Nixpkgs: regression on 17.03: firefox 52 tabs keep on crashing

Created on 24 Mar 2017 · 19 Comments · Source: NixOS/nixpkgs

Issue description

Firefox 51 with e10s enabled worked like a charm for me, but now with firefox 52 opening up a new tab and entering a URL (any URL) instantly displays an error saying the tab has crashed. On the console, this error displays:

Sandbox: seccomp sandbox violation: pid 4007, syscall 302, args 0 3 0 140735834676864 3 140735834676864.  Killing process.
Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: __getrlimit[/nix/store/vn6fkjnfps37wa82ri4mwszwvnnan6sk-glibc-2.25/lib/libc.so.6 +0xe0319]
Sandbox: frame #02: pthread_getattr_np[/nix/store/vn6fkjnfps37wa82ri4mwszwvnnan6sk-glibc-2.25/lib/libpthread.so.0 +0x8e96]
Sandbox: frame #03: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0x9c60b6]
Sandbox: frame #04: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0x9c61fd]
Sandbox: frame #05: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0x9ce028]
Sandbox: frame #06: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0x23cb175]
Sandbox: frame #07: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0xf20061]
Sandbox: frame #08: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0xcba1bd]
Sandbox: frame #09: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0xcc2a4b]
Sandbox: frame #10: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0xcc45ed]
Sandbox: frame #11: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0x9cdc7a]
Sandbox: frame #12: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0x9f3fba]
Sandbox: frame #13: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0xcb4012]
Sandbox: frame #14: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0xc9ad8d]
Sandbox: frame #15: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0x25cda98]
Sandbox: frame #16: XRE_RunAppShell[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0x2f331f7]
Sandbox: frame #17: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0xc9ad8d]
Sandbox: frame #18: XRE_InitChildProcess[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so +0x2f337a6]
Sandbox: frame #19: ???[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/plugin-container +0x50bb]
Sandbox: frame #20: __libc_start_main[/nix/store/vn6fkjnfps37wa82ri4mwszwvnnan6sk-glibc-2.25/lib/libc.so.6 +0x20530]
Sandbox: frame #21: _start[/nix/store/c1nnibnlpag15i8haxdjxn1csba8zk0b-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/plugin-container +0x485a]
Sandbox: frame #22: ??? (???:???)
Sandbox: end of stack.
[Parent 3890] WARNING: pipe error (92): Connection reset by peer: file /tmp/nix-build-firefox-unwrapped-52.0.1.drv-0/firefox-52.0.1/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 322
[Parent 3890] WARNING: pipe error (94): Connection reset by peer: file /tmp/nix-build-firefox-unwrapped-52.0.1.drv-0/firefox-52.0.1/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 322

###!!! [Parent][MessageChannel] Error: (msgtype=0x2C0085,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

I disabled e10s and now at least it's usable again, but clearly a big regression.

Steps to reproduce

I made sure this is not caused by some extension or plugin, so I set up a clean new Firefox profile (started firefox -P --no-remote from the console). Then I enabled e10s and restarted Firefox. From then on every tab I open crashes instantly.

I don't use pulseaudio, just alsa; not sure if that might be related (as Firefox 52 was supposed to disable alsa by default).

Technical details

  • System: NixOS 17.03beta617.f3a9ccc (Gorilla)
  • Nix version: 1.11.8
  • Nixpkgs version: 17.03beta617.f3a9ccc
Labels: regression

All 19 comments

Cannot reproduce with pulseaudio, could you check if that "fixes"/causes the crash?

I checked. Still crashes.

Are you sure you enabled e10s?
I have this issue on 3 machines, so it would be strange if it's not reproducible.

Ah, some addon disables e10s for me...

I can confirm this. I must force e10s on though, it's disabled by default and for a good reason (it makes several addons go nuts).

Have you force-enabled e10s, or has FF enabled it automatically for you?

This seems related:

[nix-shell:~]$ find /nix/store/2pi1m4cwpk202kqrd4hjr176zfipjg1s-firefox-unwrapped-52.0.1/ -name '*.so' | xargs ldd
/nix/store/2pi1m4cwpk202kqrd4hjr176zfipjg1s-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libxul.so:
    libmozsandbox.so => not found
    liblgpllibs.so => not found
/nix/store/2pi1m4cwpk202kqrd4hjr176zfipjg1s-firefox-unwrapped-52.0.1/lib/firefox-52.0.1/libmozavcodec.so:
    libmozavutil.so => not found
<snipped>

Working on a patch.

Yes, I force-enabled it: for some reason it's disabled by default even on a new clean profile.

Ok, this is unrelated to the missing libraries.

Fixing the libraries hasn't resolved anything :( seccomp seems strange...

I think we should fix the RPATHs anyway, to avoid surprises.

Mozilla chooses a staged rollout for e10s, so with a clean profile you always start with e10s disabled, but after some time (days/weeks) it will switch to e10s unless you have incompatible addons. With version 52 they are going more aggressive by also switching if you have any addons which have "unknown" e10s support, forcing addons to be explicit about support.

Anyway, we cannot count on e10s being something that users choose by themselves. It will turn on by itself in a while.

I got the same error with 52.0.2 and 52.0.2esr. I use pulseaudio. firefox-bin works well with e10s.

Seems to work again.

Confirmed on 17.03.

Does NixOS make its own builds of Firefox? The official Mozilla releases won't ship Linux content sandboxing until Firefox 54, and this crash is because of a sandbox violation. I can't see whether it's the content process, but the use case suggests so. (There's a more strict sandbox for DRM/EME plugins.)

There are several issues at play here. One is that getrlimit is supposed to be whitelisted (https://dxr.mozilla.org/mozilla-central/source/security/sandbox/linux/SandboxFilter.cpp#749), so this is a bit strange, but there might be an interaction with ugetrlimit in play.

The other is that there's an option for distros to whitelist certain syscalls if the libc/libraries they ship require one that wasn't anticipated (as might be the case here), named "security.sandbox.content.syscall_whitelist", but this was only introduced in Firefox 54. In other words, you aren't supposed to be running a sandboxed version without the option to allow any holes the distro needs.

firefox-bin is the Mozilla-provided binary and firefox is built from source.

Ok, that confirms the problem is with the NixOS builds.

The problem is this: https://github.com/taku0/nixpkgs/blob/014d11ea96d8791b004d0627a5ce53398f253ba9/pkgs/applications/networking/browsers/firefox/default.nix#L71

Content Sandboxing for Linux wasn't implemented until Firefox 52, and isn't considered release ready until Firefox 54 (see https://bugzilla.mozilla.org/show_bug.cgi?id=1337162). NixOS broke because it overrides the defaults and enables it on 52.

I would recommend not enabling it until Firefox 54, and if this problem persists there, adding a security.sandbox.content.syscall_whitelist=302. You might want to report the need for that upstream, because this isn't expected.

Syscall 302 on amd64 is prlimit64, which was taken care of in Mozilla bug 1320085.

The real problem here is f6c1004b2a64138f84bb03c9bf473151adfa50dd, which added --enable-content-sandbox to the configure flags; that's not supported and should be removed.

(That commit also used --disable-content-sandbox-reporter, which no longer exists but used to mean that the process would just exit with no error message or crash report if it used an unexpected syscall. So if there are any old bug reports where that was happening, that might be why.)
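The comments above pin the crash to syscall 302 (prlimit64 on amd64) being issued from inside glibc's getrlimit wrapper while only getrlimit itself is whitelisted. The following is an added triage helper, not code from this issue, nixpkgs or Firefox: it parses a "Sandbox: seccomp sandbox violation" line and the first stack frame, resolves the number against a small (assumed, partial) amd64 table, and models how the security.sandbox.content.syscall_whitelist pref extends a name-based whitelist. The policy model is a simplification and not Firefox's SandboxFilter logic.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the log quoted in this issue (store paths shortened).
SAMPLE_LOG = """Sandbox: seccomp sandbox violation: pid 4007, syscall 302, args 0 3 0 140735834676864 3 140735834676864.  Killing process.
Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: __getrlimit[/nix/store/...-glibc-2.25/lib/libc.so.6 +0xe0319]
Sandbox: frame #02: pthread_getattr_np[/nix/store/...-glibc-2.25/lib/libpthread.so.0 +0x8e96]"""

# Partial amd64 syscall table (assumption: only the numbers relevant here).
AMD64_SYSCALLS = {97: "getrlimit", 160: "setrlimit", 302: "prlimit64"}

VIOLATION_RE = re.compile(
    r"seccomp sandbox violation: pid (\d+), syscall (\d+), args ((?:\d+ ?)+)\.")
FRAME_RE = re.compile(r"Sandbox: frame #\d+: (\S+?)\[")


@dataclass
class Violation:
    pid: int
    nr: int
    args: tuple
    name: str        # resolved syscall name, or "unknown"
    top_frame: str   # innermost symbol on the stack, or ""


def parse_violation(log: str):
    """Extract pid, syscall number, args and innermost frame from the log."""
    m = VIOLATION_RE.search(log)
    if not m:
        return None
    nr = int(m.group(2))
    args = tuple(int(a) for a in m.group(3).split())
    frame = FRAME_RE.search(log)
    return Violation(int(m.group(1)), nr, args,
                     AMD64_SYSCALLS.get(nr, "unknown"),
                     frame.group(1) if frame else "")


def build_policy(base_names, pref_value=""):
    """Allowed numbers: built-in names plus raw numbers from the pref string."""
    allowed = {nr for nr, name in AMD64_SYSCALLS.items() if name in base_names}
    for tok in pref_value.split(","):
        if tok.strip():
            allowed.add(int(tok.strip()))
    return allowed


def verdict(policy, nr: int) -> str:
    """What the seccomp filter does with this syscall number."""
    return "allow" if nr in policy else "kill"
```

Running parse_violation on the sample shows the wrapper that was called (__getrlimit) and the syscall that actually reached the filter (prlimit64), which is the mismatch the comment above describes.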

Thank you! I disabled the sandbox on master and release-17.03. That sandbox-report option has been gone from nixpkgs for a long time already.
