Bug #2623

Instant panic trying to view html5 videos with Firefox

Added by ftigeot 4 months ago. Updated 3 months ago.

Status:NewStart date:01/01/2014
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:-
Target version:-

Description

The kernel panics almost immediately after a video has started playing.

Steps to reproduce:
- Use DragonFly 3.7/x86_64 (i386 untested)
- Launch firefox
- Try to see a video on youtube

Panic message and stack trace:

<6>pid 1606 (firefox), uid 1000: exited on signal 6
panic: assertion "ref >= &td->td_toks_base && ref->tr_tok == tok" failed in lwkt_reltoken at /usr/src/sys/kern/lwkt_token.c:812

(kgdb) #0 _get_mycpu () at ./machine/thread.h:69
#1 md_dumpsys (di=di@entry=0xffffffff80f2df60 <dumper>)
at /usr/src/sys/platform/pc64/x86_64/dump_machdep.c:265
#2 0xffffffff80564952 in dumpsys () at /usr/src/sys/kern/kern_shutdown.c:912
#3 0xffffffff80564e1f in boot (howto=howto@entry=260)
at /usr/src/sys/kern/kern_shutdown.c:369
#4 0xffffffff80565115 in panic (
fmt=fmt@entry=0xffffffff8097ba38 "assertion \"%s\" failed in %s at %s:%u")
at /usr/src/sys/kern/kern_shutdown.c:818
#5 0xffffffff80579478 in lwkt_reltoken (tok=tok@entry=0xffffffe209df2040)
at /usr/src/sys/kern/lwkt_token.c:812
#6 0xffffffff80567f58 in sigexit (lp=lp@entry=0xffffffe20a21f200,
sig=sig@entry=6) at /usr/src/sys/kern/kern_sig.c:2185
#7 0xffffffff80568126 in postsig (sig=sig@entry=6)
at /usr/src/sys/kern/kern_sig.c:2083
#8 0xffffffff80930f1d in userret (lp=lp@entry=0xffffffe20a21f200,
frame=frame@entry=0xffffffe20f42f9f8, sticks=sticks@entry=7812)
at /usr/src/sys/platform/pc64/x86_64/trap.c:275
#9 0xffffffff809325e3 in syscall2 (frame=0xffffffe20f42f9f8)
at /usr/src/sys/platform/pc64/x86_64/trap.c:1310
#10 0xffffffff8091bfeb in Xfast_syscall ()
at /usr/src/sys/platform/pc64/x86_64/exception.S:323
#11 0x000000000000002b in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

patch-kern_sig.c Magnifier - Kernel patch removing lwkt_xxx_token() calls from sigexit() (555 Bytes) ftigeot, 01/12/2014 01:29 AM

History

#1 Updated by ftigeot 4 months ago

Core dump files are now present on leaf:~ftigeot/crash/crash.issue2623

#2 Updated by marino 4 months ago

i am curious, which firefox are you using? version 26?

and was firefox installed from binary package?

#3 Updated by ftigeot 3 months ago

It was with firefox 25 (both package and locally compiled dports version).
Now that I've upgraded to firefox 26, the issue isn't visible anymore.

#4 Updated by ftigeot 3 months ago

I can still reproduce this issue with a firefox or seamonkey binary built with the ALSA option

#5 Updated by ftigeot 3 months ago

The kernel panic is obviously caused by some wrong usage of the p->p_token token.

Removing the lwkt_gettoken() and lwkt_reltoken() calls from sigexit() is enough to prevent it.
The user process dies quietly, producing a coredump and printing some debug information:

Assertion failed: (r == 0), function alsa_stream_destroy, file /usr/obj/dports/www/seamonkey/work/comm-release/mozilla/media/libcubeb/src/cubeb_alsa.c, line 885.

#6 Updated by ftigeot 3 months ago

Kernel patch I used

Also available in: Atom PDF