Created attachment 381884 [details]
"strace -f firefox" output

Comment 2 Jeroen Roovers (RETIRED) 2014-07-30 09:24:35 UTC

Comment on attachment 381882 [details]
"valgrind --track-origins=yes --trace-children=yes firefox" output

What use would this be? It ends in the segmentation fault where the actual information is that we'd need.

Comment 3 Jeroen Roovers (RETIRED) 2014-07-30 09:27:29 UTC

Comment on attachment 381884 [details]
"strace -f firefox" output

Again, this does not have any useful information. If anything, get a gdb backtrace (call `gdb /path/to/firefox' and attach the output of 'run; t a a bt full').

Comment 4 Jeroen Roovers (RETIRED) 2014-07-30 09:27:55 UTC

And please post your `emerge --info' output in a comment.

1. valgrind output is totally useless because you are using jemalloc.
2. ascertain why firefox is crashing -- *without* valgrind.
2.1. if it is sigkill, paste paxctl-ng /usr/bin/firefox.
2.2. if sigsegv, attach gdb backtrace as requested.

Comment 6 Anders Hellgren 2014-07-31 17:19:04 UTC

I got the same type of crash after updating to firefox-31. It happened while checking whether my addons were compatible with the new version.

As for the reporter, it is a sigkill, and (for me) paxctl -v shows mxe.

However, running through gdb as suggested, it still crashed, but showed a new dialogue stating firefox had crashed unexpectantly and presenting options to either reset the profile or start in safe mode. Choosing safe mode, firefox started.

Disabled all addons and restarted normally, everything OK. Re-enabled addons one by one and everything's still OK.

# emerge --info firefox
Portage 2.2.8-r1 (hardened/linux/amd64, gcc-4.7.3, glibc-2.19-r1, 3.15.5-hardened-r1 x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-3.15.5-hardened-r1-x86_64-AMD_Phenom-tm-_II_X6_1090T_Processor-with-gentoo-2.2
KiB Mem:    16337740 total,   9964096 free
KiB Swap:   33554428 total,  33554032 free
Timestamp of tree: Wed, 30 Jul 2014 19:00:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.6
dev-util/cmake:           2.8.12.2-r1
dev-util/pkgconfig:       0.28-r1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.10.3, 1.11.6, 1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc:           2.19-r1
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=amdfam10 -O2 -pipe -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=amdfam10 -O2 -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://trumpetti.atm.tut.fi/gentoo http://gentoo.osuosl.org"
LANG="en_GB.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j7"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa amd64 berkdb branding bzip2 caps cli cracklib crypt cups curl cxx dri dvdr encode ffmpeg flac gdbm gnome gtk hardened iconv ipv6 jpeg justify lame mad mmx modules mp3 mpeg multilib mysql ncurses nls nptl ogg opengl openmp pam pax_kernel pcre perl png readline session spell sse sse2 ssl tcpd tiff unicode urandom usb vaapi vdpau vorbis xattr xtpax xv zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="radeon v4l r600" XFCE_PLUGINS="clock trash" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

www-client/firefox-31.0 was built with the following:
USE="hardened minimal -bindist -custom-cflags -custom-optimization -dbus -debug -gstreamer -jit (-pgo) -pulseaudio (-selinux) -startup-notification -system-cairo -system-icu -system-jpeg -system-sqlite -test -wifi" ABI_X86="64" LINGUAS="-af -ar -as -ast -be -bg -bn_BD -bn_IN -br -bs -ca -cs -csb -cy -da -de -el -en_GB -en_ZA -eo -es_AR -es_CL -es_ES -es_MX -et -eu -fa -fi -fr -fy_NL -ga_IE -gd -gl -gu_IN -he -hi_IN -hr -hu -hy_AM -id -is -it -ja -kk -km -kn -ko -ku -lt -lv -mai -mk -ml -mr -nb_NO -nl -nn_NO -or -pa_IN -pl -pt_BR -pt_PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv_SE -ta -te -th -tr -uk -vi -xh -zh_CN -zh_TW -zu"
CFLAGS="-march=amdfam10 -pipe -ggdb -mno-avx"
CXXFLAGS="-march=amdfam10 -pipe -ggdb -mno-avx"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-z,relro,-z,now"

