Bug 1564970

Summary: [abrt] evolution: Gigacage::<lambda()>::operator()(): evolution killed by SIGSEGV
Product: [Fedora] Fedora Reporter: Yogesh Sharma <yogeshsharma>
Component: webkitgtk4Assignee: Tomas Popela <tpopela>
Status: CLOSED UPSTREAM QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 27CC: alexl, caillon+fedoraproject, fweimer, jskarvad, kaiserkarl31, lucilanga, mcatanzaro+wrong-account-do-not-cc, mcrha, rhughes, rstrode, sandmann, tpopela, zlynx
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/ec0d401be6aaf9800d4eb2376b8cc22c90f31d0e
Whiteboard: abrt_hash:0abd6be6589e247bbfa57d755c4ec7e437138ac8;VARIANT_ID=workstation;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-09 08:02:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: backtrace
none
File: cgroup
none
File: core_backtrace
none
File: cpuinfo
none
File: dso_list
none
File: environ
none
File: exploitable
none
File: limits
none
File: maps
none
File: mountinfo
none
File: open_fds
none
File: proc_pid_status
none
File: var_log_messages none

Description Yogesh Sharma 2018-04-09 04:32:29 UTC 
Version-Release number of selected component:
evolution-3.26.6-1.fc27

Additional info:
reporter:       libreport-2.9.3
backtrace_rating: 4
cmdline:        evolution
crash_function: Gigacage::<lambda()>::operator()
executable:     /usr/bin/evolution
journald_cursor: s=024aab46c7724ae2aed2f448d356d350;i=caf15;b=cc477aff3c894904b5424fa221edbc78;m=625f58f;t=56962c6198696;x=add61b6f1276d4a3
kernel:         4.15.14-300.fc27.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 Gigacage::<lambda()>::operator() at /usr/src/debug/webkitgtk4-2.20.0-1.fc27.x86_64/Source/bmalloc/bmalloc/Gigacage.cpp:154
 #1 std::__invoke_impl<void, Gigacage::ensureGigacage()::<lambda()> > at /usr/include/c++/7/bits/invoke.h:60
 #2 std::__invoke<Gigacage::ensureGigacage()::<lambda()> > at /usr/include/c++/7/bits/invoke.h:95
 #3 std::<lambda()>::operator() at /usr/include/c++/7/mutex:672
 #5 std::<lambda()>::_FUN(void) at /usr/include/c++/7/mutex:677
 #6 __pthread_once_slow at pthread_once.c:116
 #7 __gthread_once at /usr/include/c++/7/x86_64-redhat-linux/bits/gthr-default.h:699
 #8 std::call_once<Gigacage::ensureGigacage()::<lambda()> > at /usr/include/c++/7/mutex:684
 #9 Gigacage::ensureGigacage at /usr/src/debug/webkitgtk4-2.20.0-1.fc27.x86_64/Source/bmalloc/bmalloc/Gigacage.cpp:108
 #10 bmalloc::Heap::Heap at /usr/src/debug/webkitgtk4-2.20.0-1.fc27.x86_64/Source/bmalloc/bmalloc/Heap.cpp:58
Comment 1 Yogesh Sharma 2018-04-09 04:32:36 UTC 
Created attachment 1419101 [details]
File: backtrace
Comment 2 Yogesh Sharma 2018-04-09 04:32:37 UTC 
Created attachment 1419102 [details]
File: cgroup
Comment 3 Yogesh Sharma 2018-04-09 04:32:38 UTC 
Created attachment 1419103 [details]
File: core_backtrace
Comment 4 Yogesh Sharma 2018-04-09 04:32:38 UTC 
Created attachment 1419104 [details]
File: cpuinfo
Comment 5 Yogesh Sharma 2018-04-09 04:32:39 UTC 
Created attachment 1419105 [details]
File: dso_list
Comment 6 Yogesh Sharma 2018-04-09 04:32:40 UTC 
Created attachment 1419106 [details]
File: environ
Comment 7 Yogesh Sharma 2018-04-09 04:32:41 UTC 
Created attachment 1419107 [details]
File: exploitable
Comment 8 Yogesh Sharma 2018-04-09 04:32:42 UTC 
Created attachment 1419108 [details]
File: limits
Comment 9 Yogesh Sharma 2018-04-09 04:32:43 UTC 
Created attachment 1419109 [details]
File: maps
Comment 10 Yogesh Sharma 2018-04-09 04:32:45 UTC 
Created attachment 1419110 [details]
File: mountinfo
Comment 11 Yogesh Sharma 2018-04-09 04:32:46 UTC 
Created attachment 1419111 [details]
File: open_fds
Comment 12 Yogesh Sharma 2018-04-09 04:32:46 UTC 
Created attachment 1419112 [details]
File: proc_pid_status
Comment 13 Yogesh Sharma 2018-04-09 04:32:47 UTC 
Created attachment 1419113 [details]
File: var_log_messages
Comment 14 Milan Crha 2018-04-09 08:02:32 UTC 
Thanks for a bug report. This is due to update of webkitgtk4 package to its 2.20.0 release. See more information here, please:
https://bugs.webkit.org/show_bug.cgi?id=183329#c22
The bug contains some information how to work with this new requirement (eventually search for GIGACAGE_ENABLE in there).
Comment 15 Michael Catanzaro 2018-04-09 18:18:10 UTC 
We can change it so that Gigacage gets disabled instead of crashing, but that's a very important security feature and I'm kinda hesitant to just silently disable it. I guess we can decide based on how many crash reports like this we get.
Comment 16 Yogesh Sharma 2018-04-09 18:21:55 UTC 
I had to change vm.overcommit_memory=0 for evolution to work, I had it set to 2.


