Tor Browser for Android 60.8.0 crash on aarch64

TBA 60.8.0, installed from F-Droid on my Android 7.1.2 device (arm64-v8a), is consistently crashing on launch since the latest update. Logcat is always showing the same Fatal:

libc Fatal signal 11 (SIGSEGV), code 1, fault addr 0x2aae in tid 10153 (Gecko)

The bad address is always the same. The preceding lines aren't, so I didn't include them. As a workaround, I downgraded to the 32-bit version, which works.

Trac:
Username: j3tracey

added TorBrowserTeam201908R component::applications/tor browser owner::tbb-team priority::high reporter::j3tracey resolution::fixed severity::normal status::closed tbb-crash tbb-mobile type::defect labels

sisbell, can you take a look?

Trac:
Cc: N/A to sisbell
Priority: Medium to High
Keywords: N/A deleted, tbb-crash added
Summary: Tor Browser for Android 60.8.0 crash to Tor Browser for Android 60.8.0 crash on aarch64

IIRC there is no real 64bit tor available that could be part of the problem.

I have a Pixel3a (Android 10) that I'm testing with. Its armv8 and does not crash.

As gk mentioned, the same 32 bit binary is in both 32 bit and 64 bit directories (this is something we do need to solve). However, the device should be able to fallback to 32 bit if 64 bit doesn't load but it sounds like its not doing that. This is likely going to be a Android version and/or device issue.

Which device is this failing on? That may give us a better starting point to see if there is a workaround.

Where did you find TBA in https://search.f-droid.org/?q=tor&lang=en?

Are you sure it's tor and not Gecko?

I now have tor-0.4x now building using NDK clang and 64-bit. (See https://github.com/guardianproject/tor-android/blob/master/external/Makefile)

I have posted new binaries here: https://github.com/guardianproject/tor-android/tree/master/tor-android-binary/src/main/libs

and will be updating the gradle libraries once I am back home.

(I do also agree this could be a Gecko crash and not a Tor crash)

Replying to sisbell:

Which device is this failing on? That may give us a better starting point to see if there is a workaround.

Device is a Samsung Galaxy A5 (2017), running LineageOS 14.1 (Android 7.1.2). Let me know if you need any additional logcat output or anything.

Replying to cypherpunks:

Where did you find TBA in https://search.f-droid.org/?q=tor&lang=en?

TBA ships in the Guardian Project repo that comes with F-Droid, not the default repo (you can enable it in the settings). I'll note that the 64-bit build is only listed in the Alpha version of TBA, though both alpha and non-alpha list the current version as 60.8.0. I think these are Guardian Project builds, but armv8 isn't listed on the Guardian Project listings nor the Tor Project listings, so I don't know where else to find it.

Trac:
Username: j3tracey

sisbell: does the info in comment:8 help you to track the problem down?

Trac:
Keywords: N/A deleted, TorBrowserTeam201907 added

Replying to gk:

sisbell: does the info in comment:8 help you to track the problem down? The Galaxy A5 uses Snapdragron 410, which is 64 bit with 32 bit support so the specs on the device are good. I'll do some more research to see if any issues have been found with support. If that turns up negative, next step is to get some more logs to isolate the specific library that is failing.

My guess is there's a patch we must backport for this. I repo'd this on the Android 7.1.1 arm64-v8a emulator.

07-29 17:51:10.533  5312  5330 D GeckoThread: State changed to RUNNING                                                                                
07-29 17:51:10.535  5312  5330 I GeckoSession: zerdatime 1620358 - chrome startup finished                                                            
07-29 17:51:11.920  1294  1343 I ActivityManager: Waited long enough for: ServiceRecord{17636fd u0 com.google.android.gms/.stats.service.DropBoxEntryA
ddedService}                                                                                                                                   
07-29 17:51:13.271  5312  5330 I Gecko   : console.log: "browser.js: loading Firefox Accounts WebChannel"
07-29 17:51:13.525  5312  5330 D GeckoFxAccounts: FxAccountsWebChannel registered: account_updates with origin https://accounts.firefox.com
07-29 17:51:13.560  5312  5312 D MediaControlService: initialize                                                                       
07-29 17:51:13.643  5312  5312 D MediaControlService: HandleIntent, action = action_init, mediaState = STOPPED                    
--------- beginning of crash                                                                              
07-29 17:51:13.829  5312  5330 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x2aae in tid 5330 (Gecko)

