Bug 1564970 - [abrt] evolution: Gigacage::<lambda()>::operator()(): evolution killed by SIGSEGV
Summary: [abrt] evolution: Gigacage::<lambda()>::operator()(): evolution killed by SIG...
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: webkitgtk4
Version: 27
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Tomas Popela
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:0abd6be6589e247bbfa57d755c4...
: 1565667 1569478 1570341 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-09 04:32 UTC by Yogesh Sharma
Modified: 2018-06-08 02:48 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-09 08:02:32 UTC
Type: ---


Attachments (Terms of Use)
File: backtrace (40.12 KB, text/plain)
2018-04-09 04:32 UTC, Yogesh Sharma
no flags Details
File: cgroup (289 bytes, text/plain)
2018-04-09 04:32 UTC, Yogesh Sharma
no flags Details
File: core_backtrace (5.21 KB, text/plain)
2018-04-09 04:32 UTC, Yogesh Sharma
no flags Details
File: cpuinfo (1.18 KB, text/plain)
2018-04-09 04:32 UTC, Yogesh Sharma
no flags Details
File: dso_list (13.89 KB, text/plain)
2018-04-09 04:32 UTC, Yogesh Sharma
no flags Details
File: environ (1.86 KB, text/plain)
2018-04-09 04:32 UTC, Yogesh Sharma
no flags Details
File: exploitable (82 bytes, text/plain)
2018-04-09 04:32 UTC, Yogesh Sharma
no flags Details
File: limits (1.29 KB, text/plain)
2018-04-09 04:32 UTC, Yogesh Sharma
no flags Details
File: maps (63.40 KB, text/plain)
2018-04-09 04:32 UTC, Yogesh Sharma
no flags Details
File: mountinfo (4.01 KB, text/plain)
2018-04-09 04:32 UTC, Yogesh Sharma
no flags Details
File: open_fds (184 bytes, text/plain)
2018-04-09 04:32 UTC, Yogesh Sharma
no flags Details
File: proc_pid_status (1.27 KB, text/plain)
2018-04-09 04:32 UTC, Yogesh Sharma
no flags Details
File: var_log_messages (167 bytes, text/plain)
2018-04-09 04:32 UTC, Yogesh Sharma
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1569478 0 unspecified CLOSED Emacs crashes when started with vm.overcommit_memory = 2 2021-02-22 00:41:40 UTC
WebKit Project 183329 0 None None None 2018-04-09 08:02:32 UTC

Internal Links: 1569478

Description Yogesh Sharma 2018-04-09 04:32:29 UTC
Version-Release number of selected component:
evolution-3.26.6-1.fc27

Additional info:
reporter:       libreport-2.9.3
backtrace_rating: 4
cmdline:        evolution
crash_function: Gigacage::<lambda()>::operator()
executable:     /usr/bin/evolution
journald_cursor: s=024aab46c7724ae2aed2f448d356d350;i=caf15;b=cc477aff3c894904b5424fa221edbc78;m=625f58f;t=56962c6198696;x=add61b6f1276d4a3
kernel:         4.15.14-300.fc27.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 Gigacage::<lambda()>::operator() at /usr/src/debug/webkitgtk4-2.20.0-1.fc27.x86_64/Source/bmalloc/bmalloc/Gigacage.cpp:154
 #1 std::__invoke_impl<void, Gigacage::ensureGigacage()::<lambda()> > at /usr/include/c++/7/bits/invoke.h:60
 #2 std::__invoke<Gigacage::ensureGigacage()::<lambda()> > at /usr/include/c++/7/bits/invoke.h:95
 #3 std::<lambda()>::operator() at /usr/include/c++/7/mutex:672
 #5 std::<lambda()>::_FUN(void) at /usr/include/c++/7/mutex:677
 #6 __pthread_once_slow at pthread_once.c:116
 #7 __gthread_once at /usr/include/c++/7/x86_64-redhat-linux/bits/gthr-default.h:699
 #8 std::call_once<Gigacage::ensureGigacage()::<lambda()> > at /usr/include/c++/7/mutex:684
 #9 Gigacage::ensureGigacage at /usr/src/debug/webkitgtk4-2.20.0-1.fc27.x86_64/Source/bmalloc/bmalloc/Gigacage.cpp:108
 #10 bmalloc::Heap::Heap at /usr/src/debug/webkitgtk4-2.20.0-1.fc27.x86_64/Source/bmalloc/bmalloc/Heap.cpp:58

Comment 1 Yogesh Sharma 2018-04-09 04:32:36 UTC
Created attachment 1419101 [details]
File: backtrace

Comment 2 Yogesh Sharma 2018-04-09 04:32:37 UTC
Created attachment 1419102 [details]
File: cgroup

