Opened 9 months ago

Closed 4 months ago

#28751 closed defect (wontfix)

TB 8.5a5 Sig 11 core dump on shutdown when compiled with Selfrando

Reported by: jb.1234abcd Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-crash
Cc: ahomescu Actual Points:
Parent ID: #23073 Points:
Reviewer: Sponsor:

Description

Arch Linux
tor-browser-linux64-8.5a5_en-US

Just opened e.g. a TB default home site https://www.torproject.org/
and then closed TB, and the core dump happened.
I repeated it twice. No other application was open (no memory stress).
So, we know that it is repeatable and it happens on TB close.
Unfortunately I did not have debug symbols installed.

Run 1:
$ coredumpctl gdb 3895

PID: 3895 (firefox.real)
UID: 1000 (jb)
GID: 1000 (jb)

Signal: 11 (SEGV)

Timestamp: Thu 2018-12-06 09:00:14 CET (30min ago)

Command Line: ./firefox.real --class Tor Browser -profile TorBrowser/Data/Browser/profile.default

Executable: /home/jb/tor-browser_en-US/Browser/firefox.real

Control Group: /user.slice/user-1000.slice/session-1.scope

Unit: session-1.scope

Slice: user-1000.slice

Session: 1

Owner UID: 1000 (jb)

Boot ID: c163b6107a7944a88616613c95230e2d

Machine ID: e464cf23e765494294ab3515a8e2efd0

Hostname: myhost

Storage: /var/lib/systemd/coredump/core.firefox\x2ereal.1000.c163b6107a7944a88616613c95230e2d.3895.1544083214000000.lz4
Message: Process 3895 (firefox.real) of user 1000 dumped core.


Stack trace of thread 3895:
#0 0x00007f79102b825f raise (libpthread.so.0)
#1 0x00007f79074829ef n/a (libxul.so)

GNU gdb (GDB) 8.2
...
Reading symbols from /home/jb/tor-browser_en-US/Browser/firefox.real...(no debugging symbols found)...done.
[New LWP 3895]
[New LWP 3906]
[New LWP 3909]
[New LWP 4371]
[New LWP 4482]
[New LWP 3901]
[New LWP 3902]
[New LWP 3910]
[New LWP 3943]
[New LWP 4100]
[New LWP 4267]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `./firefox.real --class Tor Browser -profile TorBrowser/Data/Browser/profile.def'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f79102b825f in raise () from /usr/lib/libpthread.so.0
[Current thread is 1 (Thread 0x7f790fc78b80 (LWP 3895))]
(gdb) bt
#0 0x00007f79102b825f in raise () at /usr/lib/libpthread.so.0
#1 0x00007f79074829ef in vpx_ssim_parms_8x8_sse2 () at /home/jb/tor-browser_en-US/Browser/libxul.so
#2 0x0000000000000400 in ()
#3 0x0000000000000000 in ()
(gdb)
(gdb) info reg
rax 0x0 0
rbx 0xb 11
rcx 0x7f79102b825f 140157939057247
rdx 0x0 0
rsi 0x7ffe0de72e20 140729131675168
rdi 0x2 2
rbp 0xb 0xb
rsp 0x7ffe0de72e20 0x7ffe0de72e20
r8 0x0 0
r9 0x7ffe0de72e20 140729131675168
r10 0x8 8
r11 0x246 582
r12 0x7ffe0de731b0 140729131676080
r13 0x7ffe0de73080 140729131675776
r14 0x7ffe0de731b0 140729131676080
r15 0x7f78ed3ea000 140157353107456
rip 0x7f79102b825f 0x7f79102b825f <raise+271>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
(gdb) thread apply all bt

Thread 11 (Thread 0x7f78c3b52700 (LWP 4267)):
#0 0x00007f790fe98c21 in poll () at /usr/lib/libc.so.6
#1 0x00007f78f7ee2673 in () at /usr/lib/libpulse.so.0
#2 0x00007f78f7ed3990 in pa_mainloop_poll () at /usr/lib/libpulse.so.0
#3 0x00007f78f7ed3fe0 in pa_mainloop_iterate () at /usr/lib/libpulse.so.0
#4 0x00007f78f7ed4091 in pa_mainloop_run () at /usr/lib/libpulse.so.0
#5 0x00007f78f7ee25ae in () at /usr/lib/libpulse.so.0
#6 0x00007f78f7c819fc in () at /usr/lib/pulseaudio/libpulsecommon-12.2.so
#7 0x00007f79102ada9d in start_thread () at /usr/lib/libpthread.so.0
#8 0x00007f790fea3b23 in clone () at /usr/lib/libc.so.6

