Bug 107384 - random tab crashes in firefox nightly
Status: RESOLVED FIXED
Alias: None
Product: DRI
Classification: Unclassified
Component: libdrm
Version: DRI git
Hardware: Other All
Importance: medium normal
Assignee: Default DRI bug account
Reported: 2018-07-26 09:06 UTC by Christoph Haag
Modified: 2018-08-07 13:41 UTC

Attachments
backtrace (4.43 KB, text/plain)
2018-07-26 09:06 UTC, Christoph Haag

Description Christoph Haag 2018-07-26 09:06:49 UTC
Created attachment 140824
backtrace

RX 480, mesa git e68fe445f51, libdrm git.

Tabs in firefox nightly randomly crash, see backtrace.
Everything else seems to work fine.

Without debug symbols the backtrace went through glPrimitiveBoundingBox for some reason 

Core was generated by `/opt/firefox-nightly/firefox -contentproc -childID 4 -isForBrowser -prefsLen 43'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000406d30 in ?? ()
[Current thread is 1 (Thread 0x7efc14152740 (LWP 14385))]
(gdb) bt
#0  0x0000000000406d30 in  ()
#1  0x00007efbe0647be0 in drmFreeDevice () at /usr/lib/libdrm.so.2
#2  0x00007efbe0ade8ae in glPrimitiveBoundingBox () at /usr/lib/libGL.so.1
#3  0x00007efbe0ad5bd5 in  () at /usr/lib/libGL.so.1
#4  0x00007efbe0abe350 in  () at /usr/lib/libGL.so.1
#5  0x00007efbe0ab9d81 in glXQueryVersion () at /usr/lib/libGL.so.1

but in the attached backtrace with full debugging enabled it looks a bit different.
Comment 1 Christoph Haag 2018-07-27 07:33:44 UTC
Some websites trigger it more often and more reliably than others. Simpler (?) websites seem to never crash it, reddit sometimes crashes it, gitter channels always crash it after ~2-3 seconds.
Comment 2 Christoph Haag 2018-07-28 12:47:28 UTC
A website that instantly crashes the tab is https://www.kraken.com/en-us/login
Comment 3 Michel Dänzer 2018-07-28 14:26:43 UTC
Emil landed a bunch of changes to libdrm/xf86drm.c last Tuesday, maybe one of those caused this? The Mesa code just passes the pointer it received from drmGetDevice2 to drmFreeDevice.
Comment 4 Niklas Haas 2018-07-28 17:22:05 UTC
I've also been getting random tab crashes since a few days ago, mesa git (and I upgraded to the latest git master HEAD at around the time the issues started happening), but my backtrace is different.

(gdb) bt
#0  0x00007f7d1f0c8087 in drm_get_pci_id_for_fd (fd=fd@entry=36, vendor_id=vendor_id@entry=0x7ffd32efaaa0, chip_id=chip_id@entry=0x7ffd32efaaa4) at ../mesa-9999/src/loader/loader.c:281
#1  0x00007f7d1f0c86e9 in loader_get_pci_id_for_fd (fd=fd@entry=36, vendor_id=vendor_id@entry=0x7ffd32efaaa0, chip_id=chip_id@entry=0x7ffd32efaaa4) at ../mesa-9999/src/loader/loader.c:306
#2  0x00007f7d1f0c7e35 in pipe_loader_drm_probe_fd (dev=dev@entry=0x7ffd32efaad0, fd=fd@entry=36) at ../mesa-9999/src/gallium/auxiliary/pipe-loader/pipe_loader_drm.c:180
#3  0x00007f7d1f0c7f5f in pipe_loader_drm_probe (devs=devs@entry=0x0, ndev=ndev@entry=0) at ../mesa-9999/src/gallium/auxiliary/pipe-loader/pipe_loader_drm.c:237
#4  0x00007f7d1f0c750f in pipe_loader_probe (devs=devs@entry=0x0, ndev=ndev@entry=0) at ../mesa-9999/src/gallium/auxiliary/pipe-loader/pipe_loader.c:65
#5  0x00007f7d1f0c19f8 in clover::platform::platform() () at ../mesa-9999/src/gallium/state_trackers/clover/core/platform.cpp:28
#6  0x00007f7d1f096d66 in __static_initialization_and_destruction_0 (__initialize_p=1, __priority=65535) at ../mesa-9999/src/gallium/state_trackers/clover/api/platform.cpp:145
#7  _GLOBAL__sub_I_platform.cpp(void) () at ../mesa-9999/src/gallium/state_trackers/clover/api/platform.cpp:145
#8  0x00007f7d5496954a in call_init (l=<optimized out>, argc=argc@entry=17, argv=argv@entry=0x7ffd32efcbd8, env=env@entry=0x7f7d52f15400) at dl-init.c:72
#9  0x00007f7d54969654 in call_init (env=0x7f7d52f15400, argv=0x7ffd32efcbd8, argc=17, l=<optimized out>) at dl-init.c:30
#10 _dl_init (main_map=main_map@entry=0x7f7d37925000, argc=17, argv=0x7ffd32efcbd8, env=0x7f7d52f15400) at dl-init.c:119
#11 0x00007f7d5496d8f3 in dl_open_worker (a=a@entry=0x7ffd32efb0d0) at dl-open.c:511
#12 0x00007f7d53a6694f in __GI__dl_catch_exception (exception=exception@entry=0x7ffd32efb0b0, operate=operate@entry=0x7f7d5496d550 <dl_open_worker>, args=args@entry=0x7ffd32efb0d0) at dl-error-skeleton.c:196
#13 0x00007f7d5496d187 in _dl_open (file=0x7f7d47ca6e89 "libavcodec.so.58", mode=-2147483646, caller_dlopen=0x7f7d536ecc73 <PR_LoadLibraryWithFlags+275>, nsid=<optimized out>, argc=17, argv=0x7ffd32efcbd8, 
    env=0x7f7d52f15400) at dl-open.c:594
#14 0x00007f7d54311fba in dlopen_doit (a=a@entry=0x7ffd32efb320) at dlopen.c:66
#15 0x00007f7d53a6694f in __GI__dl_catch_exception (exception=exception@entry=0x7ffd32efb2b0, operate=operate@entry=0x7f7d54311f50 <dlopen_doit>, args=args@entry=0x7ffd32efb320) at dl-error-skeleton.c:196
#16 0x00007f7d53a669ef in __GI__dl_catch_error (objname=objname@entry=0x7f7d52f140b0, errstring=errstring@entry=0x7f7d52f140b8, mallocedp=mallocedp@entry=0x7f7d52f140a8, 
    operate=operate@entry=0x7f7d54311f50 <dlopen_doit>, args=args@entry=0x7ffd32efb320) at dl-error-skeleton.c:215
#17 0x00007f7d5431283d in _dlerror_run (operate=operate@entry=0x7f7d54311f50 <dlopen_doit>, args=args@entry=0x7ffd32efb320) at dlerror.c:162
#18 0x00007f7d54312066 in __dlopen (file=file@entry=0x7f7d47ca6e89 "libavcodec.so.58", mode=<optimized out>) at dlopen.c:87
#19 0x00007f7d536ecc73 in pr_LoadLibraryByPathname (flags=10, name=0x7f7d47ca6e89 "libavcodec.so.58") at /usr/src/debug/dev-libs/nspr-4.19/nspr-4.19/nspr/pr/src/linking/prlink.c:803
#20 PR_LoadLibraryWithFlags (libSpec=..., flags=flags@entry=10) at /usr/src/debug/dev-libs/nspr-4.19/nspr-4.19/nspr/pr/src/linking/prlink.c:418
#21 0x00007f7d45c2d746 in mozilla::FFmpegRuntimeLinker::Init () at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp:64
#22 0x00007f7d45c2d9df in mozilla::FFmpegRuntimeLinker::Init () at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp:51
#23 0x00007f7d45c037b7 in mozilla::PDMFactoryImpl::PDMFactoryImpl (this=0x7f7d2dab89f8) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/dom/media/platforms/PDMFactory.cpp:76
#24 mozilla::PDMFactory::EnsureInit (this=<optimized out>) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/dom/media/platforms/PDMFactory.cpp:188
#25 0x00007f7d45c04510 in mozilla::PDMFactory::PDMFactory (this=0x7f7d2dbe7c70) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/dom/media/platforms/PDMFactory.cpp:168
#26 0x00007f7d45cebc91 in mozilla::MP4Decoder::IsSupportedType(mozilla::MediaContainerType const&, mozilla::DecoderDoctorDiagnostics*) [clone .part.299] ()
    at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ff/dist/include/mozilla/mozalloc.h:156
#27 0x00007f7d45a47b48 in mozilla::DecoderTraits::IsSupportedType (aType=...) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/dom/media/DecoderTraits.cpp:289
#28 0x00007f7d45a7e936 in mozilla::ChannelMediaDecoder::Create (aInit=..., aDiagnostics=aDiagnostics@entry=0x7ffd32efb660)
    at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/dom/media/ChannelMediaDecoder.cpp:213
#29 0x00007f7d459edf7b in mozilla::dom::HTMLMediaElement::InitializeDecoderForChannel (this=this@entry=0x7f7d2ed61000, aChannel=<optimized out>, aListener=<optimized out>)
    at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/dom/html/HTMLMediaElement.cpp:4891
#30 0x00007f7d459ee44b in mozilla::dom::HTMLMediaElement::MediaLoadListener::OnStartRequest (this=0x7f7d377b6ce0, aRequest=0x7f7d37939868, aContext=0x0)
    at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ff/dist/include/nsCOMPtr.h:795
#31 0x00007f7d444fcf23 in mozilla::net::HttpChannelChild::DoOnStartRequest (this=this@entry=0x7f7d37939800, aRequest=aRequest@entry=0x7f7d37939868, aContext=0x0)
    at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/netwerk/protocol/http/HttpChannelChild.cpp:744
#32 0x00007f7d444fd4b2 in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsTString<char> const&, long const&, mozilla::Maybe<mozilla::dom::ServiceWorkerDescriptor> const&, bool const&) ()
    at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ff/dist/include/nsCOMPtr.h:1109
#33 0x00007f7d444fd86d in mozilla::net::StartRequestEvent::Run (this=0x7f7d37c5e3f0) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/netwerk/protocol/http/HttpChannelChild.cpp:467
#34 0x00007f7d444fa42d in mozilla::net::ChannelEventQueue::RunOrEnqueue (aAssertionWhenNotQueued=false, aCallback=<optimized out>, this=0x7f7d2dc12a00)
    at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ff/dist/include/mozilla/UniquePtr.h:326
#35 mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, mozilla::dom::OptionalIPCServiceWorkerDescriptor const&, bool const&) ()
    at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/netwerk/protocol/http/HttpChannelChild.cpp:537
#36 0x00007f7d44728c2f in mozilla::net::PHttpChannelChild::OnMessageReceived (this=0x7f7d37939800, msg__=...) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ff/ipc/ipdl/PHttpChannelChild.cpp:701
#37 0x00007f7d446c8338 in mozilla::dom::PContentChild::OnMessageReceived (this=0x7f7d52f71020, msg__=...) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ff/ipc/ipdl/PContentChild.cpp:5316
#38 0x00007f7d44639e7f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) () at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ipc/glue/MessageChannel.cpp:2142
#39 0x00007f7d44640c99 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) () at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ipc/glue/MessageChannel.cpp:2072
#40 0x00007f7d44642b2f in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) () at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ipc/glue/MessageChannel.cpp:1918
#41 0x00007f7d44642cda in mozilla::ipc::MessageChannel::MessageTask::Run() () at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ipc/glue/MessageChannel.cpp:1951
#42 0x00007f7d4431731c in mozilla::SchedulerGroup::Runnable::Run() () at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ff/dist/include/nsCOMPtr.h:805
#43 0x00007f7d4431a1fe in nsThread::ProcessNextEvent(bool, bool*) () at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/xpcom/threads/nsThread.cpp:1090
#44 0x00007f7d44323438 in NS_ProcessNextEvent (aThread=<optimized out>, aThread@entry=0x7f7d52fcbc80, aMayWait=aMayWait@entry=false)
    at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/xpcom/threads/nsThreadUtils.cpp:519
#45 0x00007f7d4463309a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) () at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ipc/glue/MessagePump.cpp:97
#46 0x00007f7d4460f774 in MessageLoop::RunInternal (this=<optimized out>) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ff/dist/include/mozilla/RefPtr.h:315
#47 MessageLoop::RunHandler (this=<optimized out>) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ipc/chromium/src/base/message_loop.cc:319
#48 MessageLoop::Run (this=<optimized out>) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ipc/chromium/src/base/message_loop.cc:299
#49 0x00007f7d460e2b98 in nsBaseAppShell::Run (this=0x7f7d3bab8580) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/widget/nsBaseAppShell.cpp:157
#50 0x00007f7d46e56477 in XRE_RunAppShell () at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/toolkit/xre/nsEmbedFunctions.cpp:896
#51 0x00007f7d4460f774 in MessageLoop::RunInternal (this=0x7ffd32efc890) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ff/dist/include/mozilla/RefPtr.h:315
#52 MessageLoop::RunHandler (this=0x7ffd32efc890) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ipc/chromium/src/base/message_loop.cc:319
#53 MessageLoop::Run (this=this@entry=0x7ffd32efc890) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ipc/chromium/src/base/message_loop.cc:299
#54 0x00007f7d46e56971 in XRE_InitChildProcess(int, char**, XREChildData const*) () at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/toolkit/xre/nsEmbedFunctions.cpp:722
#55 0x00005579a32fc226 in content_process_main (bootstrap=0x7f7d52f30630, argc=16, argv=0x7ffd32efcbd8) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ipc/contentproc/plugin-container.cpp:50
#56 0x00005579a32fbd60 in main (argc=17, argv=0x7ffd32efcbd8, envp=0x7ffd32efcc68) at /usr/src/debug/www-client/firefox-61.0-r1/firefox-61.0/ff/dist/include/mozilla/UniquePtr.h:326

I'm not sure if the issues are connected, but I can try downgrading to mesa stable and seeing if the issues still happen. If they don't, I'll attempt bisecting.
Comment 5 Chris Wilson 2018-07-28 17:32:33 UTC
Sigh.

diff --git a/src/loader/loader.c b/src/loader/loader.c
index 43275484cc..87b7281f78 100644
--- a/src/loader/loader.c
+++ b/src/loader/loader.c
@@ -274,7 +274,7 @@ int loader_get_user_preferred_fd(int default_fd, bool *different_device)
 static int
 drm_get_pci_id_for_fd(int fd, int *vendor_id, int *chip_id)
 {
-   drmDevicePtr device;
+   drmDevicePtr device = NULL;
    int ret;
 
    if (drmGetDevice2(fd, 0, &device) == 0) {
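
Review bot: the `= NULL` initializer on `device` in drm_get_pci_id_for_fd changes what the success branch sees but adds no check for it. `device` is only read after `drmGetDevice2(fd, 0, &device) == 0`, so if that call can return 0 without storing a pointer, the branch now dereferences NULL instead of stack garbage. Suggest testing `device != NULL` alongside the return value, and adding a commit message that says whether this is a workaround for drmGetDevice2 or intended hardening of the caller.
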
Comment 6 Niklas Haas 2018-07-28 18:52:55 UTC
Concerning my issue, which I now believe is unrelated, I tracked it down to this commit in libdrm:

a02900133b32dd4a7d6da4966f455ab337e80dfc is the first bad commit
commit a02900133b32dd4a7d6da4966f455ab337e80dfc
Author: Emil Velikov <emil.velikov@collabora.com>
Date:   Tue May 15 17:29:44 2018 +0100

    xf86drm: introduce a get_real_pci_path() helper
    
    Introduce a helper which gets the real sysfs path for the given pci
    device.
    
    In other words, instead opening the /sys/dev/char/*/device symlink, we
    opt for the actual /sys/devices/pci*/*/
    
    It folds three (nearly identical) snprintf's and paves the way of adding
    extra devices (see next patch) a piece of pie.
    
    v2: use a caller (on stack) provided real_path (Eric)
    
    Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
    Tested-by: Robert Foss <robert.foss@collabora.com> (v1)
    Reviewed-by: Robert Foss <robert.foss@collabora.com> (v1)
    Reviewed-by: Eric Engestrom <eric@engestrom.ch> (v1)

:100644 100644 02da3e1f9b2ac5be41caf0178aefc07da018c945 51e00d23d90fd4a5217eb1aeae964140002cf417 M	xf86drm.c
Comment 7 Christoph Haag 2018-07-28 23:16:35 UTC
(In reply to Chris Wilson from comment #5)
> Sigh.
> 
> diff --git a/src/loader/loader.c b/src/loader/loader.c
> index 43275484cc..87b7281f78 100644
> --- a/src/loader/loader.c
> +++ b/src/loader/loader.c
> @@ -274,7 +274,7 @@ int loader_get_user_preferred_fd(int default_fd, bool
> *different_device)
>  static int
>  drm_get_pci_id_for_fd(int fd, int *vendor_id, int *chip_id)
>  {
> -   drmDevicePtr device;
> +   drmDevicePtr device = NULL;
>     int ret;
>  
>     if (drmGetDevice2(fd, 0, &device) == 0) {

Thanks, looks like this is my issue too.

diff --git a/src/loader/loader.c b/src/loader/loader.c
index 43275484cc2..02a1f97684f 100644
--- a/src/loader/loader.c
+++ b/src/loader/loader.c
@@ -167,7 +167,7 @@ static bool drm_device_matches_tag(drmDevicePtr device, const char *prime_tag)

 static char *drm_get_id_path_tag_for_fd(int fd)
 {
-   drmDevicePtr device;
+   drmDevicePtr device = NULL;
    char *tag;

    if (drmGetDevice2(fd, 0, &device) != 0)
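
Review bot: in drm_get_id_path_tag_for_fd the initializer is added without a reason a later reader can find. The function bails out on `drmGetDevice2(fd, 0, &device) != 0`, so `device` is only used after a reported success, and `= NULL` matters only if the callee can leave the out-parameter unset on that path. A one-line comment naming that case would help. `char *tag;` on the next line stays uninitialized, so it is worth confirming that every path assigns it before use.
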
@@ -274,7 +274,7 @@ int loader_get_user_preferred_fd(int default_fd, bool *different_device)
 static int
 drm_get_pci_id_for_fd(int fd, int *vendor_id, int *chip_id)
 {
-   drmDevicePtr device;
+   drmDevicePtr device = NULL;
    int ret;

    if (drmGetDevice2(fd, 0, &device) == 0) {
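
Review bot: this hunk repeats the change from comment 5, and together with the hunk above the patch touches two drmGetDevice2 call sites, both in src/loader/loader.c. The backtrace in the description reaches drmFreeDevice from libGL.so.1, so the submission should state which other drmGetDevice2 callers were audited, or that the real fix belongs in libdrm and these initializers are only a stopgap.
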
Comment 8 Michel Dänzer 2018-07-30 08:40:22 UTC
Still smells like a libdrm bug to me, surely drmGetDevice2 can't rely on its caller initializing the device pointer.
Comment 9 Michel Dänzer 2018-07-30 10:25:46 UTC
Thanks for the report, fixed in drm Git master:

commit 4519db23ef716f37f804485f50955c26c38a6ae6
Author: Mariusz Ceier <mceier+mesa-dev@gmail.com>
Date:   Sun Jul 29 10:20:14 2018 +0200

    xf86drm: Fix error path in drmGetDevice2
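
The contract argued for in comment 8, as an added example that is not libdrm or Mesa code: a getter that leaves its out-parameter unset on one path, a corrected getter that defines it on every path, and a caller that is safe with either. `struct dev`, `lookup`, `get_dev_fragile`, `get_dev_robust`, `query_chip` and the table entry are all hypothetical names and constructed values.

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical device record and getters, constructed for illustration;
 * not libdrm's drmDevice or drmGetDevice2. */
struct dev { int vendor_id, chip_id; };
static const struct { int fd; struct dev d; } known[] = { { 3, { 0x1234, 0x5678 } } };
typedef int (*getter_fn)(int fd, struct dev **out);

/* Returns 1 and allocates *out if fd is known; 0 with *out untouched if not. */
static int lookup(int fd, struct dev **out)
{
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++) {
        if (known[i].fd != fd)
            continue;
        *out = malloc(sizeof **out);
        if (*out == NULL) return -ENOMEM;
        **out = known[i].d;
        return 1;
    }
    return 0;
}

/* Fragile: "not found" is reported as success and *out is never written. */
int get_dev_fragile(int fd, struct dev **out)
{
    int r = lookup(fd, out);
    return r < 0 ? r : 0;
}

/* Robust: *out is defined on every path and "not found" is an error. */
int get_dev_robust(int fd, struct dev **out)
{
    if (out == NULL) return -EINVAL;
    *out = NULL;
    int r = lookup(fd, out);
    return r < 0 ? r : (r == 0 ? -ENODEV : 0);
}

/* Caller safe with either getter: initialise, check code and pointer, then free. */
int query_chip(getter_fn get, int fd, int *chip_id)
{
    struct dev *device = NULL;
    int ret = get(fd, &device);
    if (ret != 0 || device == NULL)
        return ret != 0 ? ret : -ENODEV;
    *chip_id = device->chip_id;
    free(device);
    return 0;
}
```

With an uninitialised `device` in the caller, the fragile getter's success return for an unknown fd would hand a stack-garbage pointer to the dereference and to `free`.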