Similar issue I had with gnome-control-center for that export GIGACAGE_ENABLED=0 worked.
Comment 17 Michael Catanzaro 2018-04-09 18:28:16 UTC 
(In reply to Yogesh Sharma from comment #16)
> Similar issue I had with gnome-control-center for that export
> GIGACAGE_ENABLED=0 worked.

You could also set that globally if you want to keep overcommit disabled.
Comment 18 Milan Crha 2018-04-11 07:15:24 UTC 
*** Bug 1565667 has been marked as a duplicate of this bug. ***
Comment 19 Milan Crha 2018-04-11 07:21:07 UTC 
The above duplicate is from Fedora 26, just that you know.

(In reply to Michael Catanzaro from comment #15)
> We can change it so that Gigacage gets disabled instead of crashing

Crashing is always bad. The code should handle errors gracefully, where the crash is far from graceful handling. It's called 'robust code', right? Anyway, in case of Evolution itself there's no such issue as with Epiphany or any real browser. Yes, WebKitGTK+ is used with OAuth2 authentication, though even that is supposed to access hard-coded known addresses, not some random pages, and if the user does overwrite the domain in /etc/hosts or such, then it's his/her responsibility anyway.
Comment 20 Florian Weimer 2018-04-23 07:20:47 UTC 
(In reply to Michael Catanzaro from comment #15)
> We can change it so that Gigacage gets disabled instead of crashing, but
> that's a very important security feature and I'm kinda hesitant to just
> silently disable it. I guess we can decide based on how many crash reports
> like this we get.

See bug 1570021 comment 0: You should call mmap with PROT_NONE first, and then carve out actually allocations from the reserved area using mprotect.
Comment 21 Milan Crha 2018-04-23 09:16:31 UTC 
*** Bug 1570341 has been marked as a duplicate of this bug. ***
Comment 22 Milan Crha 2018-05-18 09:59:18 UTC 
(In reply to Michael Catanzaro from comment #15)
> We can change it so that Gigacage gets disabled instead of crashing, but
> that's a very important security feature and I'm kinda hesitant to just
> silently disable it. I guess we can decide based on how many crash reports
> like this we get.

I've just got a build crash (SIGSEGV during build) of evolution-data-server in an aarch64 mock and it was damn hard to find out it crashed due to the Gigacage, because it did that during GObject introspection code generation. I do not want to add the `export` into each single package .spec file which uses WebKitGTK+ and all those which use those packages, just to make sure the build break will not happen again.

I can write a similar/same comment in the upstream bug report (or create a new one there), but I hope this gets a bit more attention here, rather than there. I also do not know how much you'd consider it a downstream issue though.
Comment 23 Tomas Popela 2018-05-18 10:01:52 UTC 
(In reply to Milan Crha from comment #22)
> I can write a similar/same comment in the upstream bug report (or create a
> new one there), but I hope this gets a bit more attention here, rather than
> there. I also do not know how much you'd consider it a downstream issue
> though.

