#24040 closed defect (fixed)

TorBrowser crashes at riot.im/app

Reported by: user Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords: tbb-crash, TorBrowserTeam201712
Cc: whonix-devel@…, adrelanos Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by arma)

TorBrowser crashes with this dmesg output:

[  442.940993] Chrome_ChildThr[1759]: segfault at 0 ip 000055676947f225 sp 00007e4ef8cfe470 error 6 in plugin-container[55676947a000+1b000]

Steps to reproduce:

  1. go to https://riot.im/app
  2. login to account (can be new account)
  3. wait about 15 minutes

At least these versions affected:

  • TorBrowser Linux 7.0.7
  • TorBrowser Linux 7.0.8
  • TorBrowser Linux 7.5a6

Child Tickets

Change History (25)

comment:1 Changed 19 months ago by arma

Description: modified (diff)

comment:2 Changed 19 months ago by gk

Priority: MediumHigh
Severity: NormalMajor
Status: newneeds_information

Do you adjust the security slider or some other settings or does this happen for you with an "untouched" Tor Browser (too)?

comment:3 Changed 19 months ago by gk

Here is what I did:

1) I extracted a clean, new Tor Browser 7.0.8 on a Debian testing machine
2) I Created an account at https://riot.im/app and logged in
3) I waited about an hour but I still don't see any crash

Do you have other steps I might have missed? Am I supposed to enable desktop notifications?

comment:4 Changed 19 months ago by user

I'm testing using an untouched torbrowser as downloaded by Whonix's TorBrowser Downloader.
I did all testing in qubes-whonix, so the environment is based on debian jessie.
I'll see if I can reproduce it on debian testing...

Last edited 19 months ago by user (previous) (diff)

comment:5 Changed 19 months ago by user

I manually downloaded Torbrowser 7.0.8 from https://www.torproject.org/download/download-easy.html.en

I ran it in debian-8-oldstable, debian-9-stable, and debian-10-testing VMs.

I'm unable to reproduce the issue.

So far it only happens in the whonix version.

comment:6 in reply to:  5 Changed 19 months ago by arma

Replying to user:

So far it only happens in the whonix version.

Intriguing!

What does Whonix change about Tor Browser?

comment:7 Changed 19 months ago by arma

Summary: TorBrowser crashes at riot.im/appTorBrowser under Whonix crashes at riot.im/app

comment:8 Changed 19 months ago by user

  1. debian-8 bridges with outbound firewall restrictions --> no riot.im crash
  2. reinstall and then update whonix workstation VM --> riot.im still crashes
  3. copy torbrowser from whonix VM to debian-9 VM, redo connection setup --> no riot.im crash

Regarding desktop notifications, the choice doesn't matter.

Regarding the difference between whonix torbrowser vs non-whonix, all I know is the whonix version is preconfigured for a tor instance that runs in a separate whonix gateway VM (which is why I had to redo the connection setup in (3)).

Last edited 19 months ago by user (previous) (diff)

comment:9 in reply to:  8 Changed 19 months ago by gk

Priority: HighMedium
Severity: MajorNormal

Replying to user:

  1. debian-8 bridges with outbound firewall restrictions --> no riot.im crash
  2. reinstall and then update whonix workstation VM --> riot.im still crashes
  3. copy torbrowser from whonix VM to debian-9 VM, redo connection setup --> no riot.im crash

Regarding desktop notifications, the choice doesn't matter.

Regarding the difference between whonix torbrowser vs non-whonix, all I know is the whonix version is preconfigured for a tor instance that runs in a separate whonix gateway VM (which is why I had to redo the connection setup in (3)).

You could try to find out what is happening with running Tor Browser under gdb with debug symbols, see: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#Usinggdb

Seems not to be a Tor Browser bug per se.

comment:10 Changed 19 months ago by gk

Cc: whonix-devel@… adrelanos added

Hey Whonix folks, can you help with debugging this problem? (see my last comment for a start) Thanks.

comment:11 Changed 19 months ago by user

I was able to reproduce this using a stock downloaded torbrowser 7.0.8. on debian-8-oldstable and also debian-10-buster, but only if I login to my customized riot.im account. No whonix involved.

After reinstalling qubes-whonix-gw, I can no longer produce crashes using fresh riot.im accounts.

Last edited 19 months ago by user (previous) (diff)

comment:12 Changed 19 months ago by cypherpunks

Try to reproduce it with some CPU load in background. It's a race condition my browser hits with every modern site.

comment:13 Changed 19 months ago by user

I followed the instructions here to launch torbrowser with debugging:

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#Usinggdb

then logged into my riot.im account on torbrowser-7.0.8 running on debian-10-buster, and then waited about 15 minutes.

Session 1 crash:

[Thread 0x7fffc0dcb700 (LWP 3381) exited]
[New Thread 0x7fffc0dcb700 (LWP 3382)]

Thread 68 "IndexedDB #2" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffc0dcb700 (LWP 3382)]
mozilla::dom::quota::QuotaObject::DisableQuotaCheck (this=0x0)
    at /home/debian/build/tor-browser/dom/quota/ActorsParent.cpp:2714
2714	/home/debian/build/tor-browser/dom/quota/ActorsParent.cpp: No such file or directory.

