Description of problem:
Just regular browsing, it crashes roughly every 2 hours.

Version-Release number of selected component:
firefox-99.0.1-1.fc35

Additional info:
reporter:         libreport-2.15.2
backtrace_rating: 4
cgroup:           0::/user.slice/user-1000.slice/session-5.scope
cmdline:          /usr/lib64/firefox/firefox
crash_function:   mozilla::SandboxFork::StartChrootServer()
executable:       /usr/lib64/firefox/firefox
journald_cursor:  s=56206405487043d58849612879066dcb;i=119a12;b=3b79cb28470b4275ab6ac59840231375;m=a014af724;t=5dd7fc9d35dfd;x=44f1b65a6d9c6b97
kernel:           5.16.20-200.fc35.x86_64
rootdir:          /
runlevel:         N 5
type:             CCpp
uid:              1000

Truncated backtrace:
#1 [libxul.so] mozilla::SandboxFork::StartChrootServer()
#2 [libxul.so] mozilla::SandboxFork::Fork()
#3 [libxul.so] base::LaunchApp(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, base::LaunchOptions const&, int*) [clone .cold]
#4 [libxul.so] mozilla::ipc::PosixProcessLauncher::DoLaunch()
#5 [libxul.so] mozilla::ipc::BaseProcessLauncher::PerformAsyncLaunch()
#6 [libxul.so] mozilla::detail::ProxyRunnable<mozilla::MozPromise<mozilla::ipc::LaunchResults, mozilla::ipc::LaunchError, true>, RefPtr<mozilla::MozPromise<mozilla::ipc::LaunchResults, mozilla::ipc::LaunchError, true> > (mozilla::ipc::BaseProcessLauncher::*)(), mozilla::ipc::BaseProcessLauncher>::Run()
#7 [libxul.so] mozilla::TaskQueue::Runner::Run()
#8 [libxul.so] nsThread::ProcessNextEvent(bool, bool*)
#9 [libxul.so] NS_ProcessNextEvent(nsIThread*, bool)
#10 [libxul.so] mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)
Created attachment 1874909 - File: core_backtrace
Created attachment 1874910 - File: cpuinfo
Created attachment 1874911 - File: environ
Created attachment 1874912 - File: exploitable
Created attachment 1874913 - File: limits
Created attachment 1874914 - File: maps
Created attachment 1874915 - File: mountinfo
Created attachment 1874916 - File: open_fds
Created attachment 1874917 - File: proc_pid_status
I commented in the upstream bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1685642

I currently have firefox-99.0.1-1.fc35.x86_64 and it's crashing regularly, roughly every 2 hours. The crash time depends on how much the browser is used (less browsing -> it takes longer to crash). It's crashing in mozilla::SandboxFork::StartChrootServer() or similar. I was unable to get a usable coredump, nor was the Firefox crash reporter usable. The Fedora abrt tools say the crash report is unusable, and maybe the Firefox crash reporter is disabled in Fedora, I don't know. It started crashing a few months ago.

I tried:
- disabling all extensions and plugins -> it didn't help
- resetting the Firefox configuration -> it didn't help
- closing all tabs -> it didn't help, it crashes no matter how many tabs are open
- removing the Firefox profile (rm -rf ~/.mozilla) and starting over with a new profile -> it didn't help, still the same crash
- starting Firefox in safe mode -> this seems to work, I wasn't able to reproduce the crash in roughly 24 hours

$ rpm -qV firefox
<nothing>
$ rpm -qVa
<nothing relevant, but uploaded as https://bugzilla.mozilla.org/attachment.cgi?id=9273708&action=edit for reference>

This problem has persisted across several Firefox updates (IIRC I spotted it in Firefox 94 or so) and also through the Fedora 34 -> Fedora 35 update. IIRC I wasn't able to reproduce this problem in Fedora 33; IIRC the problem appeared somewhere during the Fedora 34 life-cycle.
From running addr2line on the reported offset, it appears to be this MOZ_CRASH, in the case where cloning the chroot helper process with CLONE_FS fails: https://searchfox.org/mozilla-release/rev/16de9ad73b20ba44f642832cc0b6b66eeb8b0d81/security/sandbox/linux/launch/SandboxLaunch.cpp#649 That happens in the child process, after it has been successfully cloned from the parent process with CLONE_NEWUSER (and probably CLONE_NEWNET and CLONE_NEWIPC) but before exec. I don't know why the second clone would fail when the first succeeded.
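To make the sequence described in this comment concrete, here is an added stand-alone C example. It is not Firefox's code and not a fix for this bug: it performs the same two-stage launch (an outer clone with CLONE_NEWUSER, CLONE_NEWNET and CLONE_NEWIPC, then an inner clone with CLONE_FS from inside the child) and, instead of aborting when the inner clone fails, reports the errno from whichever stage failed. The exact outer flag set, the stack sizes, the result codes and the do-nothing helper are assumptions made for the example; in the real launcher the helper performs the chroot() on the child's request. The errno-to-cause table follows clone(2), which also shows why two clones are needed at all: the kernel rejects CLONE_NEWUSER combined with CLONE_FS in a single call with EINVAL.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outer clone: new user namespace plus the network and IPC namespaces the
 * comment above says are probably used; the exact set is an assumption.
 * SIGCHLD is OR-ed in so the parent can waitpid() on the child. */
#define OUTER_FLAGS (CLONE_NEWUSER | CLONE_NEWNET | CLONE_NEWIPC | SIGCHLD)
/* Inner clone: the chroot helper shares fs info (root, cwd, umask) with the
 * sandboxed child, so a chroot() done by the helper also applies to the child.
 * CLONE_FS cannot be combined with CLONE_NEWUSER in one call (EINVAL), which
 * is why the launch needs two clones. */
#define INNER_FLAGS (CLONE_FS | SIGCHLD)

#define STACK_SIZE (64 * 1024)           /* assumption: plenty for these bodies */
static char outer_stack[STACK_SIZE];
static char inner_stack[STACK_SIZE];

/* Result codes of run_double_clone() (names chosen for this example). */
enum { DC_OK = 0, DC_OUTER_FAILED = 1, DC_INNER_FAILED = 2, DC_CHILD_KILLED = 3 };

/* Translate a clone(2) errno into the most likely cause, per clone(2). */
const char *explain_clone_errno(int err)
{
    switch (err) {
    case EAGAIN: return "process limit reached (RLIMIT_NPROC, pid_max or pids cgroup)";
    case ENOMEM: return "kernel could not allocate task structures";
    case EPERM:  return "namespace flag not permitted (missing CAP_SYS_ADMIN, seccomp, or caller is chrooted)";
    case EINVAL: return "invalid flag combination (e.g. CLONE_NEWUSER together with CLONE_FS)";
    case ENOSPC: return "/proc/sys/user/max_*_namespaces limit or nesting limit reached";
    case EUSERS: return "user namespace nesting limit reached (pre-4.9 kernels)";
    default:     return "unexpected clone(2) error";
    }
}

/* Inner helper. In Firefox this process later performs the chroot() on the
 * child's request; in this example it only exits. */
static int chroot_helper(void *arg)
{
    (void)arg;
    return 0;
}

/* Body of the outer child, already inside the new namespaces. Attempts the
 * inner clone and reports the outcome through its exit status: 0 on success,
 * otherwise the errno of the failed clone (errno values fit in 8 bits). */
static int sandboxed_child(void *arg)
{
    (void)arg;
    pid_t helper = clone(chroot_helper, inner_stack + STACK_SIZE, INNER_FLAGS, NULL);
    if (helper < 0)
        return errno;                    /* the point where Firefox would MOZ_CRASH */
    int status;
    waitpid(helper, &status, 0);
    return 0;
}

/* Run the two-stage launch. *err receives the errno of the clone that failed
 * (the terminating signal for DC_CHILD_KILLED, 0 when both clones succeed). */
int run_double_clone(int *err)
{
    *err = 0;
    pid_t child = clone(sandboxed_child, outer_stack + STACK_SIZE, OUTER_FLAGS, NULL);
    if (child < 0) {
        *err = errno;
        return DC_OUTER_FAILED;
    }
    int status = 0;
    if (waitpid(child, &status, 0) < 0) {
        *err = errno;
        return DC_OUTER_FAILED;
    }
    if (!WIFEXITED(status)) {
        *err = WTERMSIG(status);
        return DC_CHILD_KILLED;
    }
    if (WEXITSTATUS(status) != 0) {
        *err = WEXITSTATUS(status);
        return DC_INNER_FAILED;
    }
    return DC_OK;
}

int main(void)
{
    int err;
    int rc = run_double_clone(&err);
    switch (rc) {
    case DC_OK:           puts("both clones succeeded"); break;
    case DC_OUTER_FAILED: printf("outer clone (new namespaces) failed: %s: %s\n",
                                 strerror(err), explain_clone_errno(err)); break;
    case DC_INNER_FAILED: printf("inner clone (CLONE_FS helper) failed in the child: %s: %s\n",
                                 strerror(err), explain_clone_errno(err)); break;
    default:              printf("child killed by signal %d\n", err); break;
    }
    return rc;
}
```

Build with `cc -o double_clone double_clone.c` and run as an unprivileged user. On a system where unprivileged user namespaces are disabled, or under a seccomp policy that filters the namespace flags, the outer clone itself fails and the program reports that stage instead. Logging errno the same way in a patched launcher, just before the MOZ_CRASH, would tell which of the causes in the table applies on the affected machine.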
(In reply to Jed Davis from comment #11)
> From running addr2line on the reported offset, it appears to be this MOZ_CRASH, in the case where cloning the chroot helper process with CLONE_FS fails:
> https://searchfox.org/mozilla-release/rev/16de9ad73b20ba44f642832cc0b6b66eeb8b0d81/security/sandbox/linux/launch/SandboxLaunch.cpp#649
>
> That happens in the child process, after it has been successfully cloned from the parent process with CLONE_NEWUSER (and probably CLONE_NEWNET and CLONE_NEWIPC) but before exec. I don't know why the second clone would fail when the first succeeded.

I have a pretty stable reproducer on the affected machine. Feel free to provide test patches / test builds to get more diagnostics. I am OK with building the Firefox binary myself.
Upstream bugzilla report: https://bugzilla.mozilla.org/show_bug.cgi?id=1766727
This message is a reminder that Fedora Linux 35 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '35'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 35 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 35 entered end-of-life (EOL) status on 2022-12-13. Fedora Linux 35 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.