TorBrowser crashes at riot.im/app

TorBrowser crashes with this dmesg output:

[  442.940993] Chrome_ChildThr[1759]: segfault at 0 ip 000055676947f225 sp 00007e4ef8cfe470 error 6 in plugin-container[55676947a000+1b000]

Steps to reproduce:

1. go to https://riot.im/app
2. login to account (can be new account)
3. wait about 15 minutes

At least these versions affected:

• TorBrowser Linux 7.0.7
• TorBrowser Linux 7.0.8
• TorBrowser Linux 7.5a6

Trac:
Username: user

added TorBrowserTeam201712 component::applications/tor browser owner::tbb-team priority::high reporter::user resolution::fixed severity::major status::closed tbb-crash type::defect labels

Trac:
Description: TorBrowser crashes with this dmesg output:

[ 442.940993] Chrome_ChildThr[1759]: segfault at 0 ip 000055676947f225 sp 00007e4ef8cfe470 error 6 in plugin-container[55676947a000+1b000]

Steps to reproduce:

1. go to https://riot.im/app
2. login to account (can be new account)
3. wait about 15 minutes

At least these versions affected:

• TorBrowser Linux 7.0.7
• TorBrowser Linux 7.0.8
• TorBrowser Linux 7.5a6

to

TorBrowser crashes with this dmesg output:

[  442.940993] Chrome_ChildThr[1759]: segfault at 0 ip 000055676947f225 sp 00007e4ef8cfe470 error 6 in plugin-container[55676947a000+1b000]

Steps to reproduce:

1. go to https://riot.im/app
2. login to account (can be new account)
3. wait about 15 minutes

At least these versions affected:

• TorBrowser Linux 7.0.7
• TorBrowser Linux 7.0.8
• TorBrowser Linux 7.5a6

Do you adjust the security slider or some other settings or does this happen for you with an "untouched" Tor Browser (too)?

Trac:
Status: new to needs_information
Severity: Normal to Major
Priority: Medium to High

Here is what I did:

1. I extracted a clean, new Tor Browser 7.0.8 on a Debian testing machine
2. I Created an account at https://riot.im/app and logged in
3. I waited about an hour but I still don't see any crash

Do you have other steps I might have missed? Am I supposed to enable desktop notifications?

I'm testing using an untouched torbrowser as downloaded by Whonix's TorBrowser Downloader. I did all testing in qubes-whonix, so the environment is based on debian jessie. I'll see if I can reproduce it on debian testing...

Trac:
Username: user

I manually downloaded Torbrowser 7.0.8 from https://www.torproject.org/download/download-easy.html.en

I ran it in debian-8-oldstable, debian-9-stable, and debian-10-testing VMs.

I'm unable to reproduce the issue.

So far it only happens in the whonix version.

Trac:
Username: user

Replying to user:

So far it only happens in the whonix version.

Intriguing!

What does Whonix change about Tor Browser?

Trac:
Summary: TorBrowser crashes at riot.im/app to TorBrowser under Whonix crashes at riot.im/app

1. debian-8 bridges with outbound firewall restrictions --> no riot.im crash
2. reinstall and then update whonix workstation VM --> riot.im still crashes
3. copy torbrowser from whonix VM to debian-9 VM, redo connection setup --> no riot.im crash

Regarding desktop notifications, the choice doesn't matter.

Regarding the difference between whonix torbrowser vs non-whonix, all I know is the whonix version is preconfigured for a tor instance that runs in a separate whonix gateway VM (which is why I had to redo the connection setup in (3)).

Trac:
Username: user

Replying to user:

1. debian-8 bridges with outbound firewall restrictions --> no riot.im crash
2. reinstall and then update whonix workstation VM --> riot.im still crashes
3. copy torbrowser from whonix VM to debian-9 VM, redo connection setup --> no riot.im crash

Regarding desktop notifications, the choice doesn't matter.

Regarding the difference between whonix torbrowser vs non-whonix, all I know is the whonix version is preconfigured for a tor instance that runs in a separate whonix gateway VM (which is why I had to redo the connection setup in (3)).

You could try to find out what is happening with running Tor Browser under gdb with debug symbols, see: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#Usinggdb

Seems not to be a Tor Browser bug per se.

Trac:
Severity: Major to Normal
Priority: High to Medium

Hey Whonix folks, can you help with debugging this problem? (see my last comment for a start) Thanks.

Trac:
Cc: N/A to whonix-devel@whonix.org, adrelanos

I was able to reproduce this using a stock downloaded torbrowser 7.0.8. on debian-8-oldstable and also debian-10-buster, but only if I login to my customized riot.im account. No whonix involved.

After reinstalling qubes-whonix-gw, I can no longer produce crashes using fresh riot.im accounts.

Trac:
Username: user

Try to reproduce it with some CPU load in background. It's a race condition my browser hits with every modern site.

