Killing firefox.real child at ~100% load caused parent to segfault
(TB 8.5a1 on debian buster 32-bit)
Another hard to reproduce issue. According to #firefox it is safe to kill any of the four content processes of the parent (Tor) Browser (easy to see with ps axjf).
There is the single parent process and then the content processes, by default 4, tabs distributed among them, then there are other misc helper processes.
In my case the rogue child was in a state that took Tor Browser as a whole with it. crash_on_exit shows:
JavaScript error: resource://gre/modules/ExtensionContent.jsm, line 489: TypeError: Argument 1 of PrecompiledScript.executeInGlobal is not an object.
JavaScript error: resource://gre/modules/ExtensionContent.jsm, line 489: TypeError: Argument 1 of PrecompiledScript.executeInGlobal is not an object.
JavaScript error: resource://gre/modules/ExtensionContent.jsm, line 489: TypeError: Argument 1 of PrecompiledScript.executeInGlobal is not an object.
JavaScript error: resource://gre/modules/ExtensionContent.jsm, line 489: TypeError: Argument 1 of PrecompiledScript.executeInGlobal is not an object.
JavaScript error: resource://gre/modules/ExtensionContent.jsm, line 489: TypeError: Argument 1 of PrecompiledScript.executeInGlobal is not an object.
console.error: (new SyntaxError("JSON.parse: unexpected character at line 1 column 2 of the JSON data", "chrome://devtools/content/framework/toolbox-process-window.js", 231))
Sep 17 06:11:42.000 [notice] Owning controller connection has closed -- exiting now.
Sep 17 06:11:42.000 [notice] Catching signal TERM, exiting cleanly.
JavaScript error: jar:file:///path/to/tor-browser_en-US/Browser/omni.ja!/components/nsAsyncShutdown.js, line 114: Error: We have already registered a distinct blocker with the same name: Crash Reporter: blocking on minidumpgeneration.
[Parent 27413, Gecko_IOThread] WARNING: pipe error: Broken pipe: file /var/tmp/build/firefox-124fa904c4b2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 709
JavaScript error: chrome://torbutton/content/tor-circuit-display.js, line 466: TypeError: myController is null
JavaScript error: resource:///modules/sessionstore/SessionSaver.jsm, line 180: NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIAppShellService.hiddenDOMWindow]
WARNING: At least one completion condition is taking too long to complete. Conditions: [{"name":"Crash Reporter: blocking on minidumpgeneration.","state":"(none)","filename":"/var/tmp/build/firefox-124fa904c4b2/ipc/glue/CrashReporterHost.cpp","lineNumber":189,"stack":"Minidump generation"}] Barrier: profile-before-change
FATAL ERROR: AsyncShutdown timeout in profile-before-change Conditions: [{"name":"Crash Reporter: blocking on minidumpgeneration.","state":"(none)","filename":"/var/tmp/build/firefox-124fa904c4b2/ipc/glue/CrashReporterHost.cpp","lineNumber":189,"stack":"Minidump generation"}] At least one completion condition failed to complete within a reasonable amount of time. Causing a crash to ensure that we do not leave the user with an unresponsive process draining resources.
WARNING: No crash reporter available
[Parent 27413, Main Thread] ###!!! ABORT: file /var/tmp/build/firefox-124fa904c4b2/ipc/glue/CrashReporterHost.cpp, line 189
[Parent 27413, Main Thread] ###!!! ABORT: file /var/tmp/build/firefox-124fa904c4b2/ipc/glue/CrashReporterHost.cpp, line 189
./start-tor-browser: line 375: 27413 Segmentation fault TOR_CONTROL_PASSWD=${TOR_CONTROL_PASSWD} ./firefox --class "Tor Browser" -profile TorBrowser/Data/Browser/profile.default "${@}" < /dev/null
I don't think that #27537 (moved) is the cause, not sure about the SyntaxError. I guess the crashreporter is blocked intentionally? myController is null reminds me that I disabled all plugins to see if the load would decrease, but it didn't, so I killed the child after being told "If you kill a content process the browser should be fine, all the tabs will be in their unloaded state when you return to them".
Kept a corefile of the child for gdb enthusiasts, unfortunately not of the parent.
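
An added example, not part of the original report: a small Python triage helper that extracts the AsyncShutdown barrier and its blocking conditions from log lines like the ones above, so the component that held up shutdown can be read off directly. The function name and the embedded sample (lines taken from this report's log, the FATAL line shortened) are this example's own.

```python
import json
import re

# Sample built from the log in this report; the FATAL line is shortened after the JSON array.
SAMPLE_LOG = """\
WARNING: At least one completion condition is taking too long to complete. Conditions: [{"name":"Crash Reporter: blocking on minidumpgeneration.","state":"(none)","filename":"/var/tmp/build/firefox-124fa904c4b2/ipc/glue/CrashReporterHost.cpp","lineNumber":189,"stack":"Minidump generation"}] Barrier: profile-before-change
FATAL ERROR: AsyncShutdown timeout in profile-before-change Conditions: [{"name":"Crash Reporter: blocking on minidumpgeneration.","state":"(none)","filename":"/var/tmp/build/firefox-124fa904c4b2/ipc/glue/CrashReporterHost.cpp","lineNumber":189,"stack":"Minidump generation"}] At least one completion condition failed to complete within a reasonable amount of time.
WARNING: No crash reporter available
"""

FATAL_RE = re.compile(r"AsyncShutdown timeout in (\S+) Conditions: ")
WARN_RE = re.compile(r"^WARNING: .*? Conditions: ")
BARRIER_RE = re.compile(r"\s*Barrier: (\S+)")


def parse_shutdown_blockers(log_text):
    """Return one dict per AsyncShutdown warning/timeout line found in log_text."""
    decoder = json.JSONDecoder()
    findings = []
    for line in log_text.splitlines():
        fatal = FATAL_RE.search(line)
        match = fatal or WARN_RE.search(line)
        if not match:
            continue
        try:
            # raw_decode parses the JSON array and stops before the trailing prose.
            conditions, end = decoder.raw_decode(line, match.end())
        except json.JSONDecodeError:
            continue  # truncated or garbled line: skip rather than guess
        if not isinstance(conditions, list):
            continue
        if fatal:
            barrier = fatal.group(1)
        else:
            tail = BARRIER_RE.match(line, end)  # warnings name the barrier after the array
            barrier = tail.group(1) if tail else None
        findings.append({
            "severity": "fatal" if fatal else "warning",
            "barrier": barrier,
            "blockers": [c for c in conditions if isinstance(c, dict)],
        })
    return findings


if __name__ == "__main__":
    for f in parse_shutdown_blockers(SAMPLE_LOG):
        for b in f["blockers"]:
            print(f["severity"], f["barrier"], b.get("name"), b.get("filename"), b.get("lineNumber"))
```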