Thread 10 (Thread 0x7f78c8efe700 (LWP 4100)):
#0 0x00007f790fe98c21 in poll () at /usr/lib/libc.so.6
#1 0x00007f78f7ee2673 in () at /usr/lib/libpulse.so.0
#2 0x00007f78f7ed3990 in pa_mainloop_poll () at /usr/lib/libpulse.so.0
#3 0x00007f78f7ed3fe0 in pa_mainloop_iterate () at /usr/lib/libpulse.so.0
#4 0x00007f78f7ed4091 in pa_mainloop_run () at /usr/lib/libpulse.so.0
#5 0x00007f78f7ee25ae in () at /usr/lib/libpulse.so.0
#6 0x00007f78f7c819fc in () at /usr/lib/pulseaudio/libpulsecommon-12.2.so
#7 0x00007f79102ada9d in start_thread () at /usr/lib/libpthread.so.0
#8 0x00007f790fea3b23 in clone () at /usr/lib/libc.so.6

Thread 9 (Thread 0x7f78f1bff700 (LWP 3943)):
#0 0x00007f790fe98c21 in poll () at /usr/lib/libc.so.6
#1 0x00007f78f7ee2673 in () at /usr/lib/libpulse.so.0
#2 0x00007f78f7ed3990 in pa_mainloop_poll () at /usr/lib/libpulse.so.0
#3 0x00007f78f7ed3fe0 in pa_mainloop_iterate () at /usr/lib/libpulse.so.0
#4 0x00007f78f7ed4091 in pa_mainloop_run () at /usr/lib/libpulse.so.0
#5 0x00007f78f7ee25ae in () at /usr/lib/libpulse.so.0
#6 0x00007f78f7c819fc in () at /usr/lib/pulseaudio/libpulsecommon-12.2.so
#7 0x00007f79102ada9d in start_thread () at /usr/lib/libpthread.so.0
#8 0x00007f790fea3b23 in clone () at /usr/lib/libc.so.6

Thread 8 (Thread 0x7f78fe5fe700 (LWP 3910)):
#0 0x00007f790fe9e4ed in syscall () at /usr/lib/libc.so.6
#1 0x00007f790587165a in () at /home/jb/tor-browser_en-US/Browser/libxul.so
#2 0x00007f78a730c080 in ()
--Type <RET> for more, q to quit, c to continue without paging--c
#3 0x00007f790bb47370 in () at /home/jb/tor-browser_en-US/Browser/libxul.so
#4 0x00007f78fe5fd6b0 in ()
#5 0x00007f78fe5fd560 in ()
#6 0x000000000000001c in ()
#7 0x00000000000076a2 in ()
#8 0x0000000007906d1d in ()
#9 0x00007f7904b6e60f in () at /home/jb/tor-browser_en-US/Browser/libxul.so
#10 0x0000000000000001 in ()
#11 0x0000000000000000 in ()

Thread 7 (Thread 0x7f790319f700 (LWP 3902)):
#0 0x00007f790fe98c21 in poll () at /usr/lib/libc.so.6
#1 0x00007f790e38bee0 in () at /usr/lib/libglib-2.0.so.0
#2 0x00007f790e38cf62 in g_main_loop_run () at /usr/lib/libglib-2.0.so.0
#3 0x00007f790e621c28 in () at /usr/lib/libgio-2.0.so.0
#4 0x00007f790e3553eb in () at /usr/lib/libglib-2.0.so.0
#5 0x00007f79102ada9d in start_thread () at /usr/lib/libpthread.so.0
#6 0x00007f790fea3b23 in clone () at /usr/lib/libc.so.6

Thread 6 (Thread 0x7f7909454700 (LWP 3901)):
#0 0x00007f790fe98c21 in poll () at /usr/lib/libc.so.6
#1 0x00007f790e38bee0 in () at /usr/lib/libglib-2.0.so.0
#2 0x00007f790e38bfce in g_main_context_iteration () at /usr/lib/libglib-2.0.so.0
#3 0x00007f790e38c022 in () at /usr/lib/libglib-2.0.so.0
#4 0x00007f790e3553eb in () at /usr/lib/libglib-2.0.so.0
#5 0x00007f79102ada9d in start_thread () at /usr/lib/libpthread.so.0
#6 0x00007f790fea3b23 in clone () at /usr/lib/libc.so.6

Thread 5 (Thread 0x7f78b3351700 (LWP 4482)):
#0 0x00007f790fe706a8 in nanosleep () at /usr/lib/libc.so.6
#1 0x00007f790fe9bd08 in usleep () at /usr/lib/libc.so.6
#2 0x00007f790837296a in vpx_ssim_parms_8x8_sse2 () at /home/jb/tor-browser_en-US/Browser/libxul.so
#3 0x00007f78a7352ca0 in ()
#4 0x00007f78b3351658 in ()
#5 0x00007f790fc3711d in () at /home/jb/tor-browser_en-US/Browser/libnspr4.so
#6 0x0000000000000000 in ()

