tor-browser crashes opening about:support and shows "Gah! tab crashed" (nixos-20.03)

[unode]

Describe the bug
After upgrading to nixos-20.03 and enabling pulseaudio support I started experiencing the "Gah! tab crashed" error too often, to the point that browsing sites with certain types of embedded media (mostly audio/video) instantly triggers the error (e.g browsing https://www.washingtonpost.com/).

While troubleshooting this I also noticed that opening about:support crashes not the tab but the browser. On the console I can see:

(...)
Apr 29 20:44:27.000 [notice] Bootstrapped 100% (done): Done
Apr 29 20:44:28.000 [notice] New control connection opened.
Apr 29 20:44:28.000 [notice] New control connection opened.
Fontconfig warning: "/nix/store/hj7n3mgfbs413mjcap0xyh29wy4ff84n-tor-browser-bundle-bin-9.0.9/share/tor-browser/TorBrowser/Data/fontconfig/fonts.conf", line 145: blank doesn't take any effect anymore. please remove it from your fonts.conf
Fontconfig warning: "/nix/store/hj7n3mgfbs413mjcap0xyh29wy4ff84n-tor-browser-bundle-bin-9.0.9/share/tor-browser/TorBrowser/Data/fontconfig/fonts.conf", line 145: blank doesn't take any effect anymore. please remove it from your fonts.conf
fatal allocator error: invalid uninitialized allocator usage
Redirecting call to abort() to mozalloc_abort

Exiting due to channel error.
Apr 29 20:44:32.000 [notice] Owning controller connection has closed -- exiting now.
Apr 29 20:44:32.000 [notice] Catching signal TERM, exiting cleanly.
zsh: segmentation fault (core dumped)  tor-browser

This crash is present with default options (i.e. mediaSupport = false and pulseaudioSupport = false).

In addition, after several crashes Tor asks to start in "Safe mode". I'm not sure what safe mode disables but it allows opening about:support without crashing and/or triggering the segfault.

This seems to hint at some interaction with external libraries and my assumption that this is somehow related to pulseaudio.

To Reproduce
Steps to reproduce the behavior:

1. nix-env -iA tor-browser-bundle-bin
2. tor-browser
3. In the URL about:support
4. browser will crash

Notify maintainers
@offlinehacker @matejc @doublec @thoughtpolice @joachifm @hax404 @scaredmushroom

Metadata

% nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.6.7, NixOS, 20.03.git.034f307a86c (Markhor)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.4`
 - channels(root): `"nixos-20.09pre217261.a2e06fc3423"`
 - nixpkgs: `/var/nixpkgs-channels/nixos

The following expression was used to enable mediaSupport and puseaudioSupport:

(...)
    torbrowserWithAudio = pkgs.torbrowser.override {
      mediaSupport = true;
      pulseaudioSupport = true;
    };
(...)

and installed with nix-env -iA torbrowserWithAudio.

[joachifm]

Can you try with override useHardenedMalloc = false?

[unode]

This helps.

On a quick test I didn't see any "Gah! Tab crashed" error and about:support works fine.

[joachifm]

It should be off by default then, it used to work :(

[unode]

Could this be triggered by a missing or mismatched library?
I also only started noticing this after enabling pulseaudio system-wide. If this helps diagnosing the issue...

[joachifm]

I think it's simply because the firefox jemalloc is incompatible with the hardened allocator. firefox has to be built with --disable-jemalloc for that to work. I wonder why this appears to have worked before; maybe the tbb build has changed.

Relevant mailing list thread here (fair warning: it turns into a not-so-productive exchange after a few messages): https://lists.torproject.org/pipermail/tor-dev/2019-August/013982.html

[joachifm]

I think that at this point it'd be appropriate to revert the commit that added hardened alloc support, with a note as to why, maybe opening an issue to track work (if anyone cares) to make hardened malloc work with tbb/firefox.

[unode]

I'm not into the differences/advantages of each allocator.

In this case I have the user hat on and unless there's a critical aspect of relevance I'm happy to trade that in favour of a functional browser.