These are the logs from Fennec 60.0. If they are any indication of where Tor Browser is crashing, then nsScreenManagerAndroid could be one place we should look. We disabled all of the Push functionality, so that should not be the problem (because it's all written in Java, so we shouldn't see a libc SEGV from that code if it is crashy (and it shouldn't be aarch64 specific)).

07-30 17:52:03.171 20839 20860 I Gecko   : console.log: "browser.js: loading Firefox Accounts WebChannel"                                             
07-30 17:52:03.417 20839 20860 D GeckoFxAccounts: FxAccountsWebChannel registered: account_updates with origin https://accounts.firefox.com           
07-30 17:52:03.518 20839 20839 D MediaControlService: initialize                                                                                      
07-30 17:52:03.606 20839 20839 D MediaControlService: HandleIntent, action = action_init, mediaState = STOPPED                                                                 
07-30 17:52:03.637 20839 20860 I nsScreenManagerAndroid: nsWindow[0x7324b83400]::Show 1                                                               
07-30 17:52:03.710 20839 21142 D GeckoPushService: Registered Gecko event listener.                                                                   
07-30 17:52:03.736 20839 21142 I GeckoPushService: Starting up.
07-30 17:52:03.737 20839 21142 I GeckoPushManager: Startup: requesting GCM token.
07-30 17:52:03.772 20839 21142 I GeckoPushGCM: Cached GCM token exists.
07-30 17:52:03.772 20839 21142 I GeckoPushManager: Startup: advancing all registrations.
07-30 17:52:03.772 20839 21142 I GeckoPushManager: Startup: no subscriptions for profileName; not advancing registration: default
07-30 17:52:05.359 20839 21142 I GeckoPushService: Handling event: PushServiceAndroidGCM:Configure
07-30 17:52:05.360 20839 21142 I GeckoPushManager: Updating configuration.
07-30 17:52:06.985 20839 20839 I GeckoTabs: zerdatime 88076624 - page load start
07-30 17:52:06.986 20839 20839 D GeckoToolbar: onTabChanged: START

07-30 18:10:30.078 21663 21682 W ResourceType: Too many attribute references, stopped at: 0x01010099
07-30 18:10:48.401 21663 21682 I nsScreenManagerAndroid: nsWindow[0x7324ba2400]::Create 0x0 [0 0 1 1]
07-30 18:10:51.757 21663 21682 I nsScreenManagerAndroid: nsWindow[0x7324ba2400]::Resize [0.000000 63.000000 1080.000000 1731.000000] (repaint 0)
07-30 18:10:51.958 21663 21682 I nsScreenManagerAndroid: nsWindow: 0x7324ba2400 OnSizeChanged [1080 1731]
07-30 18:10:52.240 21663 21682 I nsScreenManagerAndroid: nsWindow[0x7324ba2400]::Resize [0.000000 63.000000 1080.000000 1731.000000] (repaint 0)
07-30 18:10:56.449 21663 21682 D GeckoThread: State changed to RUNNING
07-30 18:10:56.452 21663 21682 I GeckoSession: zerdatime 89206092 - chrome startup finished
07-30 18:10:59.003 21663 21682 I Gecko   : console.log: "browser.js: loading Firefox Accounts WebChannel"
07-30 18:10:59.248 21663 21682 D GeckoFxAccounts: FxAccountsWebChannel registered: account_updates with origin https://accounts.firefox.com
07-30 18:10:59.557 21663 21682 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x2aae in tid 21682 (Gecko)
07-30 18:10:59.559   865   865 W         : debuggerd: handling request: pid=21663 uid=10081 gid=10081 tid=21682

Interesting. Maybe there is a race condition. I compiled 9.0a5 with --enable-debug and it did not crash.

