Description of problem:
Both QtWebEngine/QupZilla and Chromium crash in Rawhide with a backtrace such as:

Received signal 4 ILL_ILLOPN 7f58262eac90
#0 0x7f58266a864e <unknown>
#1 0x7f58266a8a29 <unknown>
#2 0x7f5823235540 <unknown>
#3 0x7f58262eac90 <unknown>
#4 0x7f582705dfb0 <unknown>
#5 0x7f582705e3a1 <unknown>
#6 0x7f582705cdac <unknown>
#7 0x7f582705d40c <unknown>
#8 0x7f582777d50a <unknown>
#9 0x7f5825e0830e <unknown>
#10 0x7f5825dddcff <unknown>
#11 0x7f5827794639 <unknown>
#12 0x7f5825da7fa2 <unknown>
#13 0x7f582640c052 <unknown>
#14 0x7f5826427ccf <unknown>
#15 0x7f582642cb41 <unknown>
#16 0x7f582641e2ed <unknown>
#17 0x7f58256fbf80 <unknown>
#18 0x7f582635dd24 <unknown>
#19 0x7f582671d1d9 <unknown>
#20 0x7f5826d634c9 <unknown>
#21 0x7f5826d63d2c <unknown>
#22 0x7f582671d1d9 <unknown>
#23 0x7f58266c6358 <unknown>
#24 0x7f58266c6fc9 <unknown>
#25 0x7f58266c7492 <unknown>
#26 0x7f58266c94b9 <unknown>
#27 0x7f58266db754 <unknown>
#28 0x7f58266c56e5 <unknown>
#29 0x7f5826441ec0 <unknown>
#30 0x7f582594637e <unknown>
#31 0x7f5825946849 <unknown>
#32 0x7f5825945de9 <unknown>
#33 0x7f5824e05fe4 QtWebEngine::processMain()
#34 0x5645bd5a9943 <unknown>
#35 0x7f58225d6401 __libc_start_main
#36 0x5645bd5a999a <unknown>
  r8: 0000000000000000  r9: 0000000000000000 r10: 00005645bdfa4470 r11: 0000000000000202
 r12: 00005645bdfa4470 r13: 0000000000020000 r14: 00005645bdfa3720 r15: 00007ffd74e32310
  di: 00002afeca261000  si: 000000000001e000  bp: 00005645bdf3d370  bx: 00005645bdfa4478
  dx: 0000000000000008  ax: ffffffffffffffff  cx: ffffffffffffff60  sp: 00007ffd74e32180
  ip: 00007f58262eac90 efl: 0000000000010286 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000006 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]

The OpenEmbedded folks:
https://www.mail-archive.com/openembedded-core@lists.openembedded.org/msg82915.html
pinpointed glibc 2.24 as the apparent cause for this issue.
Version-Release number of selected component (if applicable):
glibc-2.23.90-30.fc26

How reproducible:
Always

Steps to Reproduce:
1. Boot a Rawhide KDE Live image.
2. sudo setenforce 0 to work around bug #1363914
3. sudo chmod a+w /dev/shm to work around a live image issue yet to be reported
4. Try starting qupzilla.

Actual results:
Received signal 4 ILL_ILLOPN 7f58262eac90
… (see Description)

Expected results:
No crash.
(Actually, the /dev/shm issue from step 3 is already filed, it is bug #1347436. Once you work around bug #1363914 and bug #1347436, you run into this one, which is the worst because it does not have a simple workaround.)
I can reproduce this with glibc-2.23.90-30.fc25 and qupzilla-2.0.1-1.fc25. We need a better backtrace or a coredump. I don't know how to get that; for me, the Chromium sandbox is pretty effective anti-debugging technology.
So I got 3 backtraces by installing the Rawhide ISO to a virtual HDD, installing qt5-qtwebengine-debuginfo there, then attaching gdb to the second zygote process, which shows up in ps ax as:
2497 pts/1    S      0:00 /usr/lib/qt5/libexec/QtWebEngineProcess --type=zyg
(There was also 2495 that looked the same, but was not interesting.)
and running:
(gdb) set follow-fork-mode child
(gdb) c

The first one I got is a SIGSYS on sched_getparam, probably not what is causing the bug, but I am still posting it in case it is of interest:

Thread 2.3 "QtWebEngineProc" received signal SIGSYS, Bad system call.
[Switching to Thread 0xad1ffb40 (LWP 2869)]
0xb7fd7d49 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fd7d49 in __kernel_vsyscall ()
#1  0xb22370a6 in sched_getparam () from /lib/libc.so.6
#2  0xb2536a42 in pthread_getschedparam () from /lib/libpthread.so.0
#3  0xb517da9e in base::internal::GetCurrentThreadPriorityForPlatform () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_linux.cc:66
#4  0xb517db1f in base::internal::SetCurrentThreadPriorityForPlatform () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_linux.cc:47
#5  0xb517e0ed in base::PlatformThread::SetCurrentThreadPriority () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_posix.cc:217
#6  0xb517e14e in ThreadFunc () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_posix.cc:60
#7  0xb25354ee in start_thread () from /lib/libpthread.so.0
#8  0xb2257f9e in clone () from /lib/libc.so.6

After a continue, I get yet another SIGSYS, again, just in case it is of interest:

Thread 2.3 "QtWebEngineProc" received signal SIGSYS, Bad system call.
0xb7fd7d49 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fd7d49 in __kernel_vsyscall ()
#1  0xb2237102 in sched_getscheduler () from /lib/libc.so.6
#2  0xb2536a1b in pthread_getschedparam () from /lib/libpthread.so.0
#3  0xb517da9e in base::internal::GetCurrentThreadPriorityForPlatform () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_linux.cc:66
#4  0xb517db1f in base::internal::SetCurrentThreadPriorityForPlatform () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_linux.cc:47
#5  0xb517e0ed in base::PlatformThread::SetCurrentThreadPriority () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_posix.cc:217
#6  0xb517e14e in ThreadFunc () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_posix.cc:60
#7  0xb25354ee in start_thread () from /lib/libpthread.so.0
#8  0xb2257f9e in clone () from /lib/libc.so.6

But after yet another continue, I finally get the illegal instruction:

Thread 2.1 "QtWebEngineProc" received signal SIGILL, Illegal instruction.
[Switching to Thread 0xae5fdb40 (LWP 2867)]
WTF::discardSystemPages () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/wtf/PageAllocator.cpp:244
244	    decommitSystemPages(addr, len);
(gdb) bt
#0  WTF::discardSystemPages () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/wtf/PageAllocator.cpp:244
#1  0xb5b28f46 in blink::MemoryRegion::decommit () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/PageMemory.cpp:26
#2  0xb5b29393 in blink::PageMemory::decommit () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/PageMemory.h:179
#3  blink::FreePagePool::addFreePage () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/PagePool.cpp:31
#4  0xb5b27c35 in blink::NormalPageHeap::allocatePage () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/HeapPage.cpp:445
#5  0xb5b282f1 in blink::NormalPageHeap::outOfLineAllocate () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/HeapPage.cpp:744
#6  0xb62e4480 in blink::NormalPageHeap::allocateObject () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/HeapPage.h:878
#7  blink::Heap::allocateOnHeapIndex () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/Heap.h:443
#8  blink::Heap::allocate<blink::FetchContext> () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/Heap.h:450
#9  blink::GarbageCollected<blink::FetchContext>::allocateObject () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/Heap.h:348
#10 blink::GarbageCollected<blink::FetchContext>::operator new () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/Heap.h:343
#11 blink::FrameFetchContext::createContextAndFetcher () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/core/loader/FrameFetchContext.h:56
#12 blink::DocumentLoader::DocumentLoader () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/core/loader/DocumentLoader.cpp:101
#13 0xb47abf05 in blink::WebDataSourceImpl::WebDataSourceImpl () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/web/WebDataSourceImpl.cpp:134
#14 blink::WebDataSourceImpl::create () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/web/WebDataSourceImpl.cpp:42
#15 0xb477e86b in blink::FrameLoaderClientImpl::createDocumentLoader () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/web/FrameLoaderClientImpl.cpp:711
#16 0xb62fd0cb in blink::FrameLoader::init () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/core/loader/FrameLoader.cpp:198
#17 0xb4743161 in blink::LocalFrame::init () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h:244
#18 blink::WebLocalFrameImpl::initializeCoreFrame () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/web/WebLocalFrameImpl.cpp:1793
#19 0xb4754210 in blink::WebViewImpl::setMainFrame () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/web/WebViewImpl.cpp:432
#20 0xb4e47ab3 in content::RenderFrameImpl::CreateMainFrame () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/renderer/render_frame_impl.cc:750
#21 0xb4e66b17 in content::RenderViewImpl::Initialize () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/renderer/render_view_impl.cc:683
#22 0xb4e6c088 in content::RenderViewImpl::Create () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/renderer/render_view_impl.cc:1133
#23 0xb4e51afb in content::RenderThreadImpl::OnCreateNewView () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/renderer/render_thread_impl.cc:1800
#24 0xb4e5bcbd in base::DispatchToMethodImpl<content::RenderThreadImpl, void (content::RenderThreadImpl::*)(ViewMsg_New_Params const&), ViewMsg_New_Params, 0u> () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/tuple.h:252
#25 base::DispatchToMethod<content::RenderThreadImpl, void (content::RenderThreadImpl::*)(ViewMsg_New_Params const&), ViewMsg_New_Params> () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/tuple.h:259
#26 ViewMsg_New::Dispatch<content::RenderThreadImpl, content::RenderThreadImpl, void, void (content::RenderThreadImpl::*)(ViewMsg_New_Params const&)> () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/common/view_messages.h:621
#27 content::RenderThreadImpl::OnControlMessageReceived () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/renderer/render_thread_impl.cc:1739
#28 0xb3fc6cd5 in content::ChildThreadImpl::OnMessageReceived () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/child/child_thread_impl.cc:635
#29 0xb4d93583 in IPC::ChannelProxy::Context::OnDispatchMessage () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/ipc/ipc_channel_proxy.cc:293
#30 0xb4d92f03 in base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>::Run () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/bind_internal.h:178
#31 base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, base::internal::TypeList<IPC::ChannelProxy::Context* const&, IPC::Message const&> >::MakeItSo () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/bind_internal.h:297
#32 base::internal::Invoker<base::IndexSequence<0u, 1u>, base::internal::BindState<base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, void (IPC::ChannelProxy::Context*, IPC::Message const&), IPC::ChannelProxy::Context*, IPC::Message>, base::internal::TypeList<base::internal::UnwrapTraits<IPC::ChannelProxy::Context*>, base::internal::UnwrapTraits<IPC::Message> >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, base::internal::TypeList<IPC::ChannelProxy::Context* const&, IPC::Message const&> >, void ()>::Run(base::internal::BindStateBase*) () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/bind_internal.h:350
#33 0xb51b03f3 in base::Callback<void ()>::Run() const () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/callback.h:394
#34 base::debug::TaskAnnotator::RunTask () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/debug/task_annotator.cc:51
#35 0xb65b826f in scheduler::TaskQueueManager::ProcessTaskFromWorkQueue () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/components/scheduler/base/task_queue_manager.cc:264
#36 0xb65b8cde in scheduler::TaskQueueManager::DoWork () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/components/scheduler/base/task_queue_manager.cc:180
#37 0xb65b5e8f in base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>::Run () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/bind_internal.h:178
#38 base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, base::internal::TypeList<base::WeakPtr<scheduler::TaskQueueManager> const&, base::TimeTicks const&, bool const&> >::MakeItSo () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/bind_internal.h:307
#39 base::internal::Invoker<base::IndexSequence<0u, 1u, 2u>, base::internal::BindState<base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, void (scheduler::TaskQueueManager*, base::TimeTicks, bool), base::WeakPtr<scheduler::TaskQueueManager>, base::TimeTicks, bool>, base::internal::TypeList<base::internal::UnwrapTraits<base::WeakPtr<scheduler::TaskQueueManager> >, base::internal::UnwrapTraits<base::TimeTicks>, base::internal::UnwrapTraits<bool> >, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, base::internal::TypeList<base::WeakPtr<scheduler::TaskQueueManager> const&, base::TimeTicks const&, bool const&> >, void ()>::Run(base::internal::BindStateBase*) () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/bind_internal.h:350
#40 0xb51b03f3 in base::Callback<void ()>::Run() const () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/callback.h:394
#41 base::debug::TaskAnnotator::RunTask () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/debug/task_annotator.cc:51
#42 0xb514e691 in base::MessageLoop::RunTask () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/message_loop/message_loop.cc:486
#43 0xb514f354 in base::MessageLoop::DeferOrRunPendingTask () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/message_loop/message_loop.cc:495
#44 0xb5150858 in base::MessageLoop::DoDelayedWork () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/message_loop/message_loop.cc:645
#45 0xb515196c in base::MessagePumpDefault::Run () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/message_loop/message_pump_default.cc:37
#46 0xb514def0 in base::MessageLoop::RunHandler () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/message_loop/message_loop.cc:450
#47 0xb5166888 in base::RunLoop::Run () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/run_loop.cc:56
#48 0xb514d841 in base::MessageLoop::Run () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/message_loop/message_loop.cc:293
#49 0xb4e84534 in content::RendererMain () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/renderer/renderer_main.cc:235
#50 0xb4263ebd in content::RunZygote () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/app/content_main_runner.cc:308
#51 0xb42643bf in content::ContentMainRunnerImpl::Run () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/app/content_main_runner.cc:801
#52 0xb42637e0 in content::ContentMain () at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/app/content_main.cc:19
#53 0xb3b68245 in QtWebEngine::processMain (argc=3, argv=0xbfffefa4) at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/core/process_main.cpp:67
#54 0x80000775 in main (argc=<optimized out>, argv=0xbfffefa4) at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/process/main.cpp:166
(In reply to Kevin Kofler from comment #3)
> So I got 3 backtraces by installing the Rawhide ISO to a virtual HDD,
> installing qt5-qtwebengine-debuginfo there, then attaching gdb to the second
> zygote process, which shows up in ps ax as:
> 2497 pts/1 S 0:00 /usr/lib/qt5/libexec/QtWebEngineProcess --type=zyg
> (There was also 2495 that looked the same, but was not interesting.)
> and running:
> (gdb) set follow-fork-mode child
> (gdb) c
>
> The first one I got is a SIGSYS on sched_getparam, probably not what is
> causing the bug, but I am still posting it in case it is of interest:

Does Chromium have a SIGSYS handler? The sandbox may not be prepared for glibc and QtWebkit using these system calls.

> But after yet another continue, I finally get the illegal instruction:
>
> Thread 2.1 "QtWebEngineProc" received signal SIGILL, Illegal instruction.
> [Switching to Thread 0xae5fdb40 (LWP 2867)]
> WTF::discardSystemPages ()
> at
> /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/
> third_party/WebKit/Source/wtf/PageAllocator.cpp:244
> 244 decommitSystemPages(addr, len);
> (gdb) bt

What's the disassembly at this point?
I had the same idea as you of looking at the disassembly:

(gdb) disas $pc-10,$pc+10
Dump of assembler code from 0xb4d10e1e to 0xb4d10e32:
   0xb4d10e1e <WTF::discardSystemPages(void*, unsigned int)+46>:	jne    0xb4d10e28 <WTF::discardSystemPages(void*, unsigned int)+56>
   0xb4d10e20 <WTF::discardSystemPages(void*, unsigned int)+48>:	lea    0x18(%esp),%esp
   0xb4d10e24 <WTF::discardSystemPages(void*, unsigned int)+52>:	pop    %ebx
   0xb4d10e25 <WTF::discardSystemPages(void*, unsigned int)+53>:	ret
   0xb4d10e26 <WTF::discardSystemPages(void*, unsigned int)+54>:	xchg   %ax,%ax
=> 0xb4d10e28 <WTF::discardSystemPages(void*, unsigned int)+56>:	ud2
   0xb4d10e2a:	lea    0x0(%esi),%esi
   0xb4d10e30 <_ZN3WTF19decommitSystemPagesEPvj+0>:	jmp    0xb4d10df0 <WTF::discardSystemPages(void*, unsigned int)>
End of assembler dump.
I think it's this assertion that is failing: http://code.qt.io/cgit/qt/qtwebengine-chromium.git/tree/chromium/third_party/WebKit/Source/wtf/PageAllocator.cpp?h=49-based#n243
No, it must actually be a RELEASE_ASSERT that is failing. It is this one from decommitSystemPages: http://code.qt.io/cgit/qt/qtwebengine-chromium.git/tree/chromium/third_party/WebKit/Source/wtf/PageAllocator.cpp?h=49-based#n225 that is being inlined. madvise is returning a non-zero error code.
Proof: Here is the full disassembly of WTF::discardSystemPages up to the offending point:

(gdb) disas $pc-56,$pc+10
Dump of assembler code from 0xb4d10df0 to 0xb4d10e32:
   0xb4d10df0 <WTF::discardSystemPages(void*, unsigned int)+0>:	push   %ebx
   0xb4d10df1 <WTF::discardSystemPages(void*, unsigned int)+1>:	call   0xb3b2f450 <__x86.get_pc_thunk.bx>
   0xb4d10df6 <WTF::discardSystemPages(void*, unsigned int)+6>:	add    $0x31e9eb6,%ebx
   0xb4d10dfc <WTF::discardSystemPages(void*, unsigned int)+12>:	lea    -0x18(%esp),%esp
   0xb4d10e00 <WTF::discardSystemPages(void*, unsigned int)+16>:	mov    0x24(%esp),%eax
   0xb4d10e04 <WTF::discardSystemPages(void*, unsigned int)+20>:	movl   $0x8,0x8(%esp)
   0xb4d10e0c <WTF::discardSystemPages(void*, unsigned int)+28>:	mov    %eax,0x4(%esp)
   0xb4d10e10 <WTF::discardSystemPages(void*, unsigned int)+32>:	mov    0x20(%esp),%eax
   0xb4d10e14 <WTF::discardSystemPages(void*, unsigned int)+36>:	mov    %eax,(%esp)
   0xb4d10e17 <WTF::discardSystemPages(void*, unsigned int)+39>:	call   0xb3b1d8f0 <madvise@plt>
   0xb4d10e1c <WTF::discardSystemPages(void*, unsigned int)+44>:	test   %eax,%eax
   0xb4d10e1e <WTF::discardSystemPages(void*, unsigned int)+46>:	jne    0xb4d10e28 <WTF::discardSystemPages(void*, unsigned int)+56>
   0xb4d10e20 <WTF::discardSystemPages(void*, unsigned int)+48>:	lea    0x18(%esp),%esp
   0xb4d10e24 <WTF::discardSystemPages(void*, unsigned int)+52>:	pop    %ebx
   0xb4d10e25 <WTF::discardSystemPages(void*, unsigned int)+53>:	ret
   0xb4d10e26 <WTF::discardSystemPages(void*, unsigned int)+54>:	xchg   %ax,%ax
=> 0xb4d10e28 <WTF::discardSystemPages(void*, unsigned int)+56>:	ud2
   0xb4d10e2a:	lea    0x0(%esi),%esi
   0xb4d10e30 <_ZN3WTF19decommitSystemPagesEPvj+0>:	jmp    0xb4d10df0 <WTF::discardSystemPages(void*, unsigned int)>
End of assembler dump.

As you can see, it calls madvise, tests its return value, and if it is non-zero, jumps to the ud2. So that's the RELEASE_ASSERT at line 225.
Hmm. What's the contents of errno? I really doubt this is a glibc bug. It's more likely the sandbox is making incorrect assumptions about how other libraries behave.
Also be warned that where it says "MADV_FREE", it's actually using "MADV_DONTNEED", not "MADV_FREE": http://code.qt.io/cgit/qt/qtwebengine-chromium.git/tree/chromium/third_party/WebKit/Source/wtf/PageAllocator.cpp?h=49-based#n42
errno is 1.
(In reply to Kevin Kofler from comment #11) > errno is 1. #define EPERM 1 /* Operation not permitted */ This doesn't look something like the kernel implementation of madvise would return for MADV_DONTNEED. Is this code running under the sandbox?
Yes, I think so. This looks more and more like an error deep in Chromium code (and in code that is already gone from Google's master, there's no PageAllocator.cpp there anymore, grrr).
OK, so actually, looking at it, it seems the hack to redefine MADV_FREE to MADV_DONTNEED is not in our package yet (see also the assembly that passes $8, not $4), and so we fail this check in the sandboxing code: http://code.qt.io/cgit/qt/qtwebengine-chromium.git/tree/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc?h=49-based#n172 Backporting this: http://code.qt.io/cgit/qt/qtwebengine-chromium.git/commit/?h=49-based&id=b12ffcd411d4776f7120ccecb3be34344d930d2b should fix it. I am going to do it ASAP. The only reason the glibc version matters at all is that only recent versions of glibc contain this commit: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=981569c74cbb6bafa2ddcefa6dd9dbdc938ff1c8 that actually defines MADV_FREE. Before this commit, we always got MADV_DONTNEED that passes the sandbox.
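The mechanism described in the comments above (the seccomp-bpf baseline policy allowing madvise only with MADV_DONTNEED, the RELEASE_ASSERT in decommitSystemPages turning the resulting EPERM into a ud2, and the glibc 2.24 header change that made the real MADV_FREE value reach the filter) can be reproduced outside the browser with a few dozen lines of C. The block below is an added example and is not code from this bug report, from Chromium, QtWebEngine or glibc; the function names install_madvise_policy and decommit_with_advice are mine, and the filter is a simplified reconstruction of the one madvise rule in the linked baseline_policy.cc, not Chromium's own policy. It installs that rule in the current process, then calls madvise() with advice 8 (MADV_FREE, the value the $0x8 in the disassembly above is passing) and with advice 4 (MADV_DONTNEED, what the backported #define turns it into) and reports errno instead of asserting.

```c
/* Added example: a seccomp-bpf filter modelled on the madvise rule in
 * Chromium's Linux baseline policy.  Only madvise(..., MADV_DONTNEED) is
 * allowed; every other advice value fails with EPERM, which is the errno
 * (1) seen in the debugger.  Reconstruction for illustration, not the
 * project's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef MADV_FREE
#define MADV_FREE 8   /* the Linux value; glibc < 2.24 headers did not define it */
#endif

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install the filter for the calling process (it is inherited by every
 * thread and child created afterwards).  Returns 0 on success, else errno. */
int install_madvise_policy(void)
{
    struct sock_filter filter[] = {
        /* Check the ABI first: syscall numbers differ between ABIs, so a
         * filter that skips this can be bypassed by switching ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Any syscall other than madvise is allowed through untouched. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_madvise, 0, 3),
        /* madvise: look at the advice argument (low 32 bits of args[2] on
         * the little-endian ABIs handled above). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, MADV_DONTNEED, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* An unprivileged process may only install a filter after NO_NEW_PRIVS. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return errno;
    return 0;
}

/* Stand-in for Blink's decommitSystemPages(): map anonymous memory, touch
 * it, then give it back with the requested advice.  Returns 0 when madvise
 * succeeded, otherwise the errno it produced.  Blink instead RELEASE_ASSERTs
 * on a non-zero return, which is the ud2 in the disassembly. */
int decommit_with_advice(int advice)
{
    size_t len = 4 * (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    memset(p, 0xAA, len);
    int err = (madvise(p, len, advice) == 0) ? 0 : errno;
    munmap(p, len);
    return err;
}

int main(void)
{
    int rc = install_madvise_policy();
    if (rc != 0) {
        fprintf(stderr, "seccomp install failed: %s\n", strerror(rc));
        return 1;
    }
    /* Unpatched build against glibc 2.24 headers: advice 8 hits the rule. */
    printf("MADV_FREE     -> %s\n", strerror(decommit_with_advice(MADV_FREE)));
    /* With MADV_FREE redefined to MADV_DONTNEED (the backported fix): OK. */
    printf("MADV_DONTNEED -> %s\n", strerror(decommit_with_advice(MADV_DONTNEED)));
    return 0;
}
```

Running it under strace -e madvise is the quick check that separates a sandbox rejection from a kernel one: a filter verdict shows up as `madvise(..., MADV_FREE) = -1 EPERM` even though the mapping is perfectly valid, whereas the kernel's own madvise never returns EPERM for MADV_DONTNEED or MADV_FREE on a private anonymous mapping. The same distinction is why the comment above is right to doubt a glibc bug: the only thing glibc changed was which constant the header handed to the call.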
I am building new qt5-qtwebengine packages for Rawhide and then F25 which should fix this. Florian, thanks for your help debugging this.
(For the record, I verified (but forgot to post) that glibc 2.24 is really the first release that defines MADV_FREE in its headers, glibc 2.23 did not define it. So the breakage only happened when building against glibc 2.24. It should be fixed in qt5-qtwebengine-5.7.0-6 no matter what glibc is used.)
qt5-qtwebengine-5.7.0-6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-bb971cbd03
Proposed as a Freeze Exception for 25-alpha by Fedora user lupinix using the blocker tracking app because: QupZilla, a component shipped by KDE Spin, does not work due to a bug in qt5-qtwebengine in combination with glibc 2.24. A fix already exists and has been submitted as a testing update.
qt5-qtwebengine-5.7.0-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-bb971cbd03
Discussed during the 2016-08-15 blocker review meeting: [1] The decision to classify this bug as an accepted Alpha Freeze Exception was made due to the fact that the fix cannot be made with just an update. Also, the fix does not touch glibc, so the possibility for negative impact is minute. [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-08-15/f25-blocker-review.2016-08-15-16.00.txt
*** Bug 1361442 has been marked as a duplicate of this bug. ***
Confirmed both the bug and the fix here. Thanks.
qt5-qtwebengine-5.7.0-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.