Firefox crashreporter crashed with SIGSEGV in memcpy() when opening links from Visual Studio Code snap

Bug #1838129 reported by Stefano Probst on 2019-07-27
100
This bug affects 14 people
Affects Status Importance Assigned to Milestone
Visual Studio Code
Fix Released
Unknown
firefox (Ubuntu)
Medium
Unassigned

Bug Description

How the crash happened:

0) Firefox is already open with a few tabs.
1) Click on a link in VS Code.
2) Firefox crashes
3) The crashreporter of firefex pops up.
4) Click on "Send to Mozilla".
5) Crash.

Here is the crashreport of Firefox: https://crash-stats.mozilla.org/report/index/b6952db2-9983-4f67-b51c-f03a60190727#tab-details
I send it manually via about:crashes because the crashreporter is crashed.

VS Code is installed as a snap by the way.

$ snap list
Name Version Rev Tracking Publisher Notes
code 2213894e 11 stable vscode✓ classic
core 16-2.39.3 7270 stable canonical✓ core
core18 20190709 1066 stable canonical✓ base
gtk-common-themes 0.1-22-gab0a26b 1313 stable canonical✓ -
telegram-desktop 1.7.13 836 stable telegram.desktop -

As you can see telegram is also installed as as snap. but open links from telegram just work.

Auto generated data below
-------------------------------------------------------

ProblemType: Crash
DistroRelease: Ubuntu 19.10
Package: firefox 68.0.1+build1-0ubuntu2
ProcVersionSignature: Ubuntu 5.2.0-8.9-generic 5.2.0
Uname: Linux 5.2.0-8-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
AddonCompatCheckDisabled: False
ApportVersion: 2.20.11-0ubuntu7
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: stefano 1718 F.... pulseaudio
BuildID: 20190719083815
Channel: Unavailable
CrashCounter: 1
CurrentDesktop: Unity
Date: Sat Jul 27 13:01:39 2019
DefaultProfileExtensions: extensions.sqlite corrupt or missing
DefaultProfileIncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
DefaultProfileLocales: extensions.sqlite corrupt or missing
DefaultProfilePrefErrors: Unexpected character ',' before close parenthesis @ /usr/lib/firefox/omni.ja:greprefs.js:1141
DefaultProfilePrefSources: prefs.js
DefaultProfilePrefs:
 extensions.lastAppVersion: "68.0.1" (prefs.js)
 security.sandbox.content.tempDirSuffix: "0b21b0ae-b91f-43b6-9458-bf92ba3df531" (prefs.js)
 security.sandbox.plugin.tempDirSuffix: "9a7729c3-823f-443e-95cb-6b41d9a61198" (prefs.js)
DefaultProfileThemes: extensions.sqlite corrupt or missing
ExecutablePath: /usr/lib/firefox/crashreporter
ForcedLayersAccel: False
InstallationDate: Installed on 2019-07-20 (7 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Alpha amd64 (20190715)
IpRoute:
 default via 192.168.0.1 dev wlp2s0 proto dhcp metric 600
 169.254.0.0/16 dev wlp2s0 scope link metric 1000
 192.168.0.0/24 dev wlp2s0 proto kernel scope link src 192.168.0.199 metric 600
LocalLibraries: /snap/code/11/usr/lib/x86_64-linux-gnu/librsvg-2.so.2.40.13 /snap/code/11/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so /snap/code/11/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so /snap/code/11/usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1 /snap/code/11/usr/lib/x86_64-linux-gnu/libicudata.so.55.1 /snap/code/11/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so /snap/code/11/usr/lib/x86_64-linux-gnu/libxml2.so.2.9.4 /snap/code/11/usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
MostRecentCrashID: bp-b6952db2-9983-4f67-b51c-f03a60190727
ProcCmdline: /usr/lib/firefox/crashreporter /home/username/.mozilla/firefox/7n8aku4a.default/minidumps/7eb59ca7-3107-9f59-9af7-7a6e321d6230.dmp
Profile0Extensions: extensions.sqlite corrupt or missing
Profile0IncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
Profile0Locales: extensions.sqlite corrupt or missing
Profile0PrefErrors: Unexpected character ',' before close parenthesis @ /usr/lib/firefox/omni.ja:greprefs.js:1141
Profile0PrefSources: prefs.js
Profile0Themes: extensions.sqlite corrupt or missing
Profiles:
 Profile1 (Default) - LastVersion=68.0.1/20190719083815
 Profile0 - LastVersion=68.0.1/20190719083815 (In use)
RunningIncompatibleAddons: False
SegvAnalysis:
 Segfault happened at: 0x7f36ea452871 <__memmove_avx_unaligned_erms+33>: vmovdqu %ymm0,(%rdi)
 PC (0x7f36ea452871) ok
 source "%ymm0" ok
 destination "(%rdi)" (0x00000000) not located in a known VMA region (needed writable region)!
SegvReason: writing NULL VMA
Signal: 11
SourcePackage: firefox
StacktraceTop:
 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:240
 ?? () from /lib/x86_64-linux-gnu/libpng16.so.16
 ?? () from /lib/x86_64-linux-gnu/libpng16.so.16
 ?? () from /lib/x86_64-linux-gnu/libpng16.so.16
 ?? () from /lib/x86_64-linux-gnu/libpng16.so.16
SubmittedCrashIDs:
 bp-b6952db2-9983-4f67-b51c-f03a60190727
 bp-7b9123e3-e901-4bcd-8815-f36980190720
Title: crashreporter crashed with SIGSEGV in __memmove_avx_unaligned_erms()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
dmi.bios.date: 12/20/2018
dmi.bios.vendor: LENOVO
dmi.bios.version: 5XCN26WW
dmi.board.asset.tag: NO Asset Tag
dmi.board.name: LNVNB161216
dmi.board.vendor: LENOVO
dmi.board.version: SDK0J40709 WIN
dmi.chassis.asset.tag: NO Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Lenovo Y520-15IKBM
dmi.modalias: dmi:bvnLENOVO:bvr5XCN26WW:bd12/20/2018:svnLENOVO:pn80YY:pvrLenovoY520-15IKBM:rvnLENOVO:rnLNVNB161216:rvrSDK0J40709WIN:cvnLENOVO:ct10:cvrLenovoY520-15IKBM:
dmi.product.family: Y520-15IKBM
dmi.product.name: 80YY
dmi.product.sku: LENOVO_MT_80YY_BU_idea_FM_Y520-15IKBM
dmi.product.version: Lenovo Y520-15IKBM
dmi.sys.vendor: LENOVO
separator:

Stefano Probst (senden9) wrote :

StacktraceTop:
 ?? () from /tmp/apport_sandbox_ti3gpnl4/lib/x86_64-linux-gnu/libc.so.6
 memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
 png_combine_row (png_ptr=<optimized out>, dp=<optimized out>, display=1) at pngrutil.c:3853
 png_push_process_row (png_ptr=png_ptr@entry=0x55c687e09f70) at pngpread.c:1150
 png_process_IDAT_data (buffer=<optimized out>, buffer_length=<optimized out>, png_ptr=0x55c687e09f70) at pngpread.c:909

Changed in firefox (Ubuntu):
importance: Undecided → Medium
summary: - Firefox crashreporter crashed with SIGSEGV in
- __memmove_avx_unaligned_erms()
+ Firefox crashreporter crashed with SIGSEGV in memcpy()
tags: removed: need-amd64-retrace

Is reproducible on my machine. I tested again. The link is http://inoryy.com/post/tensorflow2-deep-reinforcement-learning/ but this should not matter I think.

Stefano Probst (senden9) on 2019-07-28
description: updated
description: updated
summary: - Firefox crashreporter crashed with SIGSEGV in memcpy()
+ Firefox crashreporter crashed with SIGSEGV in memcpy() when open link
+ from Visual Studio Code

I can reliably reproduce in a clean 19.10 VM. Just after installing the code snap, the first time it is launched a welcome page is displayed with links to external resources (Help section). Clicking any of these external links is enough to trigger the firefox crash. Interestingly, it's not the whole browser that crashes.

Changed in firefox (Ubuntu):
status: New → Confirmed
information type: Private → Public
Olivier Tilloy (osomon) wrote :

I can reliably reproduce the crash on Ubuntu 19.04 and 19.10, not on 18.04, which makes me think that it could be classic confinement playing tricks here, by exposing two ABI-incompatible versions of libpng16 (the one in the snap, and the one on the host system).

summary: - Firefox crashreporter crashed with SIGSEGV in memcpy() when open link
- from Visual Studio Code
+ Firefox crashreporter crashed with SIGSEGV in memcpy() when opening
+ links from Visual Studio Code snap
Stefano Probst (senden9) on 2019-08-03
information type: Public → Public Security
information type: Public Security → Public
Cameron Taggart (ctaggart) wrote :

This happens for me on Ubuntu 19.10 only when vscode is installed as a snap. https://github.com/snapcrafters/vscode/issues/48

Callum Williams (thegooball) wrote :

I can reliably reproduce this issue on a fresh install of Ubuntu 19.10. Default install of FF and deb install of VS code.

Sergio Schvezov (sergiusens) wrote :
Download full text (3.3 KiB)

If I were a betting person, I would put my stakes on gdk-pixbuf (https://github.com/snapcrafters/vscode/blob/master/files/bin/wrapper#L36)

If that is part of code's environment, whatever it calls will leak that env into the callee...

sergiusens@umbar:~$ snap run --shell code
sergiusens@umbar:~$ cd $SNAP
sergiusens@umbar:/snap/code/25$ cat electron-launch
#!/usr/bin/env bash

# On Fedora $SNAP is under /var and there is some magic to map it to /snap.
# We need to handle that case and reset $SNAP
SNAP=$(echo $SNAP | sed -e "s|/var/lib/snapd||g")

if [ "$SNAP_ARCH" == "amd64" ]; then
  ARCH="x86_64-linux-gnu"
elif [ "$SNAP_ARCH" == "armhf" ]; then
  ARCH="arm-linux-gnueabihf"
elif [ "$SNAP_ARCH" == "arm64" ]; then
  ARCH="aarch64-linux-gnu"
else
  ARCH="$SNAP_ARCH-linux-gnu"
fi

export XDG_CACHE_HOME=$SNAP_USER_COMMON/.cache
if [[ -d $SNAP_USER_DATA/.cache && ! -e $XDG_CACHE_HOME ]]; then
  # the .cache directory used to be stored under $SNAP_USER_DATA, migrate it
  mv $SNAP_USER_DATA/.cache $SNAP_USER_COMMON/
fi
mkdir -p $XDG_CACHE_HOME

