Bug 1222958 (CVE-2024-3832) - VUL-0: chromium,ungoogled-chromium: multiple vulnerabilities fixed in 124.0.6367.60
Status: RESOLVED FIXED
Duplicates: 1222707
Alias: CVE-2024-3832
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/402291/
Whiteboard:
Keywords:
Depends on: 1224178
Blocks:
Reported: 2024-04-17 11:43 UTC by Carlos López
Modified: 2024-05-22 11:28 UTC
CC: 9 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
actually runs into abort in mojo code, here is the backtrace if you're interested (22.22 KB, text/plain) - 2024-04-22 14:05 UTC, Ruediger Oertel
logfile from run aborting with segfault accessing suse.okta.com to authenticate Slack (90.07 KB, text/plain) - 2024-05-02 09:35 UTC, Oliver Kurz

Description Carlos López 2024-04-17 11:43:23 UTC
The Stable channel has been updated to 124.0.6367.60/.61 for Windows and Mac and 124.0.6367.60 to Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.

The Extended Stable channel has been updated to 124.0.6367.60/.61 for Windows and Mac which will roll out over the coming days/weeks.


Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes 23 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.


High CVE-2024-3832: Object corruption in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27

High CVE-2024-3833: Object corruption in WebAssembly. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27

High CVE-2024-3914: Use after free in V8. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21

High CVE-2024-3834: Use after free in Downloads. Reported by ChaobinZhang on 2024-02-24

Medium CVE-2024-3837: Use after free in QUIC. Reported by {rotiple, dch3ck} of CW Research Inc. on 2024-01-15

Medium CVE-2024-3838: Inappropriate implementation in Autofill. Reported by Ardyan Vicky Ramadhan on 2024-03-06

Medium CVE-2024-3839: Out of bounds read in Fonts. Reported by Ronald Crane (Zippenhop LLC) on 2024-01-16

Medium CVE-2024-3840: Insufficient policy enforcement in Site Isolation. Reported by Ahmed ElMasry on 2024-01-22

Medium CVE-2024-3841: Insufficient data validation in Browser Switcher. Reported by Oleg on 2024-03-19

Medium CVE-2024-3843: Insufficient data validation in Downloads. Reported by Azur on 2023-12-24

Low CVE-2024-3844: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2022-02-23

Low CVE-2024-3845: Inappropriate implementation in Network. Reported by Daniel Baulig on 2024-02-03

Low CVE-2024-3846: Inappropriate implementation in Prompts. Reported by Ahmed ElMasry on 2023-05-23

Low CVE-2024-3847: Insufficient policy enforcement in WebUI. Reported by Yan Zhu on 2024-03-08
Comment 2 Benjamin Greiner 2024-04-17 14:58:55 UTC
*** Bug 1222707 has been marked as a duplicate of this bug. ***
Comment 3 Callum Farmer 2024-04-22 10:31:33 UTC
Build issues:
Fails to build in PartitionAllocator
InternalAllocator::deallocate() is using unsigned long for std::basic_string<char> when upstream intends for size_t (likely related to LLVM bug 50742)
Attempted but non-working patch is chromium-123-PA-InternalAllocator.patch

Build configuration:
Upstream uses Clang + libc++
We use Clang + libstdc++ (using libc++ would break unbundling)
We used to use GCC + libstdc++ (acceptable, but v8 breaks on GCC) (and we now have Rust things, so it likely needs Clang for that as well)

We unbundle multiple libraries from the Chromium source:
    flac
    fontconfig
    libdrm
    libevent
    libjpeg
    libpng
    libusb
    libxml
    libxslt
    opus
    snappy
    harfbuzz-ng
    freetype
    icu
    ffmpeg
    libyuv
    libavif
    re2
    webp
    zstd
    zlib
    libffi

GN (GoogleNinja) generates Ninja build files based on the configuration listed under myconf_gn in the specfile; in the upstream repo, config options can be found in *.gni & *.gn


Upstream repo search:
https://source.chromium.org/chromium/chromium/src (good for searching)
https://github.com/chromium/chromium (useful for extracting patches)

Other distros' versions for reference:
https://src.fedoraproject.org/rpms/chromium/tree/rawhide
https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium
https://gitlab.archlinux.org/archlinux/packaging/packages/chromium
Comment 4 Andreas Stieger 2024-04-22 11:03:41 UTC
(In reply to Callum Farmer from comment #3)
> Build issues:
> Fails to build in PartitionAllocator
> InternalAllocator::deallocate() is using unsigned long for
> std::basic_string<char> when upstream intends for size_t (likely related to
> LLVM bug 50742)
> Attempted but non working patch is chromium-123-PA-InternalAllocator.patch

ro@ attempted a 124 bump that drops chromium-123-PA-InternalAllocator.patch
https://build.opensuse.org/request/show/1169578

Revoked due to 
> crashes CRASHING**:seccomp-bpf failure in syscall
Comment 5 Ruediger Oertel 2024-04-22 14:05:24 UTC
Created attachment 874418 [details]
actually runs into abort in mojo code, here is the backtrace if you're interested
Comment 6 Callum Farmer 2024-04-22 19:06:40 UTC
(In reply to Ruediger Oertel from comment #5)
> Created attachment 874418 [details]
> actually runs into abort in mojo code, here is the backtrace if you're
> interested

Gonna investigate
Currently sorting QImage build issue
And I think the issue may lay in chromium-124-mojo-serialisation.patch - it doesn't look right
Comment 7 Ruediger Oertel 2024-04-23 08:23:36 UTC
yes, that one is definitely wrong; still have to find a better solution for
that compile problem

 error: no matching member function for call to emplace()

it does not find a variant without args
Comment 8 Callum Farmer 2024-04-23 08:26:58 UTC
(In reply to Ruediger Oertel from comment #7)
> yes, that one is definitely wrong still have to find a better solution for
> that compile problem 
> 
>  error: no matching member function for call to emplace()
> 
> it does not find a variant without args

I'm working on it

Typically, you just feed it the default cos for some reason, it makes a difference???

Or,
Avoid "default" construction and use an init list which also apparently makes a difference

Lovely non standardisation :(
Comment 9 Bruno Pitrus 2024-04-23 14:04:39 UTC
(In reply to Callum Farmer from comment #3)
> We unbundle multiple libraries from the Chromium source:
>     re2

The new version of re2 has abseil types in its headers. If you unbundle re2 without unbundling abseil you're going to trip over ABI differences which will likely manifest as hard-to-diagnose linker errors.

I've been unbundling both in the nodejs-electron package (which is right now at version 122 of chromium). Abseil needs a rather trivial patch that should be already in Chromium master.


>     libffi
I believe that library has not been used for a long time (it certainly is not used in electron, and I remember cleaning some old stuff related to it)
Comment 10 Ruediger Oertel 2024-04-23 23:50:08 UTC
took out the broken patch, this is the exact compile error I see:

[19748s] clang++ -MD -MF obj/third_party/blink/common/common/auction_config_mojom_traits.o.d -DUSE_UDEV -DUSE_AURA=1 -DUSE_GLIB=1 -DUSE_OZONE=1 -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_GNU_SOURCE -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_NONE -D_GLIBCXX_ASSERTIONS=1 -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 -DBLINK_COMMON_IMPLEMENTATION=1 -DGLIB_VERSION_MAX_ALLOWED=GLIB_VERSION_2_56 -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_56 -DBASE_USE_PERFETTO_CLIENT_LIBRARY=1 -DSK_ENABLE_SKSL -DSK_UNTIL_CRBUG_1187654_IS_FIXED -DSK_USER_CONFIG_HEADER=\"../../skia/config/SkUserConfig.h\" -DSK_WIN_FONTMGR_NO_SIMULATIONS -DSK_DISABLE_LEGACY_INIT_DECODERS -DSK_SLUG_DISABLE_LEGACY_DESERIALIZE -DSK_DISABLE_LEGACY_VULKAN_BACKENDSEMAPHORE -DSK_DISABLE_LEGACY_CREATE_CHARACTERIZATION -DSK_DISABLE_LEGACY_VULKAN_MUTABLE_TEXTURE_STATE -DSK_CODEC_DECODES_JPEG -DSK_ENCODE_JPEG -DSK_ENCODE_PNG -DSK_ENCODE_WEBP -DSK_GANESH -DSK_GPU_WORKAROUNDS_HEADER=\"gpu/config/gpu_driver_bug_workaround_autogen.h\" -DSK_GL -DSK_VULKAN=1 -DSK_GRAPHITE -DSK_DAWN -DVK_USE_PLATFORM_XCB_KHR -DVK_USE_PLATFORM_WAYLAND_KHR -DUSE_EGL -DLIBYUV_DISABLE_NEON -DLIBYUV_DISABLE_LSX -DLIBYUV_DISABLE_LASX -DGOOGLE_PROTOBUF_NO_RTTI -DGOOGLE_PROTOBUF_NO_STATIC_INITIALIZER -DGOOGLE_PROTOBUF_INTERNAL_DONATE_STEAL_INLINE=0 -DHAVE_PTHREAD -DU_USING_ICU_NAMESPACE=0 -DU_ENABLE_DYLOAD=0 -DUSE_CHROMIUM_ICU=1 -DU_ENABLE_TRACING=1 -DU_ENABLE_RESOURCE_TRACING=0 -DU_STATIC_IMPLEMENTATION -DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_FILE -DWEBRTC_ENABLE_AVX2 -DWEBRTC_NON_STATIC_TRACE_EVENT_HANDLERS=0 -DWEBRTC_CHROMIUM_BUILD -DWEBRTC_POSIX -DWEBRTC_LINUX -DABSL_ALLOCATOR_NOTHROW=1 -DWEBRTC_USE_X11 -DWEBRTC_USE_PIPEWIRE -DWEBRTC_USE_GIO -DLOGGING_INSIDE_WEBRTC -DLEVELDB_PLATFORM_CHROMIUM=1 -DCRASHPAD_ZLIB_SOURCE_EXTERNAL -I.. 
-Igen -I../third_party/perfetto/include -Igen/third_party/perfetto/build_config -Igen/third_party/perfetto -Igen/shim_headers/libevent_shim -I../net/third_party/quiche/overrides -I../net/third_party/quiche/src/quiche/common/platform/default -I../net/third_party/quiche/src -I../third_party/skia -Igen/third_party/skia -I../third_party/wuffs/src/release/c -I../third_party/vulkan/include -I../third_party/vulkan-deps/vulkan-headers/src/include -I../third_party/wayland/src/src -I../third_party/wayland/include/src -Igen/third_party/dawn/include -I../third_party/dawn/include -Igen/shim_headers/libpng_shim -I../third_party/khronos -I../gpu -I../third_party/libyuv/include -Igen/shim_headers/opus_shim -Igen/shim_headers/ffmpeg_shim -Igen/shim_headers/flac_shim -Igen/shim_headers/snappy_shim -I../base/allocator/partition_allocator/src -Igen/base/allocator/partition_allocator/src -I../third_party/abseil-cpp -I../third_party/boringssl/src/include -I../third_party/protobuf/src -Igen/protoc_out -I../third_party/ipcz/include -Igen/net/third_party/quiche/src -I../third_party/ced/src -I../third_party/icu/source/common -I../third_party/icu/source/i18n -I../third_party/webrtc_overrides -I../third_party/webrtc -Igen/third_party/webrtc -I../third_party/libwebm/source -I../third_party/mesa_headers -I../third_party/leveldatabase -I../third_party/leveldatabase/src -I../third_party/leveldatabase/src/include -I../third_party/crashpad/crashpad -I../third_party/crashpad/crashpad/compat/linux -I../third_party/crashpad/crashpad/compat/non_win -I../third_party/zlib -I../third_party/libaom/source/libaom -I../third_party/libaom/source/config/linux/x64 -I../third_party/re2/src -Wall -Wimplicit-fallthrough -Wextra-semi -Wunreachable-code-aggressive -Wthread-safety -Wno-missing-field-initializers -Wno-unused-parameter -Wno-psabi -Wloop-analysis -Wno-unneeded-internal-declaration -Wno-ignored-pragma-optimize -Wno-deprecated-builtins -Wno-bitfield-constant-conversion -Wno-deprecated-this-capture 
-Wno-invalid-offsetof -Wno-vla-extension -Wno-thread-safety-reference-return -Wshadow -fno-delete-null-pointer-checks -fno-ident -fno-strict-aliasing -fstack-protector -funwind-tables -fPIC -pthread -fcolor-diagnostics -fmerge-all-constants -flto=thin -fsplit-lto-unit -fwhole-program-vtables -Wno-builtin-macro-redefined -D__DATE__= -D__TIME__= -D__TIMESTAMP__= -no-canonical-prefixes -ftrivial-auto-var-init=pattern -fno-omit-frame-pointer -fvisibility=hidden -Wheader-hygiene -Wstring-conversion -Wtautological-overlap-compare -isystem/usr/include/glib-2.0 -isystem/usr/lib64/glib-2.0/include -Wno-redundant-parens -Wno-redundant-parens -DPROTOBUF_ALLOW_DEPRECATED=1 -isystem/usr/include/nss3 -isystem/usr/include/nspr4 -Wenum-compare-conditional -Wno-c++11-narrowing-const-reference -std=c++20 -Wno-trigraphs -gsimple-template-names -fno-exceptions -fno-rtti -fvisibility-inlines-hidden -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Wno-return-type -Wno-pedantic -Wno-unused-result -Wno-unused-function -Wno-unused-variable -Wno-deprecated-declarations -Wno-return-type -Wno-parentheses -Wno-misleading-indentation -Wno-attributes -Wno-ignored-attributes -Wno-address -Wno-dangling-else -D_GNU_SOURCE -I/usr/include/wayland -I/usr/include/libxkbcommon -I/usr/include/opus -Wno-unused-command-line-argument -Wno-unknown-warning-option -Wno-unused-but-set-variable -Wno-missing-braces -Wno-unused-private-field -Wno-absolute-value -Wno-invalid-offsetof -fpermissive -c ../third_party/blink/common/interest_group/auction_config_mojom_traits.cc -o obj/third_party/blink/common/common/auction_config_mojom_traits.o
[19748s] In file included from ../third_party/blink/common/interest_group/auction_config_mojom_traits.cc:5:
[19748s] In file included from ../third_party/blink/public/common/interest_group/auction_config_mojom_traits.h:20:
[19748s] In file included from ../third_party/blink/public/common/interest_group/auction_config.h:25:
[19748s] In file included from ../third_party/blink/public/common/interest_group/ad_display_size.h:9:
[19748s] In file included from gen/third_party/blink/public/mojom/interest_group/ad_display_size.mojom-shared.h:16:
[19748s] In file included from ../mojo/public/cpp/bindings/array_data_view.h:11:
[19748s] In file included from ../mojo/public/cpp/bindings/lib/array_internal.h:25:
[19748s] In file included from ../mojo/public/cpp/bindings/lib/validation_util.h:13:
[19748s] In file included from ../mojo/public/cpp/bindings/lib/serialization_util.h:14:
[19748s] ../mojo/public/cpp/bindings/lib/serialization_forward.h:72:17: error: no matching member function for call to 'emplace'
[19748s]    72 |         output->emplace();
[19748s]       |         ~~~~~~~~^~~~~~~
[19748s] gen/third_party/blink/public/mojom/interest_group/interest_group_types.mojom-shared.h:1518:28: note: in instantiation of function template specialization 'mojo::internal::Deserialize<blink::mojom::AuctionReportBuyerDebugModeConfigDataView, blink::mojom::internal::AuctionReportBuyerDebugModeConfig_Data *&, std::optional<blink::AuctionConfig::NonSharedParams::AuctionReportBuyerDebugModeConfig>, mojo::Message *&>' requested here
[19748s]  1518 |     return mojo::internal::Deserialize<::blink::mojom::AuctionReportBuyerDebugModeConfigDataView>(
[19748s]       |                            ^
[19748s] ../third_party/blink/common/interest_group/auction_config_mojom_traits.cc:211:13: note: in instantiation of function template specialization 'blink::mojom::AuctionAdConfigNonSharedParamsDataView::ReadAuctionReportBuyerDebugModeConfig<std::optional<blink::AuctionConfig::NonSharedParams::AuctionReportBuyerDebugModeConfig>>' requested here
[19748s]   211 |       !data.ReadAuctionReportBuyerDebugModeConfig(
[19748s]       |             ^
[19748s] /usr/bin/../lib64/gcc/x86_64-suse-linux/13/../../../../include/c++/13/optional:916:2: note: candidate template ignored: requirement 'is_constructible_v<blink::AuctionConfig::NonSharedParams::AuctionReportBuyerDebugModeConfig>' was not satisfied [with _Args = <>]
[19748s]   916 |         emplace(_Args&&... __args)
[19748s]       |         ^
[19748s] /usr/bin/../lib64/gcc/x86_64-suse-linux/13/../../../../include/c++/13/optional:928:2: note: candidate function template not viable: requires at least argument '__il', but no arguments were provided
[19748s]   928 |         emplace(initializer_list<_Up> __il, _Args&&... __args)
[19748s]       |         ^       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[19748s] 1 error generated.
Comment 11 Ruediger Oertel 2024-04-30 08:38:32 UTC
okay, meanwhile I have a build 124.0.6367.78 which does not crash at startup
but still pretty frequently hangs when used for slack, no debugging done yet
Comment 12 Callum Farmer 2024-05-01 11:43:12 UTC
TW now builds as well
124 builds now in network:chromium/chromium-beta

I have no idea how to test Slack?? Any logs would be useful
Try:
chromium-browser --enable-logging=stderr --v=1 > log.txt 2>&1
Comment 13 Oliver Kurz 2024-05-02 09:35:51 UTC
Created attachment 874617 [details]
logfile from run aborting with segfault accessing suse.okta.com to authenticate Slack

I tried out the beta version on Leap 15.5 trying to use Slack and observed a reproducible core dump when accessing the authentication after being redirected to suse.okta.com. No such problem observed on version 122. Logs attached.
Comment 14 Ruediger Oertel 2024-05-02 16:37:03 UTC
the chromium-124 builds all seem rather unstable, the build I tried today
did not crash but showed all kinds of "tab just hangs" with messages like
this at the end of the log

[29751:29791:0502/134525.569410:VERBOSE1:network_delegate.cc(35)] NetworkDelegate::NotifyBeforeURLRequest: https://play.google.com/log?format=json&hasfast=true&authuser=1
[29751:29791:0502/134525.606746:VERBOSE1:url_loader.cc(1819)] Will sniff content for mime type: https://play.google.com/log?format=json&hasfast=true&authuser=1
[29751:29791:0502/134533.798392:VERBOSE1:network_delegate.cc(35)] NetworkDelegate::NotifyBeforeURLRequest: https://signaler-pa.clients6.google.com/punctual/multi-watch/channel?VER=8
&gsessionid=fobar1&key=foobar2&RID=rpc&SID=foobar3&AID=29&CI=0&TYPE=xmlhttp&zx=foobar4&t=1

upstream has a new release, building 124.0.6367.118 in
home:oertel:branches:network:chromium/chromium-beta at the moment
Comment 15 Andreas Stieger 2024-05-03 08:47:40 UTC
pushed 124.0.6367.118 to network:chromium/chromium-beta
Comment 16 OBSbugzilla Bot 2024-05-11 05:35:06 UTC
This is an autogenerated message for OBS integration:
This bug (1222958) was mentioned in
https://build.opensuse.org/request/show/1173380 Factory / chromium
Comment 17 OBSbugzilla Bot 2024-05-11 06:15:05 UTC
This is an autogenerated message for OBS integration:
This bug (1222958) was mentioned in
https://build.opensuse.org/request/show/1173381 Backports:SLE-15-SP5 / chromium
Comment 18 Marcus Meissner 2024-05-13 04:05:07 UTC
openSUSE-SU-2024:0123-1: An update that fixes 35 vulnerabilities is now available.

Category: security (important)
Bug References: 1221732,1222035,1222260,1222707,1222958,1223845,1223846,1224045
CVE References: CVE-2024-2625,CVE-2024-2626,CVE-2024-2627,CVE-2024-2628,CVE-2024-2883,CVE-2024-2885,CVE-2024-2886,CVE-2024-2887,CVE-2024-3156,CVE-2024-3157,CVE-2024-3158,CVE-2024-3159,CVE-2024-3515,CVE-2024-3516,CVE-2024-3832,CVE-2024-3833,CVE-2024-3834,CVE-2024-3837,CVE-2024-3838,CVE-2024-3839,CVE-2024-3840,CVE-2024-3841,CVE-2024-3843,CVE-2024-3844,CVE-2024-3845,CVE-2024-3846,CVE-2024-3847,CVE-2024-4058,CVE-2024-4059,CVE-2024-4060,CVE-2024-4331,CVE-2024-4368,CVE-2024-4558,CVE-2024-4559,CVE-2024-4671
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    chromium-124.0.6367.201-bp155.2.78.1
Comment 19 Andreas Stieger 2024-05-13 09:13:43 UTC
Chromium 124.0.6367.201 is in, as I did not get any crashes anymore.
Comment 20 Ruediger Oertel 2024-05-13 11:34:56 UTC
getting quite a few segfaults following a gnome-meeting today
with 
Version     : 124.0.6367.201
Release     : bp155.1955.1
Distribution: network:chromium / openSUSE_Backports_SLE-15-SP5

no debuginfo installed yet
Comment 21 Andreas Stieger 2024-05-13 11:46:58 UTC
there's a report to users@ complaining about crashes too
Comment 22 Ruediger Oertel 2024-05-13 11:51:34 UTC
aside from many unrelated threads:
                Stack trace of thread 1:
                #0  0x000055ac3fe72d14 _ZN7sandbox19CrashSIGSYS_HandlerERK17arch_seccomp_dataPv (chrome + 0xaab4d14)
                #1  0x000055ac3fe78f02 _ZN7sandbox4Trap6SigSysEiP9siginfo_tP10ucontext_t (chrome + 0xaabaf02)
                #2  0x00007fc0093d5910 __restore_rt (libpthread.so.0 + 0x16910)
                #3  0x00007fc006aead47 alarm (libc.so.6 + 0xe1d47)
                #4  0x000055ac3e248cb8 _ZN4base5debug12_GLOBAL__N_122StackDumpSignalHandlerEiP9siginfo_tPv (chrome + 0x8e8acb8)
                #5  0x00007fc0093d5910 __restore_rt (libpthread.so.0 + 0x16910)
                #6  0x000055ac3e2a443f _ZN14allocator_shim8internal13PartitionFreeEPKNS_17AllocatorDispatchEPvS4_ (chrome + 0x8ee643f)
                #7  0x000055ac41674314 _ZN5blink12FontCacheKeyD2Ev (chrome + 0xc2b6314)
                #8  0x000055ac416788e9 _ZN3WTF29WeakProcessingHashTableHelperILNS_16WeakHandlingFlagE1EN5blink12FontCacheKeyENS_12KeyValuePairIS3_N5cppgc8internal11BasicMemberIKNS2_17SegmentedFontDataENS6_13WeakMemberTagENS6_26DijkstraWriteBarrierPolicyENS6_22DisabledC>
                #9  0x000055ac3b622d1f _ZN5cppgc8internal10MarkerBase15ProcessWeaknessEv (chrome + 0x6264d1f)
                #10 0x000055ac3b6229be _ZN5cppgc8internal10MarkerBase16LeaveAtomicPauseEv (chrome + 0x62649be)
                #11 0x000055ac3af424ba _ZN2v88internal7CppHeap29FinishMarkingAndStartSweepingEv (chrome + 0x5b844ba)
                #12 0x000055ac3af73740 _ZN2v88internal4Heap24PerformGarbageCollectionENS0_16GarbageCollectorENS0_23GarbageCollectionReasonEPKc (chrome + 0x5bb5740)
                #13 0x000055ac3af85c19 _ZZN2v88internal4Heap14CollectGarbageENS0_15AllocationSpaceENS0_23GarbageCollectionReasonENS_15GCCallbackFlagsEENK3$_0clEv (chrome + 0x5bc7c19)
                #14 0x000055ac3af85965 _ZN4heap4base5Stack24SetMarkerAndCallbackImplIZN2v88internal4Heap14CollectGarbageENS4_15AllocationSpaceENS4_23GarbageCollectionReasonENS3_15GCCallbackFlagsEE3$_0EEvPS1_PvPKv (chrome + 0x5bc7965)
                #15 0x000055ac3b6303db PAPushAllRegistersAndIterateStack (chrome + 0x62723db)
                #16 0x000055ac3af6f633 _ZN2v88internal4Heap14CollectGarbageENS0_15AllocationSpaceENS0_23GarbageCollectionReasonENS_15GCCallbackFlagsE (chrome + 0x5bb1633)
                #17 0x000055ac3af87d38 _ZN2v88internal21IncrementalMarkingJob4Task11RunInternalEv (chrome + 0x5bc9d38)
                #18 0x000055ac3e1d5a7b _ZN4base13TaskAnnotator11RunTaskImplERNS_11PendingTaskE (chrome + 0x8e17a7b)
                #19 0x000055ac3e1f12f3 _ZN4base16sequence_manager8internal35ThreadControllerWithMessagePumpImpl10DoWorkImplEPNS_7LazyNowE (chrome + 0x8e332f3)
                #20 0x000055ac3e1f0dcf _ZN4base16sequence_manager8internal35ThreadControllerWithMessagePumpImpl6DoWorkEv (chrome + 0x8e32dcf)
                #21 0x000055ac3e1f1775 _ZThn240_N4base16sequence_manager8internal35ThreadControllerWithMessagePumpImpl6DoWorkEv (chrome + 0x8e33775)
                #22 0x000055ac3e18c96e _ZN4base18MessagePumpDefault3RunEPNS_11MessagePump8DelegateE (chrome + 0x8dce96e)
                #23 0x000055ac3e1f1b3f _ZN4base16sequence_manager8internal35ThreadControllerWithMessagePumpImpl3RunEbNS_9TimeDeltaE (chrome + 0x8e33b3f)
                #24 0x000055ac3e1b5979 _ZN4base7RunLoop3RunERKNS_8LocationE (chrome + 0x8df7979)
                #25 0x000055ac445ceafb _ZN7content12RendererMainENS_18MainFunctionParamsE (chrome + 0xf210afb)
                #26 0x000055ac3d601ce7 _ZN7content9RunZygoteEPNS_19ContentMainDelegateE (chrome + 0x8243ce7)
                #27 0x000055ac3d60245a _ZN7content28RunOtherNamedProcessTypeMainERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEENS_18MainFunctionParamsEPNS_19ContentMainDelegateE (chrome + 0x824445a)
                #28 0x000055ac3d6033a3 _ZN7content21ContentMainRunnerImpl3RunEv (chrome + 0x82453a3)
                #29 0x000055ac3d600d37 _ZN7content17RunContentProcessENS_17ContentMainParamsEPNS_17ContentMainRunnerE (chrome + 0x8242d37)
                #30 0x000055ac3d601357 _ZN7content11ContentMainENS_17ContentMainParamsE (chrome + 0x8243357)
                #31 0x000055ac398080a4 ChromeMain (chrome + 0x444a0a4)
                #32 0x00007fc006a3e24d __libc_start_main (libc.so.6 + 0x3524d)
                #33 0x000055ac392d003a _start (chrome + 0x3f1203a)


                Stack trace of thread 29:
                #0  0x00007fc0093d44b3 __lll_lock_wait (libpthread.so.0 + 0x154b3)
                #1  0x00007fc0093cc1d1 __pthread_mutex_lock (libpthread.so.0 + 0xd1d1)
                #2  0x000055ac3b62799c _ZN5cppgc8internal20PersistentRegionLockC2Ev (chrome + 0x626999c)
                #3  0x000055ac41af981f _ZN5cppgc8internal26BasicCrossThreadPersistentIN5blink26ScriptPromiseResolverTypedINS2_11ImageBitmapEEENS0_33StrongCrossThreadPersistentPolicyENS0_20IgnoreLocationPolicyENS0_22DisabledCheckingPolicyEEC2EPS5_RKN2v814SourceLocationE>
                #4  0x000055ac43086e9c _ZN5blink26FrameQueueUnderlyingSourceI13scoped_refptrIN5media11AudioBufferEEE10QueueFrameES4_ (chrome + 0xdcc8e9c)
                #5  0x000055ac43086ccc _ZN5blink26FrameQueueUnderlyingSourceI13scoped_refptrIN5media11AudioBufferEEE10QueueFrameES4_ (chrome + 0xdcc8ccc)
                #6  0x000055ac430814f0 _ZN5blink25MediaStreamAudioDelivererINS_23WebMediaStreamAudioSinkEE6OnDataERKN5media8AudioBusEN4base9TimeTicksE (chrome + 0xdcc34f0)
                #7  0x000055ac43081214 _ZN5blink21MediaStreamAudioTrack6OnDataERKN5media8AudioBusEN4base9TimeTicksE (chrome + 0xdcc3214)
                #8  0x000055ac4307be8f _ZN5blink25MediaStreamAudioDelivererINS_21MediaStreamAudioTrackEE6OnDataERKN5media8AudioBusEN4base9TimeTicksE (chrome + 0xdcbde8f)
                #9  0x000055ac430e5fcf _ZN5blink25ProcessedLocalAudioSource21DeliverProcessedAudioERKN5media8AudioBusEN4base9TimeTicksESt8optionalIdE (chrome + 0xdd27fcf)
                #10 0x000055ac430e63c9 _ZN5blink25ProcessedLocalAudioSource7CaptureEPKN5media8AudioBusEN4base9TimeTicksERKNS1_15AudioGlitchInfoEdb (chrome + 0xdd283c9)
                #11 0x000055ac3a344099 _ZN5media16AudioInputDevice19AudioThreadCallback7ProcessEj (chrome + 0x4f86099)
                #12 0x000055ac3a342668 _ZN5media17AudioDeviceThread10ThreadMainEv (chrome + 0x4f84668)
                #13 0x000055ac3e22b90f _ZN4base12_GLOBAL__N_110ThreadFuncEPv (chrome + 0x8e6d90f)
                #14 0x00007fc0093c96ea start_thread (libpthread.so.0 + 0xa6ea)
                #15 0x00007fc006b2158f __clone (libc.so.6 + 0x11858f)
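The thread 1 trace above is really three stacks glued together: each __restore_rt frame is glibc's signal-return trampoline, so the frames above it ran inside a signal handler. Read that way, the SIGSEGV handler (StackDumpSignalHandler) called alarm(), the sandbox's seccomp-bpf filter trapped that syscall (hence CrashSIGSYS_Handler on top), and the fault that actually started it all is the PartitionFree call from FontCacheKey's destructor during cppgc weak processing. The script below, an added triage example that is not part of the bug report or the chromium package, parses the coredumpctl-style format and walks past the nested handlers; its sample input is an abbreviated excerpt of the trace in this comment, and the demangler is a deliberately minimal one that handles qualified names only.

```python
import re
from collections import namedtuple

THREAD_RE = re.compile(r"^\s*Stack trace of thread (\d+):")
# "(module + offset)" is optional so frames the dumper truncated (ending in ">") still parse.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(\S+)(?:\s+\((\S+) \+ 0x[0-9a-f]+\))?")
SIGRETURN = "__restore_rt"  # glibc signal-return trampoline: frames above it ran inside a handler
Frame = namedtuple("Frame", "index symbol module")  # module is None on truncated lines

# Abbreviated excerpt of the thread 1 and thread 29 traces from this comment (sample input).
SAMPLE_TRACE = """\
                Stack trace of thread 1:
                #0  0x000055ac3fe72d14 _ZN7sandbox19CrashSIGSYS_HandlerERK17arch_seccomp_dataPv (chrome + 0xaab4d14)
                #1  0x000055ac3fe78f02 _ZN7sandbox4Trap6SigSysEiP9siginfo_tP10ucontext_t (chrome + 0xaabaf02)
                #2  0x00007fc0093d5910 __restore_rt (libpthread.so.0 + 0x16910)
                #3  0x00007fc006aead47 alarm (libc.so.6 + 0xe1d47)
                #4  0x000055ac3e248cb8 _ZN4base5debug12_GLOBAL__N_122StackDumpSignalHandlerEiP9siginfo_tPv (chrome + 0x8e8acb8)
                #5  0x00007fc0093d5910 __restore_rt (libpthread.so.0 + 0x16910)
                #6  0x000055ac3e2a443f _ZN14allocator_shim8internal13PartitionFreeEPKNS_17AllocatorDispatchEPvS4_ (chrome + 0x8ee643f)
                #7  0x000055ac41674314 _ZN5blink12FontCacheKeyD2Ev (chrome + 0xc2b6314)

                Stack trace of thread 29:
                #0  0x00007fc0093d44b3 __lll_lock_wait (libpthread.so.0 + 0x154b3)
                #1  0x00007fc0093cc1d1 __pthread_mutex_lock (libpthread.so.0 + 0xd1d1)
                #2  0x000055ac3b62799c _ZN5cppgc8internal20PersistentRegionLockC2Ev (chrome + 0x626999c)
"""

def demangle_nested(sym):
    """Minimal Itanium demangler: the qualified name of _ZN...E symbols only (args/templates dropped)."""
    if not sym.startswith("_ZN"):
        return sym
    i, parts = 3, []
    while i < len(sym) and sym[i].isdigit():       # <length><identifier> components
        j = i
        while j < len(sym) and sym[j].isdigit():
            j += 1
        n = int(sym[i:j])
        ident = sym[j:j + n]
        parts.append("(anonymous namespace)" if ident.startswith("_GLOBAL__N_") else ident)
        i = j + n
    if not parts:
        return sym
    kind, variant = sym[i:i + 1], sym[i + 1:i + 2]
    if kind == "D" and variant in ("0", "1", "2"):    # destructor of the last component
        parts.append("~" + parts[-1])
    elif kind == "C" and variant in ("1", "2", "3"):  # constructor of the last component
        parts.append(parts[-1])
    return "::".join(parts)

def parse_coredump_traces(text):
    """Map thread id -> list of Frame for every 'Stack trace of thread N:' block."""
    threads, current = {}, None
    for line in text.splitlines():
        if m := THREAD_RE.match(line):
            current = threads.setdefault(int(m.group(1)), [])
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return threads

def split_at_signal_returns(frames):
    """[handler frames, handler frames, ..., frames of the code the first signal interrupted]."""
    segments = [[]]
    for f in frames:
        if f.symbol == SIGRETURN:
            segments.append([])
        else:
            segments[-1].append(f)
    return segments

def triage_thread(frames):
    """Look past nested signal handlers to the frame that was running when the first signal fired."""
    segs = split_at_signal_returns(frames)
    handlers = [demangle_nested(s[-1].symbol) for s in segs[:-1] if s]   # entry point of each handler
    interrupted = [demangle_nested(s[0].symbol) for s in segs[1:] if s]  # what each signal interrupted
    fault = [demangle_nested(f.symbol) for f in segs[-1][:2]]             # innermost frame and its caller
    return {"signals": len(segs) - 1, "handlers": handlers, "interrupted": interrupted, "fault": fault}

if __name__ == "__main__":
    for tid, frames in parse_coredump_traces(SAMPLE_TRACE).items():
        r = triage_thread(frames)
        print(f"thread {tid}: {r['signals']} nested signal(s), handlers {r['handlers']}")
        print(f"  interrupted {r['interrupted']}; fault in {' <- '.join(r['fault'])}")
```

Feed it the full `coredumpctl` output of one of the renderer crashes and the `fault` entry is the frame to compare against the bad-font-gc patches rather than the sandbox frames on top.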
Comment 23 Robert Frohl 2024-05-13 15:26:29 UTC
FTR: retracted the update (openSUSE:Maintenance:18364) b/c of the issue mentioned here and in boo#1224178
Comment 24 Ruediger Oertel 2024-05-16 08:33:16 UTC
hm ... FontCacheKey also here ...

./debian/patches/fixes/bad-font-gc2.patch mentions this

https://salsa.debian.org/chromium-team/chromium/-/tree/master/debian/patches/fixes?ref_type=heads

looks like a big can of worms looking at the number of patches
starting with bad-font-...
Comment 25 Ruediger Oertel 2024-05-17 09:37:49 UTC
trying to build a 125.0.6422.60 with a bad-font-gc patchkit in
home:oertel:branches:network:chromium/chromium-beta
Comment 26 Ruediger Oertel 2024-05-18 22:37:39 UTC
looks promising, running now
ro@p14srudi:~> rpm -q chromium-beta 
chromium-beta-125.0.6422.60-bp155.20.1.x86_64
Comment 27 Andreas Stieger 2024-05-19 05:56:26 UTC
https://build.opensuse.org/request/show/1175078
Comment 28 Andreas Stieger 2024-05-22 11:28:04 UTC
done