Thread 4 (Thread 0x7f78ade26700 (LWP 4371)):
#0 0x00007f79102b8057 in recvmsg () at /usr/lib/libpthread.so.0
#1 0x00007f79073ea21a in () at /home/jb/tor-browser_en-US/Browser/libxul.so
#2 0x00007f790510fa43 in () at /home/jb/tor-browser_en-US/Browser/libxul.so
#3 0x00007f78ade20c70 in ()
#4 0x00007f78ade22e90 in ()
#5 0x00007f78ade20cd0 in ()
#6 0x7ffffff500000000 in ()
#7 0x00007f78ade21e80 in ()
#8 0x00007f78ade20d70 in ()
#9 0x00007f78ade20d72 in ()
#10 0xffffffff00000000 in ()
#11 0x00007f789225ddc0 in ()
#12 0x0000000000000009 in ()
#13 0x0000000000000000 in ()

Thread 3 (Thread 0x7f78fe7ff700 (LWP 3909)):
#0 0x00007f790fe9e4ed in syscall () at /usr/lib/libc.so.6
#1 0x00007f790587165a in () at /home/jb/tor-browser_en-US/Browser/libxul.so
#2 0x00007f78a730c3d8 in ()
#3 0x00007f790bb46f98 in () at /home/jb/tor-browser_en-US/Browser/libxul.so
#4 0x00007f78fe7fe870 in ()
#5 0x00007f78a6831200 in ()
#6 0x0000000000000019 in ()
#7 0x0000000000007464 in ()
#8 0x00000000278c46ba in ()
#9 0x00007f7904b6e60f in () at /home/jb/tor-browser_en-US/Browser/libxul.so
#10 0x0000000000000001 in ()
#11 0x0000000000000000 in ()

Thread 2 (Thread 0x7f78ff9ff700 (LWP 3906)):
#0 0x00007f79102b3e5b in pthread_cond_timedwait@@GLIBC_2.3.2 () at /usr/lib/libpthread.so.0
#1 0x00007f790fc38a33 in () at /home/jb/tor-browser_en-US/Browser/libnspr4.so
#2 0x00007f78ff9ff700 in ()
#3 0x0000000000000000 in ()

Thread 1 (Thread 0x7f790fc78b80 (LWP 3895)):
#0 0x00007f79102b825f in raise () at /usr/lib/libpthread.so.0
#1 0x00007f79074829ef in vpx_ssim_parms_8x8_sse2 () at /home/jb/tor-browser_en-US/Browser/libxul.so
#2 0x0000000000000400 in ()
#3 0x0000000000000000 in ()
(gdb)

Change History (10)

comment:1 Changed 9 months ago by gk

Component: Applications → Applications/Tor Browser
Owner: set to tbb-team
Status: new → needs_information

Great that you have found a way to reproduce the core dump. Do you see the same one with the stable Tor Browser as well (8.0.3) or is this an alpha only one?

comment:2 Changed 9 months ago by gk

Keywords: tbb-crash added

comment:3 Changed 9 months ago by jb.1234abcd

The prod TB does not dump like that.

I got strace file (320MB):
$ strace -D -f -o /tmp/strace.log ~/tor-browser_en-US/Browser/firefox

If you want with some other options, let me know.
Or perhaps ltrace too.

comment:4 in reply to:  3 Changed 9 months ago by gk

Summary: TB 8.5a5 Sig 11 core dump → TB 8.5a5 Sig 11 core dump on shutdown

Replying to jb.1234abcd:

The prod TB does not dump like that.

I got strace file (320MB):
$ strace -D -f -o /tmp/strace.log ~/tor-browser_en-US/Browser/firefox

If you want with some other options, let me know.
Or perhaps ltrace too.

Okay, then let's try to track down the difference between stable and alpha that is causing this. I'll get you some bundles to test and we'll see what the problem is.

comment:6 Changed 9 months ago by jb.1234abcd

Looks good.

comment:8 Changed 9 months ago by jb.1234abcd

This one dumps.
Sun 2018-12-09 22:35:03 CET 2813 1000 1000 11 present /home/jb/Downloads/temp1/tor-browser_en-US/Browser/firefox.real

comment:9 Changed 8 months ago by gk

Cc: ahomescu added
Parent ID: #23073
Summary: TB 8.5a5 Sig 11 core dump on shutdown → TB 8.5a5 Sig 11 core dump on shutdown when compiled with Selfrando

Okay, the only difference is the bundle doing the coredump is compiled with selfrando. ahomescu: Does that ring a bell/any ideas?

comment:10 Changed 4 months ago by gk

Resolution: wontfix
Status: needs_information → closed

We removed selfrando support in bug 30377, thus this is a WONTFIX.