Closed Bug 1289500 Opened 8 years ago Closed 8 years ago

Sandbox violation by __NR_vfork when using uim-mozc

Categories: Core :: Security: Process Sandboxing, defect
Platform: Unspecified, Linux
Severity: normal; Priority: Not set
Status: RESOLVED FIXED; Target Milestone: mozilla50
Tracking Status: firefox50 --- fixed
People: Reporter: m_kato, Assigned: m_kato
Keywords: crash, inputmethod
Attachments: 1 file

This bug was filed from the Socorro interface and is report bp-b84b0784-d151-40b4-9aab-4643c2160726.
=============================================================
Although we don't use gtk_im_* APIs on the content process, GTK APIs might call gtk_im_* APIs (ex. setting the cursor position inside GTK internal code). I think that we shouldn't load the GTK IM module on the content process if possible. But GTK doesn't provide good APIs for this usage...

- Step
1. Setup uim-mozc
2. Run Firefox with e10s+content sandbox

- Result
Crash by sandbox violation

#4 vfork () at ../sysdeps/unix/sysv/linux/x86_64/vfork.S:52
#5 0x00007fe30a105215 in __spawni (pid=0x7ffc77fa862c, file=0x7fe2ddabefe0 "/usr/lib/mozc/mozc_server", file_actions=0x0, attrp=0x0, argv=0x7fe2ddae2bd0, envp=0x7ffc77faa670, xflags=0) at ../sysdeps/posix/spawni.c:106
#6 0x00007fe30a104f5b in __posix_spawn (pid=<optimized out>, path=<optimized out>, file_actions=<optimized out>, attrp=<optimized out>, argv=<optimized out>, envp=<optimized out>) at spawn.c:30
#7 0x00007fe2dd7c43a8 in mozc::Process::SpawnProcess(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long*) () from /usr/lib/x86_64-linux-gnu/uim/plugin/libuim-mozc.so
#8 0x00007fe2dd77b9f0 in mozc::client::ServerLauncher::StartServer(mozc::client::ClientInterface*) () from /usr/lib/x86_64-linux-gnu/uim/plugin/libuim-mozc.so
#9 0x00007fe2dd779cc5 in mozc::client::Client::EnsureConnection() () from /usr/lib/x86_64-linux-gnu/uim/plugin/libuim-mozc.so
#10 0x00007fe2dd77870a in ?? () from /usr/lib/x86_64-linux-gnu/uim/plugin/libuim-mozc.so
#11 0x00007fe2de5c5f9f in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#12 0x00007fe2de5c6279 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#13 0x00007fe2de5d2047 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#14 0x00007fe2de5c5f74 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#15 0x00007fe2de5c6279 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#16 0x00007fe2de5d2047 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#17 0x00007fe2de5c5f74 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#18 0x00007fe2de5c6279 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#19 0x00007fe2de5d2047 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#20 0x00007fe2de5c5f74 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#21 0x00007fe2de5c6279 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#22 0x00007fe2de5c6b3c in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#23 0x00007fe2de1a0cbd in GCROOTS_call_with_gc_ready_stack () from /usr/lib/x86_64-linux-gnu/libgcroots.so.0
#24 0x00007fe2de5d7b33 in uim_scm_callf () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#25 0x00007fe2de3ac040 in uim_create_context () from /usr/lib/x86_64-linux-gnu/libuim.so.8
#26 0x00007fe2de7f001a in im_module_create () from /usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules/im-uim.so
#27 0x00007fe3028111b6 in _gtk_im_module_create (context_id=<optimized out>) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkimmodule.c:793
#28 0x00007fe302811c4b in gtk_im_multicontext_get_slave (multicontext=0x7fe2ef2d8690) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkimmulticontext.c:275
#29 0x00007fe302811f82 in gtk_im_multicontext_get_preedit_string (context=<optimized out>, str=0x7ffc77fa8f40, attrs=0x7ffc77fa8f48, cursor_pos=0x0) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkimmulticontext.c:337
#30 0x00007fe30280e11c in gtk_im_context_get_preedit_string (context=0x7fe2ef2d8690, str=0x7ffc77fa8f40, attrs=0x7ffc77fa8f48, cursor_pos=0x0) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkimcontext.c:490
#31 0x00007fe3027ac04a in gtk_entry_create_layout (include_preedit=1, entry=0x7fe2ef2e45d0) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:6213
#32 gtk_entry_ensure_layout (entry=0x7fe2ef2e45d0, include_preedit=include_preedit@entry=1) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:6305
#33 0x00007fe3027ad297 in gtk_entry_get_cursor_locations (entry=entry@entry=0x7fe2ef2e45d0, strong_x=strong_x@entry=0x7ffc77fa9024, weak_x=weak_x@entry=0x0, type=CURSOR_STANDARD) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:6736
#34 0x00007fe3027adaca in update_im_cursor_location (entry=0x7fe2ef2e45d0) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:6102
#35 gtk_entry_recompute (entry=0x7fe2ef2e45d0) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:6133
#36 0x00007fe3027abaea in get_buffer (entry=entry@entry=0x7fe2ef2e45d0) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:7416
#37 0x00007fe3027ae612 in gtk_entry_real_set_position (editable=0x7fe2ef2e45d0, position=0) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:5106
#38 0x00007fe3027aba6d in gtk_entry_set_buffer (entry=0x7fe2ef2e45d0, buffer=0x0) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:7491
#39 0x00007fe30534d6a3 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#40 0x00007fe30534ec01 in g_object_newv () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#41 0x00007fe30534f534 in g_object_new () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#42 0x00007fe3027ab7f9 in gtk_entry_new () at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:7387
#43 0x00007fe3027641f5 in gtk_combo_box_create_child (combo_box=0x7fe2ef2ee2a0) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkcombobox.c:1652
#44 0x00007fe302766966 in gtk_combo_box_constructed (object=0x7fe2ef2ee2a0) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkcombobox.c:4408
#45 0x00007fe30534d897 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#46 0x00007fe30534f1b5 in g_object_new_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#47 0x00007fe30534f521 in g_object_new () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#48 0x00007fe302766345 in gtk_combo_box_new_with_entry () at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkcombobox.c:3628
#49 0x00007fe30d7e847f in nsLookAndFeel::Init (this=0x7fe2fa51ca80) at /home/makoto/Development/hg.mozilla.org/mozilla-inbound/widget/gtk/nsLookAndFeel.cpp:1201
#50 0x00007fe30d7be9a3 in nsXPLookAndFeel::GetInstance () at /home/makoto/Development/hg.mozilla.org/mozilla-inbound/widget/nsXPLookAndFeel.cpp:265
#51 0x00007fe30d7c177b in mozilla::LookAndFeel::GetColor (aID=aID@entry=mozilla::LookAndFeel::eColorID_WindowBackground, aResult=aResult@entry=0x7fe2fd218340) at /home/makoto/Development/hg.mozilla.org/mozilla-inbound/widget/nsXPLookAndFeel.cpp:906
#52 0x00007fe30dddef0f in nsWebBrowser::Create (this=0x7fe2fd218240) at /home/makoto/Development/hg.mozilla.org/mozilla-inbound/embedding/browser/nsWebBrowser.cpp:1199
#53 0x00007fe30d5b955b in mozilla::dom::TabChild::Init (this=0x7fe2ef2d1400) at /home/makoto/Development/hg.mozilla.org/mozilla-inbound/dom/ipc/TabChild.cpp:803
#54 0x00007fe30d5be4e5 in mozilla::dom::TabChild::Create (aManager=aManager@entry=0x7fe2fdd819d8, aTabId=..., aContext=..., aChromeFlags=<optimized out>)
...
#77 0x00007fe30e03f3a7 in XRE_InitChildProcess (aArgc=<optimized out>, aArgv=aArgv@entry=0x7ffc77faa638, aChildData=aChildData@entry=0x7ffc77faa510) at /home/makoto/Development/hg.mozilla.org/mozilla-inbound/toolkit/xre/nsEmbedFunctions.cpp:681
#78 0x000000000040939d in content_process_main (argc=<optimized out>, argv=0x7ffc77faa638)
Assignee: nobody → m_kato
set gtk-im-context-simple to GTK_IM_MODULE on content process...
Blocks: 1280415
We can also make vfork() fail with EPERM instead of crashing; this is already the case for fork() and any other non-pthread_create uses of clone(), in bug 1286324. Also, from the stack it looks like this would affect anything using posix_spawn (at least with a similar libc), so we might want to do that just to make posix_spawn consistent with fork+exec.
(In reply to Jed Davis [:jld] [⏰PDT; UTC-7] from comment #3)
> We can also make vfork() fail with EPERM instead of crashing; this is
> already the case for fork() and any other non-pthread_create uses of
> clone(), in bug 1286324. Also, from the stack it looks like this would
> affect anything using posix_spawn (at least with a similar libc), so we
> might want to do that just to make posix_spawn consistent with fork+exec.

Thanks. Even if we allow it or return EPERM, uim-mozc won't be able to communicate with the mozc server (IM engine) process... (I haven't debugged it yet). So we shouldn't load the IM module on the content process because we don't use gtk_im APIs on the content process. GTK_IM_MODULE=gtk-im-context-simple will be able to disallow the external IM module.

Now the content sandbox process is enabled. Since uim-mozc uses vfork, it causes a sandbox violation. It is unnecessary to load the IM module on the content process because we don't use GTK IM APIs on the content process.

Review commit: https://reviewboard.mozilla.org/r/67326/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/67326/
Attachment #8774980 - Flags: review?(masayuki)
Comment on attachment 8774980 [details]
Bug 1289500 - Don't load GTK IM module on content process.

https://reviewboard.mozilla.org/r/67326/#review64360

If my following worries are wrong, r=masayuki.

::: ipc/glue/GeckoChildProcessHost.cpp:736
(Diff revision 1)
> + // disable IM module to avoid sandbox violation
> + newEnvVars["GTK_IM_MODULE"] = "gtk-im-context-simple";

I worry about something:

1. Whether "gtk-im-context-simple" is a valid value in any environment which Gecko is available on.
2. If "gtk-im-context-simple" isn't available, which IM module will be used?
3. Could we get the alternative IM module name from a pref for odd environments?
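Review bot: the comment on the added line, "disable IM module to avoid sandbox violation", does not record why the value is "gtk-im-context-simple" rather than the empty string that documentation also suggests; as this bug goes on to establish, an empty or unknown GTK_IM_MODULE makes GTK fall back to the gtk-im-module xsetting and can still load an external module such as im-uim.so, which is the path that calls vfork(). Extend the comment to something like "empty or unknown values fall back to the xsettings gtk-im-module, so name the builtin simple context explicitly" so the reason survives outside this review.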
Attachment #8774980 - Flags: review?(masayuki) → review+
https://reviewboard.mozilla.org/r/67326/#review64360

> I worry about something:
>
> 1. Whether "gtk-im-context-simple" is valid value in any environments which Gecko is available on.
> 2. If "gtk-im-context-simple" isn't available, which IM module will be used?
> 3. Could we get the alternative IM module name from pref for odd environment?

Um, I found this document:
https://wiki.archlinux.org/index.php/Internationalization#Disabling_GTK_IM_modules_.28without_uninstalling.29

> To prevent GTK+ from loading any IM modules
>
> set GTK_IM_MODULE to the empty string
> set GTK_IM_MODULE to "gtk-im-context-simple"

Setting the empty string might be safer? (up to you!)
(In reply to Masayuki Nakano [:masayuki] (Mozilla Japan) from comment #6)
> Comment on attachment 8774980 [details]
> Bug 1289500 - Don't load GTK IM module on content process.
>
> https://reviewboard.mozilla.org/r/67326/#review64360
>
> If my following worries are wrong, r=masayuki.
>
> ::: ipc/glue/GeckoChildProcessHost.cpp:736
> (Diff revision 1)
> > + // disable IM module to avoid sandbox violation
> > + newEnvVars["GTK_IM_MODULE"] = "gtk-im-context-simple";
>
> I worry about something:
>
> 1. Whether "gtk-im-context-simple" is valid value in any environments which
> Gecko is available on.
> 2. If "gtk-im-context-simple" isn't available, which IM module will be used?

gtk-im-context-simple is the internal context id of GTK. gtk-im-context-simple means that GTK doesn't load an external IM module. If the GTK IM module is set to it, the GtkIMContext is created by gtk_im_context_simple_new() for the builtin IM class.

> 3. Could we get the alternative IM module name from pref for odd environment?

Even if we clear GTK_IM_MODULE or GTK_IM_MODULE has an unknown module name, GTK will get gtk-im-module from xsettings. To detect the current IM module, we check both values, and check whether it can load, then we must check whether the im_module->create call succeeds. (I requested an API from them, but they rejected it for now. See https://bugzilla.gnome.org/show_bug.cgi?id=764568).

(In reply to Masayuki Nakano [:masayuki] (Mozilla Japan) from comment #7)
> https://reviewboard.mozilla.org/r/67326/#review64360
>
> > I worry about something:
> >
> > 1. Whether "gtk-im-context-simple" is valid value in any environments which Gecko is available on.
> > 2. If "gtk-im-context-simple" isn't available, which IM module will be used?
> > 3. Could we get the alternative IM module name from pref for odd environment?
>
> Um, I found this document:
> https://wiki.archlinux.org/index.php/Internationalization#Disabling_GTK_IM_modules_.28without_uninstalling.29
>
> > To prevent GTK+ from loading any IM modules
> >
> > set GTK_IM_MODULE to the empty string
> > set GTK_IM_MODULE to "gtk-im-context-simple"
>
> Setting empty string might be safer? (up to you!)

Empty doesn't work well. If GTK_IM_MODULE is empty or invalid, GTK reads xsettings.
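To make the selection order described in the comments above concrete, here is an added example (not GTK's or Gecko's own code) that models it: GTK_IM_MODULE first, then the gtk-im-module xsetting, then the builtin simple context. It assumes a constructed list of loadable module ids and ignores GTK's colon-separated module lists.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Builtin context id that makes GTK skip external IM modules (from this bug). */
#define GTK_BUILTIN_SIMPLE "gtk-im-context-simple"

/* Constructed desktop: module ids that would load on this machine. */
const char *const kConstructedModules[] = {"uim", "ibus", NULL};

/* Model of the IM context selection described in this bug, not GTK code:
 * 1. GTK_IM_MODULE, if it is the builtin id or names a loadable module;
 * 2. otherwise the gtk-im-module xsetting, under the same rule;
 * 3. otherwise the builtin simple context. */
static bool module_available(const char *id, const char *const *available) {
    for (; *available; available++)
        if (strcmp(id, *available) == 0) return true;
    return false;
}

static const char *pick_candidate(const char *id, const char *const *available) {
    if (id == NULL || *id == '\0') return NULL;          /* unset or empty: no choice */
    if (strcmp(id, GTK_BUILTIN_SIMPLE) == 0) return GTK_BUILTIN_SIMPLE;
    return module_available(id, available) ? id : NULL;  /* unknown: fall through */
}

const char *resolve_im_module(const char *env_value, const char *xsettings_value,
                              const char *const *available) {
    const char *chosen = pick_candidate(env_value, available);
    if (chosen == NULL) chosen = pick_candidate(xsettings_value, available);
    return chosen ? chosen : GTK_BUILTIN_SIMPLE;
}

/* True when the chosen context would load an external module (e.g. im-uim.so),
 * which is the path that reached vfork() in the sandboxed content process. */
bool loads_external_module(const char *env_value, const char *xsettings_value,
                           const char *const *available) {
    return strcmp(resolve_im_module(env_value, xsettings_value, available),
                  GTK_BUILTIN_SIMPLE) != 0;
}

int main(void) {
    /* xsettings selects uim, as on the reporter's desktop. */
    const char *tries[] = {NULL, "", "bogus", GTK_BUILTIN_SIMPLE};
    for (size_t i = 0; i < 4; i++)
        printf("GTK_IM_MODULE=%s -> %s\n", tries[i] ? tries[i] : "(unset)",
               resolve_im_module(tries[i], "uim", kConstructedModules));
    return 0;
}
```

Only the explicit builtin id keeps the external module out; unset, empty and unknown values all fall back to the xsetting, which is why the fix names gtk-im-context-simple rather than clearing the variable.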
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/635ffb6c4ccf
Don't load GTK IM module on content process. r=masayuki
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50