Comment 3 Yogesh Sharma 2018-04-09 04:32:38 UTC
Created attachment 1419103 [details]
File: core_backtrace

Comment 4 Yogesh Sharma 2018-04-09 04:32:38 UTC
Created attachment 1419104 [details]
File: cpuinfo

Comment 5 Yogesh Sharma 2018-04-09 04:32:39 UTC
Created attachment 1419105 [details]
File: dso_list

Comment 6 Yogesh Sharma 2018-04-09 04:32:40 UTC
Created attachment 1419106 [details]
File: environ

Comment 7 Yogesh Sharma 2018-04-09 04:32:41 UTC
Created attachment 1419107 [details]
File: exploitable

Comment 8 Yogesh Sharma 2018-04-09 04:32:42 UTC
Created attachment 1419108 [details]
File: limits

Comment 9 Yogesh Sharma 2018-04-09 04:32:43 UTC
Created attachment 1419109 [details]
File: maps

Comment 10 Yogesh Sharma 2018-04-09 04:32:45 UTC
Created attachment 1419110 [details]
File: mountinfo

Comment 11 Yogesh Sharma 2018-04-09 04:32:46 UTC
Created attachment 1419111 [details]
File: open_fds

Comment 12 Yogesh Sharma 2018-04-09 04:32:46 UTC
Created attachment 1419112 [details]
File: proc_pid_status

Comment 13 Yogesh Sharma 2018-04-09 04:32:47 UTC
Created attachment 1419113 [details]
File: var_log_messages

Comment 14 Milan Crha 2018-04-09 08:02:32 UTC
Thanks for a bug report. This is due to update of webkitgtk4 package to its 2.20.0 release. See more information here, please:
https://bugs.webkit.org/show_bug.cgi?id=183329#c22
The bug contains some information how to work with this new requirement (eventually search for GIGACAGE_ENABLE in there).

Comment 15 Michael Catanzaro 2018-04-09 18:18:10 UTC
We can change it so that Gigacage gets disabled instead of crashing, but that's a very important security feature and I'm kinda hesitant to just silently disable it. I guess we can decide based on how many crash reports like this we get.

Comment 16 Yogesh Sharma 2018-04-09 18:21:55 UTC
I had to change vm.overcommit_memory=0 for evolution to work, I had it set to 2.


Similar issue I had with gnome-control-center for that export GIGACAGE_ENABLED=0 worked.

Comment 17 Michael Catanzaro 2018-04-09 18:28:16 UTC
(In reply to Yogesh Sharma from comment #16)
> Similar issue I had with gnome-control-center for that export
> GIGACAGE_ENABLED=0 worked.

You could also set that globally if you want to keep overcommit disabled.

Comment 18 Milan Crha 2018-04-11 07:15:24 UTC
*** Bug 1565667 has been marked as a duplicate of this bug. ***

Comment 19 Milan Crha 2018-04-11 07:21:07 UTC
The above duplicate is from Fedora 26, just that you know.

(In reply to Michael Catanzaro from comment #15)
> We can change it so that Gigacage gets disabled instead of crashing

Crashing is always bad. The code should handle errors gracefully, where the crash is far from graceful handling. It's called 'robust code', right? Anyway, in case of Evolution itself there's no such issue as with Epiphany or any real browser. Yes, WebKitGTK+ is used with OAuth2 authentication, though even that is supposed to access hard-coded known addresses, not some random pages, and if the user does overwrite the domain in /etc/hosts or such, then it's his/her responsibility anyway.

Comment 20 Florian Weimer 2018-04-23 07:20:47 UTC
(In reply to Michael Catanzaro from comment #15)
> We can change it so that Gigacage gets disabled instead of crashing, but
> that's a very important security feature and I'm kinda hesitant to just
> silently disable it. I guess we can decide based on how many crash reports
> like this we get.

See bug 1570021 comment 0: You should call mmap with PROT_NONE first, and then carve out actually allocations from the reserved area using mprotect.

Comment 21 Milan Crha 2018-04-23 09:16:31 UTC
*** Bug 1570341 has been marked as a duplicate of this bug. ***

Comment 22 Milan Crha 2018-05-18 09:59:18 UTC
(In reply to Michael Catanzaro from comment #15)
> We can change it so that Gigacage gets disabled instead of crashing, but
> that's a very important security feature and I'm kinda hesitant to just
> silently disable it. I guess we can decide based on how many crash reports
> like this we get.

I've just got a build crash (SIGSEGV during build) of evolution-data-server in an aarch64 mock and it was damn hard to find out it crashed due to the Gigacage, because it did that during GObject introspection code generation. I do not want to add the `export` into each single package .spec file which uses WebKitGTK+ and all those which use those packages, just to make sure the build break will not happen again.

