Webview sandboxed_process crashed, signal 31 (SECCOMP)
Reported by julian....@mediatek.com, Nov 3 2017
Issue description
Device name: Mediatek MT6580 based platform
Android version: 8.1.0/O10921
WebView version: 61.0.3163.98
Application: com.android.webview:sandboxed_process0
Application version: N/A
URLs (if applicable): N/A
1. The WebView sandboxed process received signal 3 from Android's ActivityManager for an ANR backtrace dump.
2. The linker calls prctl after receiving signal 3 (the linker is stock AOSP, unmodified).
3. webview:sandboxed_process0 raises signal 31, because seccomp has been enabled since WebView Chromium 61.
From the kernel log:
[13272.021475] -(1)[676:ActivityManager][name:mtprof&][signal][676:ActivityManager] send death sig 3 to [14186:dboxed_process0:S]
...
[13274.024713] -(0)[14186:dboxed_process0][name:mtprof&][signal][14186:dboxed_process0] send death sig 31 to [14186:dboxed_process0:R]
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'alps/full_k80_bsp/k80_bsp:8.1.0/O10921/1507666027:eng/dev-keys'
Revision: '0'
ABI: 'arm'
pid: 14186, tid: 14186, name: dboxed_process0 >>> com.android.webview:sandboxe <<<
signal 31 (SIGSYS), code 1 (SYS_SECCOMP), fault addr --------
r0 00000027 r1 00000000 r2 00000000 r3 00000000
r4 00000000 r5 00000000 r6 00000000 r7 000000ac
r8 00000000 r9 aa51b4fc sl 00000004 fp 00000000
ip aa42bb58 sp aa42bb48 lr aa449df9 pc aa4a9b10 cpsr 400b0010
backtrace:
#00 pc 00078b10 /system/bin/linker (__dl_prctl+20)
#01 pc 00018df5 /system/bin/linker (__dl__ZL24debuggerd_signal_handleriP7siginfoPv+164)
#02 pc 00081624 /system/bin/linker
#03 pc 000612ec /system/lib/libc.so (__epoll_pwait+16)
#04 pc 0001c8b4 /system/lib/libc.so (epoll_pwait+68)
#05 pc 0001c8f4 /system/lib/libc.so (epoll_wait+20)
#06 pc 0000fff3 /system/lib/libutils.so (android::Looper::pollInner(int)+118)
#07 pc 0000fee5 /system/lib/libutils.so (android::Looper::pollOnce(int, int*, int*, void**)+32)
#08 pc 000b2689 /system/lib/libandroid_runtime.so (android::NativeMessageQueue::pollOnce(_JNIEnv*, _jobject*, int)+24)
Nov 4 2017
Nov 7 2017
I am not sure the Android WebView's crashes show in the Chrome browser. I have done some experiments that kill the sandboxed process via "kill -11":
1. Kill the sandboxed process used by the Chrome browser: the crash report shows in the chrome://crashes page.
2. Kill the sandboxed process used by Google WebView: the crash report doesn't show in the chrome://crashes page.
Anyway, we have another sandbox crash using Google WebView; the breakpad microdump is attached.
Nov 7 2017
Yeah, chrome://crashes is not relevant for webview. Chromium policy for prctl only permits certain PR_* flags to be used, as per https://cs.chromium.org/chromium/src/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc?rcl=e11e9a668e39a1ede332793ba8d677664d057f32&l=153 Current debuggerd appears to use several other PR_* flags such as PR_GET_NO_NEW_PRIVS. This probably doesn't affect "normal" crashes because breakpad intentionally doesn't let the debuggerd handler get called in most cases, but breakpad doesn't trap SIGQUIT. Robert, I guess we should update the policy here. :/ Can you take care of it?
Nov 8 2017
Hi Torne, thanks for the information. I have checked our crash log further; it seems SIGQUIT doesn't cause the crash directly. In Android 8.1, when an ANR occurs, debuggerd performs dumping twice for each process:
11-07 13:25:36.720890 819 908 I zygote : libdebuggerd_client: started dumping process 6081
11-07 13:25:36.723400 482 482 I /system/bin/tombstoned: registered intercept for pid 6081 and type kDebuggerdJavaBacktrace
…
11-07 13:25:41.875832 819 908 I zygote : libdebuggerd_client: started dumping process 6081
11-07 13:25:41.895708 482 482 I /system/bin/tombstoned: registered intercept for pid 6081 and type kDebuggerdNativeBacktrace
The first dump is SIGQUIT, and the sandboxed process is still alive. The second dump is DEBUGGER_SIGNAL (signal 35); debuggerd then uses prctl while handling DEBUGGER_SIGNAL, and that causes signal 31 (the sandboxed process crash). Is it possible for Android 8.1's default WebView to get the fix for the prctl policy? Thank you.
Nov 8 2017
Breakpad doesn't trap DEBUGGER_SIGNAL either, so the same applies. It's much too late to update the webview in 8.1; this will be fixed in an update via the play store.
Nov 20 2017
Nov 29 2017
https://chromium-review.googlesource.com/c/chromium/src/+/797435
Nov 29 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8e969ee8d650f7799ff05e2998e109350e2ef0f1

commit 8e969ee8d650f7799ff05e2998e109350e2ef0f1
Author: Robert Sesek <rsesek@chromium.org>
Date: Wed Nov 29 22:45:19 2017

[Android] Permit PR_GET_NO_NEW_PRIVS under seccomp.

The debuggerd_signal_handler uses this as an indicator for Seccomp being enabled. See https://android-review.googlesource.com/c/platform/system/core/+/335460.

Bug: 781110
Cq-Include-Trybots: master.tryserver.chromium.android:android_arm64_dbg_recipe;master.tryserver.chromium.android:android_compile_mips_dbg;master.tryserver.chromium.android:android_compile_x64_dbg;master.tryserver.chromium.android:android_compile_x86_dbg
Change-Id: I0f394876aa0ec3cc665307936565b22d71b9cdec
Reviewed-on: https://chromium-review.googlesource.com/797435
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#520281}

[modify] https://crrev.com/8e969ee8d650f7799ff05e2998e109350e2ef0f1/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
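Added example (not Chromium's, Android's, or any commenter's code) modelling the policy decision discussed in the Nov 7 comment and fixed by the commit above: a seccomp-bpf program that allows every syscall except prctl, and allows prctl only for an allow-list of options, evaluated in userspace against the register values from the tombstone (r7 = 0xac is __NR_prctl on ARM EABI, r0 = 0x27 is PR_GET_NO_NEW_PRIVS). The pre-fix policy returns SECCOMP_RET_TRAP, which delivers a catchable SIGSYS (signal 31) with si_code SYS_SECCOMP, as in the report; the post-fix policy adds PR_GET_NO_NEW_PRIVS and allows the call. The allow-list of options (PR_GET_DUMPABLE, PR_SET_DUMPABLE, PR_SET_NAME) and all function names are assumptions for illustration; Chromium's real list lives in syscall_parameters_restrictions.cc.

```c
/*
 * Added example (not Chromium's or Android's code): the prctl() option
 * check discussed in the bug, built as a seccomp-bpf program and evaluated
 * in userspace so the pre-fix and post-fix policies can be replayed against
 * the tombstone's registers.  The PR_* allow-list is assumed.
 */
#include <stdint.h>
#include <stdio.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* BPF opcodes and seccomp verdicts: the values from <linux/filter.h> and
 * <linux/seccomp.h>, spelled out so the evaluator also builds off Linux. */
#define BPF_LD_W_ABS      0x20        /* acc = 32-bit word at seccomp_data[k]   */
#define BPF_JEQ_K         0x15        /* if (acc == k) pc += jt; else pc += jf */
#define BPF_RET_K         0x06        /* return verdict k                       */
#define SECCOMP_RET_TRAP  0x00030000u /* SIGSYS, si_code SYS_SECCOMP (signal 31) */
#define SECCOMP_RET_ALLOW 0x7fff0000u

/* struct seccomp_data offsets: nr at 0; args[0] at 16 (low word first on
 * the little-endian 32-bit ARM ABI of the device in the report). */
#define SD_NR   0
#define SD_ARG0 16

#define NR_PRCTL_ARM 172              /* __NR_prctl on ARM EABI: r7 = 0xac */
#ifndef PR_GET_DUMPABLE
#define PR_GET_DUMPABLE 3
#endif
#ifndef PR_SET_DUMPABLE
#define PR_SET_DUMPABLE 4
#endif
#ifndef PR_SET_NAME
#define PR_SET_NAME 15
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39        /* r0 = 0x27 in the tombstone */
#endif

struct insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; }; /* == struct sock_filter */
#define STMT(c, k)     { (c), 0, 0, (k) }
#define JEQ(k, jt, jf) { BPF_JEQ_K, (jt), (jf), (k) }

/* Builds the policy into out (capacity >= 16) and returns its length.
 * allow_no_new_privs = 0 is the pre-fix policy that killed the WebView
 * sandboxed process; 1 is the policy after the commit above. */
static int build_prctl_policy(struct insn *out, int allow_no_new_privs) {
    static const uint32_t base_allowed[] = { PR_GET_DUMPABLE, PR_SET_DUMPABLE, PR_SET_NAME };
    int n = 0, i;
    out[n++] = (struct insn)STMT(BPF_LD_W_ABS, SD_NR);
    out[n++] = (struct insn)JEQ(NR_PRCTL_ARM, 1, 0);      /* prctl? skip the allow */
    out[n++] = (struct insn)STMT(BPF_RET_K, SECCOMP_RET_ALLOW);
    out[n++] = (struct insn)STMT(BPF_LD_W_ABS, SD_ARG0);   /* acc = prctl option */
    for (i = 0; i < 3; i++) {
        out[n++] = (struct insn)JEQ(base_allowed[i], 0, 1);
        out[n++] = (struct insn)STMT(BPF_RET_K, SECCOMP_RET_ALLOW);
    }
    if (allow_no_new_privs) {                              /* the one-line fix */
        out[n++] = (struct insn)JEQ(PR_GET_NO_NEW_PRIVS, 0, 1);
        out[n++] = (struct insn)STMT(BPF_RET_K, SECCOMP_RET_ALLOW);
    }
    out[n++] = (struct insn)STMT(BPF_RET_K, SECCOMP_RET_TRAP); /* any other option */
    return n;
}

/* Minimal evaluator for the three opcodes used above; jumps are relative to
 * the next instruction, as in the kernel's BPF interpreter. */
static uint32_t run_filter(const struct insn *prog, int len, uint32_t nr, uint32_t arg0) {
    uint32_t acc = 0;
    int pc;
    for (pc = 0; pc < len; pc++) {
        const struct insn *in = &prog[pc];
        switch (in->code) {
        case BPF_LD_W_ABS:
            if (in->k == SD_NR) acc = nr;
            else if (in->k == SD_ARG0) acc = arg0;
            else return SECCOMP_RET_TRAP;                  /* unsupported load */
            break;
        case BPF_JEQ_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_RET_K: return in->k;
        default:        return SECCOMP_RET_TRAP;
        }
    }
    return SECCOMP_RET_TRAP; /* fell off the end; the kernel rejects such programs */
}

/* Verdict for syscall nr with first argument arg0 under the chosen policy. */
uint32_t prctl_verdict(int allow_no_new_privs, uint32_t nr, uint32_t arg0) {
    struct insn prog[16];
    int len = build_prctl_policy(prog, allow_no_new_privs);
    return run_filter(prog, len, nr, arg0);
}

int prctl_allowed(int allow_no_new_privs, uint32_t nr, uint32_t arg0) {
    return prctl_verdict(allow_no_new_privs, nr, arg0) == SECCOMP_RET_ALLOW;
}

#ifdef __linux__
#ifndef SECCOMP_MODE_FILTER
#define SECCOMP_MODE_FILTER 2
#endif
struct fprog { unsigned short len; struct insn *filter; }; /* == struct sock_fprog */
/* Installs the policy on the calling thread (assumed usage; not called from
 * main, since it would confine this process). The nr check is ARM's, so on
 * another architecture use its __NR_prctl and also test seccomp_data.arch. */
int install_prctl_policy(int allow_no_new_privs) {
    static struct insn prog[16];
    struct fprog fp;
    fp.len = (unsigned short)build_prctl_policy(prog, allow_no_new_privs);
    fp.filter = prog;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp, 0, 0);
}
#endif

int main(void) {
    /* Replay the tombstone: r7 = 0xac (prctl), r0 = 0x27 (PR_GET_NO_NEW_PRIVS). */
    printf("pre-fix  prctl(PR_GET_NO_NEW_PRIVS): %s\n", prctl_allowed(0, 0xac, 0x27) ? "allow" : "SIGSYS");
    printf("post-fix prctl(PR_GET_NO_NEW_PRIVS): %s\n", prctl_allowed(1, 0xac, 0x27) ? "allow" : "SIGSYS");
    return 0;
}
```

The evaluator is deliberately option-level, not syscall-level: the point of the bug is that an allow-list on prctl's first argument is only as complete as the set of options every caller in the process uses, and a handler that runs on a signal the sandbox did not anticipate (here debuggerd's DEBUGGER_SIGNAL) is one such caller.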
Nov 30 2017
Should be fixed in Chrome/WebView 64.
Comment 1 by ligim...@chromium.org, Nov 3 2017