I currently have firefox-99.0.1-1.fc35.x86_64 and it's crashing regularly each cca. 2 hours. The crash time depends on how much the browser is used (lower amount of browsing -> it takes longer to crash). It's crashing in mozilla::SandBoxFork::StartChrootServer() or similar. I was unable to get usable coredump, nor the Firefox crash reporter was usable. The Fedora abrt tools says the crash report is unusable and maybe the Firefox crashreporter is disabled in Fedora, I don't know. It start's crashing few months ago.

I tried:

• disabling all extensions and plugins -> it didn't help
• reset firefox configuration -> it didn't help
• closing all tabs -> it didn't help, it crashes no matter how many tabs are open
• removing the firefox profile (rm -rf ~/.mozilla) and start over with the new profile -> it didn't help, still the same crash
• starting firefox in the safe mode -> this seems to work, I wasn't able to reproduce the crash in cca. 24 hours

$ rpm -qV firefox
<nothing>
$ rpm -qVa
<nothing relevant, will add as an attachment for reference>

This problem persisted since several Firefox updates (IIRC I spotted it in the Firefox 94 or so) and also trough the Fedora 34 -> Fedora 35 update. IIRC I wasn't able to reproduce this problem in Fedora 33, IIRC the problem appeared somewhere during the Fedora 34 life-cycle.

This is the proof that the filesystem and libraries are OK and in the state the Fedora distro ship.

I am now installing cca. 8 GB of debuginfo files locally, because the Fedora remote retrace server failed miserably after cca. 5 retries in several days, each try took cca. 4 hour to just tell me, there is no relevant data in the coredump. Hopefully, I will be able to get some usable backtrace from it now.

Finally, I was able to get the backtrace and create downstream Fedora bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=2078627

Truncated backtrace:

#1 [libxul.so] mozilla::SandboxFork::StartChrootServer()
#2 [libxul.so] mozilla::SandboxFork::Fork()
#3 [libxul.so] base::LaunchApp(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, base::LaunchOptions const&, int*) [clone .cold]
#4 [libxul.so] mozilla::ipc::PosixProcessLauncher::DoLaunch()
#5 [libxul.so] mozilla::ipc::BaseProcessLauncher::PerformAsyncLaunch()
#6 [libxul.so] mozilla::detail::ProxyRunnable<mozilla::MozPromise<mozilla::ipc::LaunchResults, mozilla::ipc::LaunchError, true>, RefPtr<mozilla::MozPromise<mozilla::ipc::LaunchResults, mozilla::ipc::LaunchError, true> > (mozilla::ipc::BaseProcessLauncher::*)(), mozilla::ipc::BaseProcessLauncher>::Run()
#7 [libxul.so] mozilla::TaskQueue::Runner::Run()
#8 [libxul.so] nsThread::ProcessNextEvent(bool, bool*)
#9 [libxul.so] NS_ProcessNextEvent(nsIThread*, bool)
#10 [libxul.so] mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)

This is how it looks in the journal. Unfortunately when it crashes, it seems it tries to periodically restart which makes the problem even worse, because abrt/systemd crash dumpers are spawned multiple times which can quickly load the machine to the load 50 or so, which gets the machine to the knees. It quickly consumes all the available memory and the systemd-oomd will start randomly killing processes which usually ends very badly.

Are you sure this is the same issue as the one reported here? Your stack seems to differ enough that I think it's something else: MOZ_CRASH(socketpair failed) is from SandboxFork constructor, while yours is from StartChrootServer() which happens later?

(In reply to Alexandre LISSY :gerard-majax from comment #11)

Are you sure this is the same issue as the one reported here? Your stack seems to differ enough that I think it's something else: MOZ_CRASH(socketpair failed) is from SandboxFork constructor, while yours is from StartChrootServer() which happens later?

Unfortunately, I am not sure, it seemed to me just "close enough", i.e. it's happening in the SandboxFork and related to the fork. Other than that I have no idea. I can open new bug report if you think it's unrelated. I also tried changing DOMFissionEnabled to false (I am totally lost here :).

You dont have stdout/stderr by any chance?

(In reply to Alexandre LISSY :gerard-majax from comment #13)

You dont have stdout/stderr by any chance?

At the moment no, but there is no problem for me to run it from the console. I will follow up tmrw (its nearly 1 AM here :). I have nearly the same configuration on different HW, but I am not experiencing the problem there - it's real mystery for me.

(In reply to Jaroslav Škarvada from comment #14)

(In reply to Alexandre LISSY :gerard-majax from comment #13)

You dont have stdout/stderr by any chance?