I followed the instructions here to launch torbrowser with debugging: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#Usinggdb then logged into my riot.im account on torbrowser-7.0.8 running on debian-10-buster, and then waited about 15 minutes.

Session 1 crash:

[Thread 0x7fffc0dcb700 (LWP 3381) exited]
[New Thread 0x7fffc0dcb700 (LWP 3382)]

Thread 68 "IndexedDB #2" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffc0dcb700 (LWP 3382)]
mozilla::dom::quota::QuotaObject::DisableQuotaCheck (this=0x0)
    at /home/debian/build/tor-browser/dom/quota/ActorsParent.cpp:2714
2714	/home/debian/build/tor-browser/dom/quota/ActorsParent.cpp: No such file or directory.

Session 2 crash:

[Thread 0x7fffbbff3700 (LWP 3622) exited]
[New Thread 0x7fffbbff3700 (LWP 3623)]

Thread 69 "IndexedDB #3" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffbbff3700 (LWP 3623)]
mozilla::dom::quota::QuotaObject::DisableQuotaCheck (this=0x0)
    at /home/debian/build/tor-browser/dom/quota/ActorsParent.cpp:2714
2714	/home/debian/build/tor-browser/dom/quota/ActorsParent.cpp: No such file or directory.

Trac:
Username: user

Interesting. Could you give us the full backtrace (i.e. more stack frames)? What is happening with Tor Browser 7.0.6? (see: https://archive.torproject.org/tor-package-archive/torbrowser/7.0.6/)

Trac:
Severity: Normal to Major
Priority: Medium to High
Summary: TorBrowser under Whonix crashes at riot.im/app to TorBrowser crashes at riot.im/app
Keywords: N/A deleted, tbb-crash added

Backtrace for crash on torbrowser-7.0.8 on debian-10-buster:

[New Thread 0x7fffc1889700 (LWP 5455)]
[New Thread 0x7fffb6a77700 (LWP 5456)]
[New Thread 0x7fffce9ff700 (LWP 5457)]
[New Thread 0x7fffc04fe700 (LWP 5458)]
[Thread 0x7fffc04fe700 (LWP 5458) exited]
[Thread 0x7fffc1889700 (LWP 5455) exited]
[Thread 0x7fffce9ff700 (LWP 5457) exited]
[New Thread 0x7fffce9ff700 (LWP 5459)]
[New Thread 0x7fffc1889700 (LWP 5460)]

Thread 76 "IndexedDB #4" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffc1889700 (LWP 5460)]
mozilla::dom::quota::QuotaObject::DisableQuotaCheck (this=0x0)
    at /home/debian/build/tor-browser/dom/quota/ActorsParent.cpp:2714
2714	/home/debian/build/tor-browser/dom/quota/ActorsParent.cpp: No such file or directory.
(gdb) backtrace
#0  mozilla::dom::quota::QuotaObject::DisableQuotaCheck (this=0x0)
    at /home/debian/build/tor-browser/dom/quota/ActorsParent.cpp:2714
#1  0x00007ffff39cf5ad in mozilla::dom::indexedDB::(anonymous namespace)::DatabaseConnection::DisableQuotaChecks (
    this=0x7fffcac91580) at /home/debian/build/tor-browser/dom/indexedDB/ActorsParent.cpp:11355
#2  mozilla::dom::indexedDB::(anonymous namespace)::Database::StartTransactionOp::DoDatabaseWork (this=0x7fffcac79040, 
    aConnection=0x7fffcac91580) at /home/debian/build/tor-browser/dom/indexedDB/ActorsParent.cpp:14927
#3  0x00007ffff39cf10e in mozilla::dom::indexedDB::(anonymous namespace)::TransactionDatabaseOperationBase::RunOnConnectionThread (this=this@entry=0x7fffcac79040) at /home/debian/build/tor-browser/dom/indexedDB/ActorsParent.cpp:23735
#4  0x00007ffff39cf28a in mozilla::dom::indexedDB::(anonymous namespace)::Database::StartTransactionOp::RunOnConnectionThread
    (this=0x7fffcac79040) at /home/debian/build/tor-browser/dom/indexedDB/ActorsParent.cpp:14914
#5  0x00007ffff39c71b4 in mozilla::dom::indexedDB::(anonymous namespace)::TransactionDatabaseOperationBase::Run (
    this=0x7fffcac79040) at /home/debian/build/tor-browser/dom/indexedDB/ActorsParent.cpp:23906
#6  0x00007ffff28ca7b1 in nsThread::ProcessNextEvent (this=0x7fffcc480590, aMayWait=<optimized out>, aResult=0x7fffc1888ccf)
    at /home/debian/build/tor-browser/xpcom/threads/nsThread.cpp:1216
#7  0x00007ffff28e53b5 in NS_ProcessNextEvent (aThread=<optimized out>, aThread@entry=0x7fffcc480590, 
    aMayWait=aMayWait@entry=true) at /home/debian/build/tor-browser/xpcom/glue/nsThreadUtils.cpp:361
#8  0x00007ffff39b9e55 in mozilla::dom::indexedDB::(anonymous namespace)::ConnectionPool::ThreadRunnable::Run (
    this=0x7fffcc0aaca0) at /home/debian/build/tor-browser/dom/indexedDB/ActorsParent.cpp:13539
#9  0x00007ffff28ca7b1 in nsThread::ProcessNextEvent (this=0x7fffcc480590, aMayWait=<optimized out>, aResult=0x7fffc1888dff)
    at /home/debian/build/tor-browser/xpcom/threads/nsThread.cpp:1216
#10 0x00007ffff28e53b5 in NS_ProcessNextEvent (aThread=<optimized out>, aThread@entry=0x7fffcc480590, 
    aMayWait=aMayWait@entry=false) at /home/debian/build/tor-browser/xpcom/glue/nsThreadUtils.cpp:361
#11 0x00007ffff2bb0f81 in mozilla::ipc::MessagePumpForNonMainThreads::Run (this=0x7fffcc4085c0, aDelegate=0x7fffc70b9d50)
    at /home/debian/build/tor-browser/ipc/glue/MessagePump.cpp:338
#12 0x00007ffff2b81b1c in MessageLoop::RunHandler (this=<optimized out>)
    at /home/debian/build/tor-browser/ipc/chromium/src/base/message_loop.cc:225
#13 MessageLoop::Run (this=this@entry=0x7fffc70b9d50)
    at /home/debian/build/tor-browser/ipc/chromium/src/base/message_loop.cc:205
#14 0x00007ffff28c953f in nsThread::ThreadFunc (aArg=0x7fffcc480590)
    at /home/debian/build/tor-browser/xpcom/threads/nsThread.cpp:467
#15 0x00007ffff7f96ec7 in _pt_root (arg=0x7fffcc0630c0)
    at /home/debian/build/tor-browser/nsprpub/pr/src/pthreads/ptthread.c:216
#16 0x00007ffff7bc3494 in start_thread (arg=0x7fffc1889700) at pthread_create.c:333
#17 0x00007ffff6c51abf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Trac:
Username: user