08-05 19:49:31.639  6853  6938 D         : HostConnection::get() New Host Connection established 0x7287de3540, tid 6938                                                                                  
08-05 19:49:31.800  6853  6938 I Gecko   : Initializing context 0x72443de380 surface 0x7287c43a80 on display 0x1                                           
08-05 19:49:31.858  6853  6938 I Gecko   : [6853, Compositor] WARNING: robust_buffer_access_behavior marked as unsupported: file /var/tmp/build/firefox-86b5513abc35/gfx/gl/GLContextFeatures.cpp, line 608                                                                                                 
08-05 19:49:31.870  6853  6938 E libEGL  : called unimplemented OpenGL ES API              
08-05 19:49:32.830  6853  6870 I Gecko   : [6853, Main Thread] WARNING: Attempting to get a displayport from a content with no primary frame!: file /var/tmp/build/firefox-86b5513abc35/layout/base/nsLayoutUtils.cpp, line 927                                                                             
08-05 19:49:32.882  6853  6870 I nsScreenManagerAndroid: nsWindow[0x728ecb3c00]::Resize [0.000000 63.000000 1080.000000 1731.000000] (repaint 0)
08-05 19:49:32.882  6853  6870 I nsScreenManagerAndroid: nsWindow: 0x728ecb3c00 OnSizeChanged [1080 1731]
08-05 19:49:33.027  6853  6870 I nsScreenManagerAndroid: nsWindow[0x728ecb3c00]::Resize [0.000000 63.000000 1080.000000 1731.000000] (repaint 0)
08-05 19:49:39.598  6853  6870 I Gecko   : --DOMWINDOW == 4 (0x728f15a000) [pid = 6853] [serial = 2] [outer = 0x0] [url = about:blank]
08-05 19:49:44.589  6853  6870 D GeckoThread: State changed to RUNNING                                                                                
08-05 19:49:44.592  6853  6870 I GeckoSession: zerdatime 4699657 - chrome startup finished                                                            
08-05 19:49:49.511  6853  6870 I Gecko   : console.log: "browser.js: loading Firefox Accounts WebChannel"                                                                                                            
08-05 19:49:50.278  6853  6870 D GeckoFxAccounts: FxAccountsWebChannel registered: account_updates with origin https://accounts.firefox.com                                                                                                
08-05 19:49:50.420  6853  6853 D MediaControlService: initialize                                                                                                                                          
08-05 19:49:50.518  6853  6853 D MediaControlService: HandleIntent, action = action_init, mediaState = STOPPED                                        
08-05 19:49:51.292  6853  6870 I nsScreenManagerAndroid: nsWindow[0x728ecb3c00]::Show 1                                                               
08-05 19:49:51.353  6853  6870 I Gecko   : AndroidBridge::GetScreenOrientation                                                                        
08-05 19:49:51.713  6853  6870 I Gecko   : console.log: "Locale:OS: en-US"                                                                            
08-05 19:49:51.742  6853  6870 I Gecko   : console.log: "New OS locale."
08-05 19:49:51.814  6853  6870 I Gecko   : console.log: "Default intl.accept_languages = en-US, en"
08-05 19:49:52.027  6853  6870 I Gecko   : console.log: "Setting intl.accept_languages to en-us,en") waiters=0 in android.os.Message android.os.MessageQueue.next() for 1.607s
08-05 19:49:54.556  6853  6870 D GeckoDistribution: Custom distribution directory not found.
08-05 19:49:55.013  6853  6870 I Gecko   : ++DOCSHELL 0x723fdda800 == 3 [pid = 6853] [id = {fd31f791-791a-4c9e-95cc-44398ef5f2f7}]
08-05 19:49:55.027  6853  6870 I Gecko   : ++DOMWINDOW == 5 (0x728eb02800) [pid = 6853] [serial = 6] [outer = 0x0]
08-05 19:49:57.073  6853  6870 I Gecko   : ++DOMWINDOW == 6 (0x723fee2400) [pid = 6853] [serial = 7] [outer = 0x728eb02800]
08-05 19:49:58.533  6853  6853 I GeckoTabs: zerdatime 4713598 - page load start
08-05 19:49:58.534  6853  6853 D GeckoToolbar: onTabChanged: START
08-05 19:49:58.535  6853  6853 D GeckoBrowserApp: BrowserApp.onTabChanged: 0: START
08-05 19:49:58.553  6853  6870 D GeckoScreenOrientation: unlocking

Excitingly, the debug build does crash, but it crashes at a different (later) location with an assert. I suspect this is a different bug, and it's fixed upstream. I'll test it anyway (because "crashing later" may simply be a result of the debug build being slower).

