- Bug
- Resolution: Unresolved
- P1: Critical
- None
- 6.6.2
- None
-
Linux 6.9.9 on Debian sid / experimental, running under plasmashell 6.1.0, on Wayland, with nVidia driver 555.58.02 with the open kernel driver.
I have a somewhat reproducible crash inside the chromium portion of libQt6WebEngineCore when it is running under plasmashell 4:6.1.0-1 on Debian sid/experimental.
I am in the process of porting the WebSlice widget to Plasma 6, and as this is essentially a wrapper around webengine, it's not a complete shock that I'm hitting surprises.
Sometimes when loading or reloading a page, everything works fine, however sometimes it triggers a crash.
One such crash looks like:
[2349584:2349619:0724/141800.246685:FATAL:scoped_file.cc(43)] Check failed: . : Bad file descriptor (9) 14:20:22 [243/1865]
Thread 16 "ThreadPoolForeg" received signal SIGTRAP, Trace/breakpoint trap. [Switching to Thread 0x7fffb2a006c0 (LWP 2349619)]
0x00007fffbdea6a23 in logging::LogMessage::~LogMessage() () from /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
(gdb) bt
#0 0x00007fffbdea6a23 in logging::LogMessage::~LogMessage() () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#1 0x00007fffbdea6b21 in logging::ErrnoLogMessage::~ErrnoLogMessage() () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#2 0x00007fffbdeaaa0a in logging::CheckError::~CheckError() () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#3 0x00007fffbdec1e61 in base::internal::ScopedFDCloseTraits::Free(int) () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#4 0x00007fffbdf6a123 in base::File::Close() [clone .part.0] () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#5 0x00007fffbdebb551 in base::File::~File() () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#6 0x00007fffbe12c4ce in disk_cache::SimpleFileTracker::Close(disk_cache::SimpleSynchronousEntry const*, disk_cache::SimpleFileTracker::SubFile) () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#7 0x00007fffbe135ae9 in disk_cache::SimpleSynchronousEntry::CloseFiles() [clone .part.0] () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#8 0x00007fffbe13966e in disk_cache::SimpleSynchronousEntry::OpenEntry(net::CacheType, base::FilePath const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long, disk_cache::SimpleFileTracker*, std::unique_ptr<disk_cache::UnboundBackendFileOperations, std::default_delete<disk_cache::UnboundBackendFileOperations> >, int, disk_cache::SimpleEntryCreationResults*) () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#9 0x00007fffbe123181 in base::internal::Invoker<base::internal::BindState<void (*)(net::CacheType, base::FilePath const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long, disk_cache::SimpleFileTracker*, std::unique_ptr<disk_cache::UnboundBackendFileOperations, std::default_delete<disk_cache::UnboundBackendFileOperations> >, int, disk_cache::SimpleEntryCreationResults*), net::CacheType, base::FilePath, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, unsigned long, base::internal::UnretainedWrapper<disk_cache::SimpleFileTracker, base::unretained_traits::MayNotDangle, (base::RawPtrTraits)0>, std::unique_ptr<disk_cache::UnboundBackendFileOperations, std::default_delete<disk_cache::UnboundBackendFileOperations> >, int, base::internal::UnretainedWrapper<disk_cache::SimpleEntryCreationResults, base::unretained_traits::MayNotDangle, (base::RawPtrTraits)0> >, void ()>::RunOnce(base::internal::BindStateBase*) () at /lib/x86_64-linux-gnu/libQt6WebEngineCore.so.6
#10 0x00007fffa00a16c0 in ()
#11 0x00007fffb29ff070 in ()
#12 0x0000000000000000 in ()
Digging into the program flow a bit, along with the error message, SimpleSynchronousEntry::OpenEntry attempts to open a new cache file, calling SimpleSynchronousEntry::InitializeForCreate.
If InitializeForCreate fails, we fall into an error path that appears to end when we try to close a file that has, at that point in the error path, an invalid fd.
That then hits:
void ScopedFDCloseTraits::Free(int fd) {
// It's important to crash here.
// There are security implications to not closing a file descriptor
// properly. As file descriptors are "capabilities", keeping them open
// would make the current process keep access to a resource. Much of
// Chrome relies on being able to "drop" such access.
// It's especially problematic on Linux with the setuid sandbox, where
// a single open directory would bypass the entire security model.
int ret = IGNORE_EINTR(close(fd));
Which then quite intentionally crashes at:
PCHECK(0 == ret);
I am having some difficulty tracking down the exact program flow which is leading to the crash, mostly due to lack of debugging symbols, and the build process already being a nightmare on my system.
But if there is anything at all that I can do to help narrow things down, I'll be happy to try.
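The error path described in the report, as an added C example that is not part of the report, of Qt, or of Chromium's code: it models the ScopedFD close guard in a few lines (the names scoped_fd_close, close_ignore_eintr, double_close_demo and stale_close_revokes_other_fd are mine, not Chromium's), reproduces the EBADF that PCHECK(0 == ret) turns into the fatal "Bad file descriptor (9)" line, and shows why silently ignoring that error would be worse than crashing: descriptor numbers are reused, so a stale close quietly revokes whichever descriptor another part of the process has opened since. The sentinel check at the top of scoped_fd_close is the shape of fix the report points at, where an error path must not try to close a File that never received a valid descriptor.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Outcome of a checked close. Chromium's guard collapses every failure
 * into one fatal CHECK; returning a value instead lets a test observe it. */
enum close_result {
    CLOSE_OK = 0,          /* close(2) succeeded */
    CLOSE_SKIPPED = 1,     /* fd was the -1 sentinel: nothing was open */
    CLOSE_EBADF = 2,       /* close(2) reported EBADF: fd was not open */
    CLOSE_OTHER_ERROR = 3  /* close(2) failed for some other reason */
};

/* Mirrors the intent of IGNORE_EINTR: on Linux the descriptor is released
 * even when close() reports EINTR, so that case is treated as success and
 * must never be retried with the same number (hypothetical helper). */
static int close_ignore_eintr(int fd) {
    int ret = close(fd);
    if (ret == -1 && errno == EINTR)
        ret = 0;
    return ret;
}

/* Checked close with a sentinel guard. A File that was never opened holds -1
 * and is skipped; anything else is closed exactly once and the stored number
 * is cleared so no later path can close it again (hypothetical helper). */
static enum close_result scoped_fd_close(int *fd) {
    if (*fd < 0)
        return CLOSE_SKIPPED;
    int ret = close_ignore_eintr(*fd);
    int err = errno;
    *fd = -1;
    if (ret == 0)
        return CLOSE_OK;
    return err == EBADF ? CLOSE_EBADF : CLOSE_OTHER_ERROR;
}

/* Reproduces the failure mode from the backtrace: the same descriptor number
 * is closed twice. The second close fails with EBADF, which is exactly what
 * PCHECK(0 == ret) turns into the fatal log line in the report. */
static enum close_result double_close_demo(void) {
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return CLOSE_OTHER_ERROR;
    int raw = fd;
    scoped_fd_close(&fd);                 /* fd is now -1, raw is stale */
    int ret = close_ignore_eintr(raw);    /* unchecked close of a stale number */
    return (ret == -1 && errno == EBADF) ? CLOSE_EBADF : CLOSE_OK;
}

/* Why the failed close must be fatal rather than ignored: open(2) returns the
 * lowest free number, so a stale number is soon handed to someone else and a
 * stale close takes *their* descriptor away. Returns 1 when that happened,
 * 0 when reuse was not observed, -1 on setup failure. */
static int stale_close_revokes_other_fd(void) {
    int a = open("/dev/null", O_RDONLY);
    if (a < 0)
        return -1;
    close_ignore_eintr(a);                /* a is now a stale number */
    int b = open("/dev/null", O_RDONLY);  /* single-threaded: gets number a */
    if (b < 0)
        return -1;
    if (b != a) {
        close_ignore_eintr(b);
        return 0;
    }
    close_ignore_eintr(a);                /* stale close: actually closes b */
    int revoked = (fcntl(b, F_GETFD) == -1 && errno == EBADF);
    if (!revoked)
        close_ignore_eintr(b);
    return revoked;
}

int main(void) {
    printf("double close -> %d (2 = EBADF)\n", double_close_demo());
    printf("stale close revoked another fd -> %d\n", stale_close_revokes_other_fd());
    int never_opened = -1;
    printf("sentinel close -> %d (1 = skipped)\n", scoped_fd_close(&never_opened));
    return 0;
}
```

The two demo functions are the same bug seen from two sides: double_close_demo shows the symptom the report hit (EBADF on a descriptor that is no longer valid), and stale_close_revokes_other_fd shows the damage a silently tolerated close can do inside a process that, like the sandboxed browser, treats open descriptors as capabilities.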