I cannot reproduce the crash on 7.0.6 on debian-10-buster ( tor-browser-linux64-7.0.6_en-US.tar.xz ).

I've been logged in to my riot.im account over an hour.

Trac:
Username: user

Thanks, that's helpful. Two further questions for you:

1. I guess you are using Tor Browser in its default mode. Do you see in your profile directory (under Browser/TorBrowser/Data/Browser/profile.default) a storage/default/<protocol>+++<domain>^privateBrowsingId=1&firstPartyDomain=<domain> one with "domain" pointing to riot.im (or basically any entry at all)

2. If you go to about:preferences#privacy and uncheck the "Always use private browsing mode" option behind the "Use custom settings for history" one and restart, does the Tor Browser still crash for you (note: this should enable disk activity which is not recommended; it's just for better understanding this bug)?

1. This file exists:

tor-browser_en-US-7.0.8/Browser/TorBrowser/Data/Browser/profile.default/storage/default/https+++riot.im^privateBrowsingId=1&firstPartyDomain=riot.im

2. After unchecking and restarting, it appears the file above is deleted, however the setting in preferences automatically goes back to checked. (Security slider = lowest)

Leaving it checked, I log in and later it crashes.

Edit: Okay, the checkbox stayed off (this time?)... testing...

Trac:
Username: user

7.0.9: checkbox on -> crash within 15 minutes checkbox off -> no crash after an hour

Trac:
Username: user

That might addressed by ESR 52.5.0, keeping it on our radar.

Trac:
Keywords: N/A deleted, TorBrowserTeam201711 added
Status: needs_information to assigned

  Problem Event Name:	APPCRASH
  Application Name:	firefox.exe
  Application Version:	52.5.0.6242
  Application Timestamp:	00000000
  Fault Module Name:	xul.dll
  Fault Module Version:	52.5.0.6242
  Fault Module Timestamp:	00000000
  Exception Code:	c0000005
  Exception Offset:	015f7624
  OS Version:	6.1.7601.2.1.0.256.1

why does it create that storage?

Replying to user:

7.0.9: checkbox on -> crash within 15 minutes checkbox off -> no crash after an hour

Hey user! Could you test whether the following testbuild fixes your problem?

https://people.torproject.org/~gk/testbuilds/tor-browser-linux64-24040_en-US.tar.xz https://people.torproject.org/~gk/testbuilds/tor-browser-linux64-24040_en-US.tar.xz.asc

Trac:
Status: assigned to needs_information

Moving tickets to December 2017

Moving tickets to December 2017, for realz.

Trac:
Keywords: TorBrowserTeam201711 deleted, TorBrowserTeam201712 added

That should be fixed with 7.0.11 and 7.5a9. If not, please reopen.

Trac:
Status: needs_information to closed
Resolution: N/A to fixed

closed

moved to tpo/applications/tor-browser#24040 (closed)