Details
Bug
Resolution: Unresolved
P1: Critical
6.6.2
Linux 6.9.9 on Debian sid / experimental, running under plasmashell 6.1.0, on Wayland, with the NVIDIA 555.58.02 driver using the open kernel module.
Description
I have a somewhat reproducible crash inside the chromium portion of libQt6WebEngineCore when it is running under plasmashell 4:6.1.0-1 on Debian sid/experimental.
I am in the process of porting the WebSlice widget to Plasma 6, and as this is essentially a wrapper around webengine, it's not a complete shock that I'm hitting surprises.
Sometimes when loading or reloading a page, everything works fine; sometimes, however, it triggers a crash.
One such crash looks like:
[2349584:2349619:0724/141800.246685:FATAL:scoped_file.cc(43)] Check failed: . : Bad file descriptor (9)

Thread 16 "ThreadPoolForeg" received signal SIGTRAP, Trace/breakpoint trap.
[Switching to Thread 0x7fffb2a006c0 (LWP 2349619)]
0x00007fffbdea6a23 in logging::LogMessage::~LogMessage() () from /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
(gdb) bt
#0  0x00007fffbdea6a23 in logging::LogMessage::~LogMessage() () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#1  0x00007fffbdea6b21 in logging::ErrnoLogMessage::~ErrnoLogMessage() () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#2  0x00007fffbdeaaa0a in logging::CheckError::~CheckError() () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#3  0x00007fffbdec1e61 in base::internal::ScopedFDCloseTraits::Free(int) () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#4  0x00007fffbdf6a123 in base::File::Close() [clone .part.0] () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#5  0x00007fffbdebb551 in base::File::~File() () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#6  0x00007fffbe12c4ce in disk_cache::SimpleFileTracker::Close(disk_cache::SimpleSynchronousEntry const*, disk_cache::SimpleFileTracker::SubFile) () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#7  0x00007fffbe135ae9 in disk_cache::SimpleSynchronousEntry::CloseFiles() [clone .part.0] () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#8  0x00007fffbe13966e in disk_cache::SimpleSynchronousEntry::OpenEntry(net::CacheType, base::FilePath const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long, disk_cache::SimpleFileTracker*, std::unique_ptr<disk_cache::UnboundBackendFileOperations, std::default_delete<disk_cache::UnboundBackendFileOperations> >, int, disk_cache::SimpleEntryCreationResults*) () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#9  0x00007fffbe123181 in base::internal::Invoker<base::internal::BindState<void (*)(net::CacheType, base::FilePath const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long, disk_cache::SimpleFileTracker*, std::unique_ptr<disk_cache::UnboundBackendFileOperations, std::default_delete<disk_cache::UnboundBackendFileOperations> >, int, disk_cache::SimpleEntryCreationResults*), net::CacheType, base::FilePath, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, unsigned long, base::internal::UnretainedWrapper<disk_cache::SimpleFileTracker, base::unretained_traits::MayNotDangle, (base::RawPtrTraits)0>, std::unique_ptr<disk_cache::UnboundBackendFileOperations, std::default_delete<disk_cache::UnboundBackendFileOperations> >, int, base::internal::UnretainedWrapper<disk_cache::SimpleEntryCreationResults, base::unretained_traits::MayNotDangle, (base::RawPtrTraits)0> >, void ()>::RunOnce(base::internal::BindStateBase*) () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#10 0x00007fffa00a16c0 in ()
#11 0x00007fffb29ff070 in ()
#12 0x0000000000000000 in ()
Digging into the program flow a bit, along with the error message, SimpleSynchronousEntry::OpenEntry attempts to open a new cache file, calling SimpleSynchronousEntry::InitializeForCreate.
If InitializeForCreate fails, we fall into an error path that appears to end when we try to close a file that has, at that point in the error path, an invalid fd.
That then hits:
    void ScopedFDCloseTraits::Free(int fd) {
      // It's important to crash here.
      // There are security implications to not closing a file descriptor
      // properly. As file descriptors are "capabilities", keeping them open
      // would make the current process keep access to a resource. Much of
      // Chrome relies on being able to "drop" such access.
      // It's especially problematic on Linux with the setuid sandbox, where
      // a single open directory would bypass the entire security model.
      int ret = IGNORE_EINTR(close(fd));
Which then quite intentionally crashes at:
PCHECK(0 == ret);
I am having some difficulty tracking down the exact program flow which is leading to the crash, mostly due to lack of debugging symbols, and the build process already being a nightmare on my system.
But if there is anything at all that I can do to help narrow things down, I'll be happy to try.
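The following is an added example, not code from Chromium, Qt WebEngine or the bug report above. It reproduces in isolation the two ways close(2) comes back with EBADF (9), the errno in the reported "Bad file descriptor (9)" message, and shows why the PCHECK in the quoted ScopedFDCloseTraits::Free is deliberate: once a descriptor number has been closed, the next open() reuses it, so a stale second close would silently revoke a resource the caller never owned. The ScopedFD class is a hypothetical minimal stand-in for an RAII owner, not Chromium's base::ScopedFD; the example assumes a POSIX system with /dev/null available.

```cpp
// Added example, not code from Chromium or from the bug report. Assumes a
// POSIX system with /dev/null. ScopedFD is a hypothetical minimal RAII owner,
// not Chromium's base::ScopedFD.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <fcntl.h>
#include <unistd.h>

// close(2) with IGNORE_EINTR semantics: EINTR counts as success because the
// descriptor is released either way. Returns 0, or the errno value on failure.
int close_errno(int fd) {
  int ret = close(fd);
  if (ret == -1 && errno == EINTR) return 0;
  return ret == 0 ? 0 : errno;
}

// What the quoted Free() does: a failed close() is fatal, like PCHECK(0 == ret).
void checked_close(int fd) {
  int err = close_errno(fd);
  if (err != 0) {
    std::fprintf(stderr, "Check failed: close(%d): %s (%d)\n", fd, std::strerror(err), err);
    std::abort();
  }
}

// Case 1: a descriptor closed twice. The second close() fails with EBADF.
int double_close_errno() {
  int fd = open("/dev/null", O_RDONLY);
  if (fd < 0) return -1;
  close_errno(fd);
  return close_errno(fd);
}

// Case 2: why that failure must not be ignored. POSIX hands out the lowest free
// descriptor number, so after close(a) the next open() gets the same number and
// a stale "close(a)" actually closes the new file b.
bool stale_close_hits_new_file() {
  int a = open("/dev/null", O_RDONLY);
  if (a < 0) return false;
  close_errno(a);                                  // a is now a stale number
  int b = open("/dev/null", O_RDONLY);
  if (b != a) { close_errno(b); return false; }    // no reuse, nothing to show
  close_errno(a);                                  // revokes b, not a
  return fcntl(b, F_GETFD) == -1 && errno == EBADF;
}

// The discipline that avoids both cases: one owner per descriptor, the slot is
// set to -1 the moment it is closed or released, and -1 is never passed to
// close(). reset() on an already-reset wrapper is therefore a no-op.
class ScopedFD {
 public:
  ScopedFD() = default;
  explicit ScopedFD(int fd) : fd_(fd) {}
  ~ScopedFD() { reset(); }
  ScopedFD(const ScopedFD&) = delete;
  ScopedFD& operator=(const ScopedFD&) = delete;
  int get() const { return fd_; }
  bool is_valid() const { return fd_ >= 0; }
  int release() { int fd = fd_; fd_ = -1; return fd; }
  void reset(int fd = -1) {
    if (fd_ >= 0) checked_close(fd_);
    fd_ = fd;
  }
 private:
  int fd_ = -1;
};

bool scoped_fd_closes_exactly_once() {
  int raw = -1;
  {
    ScopedFD s(open("/dev/null", O_RDONLY));
    if (!s.is_valid()) return false;
    raw = s.get();
    s.reset();                        // explicit close; wrapper is now invalid
    if (s.is_valid()) return false;
  }                                   // destructor sees -1: no second close(), no PCHECK
  return fcntl(raw, F_GETFD) == -1 && errno == EBADF;
}

int main() {
  std::printf("close(-1)              -> errno %d (EBADF is %d)\n", close_errno(-1), EBADF);
  std::printf("double close           -> errno %d\n", double_close_errno());
  std::printf("stale close hits new   -> %s\n", stale_close_hits_new_file() ? "yes" : "no");
  std::printf("ScopedFD closes once   -> %s\n", scoped_fd_closes_exactly_once() ? "yes" : "no");
  return 0;
}
```

Build with `g++ -std=c++17 fd_close.cpp -o fd_close && ./fd_close`. This does not pin down the QtWebEngine path that produced the crash, which the report leaves open for lack of symbols; it shows that the PCHECK itself is behaving as designed, and that the defect to look for is whichever earlier step closed, or never assigned, the descriptor that CloseFiles later hands to close().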