Session 2 crash:

[Thread 0x7fffbbff3700 (LWP 3622) exited]
[New Thread 0x7fffbbff3700 (LWP 3623)]

Thread 69 "IndexedDB #3" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffbbff3700 (LWP 3623)]
mozilla::dom::quota::QuotaObject::DisableQuotaCheck (this=0x0)
    at /home/debian/build/tor-browser/dom/quota/ActorsParent.cpp:2714
2714	/home/debian/build/tor-browser/dom/quota/ActorsParent.cpp: No such file or directory.

Last edited 19 months ago by user (previous) (diff)

comment:14 Changed 19 months ago by gk

Keywords: tbb-crash added
Priority: MediumHigh
Severity: NormalMajor
Summary: TorBrowser under Whonix crashes at riot.im/appTorBrowser crashes at riot.im/app

Interesting. Could you give us the full backtrace (i.e. more stack frames)? What is happening with Tor Browser 7.0.6? (see: https://archive.torproject.org/tor-package-archive/torbrowser/7.0.6/)

comment:15 Changed 19 months ago by user

Backtrace for crash on torbrowser-7.0.8 on debian-10-buster:

[New Thread 0x7fffc1889700 (LWP 5455)]
[New Thread 0x7fffb6a77700 (LWP 5456)]
[New Thread 0x7fffce9ff700 (LWP 5457)]
[New Thread 0x7fffc04fe700 (LWP 5458)]
[Thread 0x7fffc04fe700 (LWP 5458) exited]
[Thread 0x7fffc1889700 (LWP 5455) exited]
[Thread 0x7fffce9ff700 (LWP 5457) exited]
[New Thread 0x7fffce9ff700 (LWP 5459)]
[New Thread 0x7fffc1889700 (LWP 5460)]

Thread 76 "IndexedDB #4" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffc1889700 (LWP 5460)]
mozilla::dom::quota::QuotaObject::DisableQuotaCheck (this=0x0)
    at /home/debian/build/tor-browser/dom/quota/ActorsParent.cpp:2714
2714	/home/debian/build/tor-browser/dom/quota/ActorsParent.cpp: No such file or directory.
(gdb) backtrace
#0  mozilla::dom::quota::QuotaObject::DisableQuotaCheck (this=0x0)
    at /home/debian/build/tor-browser/dom/quota/ActorsParent.cpp:2714
#1  0x00007ffff39cf5ad in mozilla::dom::indexedDB::(anonymous namespace)::DatabaseConnection::DisableQuotaChecks (
    this=0x7fffcac91580) at /home/debian/build/tor-browser/dom/indexedDB/ActorsParent.cpp:11355
#2  mozilla::dom::indexedDB::(anonymous namespace)::Database::StartTransactionOp::DoDatabaseWork (this=0x7fffcac79040, 
    aConnection=0x7fffcac91580) at /home/debian/build/tor-browser/dom/indexedDB/ActorsParent.cpp:14927
#3  0x00007ffff39cf10e in mozilla::dom::indexedDB::(anonymous namespace)::TransactionDatabaseOperationBase::RunOnConnectionThread (this=this@entry=0x7fffcac79040) at /home/debian/build/tor-browser/dom/indexedDB/ActorsParent.cpp:23735
#4  0x00007ffff39cf28a in mozilla::dom::indexedDB::(anonymous namespace)::Database::StartTransactionOp::RunOnConnectionThread
    (this=0x7fffcac79040) at /home/debian/build/tor-browser/dom/indexedDB/ActorsParent.cpp:14914
#5  0x00007ffff39c71b4 in mozilla::dom::indexedDB::(anonymous namespace)::TransactionDatabaseOperationBase::Run (
    this=0x7fffcac79040) at /home/debian/build/tor-browser/dom/indexedDB/ActorsParent.cpp:23906
#6  0x00007ffff28ca7b1 in nsThread::ProcessNextEvent (this=0x7fffcc480590, aMayWait=<optimized out>, aResult=0x7fffc1888ccf)
    at /home/debian/build/tor-browser/xpcom/threads/nsThread.cpp:1216
#7  0x00007ffff28e53b5 in NS_ProcessNextEvent (aThread=<optimized out>, aThread@entry=0x7fffcc480590, 
    aMayWait=aMayWait@entry=true) at /home/debian/build/tor-browser/xpcom/glue/nsThreadUtils.cpp:361
#8  0x00007ffff39b9e55 in mozilla::dom::indexedDB::(anonymous namespace)::ConnectionPool::ThreadRunnable::Run (
    this=0x7fffcc0aaca0) at /home/debian/build/tor-browser/dom/indexedDB/ActorsParent.cpp:13539
#9  0x00007ffff28ca7b1 in nsThread::ProcessNextEvent (this=0x7fffcc480590, aMayWait=<optimized out>, aResult=0x7fffc1888dff)
    at /home/debian/build/tor-browser/xpcom/threads/nsThread.cpp:1216
#10 0x00007ffff28e53b5 in NS_ProcessNextEvent (aThread=<optimized out>, aThread@entry=0x7fffcc480590, 
    aMayWait=aMayWait@entry=false) at /home/debian/build/tor-browser/xpcom/glue/nsThreadUtils.cpp:361
#11 0x00007ffff2bb0f81 in mozilla::ipc::MessagePumpForNonMainThreads::Run (this=0x7fffcc4085c0, aDelegate=0x7fffc70b9d50)
    at /home/debian/build/tor-browser/ipc/glue/MessagePump.cpp:338
#12 0x00007ffff2b81b1c in MessageLoop::RunHandler (this=<optimized out>)
    at /home/debian/build/tor-browser/ipc/chromium/src/base/message_loop.cc:225
#13 MessageLoop::Run (this=this@entry=0x7fffc70b9d50)
    at /home/debian/build/tor-browser/ipc/chromium/src/base/message_loop.cc:205
#14 0x00007ffff28c953f in nsThread::ThreadFunc (aArg=0x7fffcc480590)
    at /home/debian/build/tor-browser/xpcom/threads/nsThread.cpp:467
#15 0x00007ffff7f96ec7 in _pt_root (arg=0x7fffcc0630c0)
    at /home/debian/build/tor-browser/nsprpub/pr/src/pthreads/ptthread.c:216
#16 0x00007ffff7bc3494 in start_thread (arg=0x7fffc1889700) at pthread_create.c:333
#17 0x00007ffff6c51abf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

