Bug 1364781 - QtWebEngine 5.7.0 breaks when built against glibc 2.24 (2.23.90) which defines MADV_FREE
Summary: QtWebEngine 5.7.0 breaks when built against glibc 2.24 (2.23.90) which define...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: qt5-qtwebengine
Version: rawhide
Hardware: All
OS: Linux
Priority: high
Severity: urgent
Target Milestone: ---
Assignee: Kevin Kofler
QA Contact: Fedora Extras Quality Assurance
URL: https://www.mail-archive.com/openembe...
Whiteboard: AcceptedFreezeException
Duplicates: 1361442
Depends On:
Blocks: F25AlphaFreezeException
Reported: 2016-08-07 11:41 UTC by Kevin Kofler
Modified: 2016-08-17 03:17 UTC (History)

Fixed In Version: qt5-qtwebengine-5.7.0-6.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-17 03:17:42 UTC
Type: Bug
Embargoed:




Links
System: Red Hat Bugzilla
ID: 1366894
Private: 0
Priority: urgent
Status: CLOSED
Summary: Chromium breaks when built against glibc 2.24 (2.23.90) which defines MADV_FREE
Last Updated: 2021-02-22 00:41:40 UTC

Internal Links: 1366894

Description Kevin Kofler 2016-08-07 11:41:34 UTC
Description of problem:
Both QtWebEngine/QupZilla and Chromium crash in Rawhide with a backtrace such as:
Received signal 4 ILL_ILLOPN 7f58262eac90
#0 0x7f58266a864e <unknown>
#1 0x7f58266a8a29 <unknown>
#2 0x7f5823235540 <unknown>
#3 0x7f58262eac90 <unknown>
#4 0x7f582705dfb0 <unknown>
#5 0x7f582705e3a1 <unknown>
#6 0x7f582705cdac <unknown>
#7 0x7f582705d40c <unknown>
#8 0x7f582777d50a <unknown>
#9 0x7f5825e0830e <unknown>
#10 0x7f5825dddcff <unknown>
#11 0x7f5827794639 <unknown>
#12 0x7f5825da7fa2 <unknown>
#13 0x7f582640c052 <unknown>
#14 0x7f5826427ccf <unknown>
#15 0x7f582642cb41 <unknown>
#16 0x7f582641e2ed <unknown>
#17 0x7f58256fbf80 <unknown>
#18 0x7f582635dd24 <unknown>
#19 0x7f582671d1d9 <unknown>
#20 0x7f5826d634c9 <unknown>
#21 0x7f5826d63d2c <unknown>
#22 0x7f582671d1d9 <unknown>
#23 0x7f58266c6358 <unknown>
#24 0x7f58266c6fc9 <unknown>
#25 0x7f58266c7492 <unknown>
#26 0x7f58266c94b9 <unknown>
#27 0x7f58266db754 <unknown>
#28 0x7f58266c56e5 <unknown>
#29 0x7f5826441ec0 <unknown>
#30 0x7f582594637e <unknown>
#31 0x7f5825946849 <unknown>
#32 0x7f5825945de9 <unknown>
#33 0x7f5824e05fe4 QtWebEngine::processMain()
#34 0x5645bd5a9943 <unknown>
#35 0x7f58225d6401 __libc_start_main
#36 0x5645bd5a999a <unknown>
  r8: 0000000000000000  r9: 0000000000000000 r10: 00005645bdfa4470 r11: 0000000000000202
 r12: 00005645bdfa4470 r13: 0000000000020000 r14: 00005645bdfa3720 r15: 00007ffd74e32310
  di: 00002afeca261000  si: 000000000001e000  bp: 00005645bdf3d370  bx: 00005645bdfa4478
  dx: 0000000000000008  ax: ffffffffffffffff  cx: ffffffffffffff60  sp: 00007ffd74e32180
  ip: 00007f58262eac90 efl: 0000000000010286 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000006 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]

The OpenEmbedded folks:
https://www.mail-archive.com/openembedded-core@lists.openembedded.org/msg82915.html
pinpointed glibc 2.24 as the apparent cause for this issue.

Version-Release number of selected component (if applicable):
glibc-2.23.90-30.fc26

How reproducible:
Always

Steps to Reproduce:
1. Boot a Rawhide KDE Live image.
2. sudo setenforce 0 to work around bug #1363914
3. sudo chmod a+w /dev/shm to work around a live image issue yet to be reported
4. Try starting qupzilla.

Actual results:
Received signal 4 ILL_ILLOPN 7f58262eac90
…
(see Description)

Expected results:
No crash.

Comment 1 Kevin Kofler 2016-08-07 11:47:34 UTC
(Actually, the /dev/shm issue from step 3 is already filed, it is bug #1347436. Once you work around bug #1363914 and bug #1347436, you run into this one, which is the worst because it does not have a simple workaround.)

Comment 2 Florian Weimer 2016-08-07 19:23:45 UTC
I can reproduce this with glibc-2.23.90-30.fc25 and qupzilla-2.0.1-1.fc25.

We need a better backtrace or a coredump.  I don't know how to get that; for me, the Chromium sandbox is pretty effective anti-debugging technology.

Comment 3 Kevin Kofler 2016-08-13 21:22:00 UTC
So I got 3 backtraces by installing the Rawhide ISO to a virtual HDD, installing qt5-qtwebengine-debuginfo there, then attaching gdb to the second zygote process, which shows up in ps ax as:
 2497 pts/1    S      0:00 /usr/lib/qt5/libexec/QtWebEngineProcess --type=zyg
(There was also 2495 that looked the same, but was not interesting.)
and running:
(gdb) set follow-fork-mode child
(gdb) c

The first one I got is a SIGSYS on sched_getparam, probably not what is causing the bug, but I am still posting it in case it is of interest:

Thread 2.3 "QtWebEngineProc" received signal SIGSYS, Bad system call.
[Switching to Thread 0xad1ffb40 (LWP 2869)]
0xb7fd7d49 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fd7d49 in __kernel_vsyscall ()
#1  0xb22370a6 in sched_getparam () from /lib/libc.so.6
#2  0xb2536a42 in pthread_getschedparam () from /lib/libpthread.so.0
#3  0xb517da9e in base::internal::GetCurrentThreadPriorityForPlatform ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_linux.cc:66
#4  0xb517db1f in base::internal::SetCurrentThreadPriorityForPlatform ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_linux.cc:47
#5  0xb517e0ed in base::PlatformThread::SetCurrentThreadPriority ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_posix.cc:217
#6  0xb517e14e in ThreadFunc ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_posix.cc:60
#7  0xb25354ee in start_thread () from /lib/libpthread.so.0
#8  0xb2257f9e in clone () from /lib/libc.so.6

After a continue, I get yet another SIGSYS, again, just in case it is of interest:

Thread 2.3 "QtWebEngineProc" received signal SIGSYS, Bad system call.
0xb7fd7d49 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fd7d49 in __kernel_vsyscall ()
#1  0xb2237102 in sched_getscheduler () from /lib/libc.so.6
#2  0xb2536a1b in pthread_getschedparam () from /lib/libpthread.so.0
#3  0xb517da9e in base::internal::GetCurrentThreadPriorityForPlatform ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_linux.cc:66
#4  0xb517db1f in base::internal::SetCurrentThreadPriorityForPlatform ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_linux.cc:47
#5  0xb517e0ed in base::PlatformThread::SetCurrentThreadPriority ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_posix.cc:217
#6  0xb517e14e in ThreadFunc ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/threading/platform_thread_posix.cc:60
#7  0xb25354ee in start_thread () from /lib/libpthread.so.0
#8  0xb2257f9e in clone () from /lib/libc.so.6

But after yet another continue, I finally get the illegal instruction:

Thread 2.1 "QtWebEngineProc" received signal SIGILL, Illegal instruction.
[Switching to Thread 0xae5fdb40 (LWP 2867)]
WTF::discardSystemPages ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/wtf/PageAllocator.cpp:244
244         decommitSystemPages(addr, len);
(gdb) bt
#0  WTF::discardSystemPages ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/wtf/PageAllocator.cpp:244
#1  0xb5b28f46 in blink::MemoryRegion::decommit ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/PageMemory.cpp:26
#2  0xb5b29393 in blink::PageMemory::decommit ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/PageMemory.h:179
#3  blink::FreePagePool::addFreePage ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/PagePool.cpp:31
#4  0xb5b27c35 in blink::NormalPageHeap::allocatePage ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/HeapPage.cpp:445
#5  0xb5b282f1 in blink::NormalPageHeap::outOfLineAllocate ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/HeapPage.cpp:744
#6  0xb62e4480 in blink::NormalPageHeap::allocateObject ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/HeapPage.h:878
#7  blink::Heap::allocateOnHeapIndex ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/Heap.h:443
#8  blink::Heap::allocate<blink::FetchContext> ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/Heap.h:450
#9  blink::GarbageCollected<blink::FetchContext>::allocateObject ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/Heap.h:348
#10 blink::GarbageCollected<blink::FetchContext>::operator new ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/platform/heap/Heap.h:343
#11 blink::FrameFetchContext::createContextAndFetcher ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/core/loader/FrameFetchContext.h:56
#12 blink::DocumentLoader::DocumentLoader ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/core/loader/DocumentLoader.cpp:101
#13 0xb47abf05 in blink::WebDataSourceImpl::WebDataSourceImpl ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/web/WebDataSourceImpl.cpp:134
#14 blink::WebDataSourceImpl::create ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/web/WebDataSourceImpl.cpp:42
#15 0xb477e86b in blink::FrameLoaderClientImpl::createDocumentLoader ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/web/FrameLoaderClientImpl.cpp:711
#16 0xb62fd0cb in blink::FrameLoader::init ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/core/loader/FrameLoader.cpp:198
#17 0xb4743161 in blink::LocalFrame::init ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h:244
#18 blink::WebLocalFrameImpl::initializeCoreFrame ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/web/WebLocalFrameImpl.cpp:1793
#19 0xb4754210 in blink::WebViewImpl::setMainFrame ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/third_party/WebKit/Source/web/WebViewImpl.cpp:432
#20 0xb4e47ab3 in content::RenderFrameImpl::CreateMainFrame ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/renderer/render_frame_impl.cc:750
#21 0xb4e66b17 in content::RenderViewImpl::Initialize ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/renderer/render_view_impl.cc:683
#22 0xb4e6c088 in content::RenderViewImpl::Create ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/renderer/render_view_impl.cc:1133
#23 0xb4e51afb in content::RenderThreadImpl::OnCreateNewView ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/renderer/render_thread_impl.cc:1800
#24 0xb4e5bcbd in base::DispatchToMethodImpl<content::RenderThreadImpl, void (content::RenderThreadImpl::*)(ViewMsg_New_Params const&), ViewMsg_New_Params, 0u> ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/tuple.h:252
#25 base::DispatchToMethod<content::RenderThreadImpl, void (content::RenderThreadImpl::*)(ViewMsg_New_Params const&), ViewMsg_New_Params> ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/tuple.h:259
#26 ViewMsg_New::Dispatch<content::RenderThreadImpl, content::RenderThreadImpl, void, void (content::RenderThreadImpl::*)(ViewMsg_New_Params const&)> ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/common/view_messages.h:621
#27 content::RenderThreadImpl::OnControlMessageReceived ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/renderer/render_thread_impl.cc:1739
#28 0xb3fc6cd5 in content::ChildThreadImpl::OnMessageReceived ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/child/child_thread_impl.cc:635
#29 0xb4d93583 in IPC::ChannelProxy::Context::OnDispatchMessage ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/ipc/ipc_channel_proxy.cc:293
#30 0xb4d92f03 in base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>::Run ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/bind_internal.h:178
#31 base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, base::internal::TypeList<IPC::ChannelProxy::Context* const&, IPC::Message const&> >::MakeItSo ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/bind_internal.h:297
#32 base::internal::Invoker<base::IndexSequence<0u, 1u>, base::internal::BindState<base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, void (IPC::ChannelProxy::Context*, IPC::Message const&), IPC::ChannelProxy::Context*, IPC::Message>, base::internal::TypeList<base::internal::UnwrapTraits<IPC::ChannelProxy::Context*>, base::internal::UnwrapTraits<IPC::Message> >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, base::internal::TypeList<IPC::ChannelProxy::Context* const&, IPC::Message const&> >, void ()>::Run(base::internal::BindStateBase*) ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/bind_internal.h:350
#33 0xb51b03f3 in base::Callback<void ()>::Run() const ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/callback.h:394
#34 base::debug::TaskAnnotator::RunTask ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/debug/task_annotator.cc:51
#35 0xb65b826f in scheduler::TaskQueueManager::ProcessTaskFromWorkQueue ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/components/scheduler/base/task_queue_manager.cc:264
#36 0xb65b8cde in scheduler::TaskQueueManager::DoWork ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/components/scheduler/base/task_queue_manager.cc:180
#37 0xb65b5e8f in base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>::Run ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/bind_internal.h:178
#38 base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, base::internal::TypeList<base::WeakPtr<scheduler::TaskQueueManager> const&, base::TimeTicks const&, bool const&> >::MakeItSo ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/bind_internal.h:307
#39 base::internal::Invoker<base::IndexSequence<0u, 1u, 2u>, base::internal::BindState<base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, void (scheduler::TaskQueueManager*, base::TimeTicks, bool), base::WeakPtr<scheduler::TaskQueueManager>, base::TimeTicks, bool>, base::internal::TypeList<base::internal::UnwrapTraits<base::WeakPtr<scheduler::TaskQueueManager> >, base::internal::UnwrapTraits<base::TimeTicks>, base::internal::UnwrapTraits<bool> >, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, base::internal::TypeList<base::WeakPtr<scheduler::TaskQueueManager> const&, base::TimeTicks const&, bool const&> >, void ()>::Run(base::internal::BindStateBase*) ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/bind_internal.h:350
#40 0xb51b03f3 in base::Callback<void ()>::Run() const ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/callback.h:394
#41 base::debug::TaskAnnotator::RunTask ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/debug/task_annotator.cc:51
#42 0xb514e691 in base::MessageLoop::RunTask ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/message_loop/message_loop.cc:486
#43 0xb514f354 in base::MessageLoop::DeferOrRunPendingTask ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/message_loop/message_loop.cc:495
#44 0xb5150858 in base::MessageLoop::DoDelayedWork ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/message_loop/message_loop.cc:645
#45 0xb515196c in base::MessagePumpDefault::Run ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/message_loop/message_pump_default.cc:37
#46 0xb514def0 in base::MessageLoop::RunHandler ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/message_loop/message_loop.cc:450
#47 0xb5166888 in base::RunLoop::Run ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/run_loop.cc:56
#48 0xb514d841 in base::MessageLoop::Run ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/base/message_loop/message_loop.cc:293
#49 0xb4e84534 in content::RendererMain ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/renderer/renderer_main.cc:235
#50 0xb4263ebd in content::RunZygote ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/app/content_main_runner.cc:308
#51 0xb42643bf in content::ContentMainRunnerImpl::Run ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/app/content_main_runner.cc:801
#52 0xb42637e0 in content::ContentMain ()
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/content/app/content_main.cc:19
#53 0xb3b68245 in QtWebEngine::processMain (argc=3, argv=0xbfffefa4)
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/core/process_main.cpp:67
#54 0x80000775 in main (argc=<optimized out>, argv=0xbfffefa4)
    at /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/process/main.cpp:166

Comment 4 Florian Weimer 2016-08-13 21:25:57 UTC
(In reply to Kevin Kofler from comment #3)
> So I got 3 backtraces by installing the Rawhide ISO to a virtual HDD,
> installing qt5-qtwebengine-debuginfo there, then attaching gdb to the second
> zygote process, which shows up in ps ax as:
>  2497 pts/1    S      0:00 /usr/lib/qt5/libexec/QtWebEngineProcess --type=zyg
> (There was also 2495 that looked the same, but was not interesting.)
> and running:
> (gdb) set follow-fork-mode child
> (gdb) c
> 
> The first one I got is a SIGSYS on sched_getparam, probably not what is
> causing the bug, but I am still posting it in case it is of interest:

Does Chromium have a SIGSYS handler?  The sandbox may not be prepared for glibc and QtWebkit using these system calls.

> But after yet another continue, I finally get the illegal instruction:
> 
> Thread 2.1 "QtWebEngineProc" received signal SIGILL, Illegal instruction.
> [Switching to Thread 0xae5fdb40 (LWP 2867)]
> WTF::discardSystemPages ()
>     at
> /usr/src/debug/qtwebengine-opensource-src-5.7.0/src/3rdparty/chromium/
> third_party/WebKit/Source/wtf/PageAllocator.cpp:244
> 244         decommitSystemPages(addr, len);
> (gdb) bt

What's the disassembly at this point?

Comment 5 Kevin Kofler 2016-08-13 21:28:20 UTC
I had the same idea as you of looking at the disassembly:

(gdb) disas $pc-10,$pc+10
Dump of assembler code from 0xb4d10e1e to 0xb4d10e32:
   0xb4d10e1e <WTF::discardSystemPages(void*, unsigned int)+46>:        jne    0xb4d10e28 <WTF::discardSystemPages(void*, unsigned int)+56>
   0xb4d10e20 <WTF::discardSystemPages(void*, unsigned int)+48>:        lea    0x18(%esp),%esp
   0xb4d10e24 <WTF::discardSystemPages(void*, unsigned int)+52>:        pop    %ebx
   0xb4d10e25 <WTF::discardSystemPages(void*, unsigned int)+53>:        ret    
   0xb4d10e26 <WTF::discardSystemPages(void*, unsigned int)+54>:        xchg   %ax,%ax
=> 0xb4d10e28 <WTF::discardSystemPages(void*, unsigned int)+56>:        ud2    
   0xb4d10e2a:  lea    0x0(%esi),%esi
   0xb4d10e30 <_ZN3WTF19decommitSystemPagesEPvj+0>:     jmp    0xb4d10df0 <WTF::discardSystemPages(void*, unsigned int)>
End of assembler dump.

Comment 7 Kevin Kofler 2016-08-13 21:35:55 UTC
No, it must actually be a RELEASE_ASSERT that is failing. It is this one from decommitSystemPages:
http://code.qt.io/cgit/qt/qtwebengine-chromium.git/tree/chromium/third_party/WebKit/Source/wtf/PageAllocator.cpp?h=49-based#n225
that is being inlined. madvise is returning a non-zero error code.

Comment 8 Kevin Kofler 2016-08-13 21:38:02 UTC
Proof: Here is the full disassembly of WTF::discardSystemPages up to the offending point:
(gdb) disas $pc-56,$pc+10
Dump of assembler code from 0xb4d10df0 to 0xb4d10e32:
   0xb4d10df0 <WTF::discardSystemPages(void*, unsigned int)+0>: push   %ebx
   0xb4d10df1 <WTF::discardSystemPages(void*, unsigned int)+1>: call   0xb3b2f450 <__x86.get_pc_thunk.bx>
   0xb4d10df6 <WTF::discardSystemPages(void*, unsigned int)+6>: add    $0x31e9eb6,%ebx
   0xb4d10dfc <WTF::discardSystemPages(void*, unsigned int)+12>:        lea    -0x18(%esp),%esp
   0xb4d10e00 <WTF::discardSystemPages(void*, unsigned int)+16>:        mov    0x24(%esp),%eax
   0xb4d10e04 <WTF::discardSystemPages(void*, unsigned int)+20>:        movl   $0x8,0x8(%esp)
   0xb4d10e0c <WTF::discardSystemPages(void*, unsigned int)+28>:        mov    %eax,0x4(%esp)
   0xb4d10e10 <WTF::discardSystemPages(void*, unsigned int)+32>:        mov    0x20(%esp),%eax
   0xb4d10e14 <WTF::discardSystemPages(void*, unsigned int)+36>:        mov    %eax,(%esp)
   0xb4d10e17 <WTF::discardSystemPages(void*, unsigned int)+39>:        call   0xb3b1d8f0 <madvise@plt>
   0xb4d10e1c <WTF::discardSystemPages(void*, unsigned int)+44>:        test   %eax,%eax
   0xb4d10e1e <WTF::discardSystemPages(void*, unsigned int)+46>:        jne    0xb4d10e28 <WTF::discardSystemPages(void*, unsigned int)+56>
   0xb4d10e20 <WTF::discardSystemPages(void*, unsigned int)+48>:        lea    0x18(%esp),%esp
   0xb4d10e24 <WTF::discardSystemPages(void*, unsigned int)+52>:        pop    %ebx
   0xb4d10e25 <WTF::discardSystemPages(void*, unsigned int)+53>:        ret    
   0xb4d10e26 <WTF::discardSystemPages(void*, unsigned int)+54>:        xchg   %ax,%ax
=> 0xb4d10e28 <WTF::discardSystemPages(void*, unsigned int)+56>:        ud2    
   0xb4d10e2a:  lea    0x0(%esi),%esi
   0xb4d10e30 <_ZN3WTF19decommitSystemPagesEPvj+0>:     jmp    0xb4d10df0 <WTF::discardSystemPages(void*, unsigned int)>
End of assembler dump.

As you can see, it calls madvise, tests its return value, and if it is non-zero, jumps to the ud2. So that's the RELEASE_ASSERT at line 225.

Comment 9 Florian Weimer 2016-08-13 21:40:28 UTC
Hmm.  What's the contents of errno?

I really doubt this is a glibc bug.  It's more likely the sandbox is making incorrect assumptions about how other libraries behave.

Comment 10 Kevin Kofler 2016-08-13 21:47:28 UTC
Also be warned that where it says "MADV_FREE", it's actually using "MADV_DONTNEED", not "MADV_FREE":
http://code.qt.io/cgit/qt/qtwebengine-chromium.git/tree/chromium/third_party/WebKit/Source/wtf/PageAllocator.cpp?h=49-based#n42

Comment 11 Kevin Kofler 2016-08-13 21:48:42 UTC
errno is 1.

Comment 12 Florian Weimer 2016-08-13 21:54:42 UTC
(In reply to Kevin Kofler from comment #11)
> errno is 1.

#define   EPERM            1      /* Operation not permitted */

This doesn't look like something the kernel implementation of madvise would return for MADV_DONTNEED.

Is this code running under the sandbox?

Comment 13 Kevin Kofler 2016-08-13 22:02:22 UTC
Yes, I think so. This looks more and more like an error deep in Chromium code (and in code that is already gone from Google's master, there's no PageAllocator.cpp there anymore, grrr).

Comment 14 Kevin Kofler 2016-08-13 22:23:57 UTC
OK, so actually, looking at it, it seems the hack to redefine MADV_FREE to MADV_DONTNEED is not in our package yet (see also the assembly that passes $8, not $4), and so we fail this check in the sandboxing code:
http://code.qt.io/cgit/qt/qtwebengine-chromium.git/tree/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc?h=49-based#n172

Backporting this:
http://code.qt.io/cgit/qt/qtwebengine-chromium.git/commit/?h=49-based&id=b12ffcd411d4776f7120ccecb3be34344d930d2b
should fix it. I am going to do it ASAP.

The only reason the glibc version matters at all is that only recent versions of glibc contain this commit:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=981569c74cbb6bafa2ddcefa6dd9dbdc938ff1c8
that actually defines MADV_FREE. Before this commit, we always got MADV_DONTNEED that passes the sandbox.
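Worked example of the failure mode described in this comment, added here as an illustration; it is not code from the bug report, from Chromium or from Qt. A hypothetical seccomp-bpf policy (modelled only on the shape of Chromium's baseline policy, not copied from it) allows madvise() solely with MADV_NORMAL, MADV_RANDOM and MADV_DONTNEED and answers any other advice value with EPERM from inside the filter. The probe then issues madvise() with MADV_DONTNEED (4) and with MADV_FREE (8, the value glibc 2.24 headers define and the "$0x8" in the disassembly above) and reports the errno the caller sees, which is the errno 1 observed in comment 11. Where Chromium wraps this in a RELEASE_ASSERT that compiles to ud2, the probe returns the errno instead so it can be inspected. The names install_madvise_policy, probe_madvise and run_demo are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* glibc before 2.24 does not define MADV_FREE; the Linux ABI value is 8,
   MADV_DONTNEED is 4. This fallback mirrors what a build against the older
   headers would otherwise lack. */
#ifndef MADV_FREE
#define MADV_FREE 8
#endif

/* A seccomp filter must refuse foreign syscall ABIs: pick our audit arch. */
#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Hypothetical policy (this example's own, not Chromium's): madvise() is
   allowed only with MADV_NORMAL, MADV_RANDOM or MADV_DONTNEED; any other
   advice value returns -1/EPERM to the caller without reaching the kernel.
   All other syscalls are allowed. Returns 0 on success, -1 if the filter
   could not be installed (no seccomp in this environment). */
int install_madvise_policy(void) {
    struct sock_filter filter[] = {
        /* 0-2: kill the process if the syscall ABI is not the compiled one */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 3-4: anything that is not madvise() -> allow (jump to index 10) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_madvise, 0, 5),
        /* 5-8: load the advice argument (low 32 bits of args[2] on a
           little-endian machine) and accept the whitelisted values */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                 offsetof(struct seccomp_data, args) + 2 * sizeof(__u64)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, MADV_DONTNEED, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, MADV_RANDOM, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, MADV_NORMAL, 1, 0),
        /* 9: any other advice, MADV_FREE included: fail with errno = EPERM */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 10: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Map one anonymous page and discard it with the given advice, the way the
   allocator's decommit path does. Returns 0 on success, otherwise the errno
   the caller observed (Chromium's RELEASE_ASSERT would trap here instead). */
int probe_madvise(int advice) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return errno;
    int rc = madvise(p, page, advice) == 0 ? 0 : errno;
    munmap(p, page);
    return rc;
}

/* Reproduce the thread's finding in one process. Returns 1 when, under the
   policy, MADV_DONTNEED succeeds and MADV_FREE fails with EPERM; 2 when the
   filter could not be installed (nothing to test against); 0 otherwise. */
int run_demo(void) {
    if (probe_madvise(MADV_DONTNEED) != 0) return 0;   /* sanity check, unsandboxed */
    if (install_madvise_policy() != 0) return 2;
    int dontneed = probe_madvise(MADV_DONTNEED);
    int free_adv = probe_madvise(MADV_FREE);
    printf("under policy: MADV_DONTNEED -> %d, MADV_FREE -> %d (EPERM = %d)\n",
           dontneed, free_adv, EPERM);
    return (dontneed == 0 && free_adv == EPERM) ? 1 : 0;
}

int main(void) {
    return run_demo() == 0 ? 1 : 0;
}
```

Build with `cc -o madv_demo madv_demo.c` and run it on Linux; with the policy in place the MADV_FREE probe reports errno 1 while MADV_DONTNEED still succeeds, which is exactly the split the disassembly and the errno value above show. The backported fix in this thread keeps the allocator on MADV_DONTNEED regardless of which advice values the glibc headers define, so the renderer never reaches the rejecting branch of the filter.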

Comment 15 Kevin Kofler 2016-08-13 22:41:41 UTC
I am building new qt5-qtwebengine packages for Rawhide and then F25 which should fix this. Florian, thanks for your help debugging this.

Comment 16 Kevin Kofler 2016-08-13 22:48:12 UTC
(For the record, I verified (but forgot to post) that glibc 2.24 is really the first release that defines MADV_FREE in its headers, glibc 2.23 did not define it. So the breakage only happened when building against glibc 2.24. It should be fixed in qt5-qtwebengine-5.7.0-6 no matter what glibc is used.)

Comment 17 Fedora Update System 2016-08-14 09:58:22 UTC
qt5-qtwebengine-5.7.0-6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-bb971cbd03

Comment 18 Fedora Blocker Bugs Application 2016-08-14 10:54:48 UTC
Proposed as a Freeze Exception for 25-alpha by Fedora user lupinix using the blocker tracking app because:

 QupZilla, a component shipped by KDE Spin, does not work due to a bug in qt5-qtwebengine in combination with glibc 2.24. A fix already exists and has been submitted as a testing update.

Comment 19 Fedora Update System 2016-08-15 18:27:21 UTC
qt5-qtwebengine-5.7.0-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-bb971cbd03

Comment 20 Geoffrey Marr 2016-08-15 19:24:28 UTC
Discussed during the 2016-08-15 blocker review meeting: [1]

The decision to classify this bug as an accepted Alpha Freeze Exception was made due to the fact that the fix cannot be made with just an update. Also, the fix does not touch glibc, so the possibility for negative impact is minute.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-08-15/f25-blocker-review.2016-08-15-16.00.txt

Comment 21 Kevin Kofler 2016-08-16 03:04:02 UTC
*** Bug 1361442 has been marked as a duplicate of this bug. ***

Comment 22 Adam Williamson 2016-08-16 18:22:27 UTC
Confirmed both the bug and the fix here. Thanks.

Comment 23 Fedora Update System 2016-08-17 03:17:35 UTC
qt5-qtwebengine-5.7.0-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

