Created attachment 278085 [details] Build log

Portage 2.1.9.42 (hardened/linux/x86, gcc-4.4.5, libc-0-r0, 2.6.39-gentoo i686)
=================================================================
System uname: Linux-2.6.39-gentoo-i686-Intel-R-_Celeron-R-_M_CPU_430_@_1.73GHz-with-gentoo-2.0.2
Timestamp of tree: Fri, 24 Jun 2011 15:30:01 +0000
app-shells/bash: 4.1_p9
dev-lang/python: 2.7.1-r1, 3.1.3-r1
dev-util/cmake: 2.8.4-r1
sys-apps/baselayout: 2.0.2
sys-apps/openrc: 0.8.2-r1
sys-apps/sandbox: 2.4
sys-devel/autoconf: 2.13, 2.65-r1
sys-devel/automake: 1.9.6-r3, 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 4.4.5
sys-devel/gcc-config: 1.4.1-r1
sys-devel/libtool: 2.2.10
sys-devel/make: 3.82
sys-kernel/linux-headers: 2.6.36.1
sys-libs/glibc: 2.12.2
virtual/os-headers: 0
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -g0 -w"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=prescott -g0 -w"
DISTDIR="/media/sources"
EMERGE_DEFAULT_OPTS="--with-bdeps y"
FEATURES="assume-digests binpkg-logs collision-protect distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms split-log strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org http://192.168.2.3"
LANG="it_IT.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
LINGUAS="en en_GB"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa apic bash-completion berkdb bzip2 cairo cli consolekit cracklib crypt custom-cflags custom-optimization cxx dbus dri dvd extras ffmpeg gdbm gpm gtk hardened iconv jpeg jpeg2k kde lame lm_sensors mad mmx modules mp3 mudflap ncurses networkmanager nls nptl nptlonly nsplugin opengl openmp pam pcre perl pic png policykit pppd python qt3support qt4 readline semantic-desktop session sse sse2 ssl svg symlink sysfs tcpd threads tiff udev urandom x264 x86 xorg zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_GB" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel"
Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
It's quite likely that you simply ran out of RAM or disk space. Are you sure that isn't the case?
In the cases you mean, I should see "killed" or something like that. Anyway, I have 1.5gb of tmpfs and 2gb of swap, compiling with makeopts="-j1". I can retry to verify if more resources are needed.
When the compilation is terminated I still have:

tmpfs 1,5G 1,4G 167M 89% /tmp

Swap: 1999 608 1391
(In reply to comment #3)
> when the compilation is terminated i have still:
>
> tmpfs 1,5G 1,4G 167M 89% /tmp
>
> Swap: 1999 608 1391

This is nowhere near enough room for firefox; firefox cannot even be compiled in a 3GB tmpfs.
Created attachment 278197 [details] Build log

(In reply to comment #4)
> this is no where near enough room for firefox, firefox can not even be compiled
> in a 3GB tmpfs

OK, now I'm compiling directly on a disk, and I have ~28 Gb available... It fails for another reason.
Created attachment 278243 [details, diff] firefox-5.0-hardened initial support

This will get you through a complete build, but will result in failure when firefox is launched with pgo enabled:

grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/portage/www-client/firefox-5.0/work/mozilla-release/obj-x86_64-unknown-linux-gnu/dist/firefox/firefox-bin[firefox-bin:5567] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:5563] uid/euid:250/250 gid/egid:250/250
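The grsec denial quoted in the comment above, run through a small parser (an added example, not part of the original thread or of the ebuild): it groups RWX denials by executable and separates those raised from inside a Portage build tree from those raised by installed binaries. The sample log is constructed around the quoted line; the `work`/`image` build-tree layout, the `mprotect` message variant and the `/usr/lib/firefox` install path are assumptions.

```python
import re
from collections import Counter

# One grsec RWX denial, in the layout of the line quoted in the comment above.
# Assumption: "mprotect" denials use the same layout as the quoted "mmap" one.
DENIAL_RE = re.compile(
    r"grsec: denied RWX (?P<op>mmap|mprotect) of (?P<target>.+?) by "
    r"(?P<exe>/.*?)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, "
    r"parent (?P<pexe>/.*?)\[(?P<pcomm>[^\]:]+):(?P<ppid>\d+)\]"
)

# Assumption: Portage builds under <PORTAGE_TMPDIR>/portage/<category>/<pkg>/work
# (or .../image), as in the quoted path. PORTAGE_TMPDIR itself varies per system.
BUILD_TREE_RE = re.compile(r"/portage/(?P<cat>[^/]+)/(?P<pkg>[^/]+)/(?:work|image)/")


def _sample(op, exe, pid, uid, parent, ppid):
    """Build one constructed log line in the quoted format."""
    comm = exe.rsplit("/", 1)[-1][:15]    # kernel task names hold at most 15 chars
    pcomm = parent.rsplit("/", 1)[-1][:15]
    ids = f"uid/euid:{uid}/{uid} gid/egid:{uid}/{uid}"
    return (f"kernel: grsec: denied RWX {op} of <anonymous mapping> by "
            f"{exe}[{comm}:{pid}] {ids}, parent {parent}[{pcomm}:{ppid}] {ids}")


BUILD = ("/var/tmp/portage/www-client/{}/work/mozilla-release/"
         "obj-x86_64-unknown-linux-gnu/dist/")

# Constructed sample log. Only the first denial is the one quoted in the thread;
# the xpcshell and plugin-container lines, their PIDs and paths are made up.
SAMPLE_LOG = "\n".join([
    _sample("mmap", BUILD.format("firefox-5.0") + "firefox/firefox-bin",
            5567, 250, "/usr/bin/python2.7", 5563),
    _sample("mmap", BUILD.format("firefox-5.0-r2") + "bin/xpcshell",
            6001, 0, "/bin/bash", 5990),
    _sample("mmap", BUILD.format("firefox-5.0-r2") + "bin/xpcshell",
            6044, 0, "/bin/bash", 5990),
    "kernel: EXT4-fs (sda3): re-mounted. Opts: (null)",   # unrelated line, skipped
    _sample("mprotect", "/usr/lib/firefox/plugin-container",
            7010, 1000, "/usr/lib/firefox/firefox-bin", 7002),
])


def parse_denials(log_text):
    """Return one dict per grsec RWX denial found in log_text."""
    denials = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("pid", "uid", "euid", "ppid"):
            d[key] = int(d[key])
        tree = BUILD_TREE_RE.search(d["exe"])
        # Set when the denied process ran from a Portage build directory.
        d["build_pkg"] = f"{tree['cat']}/{tree['pkg']}" if tree else None
        denials.append(d)
    return denials


def report(denials):
    """Group denials per executable as (name, where it ran, count) rows."""
    counts = Counter((d["exe"], d["build_pkg"]) for d in denials)
    rows = []
    for (exe, pkg), n in sorted(counts.items(), key=lambda kv: kv[0][0]):
        where = f"during build of {pkg}" if pkg else "installed binary"
        # Use the path's basename: the [comm:pid] field may be truncated.
        rows.append((exe.rsplit("/", 1)[-1], where, n))
    return rows


if __name__ == "__main__":
    for name, where, n in report(parse_denials(SAMPLE_LOG)):
        print(f"{n:2d}  {name:18s} {where}")
```

Rows reported as "during build of ..." are binaries executed from the build tree itself, such as the PGO run under python2.7 in the quoted line, so a `pax-mark` applied to the installed files does not cover them.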
*** Bug 373071 has been marked as a duplicate of this bug. ***
*** Bug 373029 has been marked as a duplicate of this bug. ***
*** Bug 373031 has been marked as a duplicate of this bug. ***
I have committed a working ebuild for fx-5. It will not make everyone happy, but at least you are getting the latest. I will continue to work on removing the pax-mark m for firefox-bin; plugin-container will continue to be marked due to flash and java.
Doesn't make me happy at all, see my latest comment in 373031:

You have
use hardened && mozconfig_annotate 'hardened' --disable-methodjit
and
if use hardened; then
pax-mark m "${ED}"/${MOZILLA_FIVE_HOME}/firefox-bin
pax-mark m "${ED}"/${MOZILLA_FIVE_HOME}/plugin-container
fi

I use PaX, but I'm not hardened:
"hardened" means "hardened toolchain" and "pie executables",
but I have PaX with standard toolchain and standard (non-pie) executables,
and hence don't have "hardened" set!
(PaX kernel is completely independent of hardened or non-hardened userland...)

So please do the pax-marking independent of "hardened".

And if you really manage to build a firefox which doesn't need pax-mark:
Could you try the same for thunderbird?
A pax-marked firefox doesn't really hurt me, because firefox is running
strictly separated under a browsing-only guest-level account here,
and even if it were hacked, damage would be very limited.
But thunderbird is running under my normal account in my homedir,
and that's a real danger...
(In reply to comment #10)
> I have commited a working ebuild for fx-5, it will not make everyone happy but
> atleast you are getting the latest, I will continue to work on removing the
> pax-mark m for firefox-bin plugin-container will continue to be marked due to
> flash and java.

Good job Jory. Works for me now for compile and execution phase.
(In reply to comment #11)
> Doesn't make me happy at all, see my latest comment in 373031:
>
> You have
> use hardened && mozconfig_annotate 'hardened' --disable-methodjit
> and
> if use hardened; then
> pax-mark m "${ED}"/${MOZILLA_FIVE_HOME}/firefox-bin
> pax-mark m "${ED}"/${MOZILLA_FIVE_HOME}/plugin-container
> fi
>
> I use PaX, but I'm not hardened:
> "hardened" means "hardened toolchain" and "pie executables",
> but I have PaX with standard toolchain and standard (non-pie) executables,
> and hence don't have "hardened" set!
> (PaX kernel is completely independent of hardened or non-hardened userland...)
>
> So please do the pax-marking independent of "hardened".
>
> And if you really manage to build a firefox which doesn't need pax-mark:
> Could you try the same for thunderbird?
> A pax-marked firefox doesn't really hurt me, because firefox is running
> strictly separated under a browsing-only guest-level account here,
> and even if it were hacked, damage would be very limited.
> But thunderbird is running under my normal account in my homedir,
> and that's a real danger...

Klause, there is no way to make everyone happy; you can either accept it or do your own ebuild. I am looking out for the greater good of the gentoo users, not a single user, sorry.
What's the problem with just setting paxctl unconditionally, independent of hardened? Just drop the if, pax-marking won't do any harm on a non-PaX system?!

Sun JDK does it unconditionally, LibreOffice does it, Thunderbird does it, Firefox 3.* and 4.* (Xulrunner) always did it that way, Google V8 and all the other browsers do it. In fact, I just grepped all of /usr/portage, and firefox 5 is the *only* ebuild in which pax-mark depends on hardened.

I accept both a JIT firefox with pax marking and a non-JIT firefox without pax marking, but at least plugin-container should be pax marked in any case, and the build should not fail on a PaX system without hardened.

"euses hardened" says
"hardened - activate default security enhancements for toolchain (gcc, glibc, binutils)"
I don't have that, so I don't use "hardened".

Independently, the "hardened-sources" kernel includes PaX. "hardened-sources" without "hardened" userland always was a supported configuration in Gentoo up to now, even for firefox.
Maybe then a 'jit' use flag would make sense after all? This way it would not be dependent on the 'hardened' flag, so non-hardened users using pax kernels would be able to compile it fine if they unset it...

Alternatively, maybe a similar magic to what's done in the latest mono ebuild in src_prepare() could be used?

While I accept that firefox could be pax-marked 'off' by default, giving users information that in certain conditions they could use mprotect if they wish should be an option too IMHO...
Building is OK, but firefox still doesn't start. It just goes into an infinite loop, without showing a window/allocating memory. Here are my USE flags for firefox:

[ebuild R ] www-client/firefox-5.0-r1 USE="alsa dbus hardened ipc libnotify webm wifi -bindist -custom-optimization -debug -gconf -pgo -startup-notification -system-sqlite" LINGUAS="en ru -af -ak -ar -ast -be -bg -bn -bn_BD -bn_IN -br -bs -ca -cs -cy -da -de -el -eo -es -es_ES -et -eu -fa -fi -fr -fy -fy_NL -ga -ga_IE -gd -gl -gu -gu_IN -he -hi -hi_IN -hr -hu -hy -hy_AM -id -is -it -ja -kk -kn -ko -ku -lg -lt -lv -mai -mk -ml -mr -nb -nb_NO -nl -nn -nn_NO -nso -or -pa -pa_IN -pl -pt -pt_PT -rm -ro -si -sk -sl -son -sq -sr -sv -sv_SE -ta -ta_LK -te -th -tr -uk -vi -zu" 0 kB

Portage 2.1.10.3 (hardened/linux/x86, gcc-4.5.2, glibc-2.12.2-r0, 2.6.37-hardened i686)
System uname: Linux-2.6.37-hardened-i686-Intel-R-_Celeron-R-_CPU_743_@_1.30GHz-with-gentoo-2.0.2
Timestamp of tree: Mon, 27 Jun 2011 08:45:01 +0000
(In reply to comment #16)
> building is ok. But firefox still doesnt start.
> Just go to infinite-loop, without showing window/allocating memory.

Works for me with a stable environment. I see that you have gcc ~arch, glibc stable, and 2.6.37, which is no longer supported.
(In reply to comment #15)
> Maybe then 'jit' use flag would make sense after all? This way it would not be
> depended on the 'hardened' flag so non-hardened users, using pax kernels would
> be able to compile it fine if they unset it...

That's what the jit USE flag is for, so why not use it here as well? So the logic should be simply 'if USE=jit then disable MPROTECT on the firefox binaries otherwise disable the jit config option(s)'.
(In reply to comment #16)
> building is ok. But firefox still doesnt start.
> Just go to infinite-loop, without showing window/allocating memory.

What does strace show? If it's an infinite loop of a hinted mmap, it's supposed to be fixed already; otherwise we'll have to take a look (open a new bug please and CC us).
firefox-5.0-r2 still doesn't contain paxmarking on the xpcshell stage. So installation is still breaking at this stage.
(In reply to comment #20)
> firefox-5.0-r2 still doesnt contain paxmarking on xpcshell stage. So,
> installation still breaking on this stage.

methodjit and pgo are both disabled on hardened now, bug is resolved.
Not fixed.

See comment #20, same problem here.

Still breaks with the default settings on a system with hardened-sources (PaX) kernel and non-hardened userland during emerge in the xpcshell stage (xpcshell lacks pax marking and gets killed).

Works fine with explicit USE="-methodjit" (which is *not* the default).

As I said in comment #14, pax marking should be independent of "hardened" (as it is in all other ebuilds which do pax marking).
(In reply to comment #22)
> Not fixed.
>
> See comment #20, same problem here.
>
> Still breaks with the default settings on a system with hardened-sources
> (PaX) kernel and non-hardened userland during emerge in the xpcshell stage
> (xpcshell lacks pax marking and gets killed).
>
> Works fine with explicit USE="-methodjit" (which is *not* the default).
>
> As I said in comment #14, pax marking should be independent of "hardened"
> (as it is in all other ebuilds which do pax marking).

Aight, as I said, there is no way to make everyone happy. We cannot ensure that you are running a pax enabled kernel, and I am not gonna add a bunch of hacks. If you do not like what is provided in the ebuild, please feel free to use your own ebuild. You are a small corner case and I am not gonna force people to drop methodjit support just to support your corner case out of the box. Maybe it is time you switch to a hardened profile.
I'm not the only one, #20 is not me.

Does that mean that there is no easy way to paxmark xpcshell during the build? (unconditionally and in general)

That would make everyone happy!
(In reply to comment #24)
> I'm not the only one, #20 is not me.
>
> Does that mean that there is no easy way to paxmark xpcshell during the build?
> (unconditionally and in general)
>
> That would make everyone happy!

xpcshell would need to be paxmarked during the actual `make`, which is not gonna happen. The solution is to disable methodjit so xpcshell can function properly. As far as pax marking unconditionally, it is already handled for firefox-bin and plugin-container in src_install(). This is one of the reasons that pgo and methodjit useflags have been masked on hardened profiles.
(In reply to comment #25)
>
> xpcshell would need to be paxmarked during the actual `make` which is not gonna
> happen. The solution is to disable methodjit so xpcshell can function properly.
> As far as pax marking unconditionally it is already handled for firefox-bin and
> plugin-container in src_install(). This is one of the reasons that pgo and
> methodjit useflags have been masked on hardened profiles.

Funny enough I've just tried upgrading to firefox-5.0-r2 and got the exact same error - xpcshell being killed by PAX and firefox failing to emerge. Not sure what has changed, I was able to compile it previously, I'm on hardened profile and just upgraded to hardened-sources 2.6.39-r5...

Anyway, I was able to finish the installation by manually paxmarking xpcshell (it fails during src_install not src_compile) and then doing ebuild install and qmerge manually.

Maybe paxmark xpcshell then in src_install?
Created attachment 279349 [details] failed firefox-5.0-r2 build log
Created attachment 279377 [details] the actual failing log ignore the previous one, that's the one which is failing, but this is probably due to my custom patch being enabled