Bugzilla – Bug 1214003
Chromium crashed on page loading since last update (signal 11 SEGV_MAPERR __strlen_avx2)
Last modified: 2023-08-22 00:14:24 UTC
OS: openSUSE Tumbleweed 20230803
Chromium version: 115.0.5790.170-1.1
Codecs (if necessary): Packman repo latest

Since the last update, Chromium instantly crashes when I type something in the search bar and press Enter. For two seconds the browser tries to load the page normally, but after a couple of seconds it freezes and crashes. I tried running it from the console to debug and see the stack trace; maybe it is helpful: https://paste.opensuse.org/pastes/7c467c7afe54
Maybe more info can be useful: I tested some options and found that this Chromium version falls into this stack trace with any browser extensions installed. With the start option --disable-extensions all seems OK.
*** Bug 1214021 has been marked as a duplicate of this bug. ***
*** Bug 1214028 has been marked as a duplicate of this bug. ***
Same problem running with `chromium --disable-gpu`: after a few seconds Chromium crashes with the error:

```
#41 0x55f01d1d5035 _start
  r8: 000055f027a5e4f8  r9: 00003a54026d9f40 r10: 000055f027ec2000 r11: 00007fffcda65afc
 r12: 00007fffcda653e8 r13: 00007fffcda65320 r14: 00003a54026d9f40 r15: 000055f01b587346
  di: 0000000000000000  si: 0000000000000000  bp: 00007fffcda65300  bx: 00007fffcda653e8
  dx: 0000000000000000  ax: 0000000000000000  cx: 000055f01b3aeb01  sp: 00007fffcda65248
  ip: 00007f1433b6b6ad efl: 0000000000010283 cgf: 002b000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Ошибка сегментирования (образ памяти сброшен на диск
```
Hi, I can confirm this bug, for it helps to disable the following extensions: uBlock origin and ClearURLs. I reverted back to 115.0.5790.98. Regards, Sebastian
upstream bug is: https://bugs.chromium.org/p/chromium/issues/detail?id=1470479 But this might be openSUSE specific.
Can I ask the reporters for some data that might help? Regarding being related to extensions: Do we have any counter-example crashes on profiles without extensions installed? Regarding hardware: Could you attach the /proc/cpuinfo flags please, specifically if it contains avx2?
(In reply to Andreas Stieger from comment #7)
> Can I ask the reporters for some data that might help?
>
> Regarding hardware: Could you attach the /proc/cpuinfo flags please,
> specifically if it contains avx2?

```
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 23
model           : 113
model name      : AMD Ryzen 7 3700X 8-Core Processor
stepping        : 0
microcode       : 0x8701021
cpu MHz         : 2200.000
cache size      : 512 KB
physical id     : 0
siblings        : 16
core id         : 0
cpu cores       : 8
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 16
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid aperfmperf rapl pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt tce topoext perfctr_core perfctr_nb bpext perfctr_llc mwaitx cpb cat_l3 cdp_l3 hw_pstate ssbd mba ibpb stibp vmmcall fsgsbase bmi1 avx2 smep bmi2 cqm rdt_a rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetbv1 cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local clzero irperf xsaveerptr rdpru wbnoinvd arat npt lbrv svm_lock nrip_save tsc_scale vmcb_clean flushbyasid decodeassists pausefilter pfthreshold avic v_vmsave_vmload vgif v_spec_ctrl umip rdpid overflow_recov succor smca sev sev_es
bugs            : sysret_ss_attrs spectre_v1 spectre_v2 spec_store_bypass retbleed smt_rsb
bogomips        : 7203.21
TLB size        : 3072 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 43 bits physical, 48 bits virtual
power management: ts ttp tm hwpstate cpb eff_freq_ro
```

In my case the crash happens when the Browserpass extension is enabled; when it is disabled, Chromium works fine.
Nothing obvious in the source diff.
I have this crash too, with the same stack as the bugs.chromium.org report, i.e. involving `extensions::FormDataParser::CreateFromContentTypeHeader()`. My CPU has avx2 and indeed it no longer crashes if I disable the uBlock Origin extension.

The strange thing is that the disassembly of the chromium frame is:

```
<_ZN10extensions14FormDataParser27CreateFromContentTypeHeader...+941> xor edi,edi
<_ZN10extensions14FormDataParser27CreateFromContentTypeHeader...+943> call 0x56094fe55260 <strlen@plt>
```

This is `strlen(NULL)`, so it's not surprising that it segfaults, but why this is here I can't tell. There's no -debugsource and I can't line up the surrounding assembly with the upstream source at https://github.com/chromium/chromium/blob/115.0.5790.170/extensions/browser/api/web_request/form_data_parser.cc#L327
(In reply to Andreas Stieger from comment #7)
> Can I ask the reporters for some data that might help?
>
> Regarding being related to extensions: Do we have any counter-example
> crashes on profiles without extensions installed?
>
> Regarding hardware: Could you attach the /proc/cpuinfo flags please,
> specifically if it contains avx2?

```
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 23
model           : 104
model name      : AMD Ryzen 5 5500U with Radeon Graphics
stepping        : 1
microcode       : 0x8608103
cpu MHz         : 400.000
cache size      : 512 KB
physical id     : 0
siblings        : 12
core id         : 0
cpu cores       : 6
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 16
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid aperfmperf rapl pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt tce topoext perfctr_core perfctr_nb bpext perfctr_llc mwaitx cpb cat_l3 cdp_l3 hw_pstate ssbd mba ibrs ibpb stibp vmmcall fsgsbase bmi1 avx2 smep bmi2 cqm rdt_a rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetbv1 cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local clzero irperf xsaveerptr rdpru wbnoinvd cppc arat npt lbrv svm_lock nrip_save tsc_scale vmcb_clean flushbyasid decodeassists pausefilter pfthreshold avic v_vmsave_vmload vgif v_spec_ctrl umip rdpid overflow_recov succor smca
bugs            : sysret_ss_attrs spectre_v1 spectre_v2 spec_store_bypass retbleed smt_rsb
bogomips        : 4193.47
TLB size        : 3072 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 48 bits physical, 48 bits virtual
power management: ts ttp tm hwpstate cpb eff_freq_ro
```

If necessary: I have uBlock Origin and Plasma Browser Integration as extensions.
My CPU is the following:

```
processor       : 7
vendor_id       : GenuineIntel
cpu family      : 6
model           : 94
model name      : Intel(R) Xeon(R) CPU E3-1535M v5 @ 2.90GHz
stepping        : 3
microcode       : 0xf0
cpu MHz         : 800.040
cache size      : 8192 KB
physical id     : 0
siblings        : 8
core id         : 3
cpu cores       : 4
apicid          : 7
initial apicid  : 7
fpu             : yes
fpu_exception   : yes
cpuid level     : 22
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow flexpriority ept vpid ept_ad fsgsbase tsc_adjust sgx bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp vnmi md_clear flush_l1d arch_capabilities
vmx flags       : vnmi preemption_timer invvpid ept_x_only ept_ad ept_1gb flexpriority tsc_offset vtpr mtf vapic ept vpid unrestricted_guest ple shadow_vmcs pml
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed
bogomips        : 5802.42
clflush size    : 64
cache_alignment : 64
address sizes   : 39 bits physical, 48 bits virtual
power management:
```

My extensions list is the following: video player, Markdown preview, Advanced Fonts 0.7, Theme Breeze Dark. So no uBlock or things like that, but I have a filtering upstream DNS, so maybe some DNS call returns nothing. If started with --disable-extensions it works as normal.
I'm also using official Chrome Version 115.0.5790.170 (Official Build) (64-bit) with the same extensions, and nothing crashes there.
Maybe related to some extent: the CVE-2022-40982 vulnerability mitigations will cause up to a 50% performance drop, as it concerns AVX2 and AVX512?
(In reply to Arnav Singh from comment #10)
> The strange thing is that the disassembly of the chromium frame is:
>
> <_ZN10extensions14FormDataParser27CreateFromContentTypeHeader...+941>
> xor edi,edi
> <_ZN10extensions14FormDataParser27CreateFromContentTypeHeader...+943>
> call 0x56094fe55260 <strlen@plt>
>
> This is `strlen(NULL)` so it's not surprising that it segfaults, but why
> this is here I can't tell. There's no -debugsource and I can't line up
> the surrounding assembly with the upstream source at
> https://github.com/chromium/chromium/blob/115.0.5790.170/extensions/browser/
> api/web_request/form_data_parser.cc#L327

This appears to be this line: https://github.com/chromium/chromium/blob/115.0.5790.170/extensions/browser/api/web_request/form_data_parser.cc#L361

If I'm reading the offsets right, the `strlen(NULL)` is being used to populate the `source_` field defined on this line https://github.com/chromium/chromium/blob/115.0.5790.170/extensions/browser/api/web_request/form_data_parser.cc#L107 with its default value. `re2::StringPiece` is a typedef for `abseil::string_view`, which does claim to have a well-defined default ctor.

In any case, I don't believe avx2 is a requirement for this bug since `strlen(NULL)` is illegal regardless of whether that eventually forwards to `strlen_avx2` or not, unless the non-avx2 impls happen to support being called with `NULL` for some reason. If someone can test with a non-avx2 CPU that would be good.
Yes, this simple program with abseil-cpp-devel-20230125.3-2.1 from the TW repo has the same issue:

```
$ cat foo.cpp
#include <absl/strings/string_view.h>

int main() {
    // single-argument ctor from a pointer: runs strlen() on nullptr
    absl::string_view sv(nullptr);
    return 0;
}

$ g++ -o foo -g foo.cpp && gdb --args ./foo
...
Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
76          VPCMPEQ (%rdi), %ymm0, %ymm1
```

It's also because it's doing `strlen(NULL)`.

So this is either an abseil issue that `string_view(nullptr)` crashes, or chromium is wrong when it does `string_view(nullptr)` on this line: https://github.com/chromium/chromium/blob/115.0.5790.170/extensions/browser/api/web_request/form_data_parser.cc#L375
(In reply to Arnav Singh from comment #16)
> Yes, this simple program with abseil-cpp-devel-20230125.3-2.1 from TW repo
> has the same issue:
>
> $ cat foo.cpp
>
> #include <absl/strings/string_view.h>
>
> int main() {
>     absl::string_view sv(nullptr);
>     return 0;
> }
>
> $ g++ -o foo -g foo.cpp && gdb --args ./foo
>
> ...
>
> Program received signal SIGSEGV, Segmentation fault.
> __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
> 76          VPCMPEQ (%rdi), %ymm0, %ymm1
>
> It's also because it's doing `strlen(NULL)`
>
> So this is either an abseil issue that `string_view(nullptr)` crashes,
> or chromium is wrong when it does `string_view(nullptr)` on this line:
> https://github.com/chromium/chromium/blob/115.0.5790.170/extensions/browser/
> api/web_request/form_data_parser.cc#L375

Chromium bundled abseil-cpp = ~20230802.rc1
openSUSE abseil-cpp = 20230125.3
And lastly, as for why this broke: re2::StringPiece used to be its own type that allowed being initialized with a single nullptr parameter: https://github.com/google/re2/blame/b76a3eac1dfc7f0fe1d6a64cb59eab868056f099/re2/stringpiece.h#L61-L62

When it changed to become a typedef of absl::string_view (https://github.com/google/re2/commit/49d776b9d29d79b6e2876d5f091d2207d8123dfa#diff-3575b93827d50e6bd516e94b3511782f72bac0315d105c5de8d0c10b7f4a9fb8) it lost this ability, since absl::string_view requires that nullptr construction use the two-arg ctor `string_view(nullptr, 0)`: https://github.com/abseil/abseil-cpp/blob/20230125.3/absl/strings/string_view.h#L193-L198

I don't know enough about chromium's build system to know if the problem is upstream using new re2 without updating chromium for its semantics, or if the problem is with openSUSE's build forcing it to use the distro re2 package that is newer than what upstream supports building with.
Reproduced on my machine.

```
Received signal 11 SEGV_MAPERR 000000000000
#0 0x55f52e97f382 base::debug::CollectStackTrace()
#1 0x55f52e96b653 base::debug::StackTrace::StackTrace()
#2 0x55f52e97ee61 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7fb90ac41330 (/usr/lib64/libc.so.6+0x3e32f)
#4 0x7fb90acb3c3a __strlen_sse2
#5 0x55f52d58fd24 extensions::FormDataParser::CreateFromContentTypeHeader()
```

I'll need a bit of time to look at an abseil-cpp bump or re2. Callum WDYT?
(In reply to Andreas Stieger from comment #19)
> I'll need a bit of time to look at an abseil-cpp bump or re2. Callum WDYT?

Neither of those will help. abseil's string_view is just delegating to std::string_view (which is where the behavior of not supporting nullptr in the single-arg ctor comes from), and that hasn't changed in the newer version. re2 being bumped will also not help because using a newer re2 is what caused the problem in the first place.

Upstream fixed this in https://github.com/chromium/chromium/commit/3f6cd624418e2aacd7f2802df188585db78044da so you can patch that in.
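The two preceding comments pin the crash down to a `string_view` member initialised from a bare `nullptr`, which the single-argument `const char*` constructor turns into `strlen(NULL)`. The block below is an added illustration written for this thread, not Chromium's or abseil's code: it uses `std::string_view` (to which `absl::string_view` delegates, as noted above) in a hypothetical `ContentTypeParser` whose `source_` member and `CreateFromContentTypeHeader` factory mirror the shape discussed, with the member left default-constructed and a `ViewOrEmpty` helper (both names are invented here) that turns a missing header into an empty view instead of dereferencing it. The Content-Type strings it parses are constructed sample input.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string_view>

// Null-safe conversion from a C string to a view. The single-argument
// std::string_view(const char*) / absl::string_view(const char*) ctor calls
// strlen() on its argument, so a null pointer must never reach it.
std::string_view ViewOrEmpty(const char* p) {
  // Default-constructed view: data() == nullptr, size() == 0, no strlen() call.
  return p ? std::string_view(p) : std::string_view();
}

// Hypothetical parser (not Chromium's FormDataParser), shaped like the code
// discussed in the thread: a string_view member `source_` plus a factory keyed
// on the Content-Type header value.
class ContentTypeParser {
 public:
  // Returns nullptr when the header is missing, the media type is unsupported,
  // or a multipart header has no usable boundary. `header` must outlive the
  // parser because the returned views point into it.
  static std::unique_ptr<ContentTypeParser> CreateFromContentTypeHeader(const char* header);

  bool multipart() const { return multipart_; }
  std::string_view source() const { return source_; }
  std::string_view boundary() const { return boundary_; }

 private:
  ContentTypeParser(std::string_view source, bool multipart, std::string_view boundary)
      : source_(source), multipart_(multipart), boundary_(boundary) {}

  // The crashing pattern is `std::string_view source_{nullptr};` (or
  // `source_(nullptr)` in an initializer list): it compiles, but evaluates
  // strlen(NULL) at run time. A defaulted member, or the explicit two-argument
  // form string_view(nullptr, 0), is well-defined.
  std::string_view source_;
  bool multipart_ = false;
  std::string_view boundary_;
};

std::unique_ptr<ContentTypeParser>
ContentTypeParser::CreateFromContentTypeHeader(const char* header) {
  constexpr std::string_view kUrlEncoded = "application/x-www-form-urlencoded";
  constexpr std::string_view kMultipart = "multipart/form-data";
  constexpr std::string_view kBoundaryParam = "boundary=";

  std::string_view ct = ViewOrEmpty(header);
  if (ct.empty()) return nullptr;

  if (ct.substr(0, kUrlEncoded.size()) == kUrlEncoded) {
    // URL-encoded bodies carry no boundary; `source_` stays default-constructed.
    return std::unique_ptr<ContentTypeParser>(
        new ContentTypeParser(std::string_view(), false, std::string_view()));
  }

  if (ct.substr(0, kMultipart.size()) == kMultipart) {
    std::size_t pos = ct.find(kBoundaryParam);
    if (pos == std::string_view::npos) return nullptr;  // multipart without boundary
    std::string_view b = ct.substr(pos + kBoundaryParam.size());
    std::size_t end = b.find(';');                       // drop further parameters
    if (end != std::string_view::npos) b = b.substr(0, end);
    if (b.size() >= 2 && b.front() == '"' && b.back() == '"')
      b = b.substr(1, b.size() - 2);                     // strip optional quotes
    if (b.empty()) return nullptr;
    return std::unique_ptr<ContentTypeParser>(new ContentTypeParser(ct, true, b));
  }
  return nullptr;  // unsupported media type
}

int main() {
  // Constructed sample headers.
  const char* header = "multipart/form-data; boundary=\"----constructed-boundary\"";
  auto p = ContentTypeParser::CreateFromContentTypeHeader(header);
  std::printf("multipart=%d boundary=%.*s\n", p ? p->multipart() : 0,
              p ? static_cast<int>(p->boundary().size()) : 0,
              p ? p->boundary().data() : "");
  auto none = ContentTypeParser::CreateFromContentTypeHeader(nullptr);
  std::printf("null header -> %s\n", none ? "parser" : "nullptr, no strlen(NULL)");
  return 0;
}
```

The point the example makes is that the crash is not in the parsing logic at all: a member declared `std::string_view source_;` costs nothing and is safe, while `source_(nullptr)` compiles silently against the newer re2/abseil types and only fails at run time, which is why a type change in a dependency surfaced as a segfault in glibc's `strlen`.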
Thanks Arnav and all. https://build.opensuse.org/request/show/1103210
Thanks. I confirmed the package from network:chromium doesn't crash for me on the websites it crashed before.
This is an autogenerated message for OBS integration: This bug (1214003) was mentioned in https://build.opensuse.org/request/show/1104076 Backports:SLE-15-SP4+Backports:SLE-15-SP5 / chromium
This is an autogenerated message for OBS integration: This bug (1214003) was mentioned in https://build.opensuse.org/request/show/1104146 Factory / ungoogled-chromium
openSUSE-SU-2023:0234-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1214003,1214301
CVE References: CVE-2023-2312,CVE-2023-4349,CVE-2023-4350,CVE-2023-4351,CVE-2023-4352,CVE-2023-4353,CVE-2023-4354,CVE-2023-4355,CVE-2023-4356,CVE-2023-4357,CVE-2023-4358,CVE-2023-4359,CVE-2023-4360,CVE-2023-4361,CVE-2023-4362,CVE-2023-4363,CVE-2023-4364,CVE-2023-4365,CVE-2023-4366,CVE-2023-4367,CVE-2023-4368
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): chromium-116.0.5845.96-bp155.2.19.1
openSUSE Backports SLE-15-SP4 (src): chromium-116.0.5845.96-bp154.2.105.1