It might be related to the issue tackled in #31140 (moved) or just another issue that the previous one hid. At any rate users are reporting app crashes on every launch even though the fix for #31140 (moved) shipped.
I can confirm crash on Android 10, Pixel 3. Looks like some problem with libxul.
09-03 23:51:12.698 2238 2238 E ject.torbrowse: Failed to find parent 0x7f0b0026 of bag 0x7f0b0018.
09-03 23:51:12.699 876 1180 I CHRE : @ 35912.078: [ImuCal] [NanoSensorCal:GYRO_RPS] Offset | Temperature [C]: -0.005801, -0.001343, -0.002674 | 32.50
09-03 23:51:12.700 876 1180 I CHRE : @ 35912.078: [ImuCal] [NanoSensorCal:GYRO_RPS] Temp Sensitivity: -0.000087, 0.000137, -0.000009
09-03 23:51:12.700 876 1180 I CHRE : @ 35912.078: [ImuCal] [NanoSensorCal:GYRO_RPS] Temp Intercept: -0.002911, -0.005683, -0.002335
09-03 23:51:12.723 853 1254 D platform_realtek: platform_enable_dsp: Disable
09-03 23:51:12.724 853 1254 I sound_trigger_hw: callback_thread_loop: Enter Suspend
09-03 23:51:12.748 2238 2238 D GeckoBrowserApp: Switchboard disabled - in automation
09-03 23:51:12.748 2238 2238 D GeckoTelemetryUploadSer: Telemetry upload disabled (env var?
09-03 23:51:12.751 2238 2309 E GeckoApp: An error occurred during restore, switching to backup file
09-03 23:51:12.751 2238 2309 E GeckoApp: org.mozilla.gecko.GeckoApp$SessionRestoreException: Could not read from session file
09-03 23:51:12.751 2238 2309 E GeckoApp: at org.mozilla.gecko.GeckoApp.restoreSessionTabs(GeckoApp.java:1637)
09-03 23:51:12.751 2238 2309 E GeckoApp: at org.mozilla.gecko.GeckoApp.access$200(GeckoApp.java:112)
09-03 23:51:12.751 2238 2309 E GeckoApp: at org.mozilla.gecko.GeckoApp$9.run(GeckoApp.java:1180)
09-03 23:51:12.751 2238 2309 E GeckoApp: at android.os.Handler.handleCallback(Handler.java:883)
09-03 23:51:12.751 2238 2309 E GeckoApp: at android.os.Handler.dispatchMessage(Handler.java:100)
09-03 23:51:12.751 2238 2309 E GeckoApp: at android.os.Looper.loop(Looper.java:214)
09-03 23:51:12.751 2238 2309 E GeckoApp: at org.mozilla.gecko.util.GeckoBackgroundThread.run(GeckoBackgroundThread.java:43)
09-03 23:51:12.754 2238 2309 E GeckoApp: An error occurred during restore
09-03 23:51:12.754 2238 2309 E GeckoApp: org.mozilla.gecko.GeckoApp$SessionRestoreException: Could not read from session file
09-03 23:51:12.754 2238 2309 E GeckoApp: at org.mozilla.gecko.GeckoApp.restoreSessionTabs(GeckoApp.java:1637)
09-03 23:51:12.754 2238 2309 E GeckoApp: at org.mozilla.gecko.GeckoApp.access$200(GeckoApp.java:112)
09-03 23:51:12.754 2238 2309 E GeckoApp: at org.mozilla.gecko.GeckoApp$9.run(GeckoApp.java:1198)
09-03 23:51:12.754 2238 2309 E GeckoApp: at android.os.Handler.handleCallback(Handler.java:883)
09-03 23:51:12.754 2238 2309 E GeckoApp: at android.os.Handler.dispatchMessage(Handler.java:100)
09-03 23:51:12.754 2238 2309 E GeckoApp: at android.os.Looper.loop(Looper.java:214)
09-03 23:51:12.754 2238 2309 E GeckoApp: at org.mozilla.gecko.util.GeckoBackgroundThread.run(GeckoBackgroundThread.java:43)
09-03 23:51:14.148 2238 2312 F libc : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2aae in tid 2312 (Gecko), pid 2238 (ject.torbrowser)
09-03 23:51:14.213 2238 2238 D TorBootstrap: Current Top=135
09-03 23:51:14.213 2238 2238 D TorBootstrap: Current Height=1350
09-03 23:51:14.213 2238 2238 D TorBootstrap: Current Width=1024
09-03 23:51:14.213 2238 2238 D TorBootstrap: Expected height=1198
09-03 23:51:14.213 2238 2238 D TorBootstrap: Expected width=1153
09-03 23:51:14.213 2238 2238 D TorBootstrap: New height=1198
09-03 23:51:14.213 2238 2238 D TorBootstrap: New width=1024
09-03 23:51:14.213 2238 2238 D TorBootstrap: New width without padding=600
09-03 23:51:14.213 2238 2238 D TorBootstrap: New height without padding=702
09-03 23:51:14.213 2238 2238 D TorBootstrap: New top padding=648
09-03 23:51:14.213 2238 2238 D TorBootstrap: New side padding=424
09-03 23:51:14.213 2414 2414 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
09-03 23:51:14.215 1044 1044 I /system/bin/tombstoned: received crash request for pid 2312
09-03 23:51:14.216 2414 2414 I crash_dump64: performing dump of process 2238 (target tid = 2312)
09-03 23:51:14.228 2414 2414 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-03 23:51:14.228 2414 2414 F DEBUG : Build fingerprint: 'google/sargo/sargo:10/QP1A.190711.020/5800535:user/release-keys'
09-03 23:51:14.228 2414 2414 F DEBUG : Revision: 'MP1.0'
09-03 23:51:14.228 2414 2414 F DEBUG : ABI: 'arm64'
09-03 23:51:14.229 2414 2414 F DEBUG : Timestamp: 2019-09-03 23:51:14-0700
09-03 23:51:14.229 2414 2414 F DEBUG : pid: 2238, tid: 2312, name: Gecko >>> org.torproject.torbrowser <<<
09-03 23:51:14.229 2414 2414 F DEBUG : uid: 10260
09-03 23:51:14.229 2414 2414 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2aae
09-03 23:51:14.229 2414 2414 F DEBUG : x0 00000071d7c0b4c0 x1 00000071d7c0b4c0 x2 0000007240443390 x3 00000071dfd58470
09-03 23:51:14.229 2414 2414 F DEBUG : x4 000000723263f5f8 x5 0000000000000001 x6 0000007240a30708 x7 fff8800000000000
09-03 23:51:14.229 2414 2414 F DEBUG : x8 00000071dfd58368 x9 0000007240065e40 x10 ffffffffffffffe6 x11 0000007240a30dc8
09-03 23:51:14.229 2414 2414 F DEBUG : x12 fffe0071dff32d30 x13 0000000000000000 x14 fffb000000000000 x15 0000000000000008
09-03 23:51:14.229 2414 2414 F DEBUG : x16 00000072326a3528 x17 0000007320e07340 x18 0000007240a30188 x19 000000000000000b
09-03 23:51:14.229 2414 2414 F DEBUG : x20 0000007240422778 x21 000000723263ff40 x22 fff8800000000000 x23 0000007240a30d08
09-03 23:51:14.229 2414 2414 F DEBUG : x24 0000007240a30c88 x25 0000007240a30b18 x26 0000007240a30ce8 x27 00000071dfd58470
09-03 23:51:14.229 2414 2414 F DEBUG : x28 0000007240a30670 x29 fff9000000000000
09-03 23:51:14.229 2414 2414 F DEBUG : sp 0000007240a30980 lr 0000007231377ed8 pc 0000007231375fe0
09-03 23:51:14.229 2414 2414 F DEBUG :
09-03 23:51:14.229 2414 2414 F DEBUG : backtrace:
09-03 23:51:14.229 2414 2414 F DEBUG : NOTE: Function names and BuildId information is missing for some frames due
09-03 23:51:14.229 2414 2414 F DEBUG : NOTE: to unreadable libraries. For unwinds of apps, only shared libraries
09-03 23:51:14.229 2414 2414 F DEBUG : NOTE: found under the lib/ directory are readable.
09-03 23:51:14.229 2414 2414 F DEBUG : #00 pc 00000000028bcfe0 /data/data/org.torproject.torbrowser/cache/libxul.so
09-03 23:51:14.605 1397 2423 I DropBoxManagerService: add tag=data_app_native_crash isTagEnabled=true flags=0x2
09-03 23:51:14.606 1044 1044 E /system/bin/tombstoned: Tombstone written to: /data/tombstones/tombstone_02
09-03 23:51:14.606 1397 2422 W ActivityTaskManager: Force finishing activity org.torproject.torbrowser/org.mozilla.gecko.BrowserApp
09-03 23:51:14.614 1397 1498 I BootReceiver: Copying /data/tombstones/tombstone_02 to DropBox (SYSTEM_TOMBSTONE)
09-03 23:51:14.615 1397 1498 I DropBoxManagerService: add tag=SYSTEM_TOMBSTONE isTagEnabled=true flags=0x2
09-03 23:51:14.616 1397 1470 W BroadcastQueue: Background execution not allowed: receiving Intent { act=android.intent.action.DROPBOX_ENTRY_ADDED flg=0x10 (has extras) } to com.google.android.gms/.stats.service.DropBoxEntryAddedReceiver
09-03 23:51:14.616 1397 1470 W BroadcastQueue: Background execution not allowed: receiving Intent { act=android.intent.action.DROPBOX_ENTRY_ADDED flg=0x10 (has extras) } to com.google.android.gms/.chimera.GmsIntentOperationService$PersistentTrustedReceiver
09-03 23:51:14.637 1397 1452 I ActivityManager: Showing crash dialog for package org.torproject.torbrowser u0
09-03 23:51:14.649 1397 1470 W BroadcastQueue: Background execution not allowed: receiving Intent { act=android.intent.action.DROPBOX_ENTRY_ADDED flg=0x10 (has extras) } to com.google.android.gms/.stats.service.DropBoxEntryAddedReceiver
09-03 23:51:14.649 1397 1470 W BroadcastQueue: Background execution not allowed: receiving Intent { act=android.intent.action.DROPBOX_ENTRY_ADDED flg=0x10 (has extras) } to com.google.android.gms/.chimera.GmsIntentOperationService$PersistentTrustedReceiver
So, all those happy users spamming everywhere have just upgraded from 32-bit arm to 64-bit, is that supported at least?
Yes, there shouldn't be any impact from switching from a 32-bit library to a 64-bit library. This is what Mozilla did, as well - and this is what Google's policy effectively enforces.
Google Play shows this is primarily affecting Android 9 on aarch64. signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2aae is interesting. This is the same fault address (and same code) as #31140 (moved).
This is the same bug as #31140 (moved). acat found there was a syntax error in the original patch on #31140 (moved) (comment 30) and corrected that. I didn't notice the syntax error while I was testing the original patch and I incorrectly assumed the patch avoided the gecko crash; instead, the syntax error prevented the code from executing.
After some more testing now, it does seem like javascript.options.native_regexp is the correct pref we should disable. ion is not the cause and it is enabled by default (and it does not cause a crash).
From there it gets more interesting:
09-04 17:50:42.045 4803 4821 I GeckoThread: preparing to run Gecko
09-04 17:50:42.048 4803 4821 D GeckoThread: State changed to MOZGLUE_READY
[...]
09-04 17:50:42.234 4803 4821 E GeckoLibLoad: Load sqlite start
09-04 17:50:42.236 4803 4821 E GeckoLinker: /system/lib64/libc.so: Missing or broken DT_HASH
09-04 17:50:42.236 4803 4821 E GeckoLinker: /system/lib64/libc.so: Missing or broken DT_HASH
[...]
09-04 17:50:46.360 4803 4829 D : HostConnection::get() New Host Connection established 0x79d891ea80, tid 4829
09-04 17:50:46.389 4803 4829 I OpenGLRenderer: Initialized EGL, version 1.4
09-04 17:50:46.390 4803 4829 D OpenGLRenderer: Swap behavior 1
09-04 17:50:46.391 4803 4829 W OpenGLRenderer: Failed to choose config with EGL_SWAP_BEHAVIOR_PRESERVED, retrying without...
09-04 17:50:46.391 4803 4829 D OpenGLRenderer: Swap behavior 0
09-04 17:50:46.402 4803 4829 D EGL_emulation: eglCreateContext: 0x79d89140e0: maj 2 min 0 rcv 2
09-04 17:50:46.406 4803 4829 D EGL_emulation: eglMakeCurrent: 0x79d89140e0: ver 2 0 (tinfo 0x79d892ae80)
09-04 17:50:46.511 4803 4821 F libc : Fatal signal 11 (SIGSEGV), code 2, fault addr 0x79e8078108 in tid 4821 (Gecko)
09-04 17:50:46.519 4803 4803 D GeckoToolbar: onTabChanged: SELECTED
09-04 17:50:46.551 4803 4803 D GeckoBrowserApp: BrowserApp.onTabChanged: 0: SELECTED
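The comparison made in this thread (same signal, same code, same fault address as #31140) can be automated when triaging many logcat captures. The following is an added example, not part of the original ticket or of Tor Browser's tooling; the function names are hypothetical and the sample lines are copied from the two logs quoted above.

```python
import re
from collections import defaultdict

# libc's fatal-signal line as it appears in logcat "threadtime" output.
# The si_code name and the trailing ", pid N (name)" are optional: the
# second log in this thread has neither.
FATAL = re.compile(
    r"F libc\s*: Fatal signal (?P<signo>\d+) \((?P<signame>\w+)\), "
    r"code (?P<code>-?\d+)(?: \((?P<codename>\w+)\))?, "
    r"fault addr (?P<addr>0x[0-9a-fA-F]+) in tid (?P<tid>\d+) "
    r"\((?P<thread>[^)]*)\)"
)


def crash_signatures(log_text):
    """Return {(signal, si_code, fault_addr, thread): [timestamps]}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = FATAL.search(line)
        if not m:
            continue  # not a native crash line
        key = (m["signame"], int(m["code"]), int(m["addr"], 16), m["thread"])
        seen[key].append(line[:18])  # "MM-DD HH:MM:SS.mmm"
    return dict(seen)


def same_crash(a, b):
    """Two signatures match when signal, si_code and fault address agree."""
    return a[:3] == b[:3]


# The two fatal lines quoted in this thread, plus one unrelated error line.
SAMPLE = """\
09-03 23:51:12.751 2238 2309 E GeckoApp: An error occurred during restore
09-03 23:51:14.148 2238 2312 F libc : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2aae in tid 2312 (Gecko), pid 2238 (ject.torbrowser)
09-04 17:50:46.511 4803 4821 F libc : Fatal signal 11 (SIGSEGV), code 2, fault addr 0x79e8078108 in tid 4821 (Gecko)
"""

if __name__ == "__main__":
    for sig, when in crash_signatures(SAMPLE).items():
        print(sig[0], "code", sig[1], hex(sig[2]), sig[3], when)
```

A small constant fault address such as 0x2aae is a stable signature across devices; a high address like the one in the second log moves with ASLR, so a mismatch there does not by itself rule out a shared root cause.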
I am wary of having those JIT options on. Cypherpunks mentioned a meta bug about baseline JIT issues e.g. and there might be other ones as well (with ion as well although it might not be available on aarch64 on esr60?). I'd really like to avoid playing whack-a-mole here by us doing release after release to deal with those crash bugs one-by-one. We don't have the time and capacity for that.
I am facing the same issue: the Tor Browser crashes on startup, and I do not even have the time to press "Start". My device is a Samsung Galaxy S8 running Android 9.
Understood, and I definitely agree with this. I modified the original torbutton patch such that it sets the three javascript.options. prefs as false. This prevents the app crash, but now torbutton is not initialized for some reason. about:tor is a blank, white screen and the torbutton logs show initialization fails/aborts/errors somewhere, but I haven't yet successfully found where this is happening in the code. It seems this is only occurring on aarch64 (torbutton is working on x86_64, but I did not try armv7).
The problem is really serious and annoying! I can only ask the responsible as fast as it is to push a solution (patch) afterwards! When updating the Tor Browser, something seems to have gone horribly wrong! In any case, at least under Android is nothing! I have a Galaxy A7 (2018) Android 9! Please fix it! The Tor Browser was super good before!