At the moment no, but there is no problem for me to run it from the console. I will follow up tmrw (its nearly 1 AM here :). I have nearly the same configuration on different HW, but I am not experiencing the problem there - it's real mystery for me.

It doesn't seem like HW defect, because the machine is running 10 hours per day, or more, 7 days per week and firefox is the only process regularly crashing.

(In reply to Jaroslav Škarvada from comment #14)

(In reply to Alexandre LISSY :gerard-majax from comment #13)

You dont have stdout/stderr by any chance?

At the moment no, but there is no problem for me to run it from the console. I will follow up tmrw (its nearly 1 AM here :). I have nearly the same configuration on different HW, but I am not experiencing the problem there - it's real mystery for me.

No problem, we're on the same timezone :). Are you at ease enough to build a package with a few changes to the sources? Jed had a look and it looks like you hit https://searchfox.org/mozilla-central/rev/a9de7261619ed0f1eb758847b37a61559b93c6bc/security/sandbox/linux/launch/SandboxLaunch.cpp#649, and I'm wondering if we could explore adding some debug to know the status of errno when we fail the clone() call done by https://searchfox.org/mozilla-central/rev/a9de7261619ed0f1eb758847b37a61559b93c6bc/security/sandbox/linux/launch/SandboxLaunch.cpp#544

(In reply to Alexandre LISSY :gerard-majax from comment #16)

(In reply to Jaroslav Škarvada from comment #14)

(In reply to Alexandre LISSY :gerard-majax from comment #13)

You dont have stdout/stderr by any chance?

At the moment no, but there is no problem for me to run it from the console. I will follow up tmrw (its nearly 1 AM here :). I have nearly the same configuration on different HW, but I am not experiencing the problem there - it's real mystery for me.

No problem, we're on the same timezone :). Are you at ease enough to build a package with a few changes to the sources? Jed had a look and it looks like you hit https://searchfox.org/mozilla-central/rev/a9de7261619ed0f1eb758847b37a61559b93c6bc/security/sandbox/linux/launch/SandboxLaunch.cpp#649, and I'm wondering if we could explore adding some debug to know the status of errno when we fail the clone() call done by https://searchfox.org/mozilla-central/rev/a9de7261619ed0f1eb758847b37a61559b93c6bc/security/sandbox/linux/launch/SandboxLaunch.cpp#544

Really thanks for answering. It's no problem for me to build the patched version - I am upstream/downstream devel/contributor, but unfortunately not the Mozilla contributor (yet :). Please provide the patches.

My personal tip is that the clone failure could be related to the out-of-memory problem - the machine has only 8 GB of physical RAM and another 8 GB in the swap. But I haven't seen anything suspicious in the 'top' output, the sum of the RSS of the related processes wasn't over cca. 30 % of the RAM.

This is stdout/stderr from the lasr firefox browsing session until it crashed (this time 3 hours until the crash):

ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.

###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PBackgroundIDBDatabase::Msg_Close) Channel closing: too late to send/recv, messages will be lost



###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PMessagePort::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PBackgroundIDBDatabase::Msg_Close) Channel closing: too late to send/recv, messages will be lost


###!!! [Parent][PBackgroundParent] Error: RunMessage(msgname=PBackgroundIDBDatabase::Msg_Close) Channel closing: too late to send/recv, messages will be lost

[Parent 3008, IPC Launch] WARNING: fork() failed: Nelze alokovat paměť: file /builddir/build/BUILD/firefox-99.0.1/ipc/chromium/src/base/process_util_linux.cc:274
[Parent 3008, IPC I/O Parent] WARNING: Failed to launch tab subprocess: file /builddir/build/BUILD/firefox-99.0.1/ipc/glue/GeckoChildProcessHost.cpp:743
[Parent 3008, IPC Launch] WARNING: fork() failed: Nelze alokovat paměť: file /builddir/build/BUILD/firefox-99.0.1/ipc/chromium/src/base/process_util_linux.cc:274
[Parent 3008, IPC I/O Parent] WARNING: Failed to launch tab subprocess: file /builddir/build/BUILD/firefox-99.0.1/ipc/glue/GeckoChildProcessHost.cpp:743

###!!! [Child][PContentChild] Error: RunMessage(msgname=PHttpChannel::Msg_DeleteSelf) Channel closing: too late to send/recv, messages will be lost


###!!! [Child][PContentChild] Error: RunMessage(msgname=PHttpChannel::Msg_DeleteSelf) Channel closing: too late to send/recv, messages will be lost

Unfortunately, I had Czech localization, but the "WARNING: fork() failed: Nelze alokovat pamě" means "Cannot allocate memory". If I close and restart Firefox it continues running for another 2-4 hours without problem. Maybe memory fragmentation? I think that cca. 16 GB of virtual RAM should be enough for few hours of regular browsing.