I can write a similar/same comment in the upstream bug report (or create a new one there), but I hope this gets a bit more attention here, rather than there. I also do not know how much you'd consider it a downstream issue though.

Comment 23 Tomas Popela 2018-05-18 10:01:52 UTC
(In reply to Milan Crha from comment #22)
> I can write a similar/same comment in the upstream bug report (or create a
> new one there), but I hope this gets a bit more attention here, rather than
> there. I also do not know how much you'd consider it a downstream issue
> though.

It's upstream issue and upstream is aware of it. Please don't create a new bug report - it's handled in https://bugs.webkit.org/show_bug.cgi?id=183329

Comment 24 Milan Crha 2018-05-18 10:52:38 UTC
(In reply to Tomas Popela from comment #23)
> It's upstream issue and upstream is aware of it. Please don't create a new
> bug report - it's handled in https://bugs.webkit.org/show_bug.cgi?id=183329

Okay, will not do. Thanks for the pointer.

I opened this:
https://bugs.webkit.org/show_bug.cgi?id=185762
which is related, but not the same thing.

Comment 25 Michael Catanzaro 2018-05-18 20:32:14 UTC
(In reply to Milan Crha from comment #22)
> I've just got a build crash (SIGSEGV during build) of evolution-data-server
> in an aarch64 mock and it was damn hard to find out it crashed due to the
> Gigacage, because it did that during GObject introspection code generation.

Do we known why it crashed? It shouldn't crash unless the builder has disabled VM overcommit or set a virtual memory ulimit.

Certainly, you shouldn't have to disable gigacage to use gobject-introspection.

Comment 26 Florian Weimer 2018-05-18 20:40:50 UTC
(In reply to Michael Catanzaro from comment #25)
> (In reply to Milan Crha from comment #22)
> > I've just got a build crash (SIGSEGV during build) of evolution-data-server
> > in an aarch64 mock and it was damn hard to find out it crashed due to the
> > Gigacage, because it did that during GObject introspection code generation.
> 
> Do we known why it crashed? It shouldn't crash unless the builder has
> disabled VM overcommit or set a virtual memory ulimit.

BMALLOC_NORESERVE appears to be defined as MAP_NORESERVE, which turns off memory overcommit in vm.overcommit_memory=0 mode.  The mmap call will always succeed.  Out of memory is reported via SIGSEGV on write instead.

Comment 27 Michael Catanzaro 2018-05-18 20:43:49 UTC
Then surely the OOM condition is not WebKit's fault?

Comment 28 Tomas Popela 2018-05-21 04:51:29 UTC
(In reply to Michael Catanzaro from comment #27)
> Then surely the OOM condition is not WebKit's fault?

Could be. Also the Gigacage allocation on aarch64 could fail - the code is ready for that[0] and [1]. So it looks like it's a different bug.

[0] - https://trac.webkit.org/browser/webkit/trunk/Source/bmalloc/bmalloc/Gigacage.h#L39
[1] - https://trac.webkit.org/browser/webkit/trunk/Source/bmalloc/bmalloc/Gigacage.cpp#L151

Comment 29 Milan Crha 2018-05-21 07:08:16 UTC
Below is the only thing I see in the build log. I tried to disable the gigacage in the .spec file and it did help, thus it's it, from my point of view.

(In reply to Michael Catanzaro from comment #25)
> Certainly, you shouldn't have to disable gigacage to use
> gobject-introspection.

I agree. There's this one for it:
https://bugs.webkit.org/show_bug.cgi?id=185762

------------------------------------------------------------------------------

In the build log:

Command '['/builddir/build/BUILD/evolution-data-server-3.28.1/_build/src/libedataserver/tmp-introspect4eikde20/EDataServer-1.2', '--introspect-dump=/builddir/build/BUILD/evolution-data-server-3.28.1/_build/src/libedataserver/tmp-introspect4eikde20/functions.txt,/builddir/build/BUILD/evolution-data-server-3.28.1/_build/src/libedataserver/tmp-introspect4eikde20/dump.xml']' died with <Signals.SIGSEGV: 11>.
make[2]: Leaving directory '/builddir/build/BUILD/evolution-data-server-3.28.1/_build'
make[2]: *** [src/libedataserver/CMakeFiles/gir-typelibs-EDataServer_1_2_gir.dir/build.make:236: src/libedataserver/EDataServer-1.2.gir] Error 1
make[1]: *** [CMakeFiles/Makefile2:5470: src/libedataserver/CMakeFiles/gir-typelibs-EDataServer_1_2_gir.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....

Comment 30 Michael Catanzaro 2018-06-08 02:48:21 UTC
*** Bug 1569478 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.