Also hit it when checking addons compatibility

[34813.654101] PAX: execution attempt in: <anonymous mapping>, 2c7173ac000-2c7173ae000 2c7173ac000
[34813.654144] PAX: terminating task: /usr/lib64/firefox/firefox(firefox):2315, uid/euid: 1000/1000, PC: 000002c7173ace68, SP: 000003c894c62aa8
[34813.654152] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
[34813.654204] PAX: bytes at SP-8: 000002c6fcb52320 000002c7173c2a80 0000000000000202 000002c6fcd17d60 0000000000000001 fffb82c6fa78ebc0 fff9000000000000 000003c894c62b70 000002c6fc9af620 000002c7173c6ca0 0000000000000801 
[34820.521014] PAX: execution attempt in: <anonymous mapping>, 27000c24000-27000c26000 27000c24000
[34820.521021] PAX: terminating task: /usr/lib64/firefox/firefox(firefox):2346, uid/euid: 1000/1000, PC: 0000027000c24e68, SP: 0000039119005928
[34820.521026] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
[34820.521046] PAX: bytes at SP-8: 0000026fe6552320 0000027000c3aa80 0000000000000202 0000026fe6817d60 0000000000000001 fffb826fe418dbc0 fff9000000000000 00000391190059f0 0000026fe63af620 0000027000c3eca0 0000000000000801 
[34951.006530] PAX: execution attempt in: <anonymous mapping>, 37ccdd1d000-37ccdd1f000 37ccdd1d000
[34951.006574] PAX: terminating task: /usr/lib64/firefox/firefox(firefox):3717, uid/euid: 1000/1000, PC: 0000037ccdd1de68, SP: 000003d0a2a9a0f8
[34951.006580] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
[34951.006602] PAX: bytes at SP-8: 0000037cb5952320 0000037ccdd33a80 0000000000000202 0000037cb5b17d60 0000000000000001 fffb837cb368dbc0 fff9000000000000 000003d0a2a9a1c0 0000037cb576f720 0000037ccdd37ca0 0000000000000801 

doing 
run firefox -safe-mode and disabling addons
then relaunch and reenabling addons seems to have fixed it

Comment 8 Jory A. Pratt 2014-08-04 03:20:15 UTC

For everyone hitting this start with a clean profile. I am aware of the problem and looking into it.

Sorry for not replying sooner. For some reason my b.g.o e-mail notification settings had changed without my knowledge.

(In reply to Jeroen Roovers from comment #3)
> Again, this does not have any useful information. If anything, get a gdb
> backtrace (call `gdb /path/to/firefox' and attach the output of 'run; t a a
> bt full').

Please read the bug description about why it is not possible to get a gdb backtrace.

(In reply to Alex Xu (Hello71) from comment #5)
> 1. valgrind output is totally useless because you are using jemalloc.

I don't know what jemalloc is.

> 2. ascertain why firefox is crashing -- *without* valgrind.

SIGKILL by kernel.

> 2.1. if it is sigkill, paste paxctl-ng /usr/bin/firefox.
I assume you meant # paxctl-ng -v /usr/bin/firefox 
/usr/bin/firefox:
        open(O_RDWR) failed: cannot change PT_PAX flags
        PT_PAX    : -em--
        XATTR_PAX : not found

> 2.2. if sigsegv, attach gdb backtrace as requested.
The SIGSEGV when running Firefox in Valgrind appears to happen at the same time (given the same user input) as the SIGKILL when running without Valgrind, which is why I attached the Valgrind log.