08-12 12:57:52.640 12092 12125 I Gecko   : Destroying context 0x7cfd98a980 surface 0x7ce5cb5e00 on display 0x1
08-12 12:57:53.703 12092 12125 I nsScreenManagerAndroid: nsScreenManagerAndroid: add PRIMARY screen
08-12 12:58:03.645 12092 12125 I nsScreenManagerAndroid: nsWindow[0x7ced782c00]::Create 0x0 [0 0 100 100]
08-12 12:58:03.647 12092 12125 I Gecko   : ++DOCSHELL 0x7cf13a9800 == 1 [pid = 12092] [id = {46a6ea06-6df3-4c4f-b59e-75a2624084cd}]
08-12 12:58:03.684 12092 12125 I Gecko   : ++DOMWINDOW == 1 (0x7cef287800) [pid = 12092] [serial = 1] [outer = 0x0]
08-12 12:58:04.065 12092 12125 I Gecko   : ++DOMWINDOW == 2 (0x7cef288400) [pid = 12092] [serial = 2] [outer = 0x7cef287800]
08-12 12:58:18.425 12092 12125 I nsScreenManagerAndroid: nsWindow[0x7cef28fc00]::Create 0x0 [0 0 1 1]
08-12 12:58:18.426 12092 12125 I Gecko   : ++DOCSHELL 0x7ceeba0800 == 2 [pid = 12092] [id = {5821e818-d8b1-4cdd-99cc-4d1ac4d56b2b}]
08-12 12:58:18.427 12092 12125 I Gecko   : ++DOMWINDOW == 3 (0x7cef290000) [pid = 12092] [serial = 3] [outer = 0x0]
08-12 12:58:18.517 12092 12125 I Gecko   : ++DOMWINDOW == 4 (0x7cef290800) [pid = 12092] [serial = 4] [outer = 0x7cef290000]
08-12 12:58:22.385 12092 12125 I Gecko   : ++DOMWINDOW == 5 (0x7cee85d000) [pid = 12092] [serial = 5] [outer = 0x7cef287800]
08-12 12:58:24.172 12092 12125 I Gecko   : [12092, Main Thread] WARNING: Attempting to get a displayport from a content with no primary frame!: file /home/android/tor-browser/layout/base/nsLayoutUtils.cpp, line 927
08-12 12:58:24.237 12092 12125 I nsScreenManagerAndroid: nsWindow[0x7cef28fc00]::Resize [0.000000 63.000000 1080.000000 1731.000000] (repaint 0)
08-12 12:58:24.237 12092 12125 I nsScreenManagerAndroid: nsWindow: 0x7cef28fc00 OnSizeChanged [1080 1731]
08-12 12:58:25.315 12092 12125 I nsScreenManagerAndroid: nsWindow[0x7cef28fc00]::Resize [0.000000 63.000000 1080.000000 1731.000000] (repaint 0)
08-12 12:58:26.563 12092 12125 W ResourceType: Too many attribute references, stopped at: 0x01010099
08-12 12:59:01.886 12092 12125 D GeckoThread: State changed to RUNNING
08-12 12:59:02.036 12092 12125 I GeckoSession: zerdatime 66406478 - chrome startup finished
08-12 12:59:13.836 12092 12125 I Gecko   : console.log: "browser.js: loading Firefox Accounts WebChannel"
08-12 12:59:16.341 12092 12125 D GeckoFxAccounts: FxAccountsWebChannel registered: account_updates with origin https://accounts.firefox.com
08-12 12:59:18.813 12092 12092 D MediaControlService: initialize
08-12 12:59:19.488 12092 12092 D MediaControlService: HandleIntent, action = action_init, mediaState = STOPPED
08-12 12:59:21.996 12092 12125 I nsScreenManagerAndroid: nsWindow[0x7cef28fc00]::Show 1
08-12 12:59:22.146 12092 12125 I Gecko   : AndroidBridge::GetScreenOrientation
08-12 12:59:24.341 12092 12125 I Gecko   : console.log: "Locale:OS: en-US"
08-12 12:59:24.465 12092 12125 I Gecko   : console.log: "New OS locale."
08-12 12:59:24.723 12092 12125 I Gecko   : console.log: "Default intl.accept_languages = en-US, en"
08-12 12:59:25.396 12092 12125 I Gecko   : console.log: "Setting intl.accept_languages to en-us,en"
08-12 12:59:33.072 12092 12125 D GeckoDistribution: Custom distribution directory not found.
08-12 12:59:34.774 12092 12125 I Gecko   : ++DOCSHELL 0x7c9de85000 == 3 [pid = 12092] [id = {bd496ae9-7ec6-45ce-b90f-ae93c79cfbd3}]
08-12 12:59:34.777 12092 12125 I Gecko   : ++DOMWINDOW == 6 (0x7c9df07c00) [pid = 12092] [serial = 6] [outer = 0x0]
08-12 12:59:43.536 12092 12125 I Gecko   : ++DOMWINDOW == 7 (0x7c9df11800) [pid = 12092] [serial = 7] [outer = 0x7c9df07c00]
08-12 12:59:49.389 12092 12125 D GeckoScreenOrientation: unlocking
08-12 13:00:02.086 12092 12125 I Gecko   : ++DOMWINDOW == 8 (0x7cee85ac00) [pid = 12092] [serial = 8] [outer = 0x7c9df07c00]
08-12 13:01:12.375 12092 12125 I Gecko   : int mozilla::AndroidBridge::GetScreenDepth()
08-12 13:01:15.861 12092 12125 F MOZ_Assert: Assertion failure: bytes_ >= bytesAtStartOfGC_, at /home/android/tor-browser/js/src/gc/GC.cpp:1786
08-12 13:01:15.866 12092 12125 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 12125 (Gecko)