comment:16 Changed 19 months ago by user

I cannot reproduce the crash on 7.0.6 on debian-10-buster ( tor-browser-linux64-7.0.6_en-US.tar.xz ).

I've been logged in to my riot.im account over an hour.

Last edited 19 months ago by user (previous) (diff)

comment:17 Changed 19 months ago by gk

Thanks, that's helpful. Two further questions for you:

1) I guess you are using Tor Browser in its default mode. Do you see in your profile directory (under Browser/TorBrowser/Data/Browser/profile.default) a storage/default/<protocol>+++<domain>^privateBrowsingId=1&firstPartyDomain=<domain> one with "domain" pointing to riot.im (or basically any entry at all)

2) If you go to about:preferences#privacy and uncheck the "Always use private browsing mode" option behind the "Use custom settings for history" one and restart, does the Tor Browser still crash for you (note: this should enable disk activity which is not recommended; it's just for better understanding this bug)?

comment:18 Changed 19 months ago by user

1) This file exists:

tor-browser_en-US-7.0.8/Browser/TorBrowser/Data/Browser/profile.default/storage/default/https+++riot.im^privateBrowsingId=1&firstPartyDomain=riot.im

2) After unchecking and restarting, it appears the file above is deleted, however the setting in preferences automatically goes back to checked. (Security slider = lowest)

Leaving it checked, I log in and later it crashes.

Edit: Okay, the checkbox stayed off (this time?)... testing...

Last edited 19 months ago by user (previous) (diff)

comment:19 Changed 19 months ago by user

7.0.9:

checkbox on -> crash within 15 minutes
checkbox off -> no crash after an hour

Last edited 19 months ago by user (previous) (diff)

comment:20 Changed 19 months ago by gk

Keywords: TorBrowserTeam201711 added
Status: needs_informationassigned

That might addressed by ESR 52.5.0, keeping it on our radar.

comment:21 Changed 19 months ago by cypherpunks

  Problem Event Name:	APPCRASH
  Application Name:	firefox.exe
  Application Version:	52.5.0.6242
  Application Timestamp:	00000000
  Fault Module Name:	xul.dll
  Fault Module Version:	52.5.0.6242
  Fault Module Timestamp:	00000000
  Exception Code:	c0000005
  Exception Offset:	015f7624
  OS Version:	6.1.7601.2.1.0.256.1

why does it create that storage?

Last edited 19 months ago by cypherpunks (previous) (diff)

comment:22 in reply to:  19 Changed 18 months ago by gk

Status: assignedneeds_information

Replying to user:

7.0.9:

checkbox on -> crash within 15 minutes
checkbox off -> no crash after an hour

Hey user! Could you test whether the following testbuild fixes your problem?

https://people.torproject.org/~gk/testbuilds/tor-browser-linux64-24040_en-US.tar.xz
https://people.torproject.org/~gk/testbuilds/tor-browser-linux64-24040_en-US.tar.xz.asc

comment:23 Changed 18 months ago by gk

Moving tickets to December 2017

comment:24 Changed 18 months ago by gk

Keywords: TorBrowserTeam201712 added; TorBrowserTeam201711 removed

Moving tickets to December 2017, for realz.

comment:25 Changed 18 months ago by gk

Resolution: fixed
Status: needs_informationclosed

That should be fixed with 7.0.11 and 7.5a9. If not, please reopen.

Note: See TracTickets for help on using tickets.