(In reply to Jeroen Roovers from comment #4)
> And please post your `emerge --info' output in a comment.

Here's some:

Portage 2.2.8-r1 (hardened/linux/amd64, gcc-4.8.3, glibc-2.19-r1, 3.15.7-hardened x86_64)
=================================================================
System uname: Linux-3.15.7-hardened-x86_64-Intel-R-_Core-TM-_i7-4700MQ_CPU_@_2.40GHz-with-gentoo-2.2
KiB Mem:    16303960 total,   8516044 free
KiB Swap:   16777212 total,  16777212 free
Timestamp of tree: Mon, 04 Aug 2014 00:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
distcc 3.1 x86_64-pc-linux-gnu [disabled]
ccache version 3.1.9 [disabled]
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.7, 3.2.5-r6, 3.3.5-r1
dev-util/ccache:          3.1.9-r3
dev-util/cmake:           2.8.12.2-r1
dev-util/pkgconfig:       0.28-r2
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.4, 4.8.3, 4.9.0
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.15 (virtual/os-headers)
sys-libs/glibc:           2.19-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native -ggdb"
CHOST="x86_64-pc-linux-gnu"
CXXFLAGS="-O2 -pipe -march=native -ggdb"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg xattr"
FFLAGS="-O2 -pipe"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
ABI_X86="64" ELIBC="glibc" KERNEL="linux" LINGUAS="en et et_EE" USERLAND="GNU"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

I found that flipping javascript.options.baselinejit (or paxmark -p) stopped these segfaults.

Unfortunately, 31 broke -M also, which was working with 30. =(

(In reply to sedfu from comment #10)
> I found that flipping javascript.options.baselinejit (or paxmark -p) stopped
> these segfaults.
> 
> Unfortunately, 31 broke -M also, which was working with 30. =(

Thank you. Changing it to false stopped the segfaults for me as well.

Created attachment 383566 [details, diff]
POC that -jit useflag is useless

Firefox seems to have dropped the --enable-ion (or was it --disable-ion) and --enable-yarr-jit (--disable-*) options in their configure script. Since this are the options that the mozconfig-v4.eclass tries to manipulate the -jit useflag does essentially nothing: firefox is build with jit support.
The patch I attached solves this problem in a hacky way (the better way would likely be to revert the upstream patch the removed the options or even better: get upstream to revert the patch).
Though the patch works (either by epatch_user or by modfying the build to apply it conditionally on the jit USE flag, I would see it more as a proof of concept (on how to fix the issue).

Comment 13 Ian Stakenvicius (RETIRED) 2014-08-25 18:30:46 UTC

Thanks for the patch, however if I remember correctly this particular setting merely assigns the default values.  The very next line unsets ENABLE_ION if --disable-ion is provided to ./configure, and I have verified that this works as expected on the beta package for spidermonkey-31.

The actual problem seems to be that mozconfig-v4.eclass doesn't ever write out the proper --disable-ion and --disable-yarr-jit options to .mozconfig.  I am attempting to address this now.

But firefox also crashes with USE=jit. Does this mean that some PaX flags missing? "paxmark -p" was mentioned in comment 10, but I didn't verify that.

Comment 15 Ian Stakenvicius (RETIRED) 2014-08-25 18:42:04 UTC

(In reply to Alexander Tsoy from comment #14)
> But firefox also crashes with USE=jit. Does this mean that some PaX flags
> missing? "paxmark -p" was mentioned in comment 10, but I didn't verify that.