Maybe: https://bugzilla.mozilla.org/show_bug.cgi?id=1455709

08-12 12:59:25.396 12092 12125 I Gecko : console.log: "Setting intl.accept_languages to en-us,en" bug

Replying to sysrqb:

Maybe: https://bugzilla.mozilla.org/show_bug.cgi?id=1455709

This is looking positive. Debug build fully bootstraps and the browser works. Now building a release build and will test that.

Replying to sysrqb:

Replying to sysrqb:

Maybe: https://bugzilla.mozilla.org/show_bug.cgi?id=1455709

This is looking positive. Debug build fully bootstraps and the browser works. Now building a release build and will test that.

Yep, not related at all.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 24193]
0x00c98570 in ?? ()
(gdb) bt
#0  0x00c98570 in ?? ()
#1  0x00000000 in ?? ()Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 24193]
0x00c98570 in ?? ()
(gdb) bt
#0  0x00c98570 in ?? ()
#1  0x00000000 in ?? ()
(gdb) info all-reg
r0             0xb6d7a550       3067585872
r1             0xb6d7a550       3067585872
r2             0xfa545390       4199830416
r3             0xb9c5a470       3116737648
r4             0x1f595f8        32871928
r5             0x1      1
r6             0x30d5c88        51207304
r7             0x0      0
r8             0xb9c5a368       3116737384
r9             0x2f65e40        49700416
r10            0xffffffe6       4294967270
r11            0x30d6348        51209032
r12            0xb7232a60       3072535136
sp             0x0      0x0
lr             0x0      0
pc             0xc98570 0xc98570
f0             0        (raw 0xaae3be700000000000000000)
f1             0        (raw 0xaae3be700000000000000000)
f2             0        (raw 0xaae3be700000000000000000)
f3             0        (raw 0xaae3be700000000000000000)
f4             0        (raw 0xaae3be700000000000000000)
f5             0        (raw 0xaae3be700000000000000000)
f6             0        (raw 0xaae3be700000000000000000)
f7             0        (raw 0xaae3be700000000000000000)
fps            0x0      0
cpsr           0x20000000       536870912

But, my current guess is this garbage is due to using a 32-bit adb with a 64-bit binary.

