i-rinat / apulse

PulseAudio emulation for ALSA
MIT License

Firefox 58 (nightly) crashes on sound output #65

Open Taros007 opened 7 years ago

Taros007 commented 7 years ago

For a few days now, Firefox nightly tabs seem to crash as soon as a site outputs sound when using apulse (with Arch Linux). If I start nightly without apulse, it works correctly, although I don't hear any sounds as I don't have pulseaudio installed.

No clue whether to start debugging, but happy to provide you with any logs you might need! Thanks!

dbdexter-dev commented 7 years ago

Can confirm, also running the Firefox nightly but on Gentoo. Compiling with -DWITH_TRACE=1, apulse reports this on crash:

Sandbox: seccomp sandbox violation: pid 5232, tid 5300, syscall 16, args 52 2147767296 139957134307464 218 0 0.  Killing process.
[Parent 5116, Gecko_IOThread] WARNING: pipe error (83): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
[Parent 5116, Gecko_IOThread] WARNING: pipe error (115): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353

###!!! [Parent][MessageChannel] Error: (msgtype=0x150084,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

As a temporary solution, setting security.sandbox.content.syscall_whitelist in about:config to "16" should fix the issue.

i-rinat commented 7 years ago

Firefox gradually decreases the allowed scope in its sandboxing, and now ioctl system calls are also forbidden by default. But ioctl is used by the libasound2 library.

> As a temporary solution, setting security.sandbox.content.syscall_whitelist in about:config to "16" should fix the issue.

I can't see any other solution but to add 16 (ioctl syscall number on Linux x86-64) to the exception list, security.sandbox.content.syscall_whitelist. On x86 (32-bit) and ARM it's 54 instead.
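
As an added example (not part of the original thread, and not apulse or Firefox code), this Python sketch parses the violation line quoted above, checks the syscall number against the per-architecture ioctl numbers given in this comment, and splits the second argument into the standard _IOC fields so you can see which ioctl request was blocked before widening the exception list. The function names and the regular expression are assumptions derived from the single log line in this thread.

```python
import re

# ioctl syscall numbers as given in the thread: 16 on Linux x86-64,
# 54 on x86 (32-bit) and ARM. Only ioctl is mapped here.
IOCTL_NR = {"x86_64": 16, "x86": 54, "arm": 54}

# Pattern modelled on the Firefox log line quoted in the thread (assumption:
# other Firefox versions may format the message differently).
VIOLATION_RE = re.compile(
    r"seccomp sandbox violation: pid (\d+), tid (\d+), "
    r"syscall (\d+), args ((?:\d+ ?)+)\."
)

def decode_ioctl_request(req):
    """Split an ioctl request using the asm-generic _IOC layout used on
    x86 and ARM: nr bits 0-7, type 8-15, size 16-29, direction 30-31."""
    direction = {0: "none", 1: "write", 2: "read", 3: "read/write"}[(req >> 30) & 0x3]
    return {
        "dir": direction,
        "size": (req >> 16) & 0x3FFF,
        "type": chr((req >> 8) & 0xFF),
        "nr": req & 0xFF,
    }

def parse_violation(line, arch="x86_64"):
    """Return the parsed violation, or None if the line does not match."""
    m = VIOLATION_RE.search(line)
    if m is None:
        return None
    pid, tid, syscall = (int(g) for g in m.group(1, 2, 3))
    args = [int(a) for a in m.group(4).split()]
    result = {"pid": pid, "tid": tid, "syscall": syscall, "args": args, "ioctl": None}
    if syscall == IOCTL_NR.get(arch) and len(args) >= 2:
        # ioctl(fd, request, argp): args[0] is the fd, args[1] the request.
        result["ioctl"] = dict(fd=args[0], **decode_ioctl_request(args[1]))
    return result

# The line reported in this thread, copied verbatim.
LINE = ("Sandbox: seccomp sandbox violation: pid 5232, tid 5300, syscall 16, "
        "args 52 2147767296 139957134307464 218 0 0.  Killing process.")

if __name__ == "__main__":
    print(parse_violation(LINE))
```

For the quoted line the request value is 0x80045400, which decodes to a 4-byte read-direction request of type 'T', number 0, issued on file descriptor 52.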

i-rinat commented 7 years ago

Looks like at the moment, Firefox builds with MOZ_ALSA are also suffering from sandbox violations, but a patch is already on its way. See 1408493 in Firefox's bug tracker for details.

i-rinat commented 7 years ago

Also mentioned security.sandbox.content.syscall_whitelist in README file in https://github.com/i-rinat/apulse/commit/d86760b225cc44d07fa12662519f4d8bbcdb3679.

Taros007 commented 7 years ago

Thanks so much for the help both! Can confirm the solution works, although not yet sure about security implications.

dbdexter-dev commented 7 years ago

Just a quick update, it seems like the fix is no longer needed. Firefox doesn't crash on audio playback anymore, and the issue on bugzilla has been marked as resolved.

i-rinat commented 7 years ago

> it seems like the fix is no longer needed. Firefox doesn't crash on audio playback anymore, and the issue on bugzilla has been marked as resolved.

For Firefox builds with MOZ_ALSA, it's fixed.

But for PulseAudio-only builds, some ioctl() calls are still forbidden, which may interfere with the libasound2 library (the user-space part of ALSA).

> Compiling with -DWITH_TRACE=1, apulse reports this on crash

By the way, @dbdexter-dev, in the log output you posted, all four lines are from Firefox. None of those lines came from apulse.

Duncaen commented 7 years ago

I think that this all just works by luck because e10s is not enabled (about:support shows if multi-process windows are enabled). If e10s is enabled, the content process will open pulse. The content process has the actually strict rules, e.g. fork is not allowed, which is necessary for libasound; as far as I can tell, libasound spawns a shell while parsing config files, which then again would require more paths to be allowed.

Maybe my observation is wrong and someone here is already running e10s with ALSA or apulse; it would be good if someone could check about:support and report back. e10s can be manually enabled with browser.tabs.remote.autostart;true, browser.tabs.remote.autostart.2;true and extensions.e10sBlockedByAddons;false.