Apparently either one needs to use a clean profile or adjust marks on something(s) in one's profile to avoid the crashes.  I don't know anything more than that about it, unfortunately.  I haven't seen anything so far in this bug that says crashes occur when a clean profile is used, and I think the change in the profile that is necessary is mentioned in comment 10

As stated above:
The patch doesn't return it to the state it was for e.g. firefox-30.0. You're correct that the patch just changes the default values.
The problem (as far as I can tell) is, that the options --disable-ion and --disable-yarr-jit were removed from the buildsystem (they aren't shown in the output of ./configure --help for example).
@Alexander: jit and mprotect can't really work together - it's by design. jit writes executable code to be executed and that's exactly what pax' mprotect is designed to disallow. If you are enabling jit it is expected to fail.
Right now I have firefox-31.0 running with the following pax-marks:
/usr/lib64/firefox/firefox:
        XATTR_PAX : -em--
And that is with my old and "dirty" profile.

(In reply to Hinnerk van Bruinehsen from comment #16)
> @Alexander: jit and mprotect can't really work together - it's by design.

Yes I know it. And firefox-31 crashes for me even when mprotect is disabled!

Moreover firefox ebuild disables MPROTECT unconditionally, even with USE=-jit.

(In reply to sedfu from comment #10)
> I found that flipping javascript.options.baselinejit (or paxmark -p) stopped
> these segfaults.

Same for me. After adding the line:

  user_pref("javascript.options.baselinejit", false);

to the prefs.js file of my broken profile fixed it. Thanks!

To summarize:
USE=jit: firefox needs additional pax markings. I'll recheck with -p and report my results.
USE=-jit: eclass fixes are needed. After that maybe we can get rid of all paxmarkings.

The problem is here:

    if has jit ${IUSE}; then

IIUC you cannot use IUSE in eclass. Or you should inherit eclass after declaring IUSE in ebuild. %)

Comment 21 Ian Stakenvicius (RETIRED) 2014-08-25 19:29:47 UTC

(In reply to Alexander Tsoy from comment #18)
> Moreover firefox ebuild disables MPROTECT unconditionally, even with
> USE=-jit.

That's because USE=jit isn't the only thing that makes the firefox binary require MPROTECT be disabled.  

On those lines, though, please try firefox-31.0-r1 from the mozilla overlay ; this (and the new eclass) will properly respect USE=-jit and should bring back the same behaviour seen in firefox-30 and previous. 

(except for the profile issue, as that may be new)

(In reply to Alexander Tsoy from comment #20)

> USE=jit: firefox needs additional pax markings. I'll recheck with -p and
> results.

I can confirm that firefox-31.0 also needs "pax-mark p" when jit is enabled. :(

Comment 23 Ian Stakenvicius (RETIRED) 2014-08-27 13:51:19 UTC

(In reply to Alexander Tsoy from comment #22)
> (In reply to Alexander Tsoy from comment #20)
> 
> > USE=jit: firefox needs additional pax markings. I'll recheck with -p and
> > results.
> 
> I can confirm that firefox-31.0 also needs "pax-mark p" when jit is enabled.
> :(

Again, is that when javascript.options.baselinejit is flipped in the profile (ie, what you get when you have a clean profile) as per comment 10??  Or did you skip that step?

Seems we do not understand each other. Turning javascript.options.baselinejit off should be equivalent to USE=-jit (with mozconfig-v4.1.eclass), but I want to use firefox *WITH* jit on one of my PCs. firefox-24 works fine if just MPROTECT is disabled, but firefox-31 also needs PAGEEXEC to be disabled. So I'd like to propose the following change to firefox-31 ebuild:

@@ -367,6 +367,9 @@
 
        # Required in order to use plugins and even run firefox on hardened.
        pax-mark m "${ED}"${MOZILLA_FIVE_HOME}/{firefox,firefox-bin,plugin-container}
+       if use jit; then
+               pax-mark p "${ED}"${MOZILLA_FIVE_HOME}/{firefox,firefox-bin}
+       fi
 
        if use minimal; then
                rm -r "${ED}"/usr/include "${ED}${MOZILLA_FIVE_HOME}"/{idl,include,lib,sdk} \

Comment 25 Ian Stakenvicius (RETIRED) 2014-09-08 20:06:57 UTC

fixed in 31.1 and 32.