I tried setting the dom.ipc.processCount.* to 1.

With the unmodified dom.ipc.processCount.* the first crash occurred after cca. 2 hours with the following top output:

top - 00:49:53 up  2:01,  1 user,  load average: 0,43, 0,86, 0,92
Tasks: 235 total,   1 running, 234 sleeping,   0 stopped,   0 zombie
%Cpu(s):  2,5 us,  1,5 sy,  0,0 ni, 95,4 id,  0,2 wa,  0,3 hi,  0,1 si,  0,0 st
MiB Mem : 36,7/7818,3   [||||||||||||||||||||||||||||||||||||                                                                ]
MiB Swap:  0,0/7952,0   [                                                                                                    ]

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND                                                        
   2581 yarda     20   0 4196728 685704 257400 S   6,0   8,6  20:32.51 firefox                                                        
   5054 yarda     20   0 2946780 327020 108408 S   0,0   4,1   1:40.16 Isolated Web Co                                                
   8051 yarda     20   0 2932216 300388 108056 S   0,7   3,8   0:47.87 Isolated Web Co                                                
   3157 yarda     20   0 9171196 248264 104108 S   0,0   3,1   0:46.69 Isolated Web Co                                                
   5835 yarda     20   0 2637428 159504  96780 S   0,0   2,0   0:06.89 Isolated Web Co                                                
   7425 yarda     20   0 2646200 154548 104844 S   0,0   1,9   0:06.01 Isolated Web Co                                                
   5912 yarda     20   0 2656576 140636 103044 S   0,0   1,8   0:03.19 Isolated Web Co                                                
   5673 yarda     20   0 2574640 139300  93544 S   0,0   1,7   0:03.48 Isolated Web Co                                                
   2345 yarda     20   0  721884 112516  61464 S   1,7   1,4   3:22.72 compiz                                                         
   2762 yarda     20   0 2566872 111352  85264 S   0,3   1,4   0:09.60 Privileged Cont                                                
    785 root      20   0  204292 107144 105356 S   0,0   1,3   0:00.67 systemd-journal                                                
   2797 yarda     20   0 2554360  98736  75944 S   0,0   1,2   0:02.63 WebExtensions                                                  
   1353 root      20   0  605680  98376  65492 S   3,3   1,2   6:59.68 Xorg                                                           
   2679 yarda     20   0  929808  77536  63688 S   0,0   1,0   0:01.08 xdg-desktop-por                                                
  12063 yarda     20   0 2522692  73780  61752 S   0,0   0,9   0:00.12 Web Content                                                    
  12027 yarda     20   0 2522692  73700  61652 S   0,0   0,9   0:00.13 Web Content                                                    
  11983 yarda     20   0 2522692  73380  61468 S   0,0   0,9   0:00.12 Web Content                                                    
   3351 yarda     20   0  394868  69792  58400 S   0,0   0,9   0:42.44 RDD Process                                                    

I.e. there should be still enough memory available. Let's see whether the dom.ipc.processCount.* set to 1 improves the situation.

(In reply to Jaroslav Škarvada from comment #19)

I tried setting the dom.ipc.processCount.* to 1.

This didn't help, crash after 3:23. When it happened the RSS usage was about 51% (i.e. cca. 4 GB) of all processes, swap usage was 0%. The load of the machine (dual core) was about 5.0 and the UI was a bit lagy. After the start of the firefox the RSS usage was cca. 25% and was slightly increasing during the browsing to over the 50% where it usually crashes. I do normal browsing - facebook, youtube, google, ... and I am closing the tabs. thus there is nearly constant number of simultaneously opened tabs. I could do bisecting, because this didn't happen few firefox releases earlier.

Jaroslav, I think we have enough hints that this is probably a different bug. I fear it might be related to your system itself. In order to keep the current issue clean, would you mind filing a new bug in the same component, and attach all your current findings to this new bug? Then we'll hide comments on this one. I'm also wondering if you have a specific cgroup setup or something like that, or what are your ulimit sets.

(In reply to Alexandre LISSY :gerard-majax from comment #22)

Jaroslav, I think we have enough hints that this is probably a different bug. I fear it might be related to your system itself. In order to keep the current issue clean, would you mind filing a new bug in the same component, and attach all your current findings to this new bug? Then we'll hide comments on this one. I'm also wondering if you have a specific cgroup setup or something like that, or what are your ulimit sets.

Re-reported as: https://bugzilla.mozilla.org/show_bug.cgi?id=1766727

Sorry for noise.