.c : 217 + 0x6]
    r4 = 0x43cfff00 r5 = 0x420ce321 r6 = 0x43961880 r7 = 0x00000078 r8 = 0x420ce321 r9 = 0x43961880 r10 = 0x00100000 fp = 0x00000001 sp = 0x43cffef0 pc = 0x40056e4c
    Found by: call frame info
24  libc.so!pthread_create [pthread.c : 357 + 0xe]
    r4 = 0x43cfff00 r5 = 0x0000b560 r6 = 0xbef73c64 r7 = 0x00000078 r8 = 0x420ce321 r9 = 0x43961880 r10 = 0x00100000 fp = 0x00000001 sp = 0x43cfff00 pc = 0x4005699c
    Found by: call frame info
Bug 988100 has a similar symptom.
(In reply to Vincent Chen [:vichen] from comment #8)
> Test on local
>
> 04-10 06:40:18.015: E/Sandbox(355): seccomp sandbox violation: pid 355,
> syscall 93, args 50 354304 354304 1074071492 50 1108822848. Killing process.
>
> 355 is content process

jld, do you have any suggestions about this bug?
Flags: needinfo?(jld)
I don't see why we couldn't whitelist ftruncate. (I hope the network seer isn't opening the sqlite file directly, but that's outside the scope of this bug.) Also, this was first seen on 2014-03-10, so it would affect Gecko 30 / FxOS 1.4.
Assignee: nobody → jld
blocking-b2g: --- → 1.4?
Flags: needinfo?(jld)
Summary: Crash while doing reftests → reftest crash due to sqlite calling ftruncate (syscall 93) in sandboxed content process
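The sandbox log line and frame 0 of the crash dump quoted above describe the same event. As an added example (not code from this bug or from Mozilla), the following Python decodes the log line and cross-checks it against the minidump registers; the syscall table is a small subset of the ARM EABI numbering, and all function and variable names are this example's own.

```python
import re

# Subset of the ARM EABI syscall table; 93 is the number in this bug's log line.
ARM_EABI = {3: "read", 4: "write", 6: "close", 19: "lseek", 92: "truncate",
            93: "ftruncate", 118: "fsync", 148: "fdatasync"}
# Names of the leading arguments for calls this example knows how to decode.
SIGNATURES = {"ftruncate": ("fd", "length"), "fsync": ("fd",),
              "fdatasync": ("fd",), "close": ("fd",)}

VIOLATION = re.compile(r"seccomp sandbox violation: pid (\d+), syscall (\d+), "
                       r"args (\d+(?: \d+)*)\.")
REGISTER = re.compile(r"\b(r\d+|fp|sp|lr|pc) = (0x[0-9a-fA-F]+)")

# Both strings are copied from the comments in this bug.
LOG_LINE = ("04-10 06:40:18.015: E/Sandbox(355): seccomp sandbox violation: "
            "pid 355, syscall 93, args 50 354304 354304 1074071492 50 "
            "1108822848. Killing process.")
FRAME0 = ("r4 = 0x00000032 r5 = 0x42174b40 r6 = 0x00056800 r7 = 0x0000005d "
          "r8 = 0x00056800 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000800 "
          "sp = 0x43cff688 lr = 0x420f73a1 pc = 0x400507d0")

def parse_violation(line):
    """Return pid, syscall number/name and args from a sandbox log line, or None."""
    m = VIOLATION.search(line)
    if m is None:
        return None
    nr = int(m.group(2))
    return {"pid": int(m.group(1)), "nr": nr,
            "name": ARM_EABI.get(nr, "syscall_%d" % nr),
            "args": [int(a) for a in m.group(3).split()]}

def describe(v):
    """Render the call; the log prints six slots but only the leading ones are used."""
    names = SIGNATURES.get(v["name"])
    if names is None:  # unknown signature: show the raw argument slots
        return "%s(%s)" % (v["name"], ", ".join(map(str, v["args"])))
    return "%s(%s)" % (v["name"], ", ".join(
        "%s=%d" % pair for pair in zip(names, v["args"])))

def registers(frame_text):
    """Parse 'rN = 0x...' pairs from a minidump stack frame into a dict."""
    return {name: int(value, 16) for name, value in REGISTER.findall(frame_text)}

def same_syscall(v, regs):
    """ARM EABI passes the syscall number in r7, so the SIGSYS context should agree."""
    return regs.get("r7") == v["nr"]

if __name__ == "__main__":
    v = parse_violation(LOG_LINE)
    print(describe(v), "| r7 agrees:", same_syscall(v, registers(FRAME0)))
```
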
Blocking for 1.4.
blocking-b2g: 1.4? → 1.4+
Attachment #8405575 - Flags: review?(gdestuynder) → review+
Attachment #8405574 - Flags: review?(gdestuynder) → review+
Comment on attachment 8405575
Whitelist ftruncate on mozilla-aurora.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 1.4-seccomp
User impact if declined: App crashes on seccomp-enabled devices
Testing completed (on m-c, etc.): Tested locally; ran try.
Risk to taking this patch (and alternatives if risky): None; it simply adds system calls to the whitelist.
String or IDL/UUID changes made by this patch: None.
Attachment #8405575 - Flags: approval-mozilla-aurora?
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
Attachment #8405575 - Flags: approval-mozilla-aurora?