# Gdk-pixbuf loaders
export GDK_PIXBUF_MODULE_FILE=$XDG_CACHE_HOME/gdk-pixbuf-loaders.cache
export GDK_PIXBUF_MODULEDIR=$SNAP/usr/lib/$ARCH/gdk-pixbuf-2.0/2.10.0/loaders
if [ -f $SNAP/usr/lib/$ARCH/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders ]; then
  $SNAP/usr/lib/$ARCH/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders > $GDK_PIXBUF_MODULE_FILE
fi

# Create $XDG_RUNTIME_DIR if not exists (to be removed when https://pad.lv/1656340 is fixed)
[ -n "$XDG_RUNTIME_DIR" ] && mkdir -p $XDG_RUNTIME_DIR -m 700

exec "$@"
sergiusens@umbar:/snap/code/25$ if [ "$SNAP_ARCH" == "amd64" ]; then
> ARCH="x86_64-linux-gnu"
> elif [ "$SNAP_ARCH" == "armhf" ]; then
> ARCH="arm-linux-gnueabihf"
> elif [ "$SNAP_ARCH" == "arm64" ]; then
> ARCH="aarch64-linux-gnu"
> else
> ARCH="$SNAP_ARCH-linux-gnu"
> fi
sergiusens@umbar:/snap/code/25$
sergiusens@umbar:/snap/code/25$ export XDG_CACHE_HOME=$SNAP_USER_COMMON/.cache
sergiusens@umbar:/snap/code/25$ if [[ -d $SNAP_USER_DATA/.cache && ! -e $XDG_CACHE_HOME ]]; then
> # the .cache directory used to be stored under $SNAP_USER_DATA, migrate it
> mv $SNAP_USER_DATA/.cache $SNAP_USER_COMMON/
> fi
sergiusens@umbar:/snap/code/25$ mkdir -p $XDG_CACHE_HOME
sergiusens@umbar:/snap/code/25$
sergiusens@umbar:/snap/code/25$ # Gdk-pixbuf loaders
sergiusens@umbar:/snap/code/25$ export GDK_PIXBUF_MODULE_FILE=$XDG_CACHE_HOME/gdk-pixbuf-loaders.cache
sergiusens@umbar:/snap/code/25$ export GDK_PIXBUF_MODULEDIR=$SNAP/usr/lib/$ARCH/gdk-pixbuf-2.0/2.10.0/loaders
sergiusens@umbar:/snap/code/25$ if [ -f $SNAP/usr/lib/$ARCH/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders ]; then
> $SNAP/usr/lib/$ARCH/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders > $GDK_PIXBUF_MODULE_FILE
> fi
sergiusens@umbar:/snap/code/25$ firefox
ExceptionHandler::GenerateDump cloned child 570327
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...
sergiusens@umbar:/snap/code/25$ unset GDK_PIXBUF_MODULE_FILE
sergiusens@umbar:/snap/code/25$ unset GDK_PIXBUF_MODULEDIR
sergiusens@umbar:/snap/code/25$ firefox

###!!! [Child][MessageChannel] Error: (msgtype=0x370135,na...

Read more...

Joao Moreno (alphpt) wrote :

@sergiusens

Fantastic findings! Thanks a lot for looking into this.

This is also the underlying issue behind another issue I face when selfhosting VS Code: it simply crashes when opening a native Open dialog. Unsetting those env vars also fixes that issue!

We got that bootstrapping code from Martin (@flexiondotorg): https://github.com/snapcrafters/vscode/commit/1477ff8a6b80d3e337ffabf75c2c9e3482b8ab74

Including a tiny review from you: https://github.com/snapcrafters/vscode/commit/1477ff8a6b80d3e337ffabf75c2c9e3482b8ab74#r32657237

I didn't really understand the original motive behind the `Gdk-pixbuf loaders` section. What do you think we can do here? What's the right way to move forward?

Thanks!

Mossroy (mossroy) wrote :

This PR seems to try to fix the bug : https://github.com/microsoft/vscode/pull/94503
It has been merged recently, so hopefully we might have this problem fixed in a future version of VSCode/VSCodium

Changed in firefox (Ubuntu):
status: Confirmed → Fix Committed
Daniel Llewellyn (diddledan) wrote :

Set back to confirmed. While there have been changes to VSCode, that isn't "Firefox (Ubuntu)". The Ubuntu codebase for Firefox has not received any commits to fix this. The likely outcome of this issue is that we set Firefox (Ubuntu) to invalid because it is a bug in VSCode, not Firefox on Ubuntu.

Changed in firefox (Ubuntu):
status: Fix Committed → Confirmed
no longer affects: firefox
Changed in vscode:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.