It's upstream issue and upstream is aware of it. Please don't create a new bug report - it's handled in https://bugs.webkit.org/show_bug.cgi?id=183329
Comment 24 Milan Crha 2018-05-18 10:52:38 UTC 
(In reply to Tomas Popela from comment #23)
> It's upstream issue and upstream is aware of it. Please don't create a new
> bug report - it's handled in https://bugs.webkit.org/show_bug.cgi?id=183329

Okay, will not do. Thanks for the pointer.

I opened this:
https://bugs.webkit.org/show_bug.cgi?id=185762
which is related, but not the same thing.
Comment 25 Michael Catanzaro 2018-05-18 20:32:14 UTC 
(In reply to Milan Crha from comment #22)
> I've just got a build crash (SIGSEGV during build) of evolution-data-server
> in an aarch64 mock and it was damn hard to find out it crashed due to the
> Gigacage, because it did that during GObject introspection code generation.

Do we known why it crashed? It shouldn't crash unless the builder has disabled VM overcommit or set a virtual memory ulimit.

Certainly, you shouldn't have to disable gigacage to use gobject-introspection.
Comment 26 Florian Weimer 2018-05-18 20:40:50 UTC 
(In reply to Michael Catanzaro from comment #25)
> (In reply to Milan Crha from comment #22)
> > I've just got a build crash (SIGSEGV during build) of evolution-data-server
> > in an aarch64 mock and it was damn hard to find out it crashed due to the
> > Gigacage, because it did that during GObject introspection code generation.
> 
> Do we known why it crashed? It shouldn't crash unless the builder has
> disabled VM overcommit or set a virtual memory ulimit.

BMALLOC_NORESERVE appears to be defined as MAP_NORESERVE, which turns off memory overcommit in vm.overcommit_memory=0 mode.  The mmap call will always succeed.  Out of memory is reported via SIGSEGV on write instead.
Comment 27 Michael Catanzaro 2018-05-18 20:43:49 UTC 
Then surely the OOM condition is not WebKit's fault?
Comment 28 Tomas Popela 2018-05-21 04:51:29 UTC 
(In reply to Michael Catanzaro from comment #27)
> Then surely the OOM condition is not WebKit's fault?

Could be. Also the Gigacage allocation on aarch64 could fail - the code is ready for that[0] and [1]. So it looks like it's a different bug.

[0] - https://trac.webkit.org/browser/webkit/trunk/Source/bmalloc/bmalloc/Gigacage.h#L39
[1] - https://trac.webkit.org/browser/webkit/trunk/Source/bmalloc/bmalloc/Gigacage.cpp#L151
Comment 29 Milan Crha 2018-05-21 07:08:16 UTC 
Below is the only thing I see in the build log. I tried to disable the gigacage in the .spec file and it did help, thus it's it, from my point of view.

(In reply to Michael Catanzaro from comment #25)
> Certainly, you shouldn't have to disable gigacage to use
> gobject-introspection.

I agree. There's this one for it:
https://bugs.webkit.org/show_bug.cgi?id=185762

------------------------------------------------------------------------------

In the build log:

Command '['/builddir/build/BUILD/evolution-data-server-3.28.1/_build/src/libedataserver/tmp-introspect4eikde20/EDataServer-1.2', '--introspect-dump=/builddir/build/BUILD/evolution-data-server-3.28.1/_build/src/libedataserver/tmp-introspect4eikde20/functions.txt,/builddir/build/BUILD/evolution-data-server-3.28.1/_build/src/libedataserver/tmp-introspect4eikde20/dump.xml']' died with <Signals.SIGSEGV: 11>.
make[2]: Leaving directory '/builddir/build/BUILD/evolution-data-server-3.28.1/_build'
make[2]: *** [src/libedataserver/CMakeFiles/gir-typelibs-EDataServer_1_2_gir.dir/build.make:236: src/libedataserver/EDataServer-1.2.gir] Error 1
make[1]: *** [CMakeFiles/Makefile2:5470: src/libedataserver/CMakeFiles/gir-typelibs-EDataServer_1_2_gir.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
Comment 30 Michael Catanzaro 2018-06-08 02:48:21 UTC 
*** Bug 1569478 has been marked as a duplicate of this bug. ***