Moving more tickets to August

Trac:
Keywords: TorBrowserTeam201907 deleted, TorBrowserTeam201908 added

Okay, I have a patch that (I believe) solves this. The cause? Ionmonkey.

Okay, onto github it is.

https://github.com/sysrqb/torbutton.git branch bug31140_0

I'm building a testbuild now.

To be clear, I don't think we should backport the patch from Bug 1455709 - 68esr is coming soon enough.

Hm, what am I supposed to look at? The Torbutton branch is at the same commit as master. 0e282a0db815beb07fee8354294a7cf597b6e9e5 in the tor-browser repo maybe?

Replying to gk:

Hm, what am I supposed to look at? The Torbutton branch is at the same commit as master. 0e282a0db815beb07fee8354294a7cf597b6e9e5 in the tor-browser repo maybe?

I didn't push the commit :( It is now there on the torbutton repo.

Replying to sysrqb:

Replying to gk:

Hm, what am I supposed to look at? The Torbutton branch is at the same commit as master. 0e282a0db815beb07fee8354294a7cf597b6e9e5 in the tor-browser repo maybe?

I didn't push the commit :( It is now there on the torbutton repo.

Is that bug affecting an esr60-based Fennec and an esr68-one equally or only an issue for the former?

Replying to gk:

Is that bug affecting an esr60-based Fennec and an esr68-one equally or only an issue for the former?

I think we only need this for 60esr, but I still must test an aarch64 68esr build. I know ion was buggy on aarch64 before 68 (see https://wiki.mozilla.org/Mobile/ARM64), and ion is currently enabled in the Fennec 68 release on aarch64 - but I'll confirm enabling ion with 68esr (#31010 (moved)) doesn't crash, too.

Replying to sysrqb:

I'll confirm enabling ion with 68esr (#31010 (moved)) doesn't crash, too.

Confirmed, ion is enabled by default on Fennec 68 and it doesn't crash.

Trac:
Status: new to needs_review

Trac:
Keywords: TorBrowserTeam201908 deleted, TorBrowserTeam201908R added

Looks good to me. I cherry-picked the patch to maint-2.1 (commit 2a15af35080b9723d88e5111151f8cd889d592e0) as it is not needed on master which we'll use for esr68-based builds. I hadd to slightly fix it up as the paradigm on maint-2.1 is still to use Cu to import scripts instead of ChromeUtils which should not affect functionality, though.

Trac:
Status: needs_review to closed
Resolution: N/A to fixed

I just tested this, and there's a syntax error: SyntaxError: continue must be inside loop. There's a continue inside a .forEach (here https://github.com/sysrqb/torbutton/commit/636afd52d70c9676f4b9d0f1f86d2f693d91e8f7#diff-9a4ff5d4f9e8419db8a4ac6a36da1422R53), which should probably be a return instead since it's actually a function and not a 'real' loop.

Trac:
Status: closed to reopened
Resolution: fixed to N/A

Trac:
Status: reopened to needs_revision

Did a quick fixup: https://github.com/acatarineu/torbutton/commit/31140

Trac:
Status: needs_revision to needs_review

Replying to acat:

Did a quick fixup: https://github.com/acatarineu/torbutton/commit/31140

Nice catch and works for me, thanks! Merged to maint-2.1 (commit 5533b49ca22cacebb2900e427413bed4444b1f87).

Trac:
Resolution: N/A to fixed
Status: needs_review to closed

closed

mentioned in issue #31520 (moved)

mentioned in issue #31616 (moved)

mentioned in issue #31730 (moved)

moved to tpo/applications/tor-browser#31140 (closed)

mentioned in issue tpo/applications/tor-browser#31616 (closed)

mentioned in issue tpo/applications/tor-browser#31730 (closed)