On Sun, Aug 18, 2024 at 04:20:05PM +0000, Andrey Grozin wrote:

On Sat, 17 Aug 2024, Paul Zander wrote:

Check the logfile at ${T}/Xvfb.log

Recently I've upgraded mesa to 24.2.0. Can this problem be related to this upgrade?

...

Can anybody with the current mesa try to emerge fricas[doc] and tell us if it works (any lisp will do, probably, sbcl is the most reasonable one; by the way, clozurecl compiles fricas very quickly).

Yes; I reproduced it.
- started w/ mesa-24.0.7 installed.
- emerge sbcl => success
- USE=doc emerge fricas => success
- emerge =mesa-24.2.0* => success
- USE=doc emerge fricas => fail w/ sandbox
- patch virtualx.eclass
- USE=doc emerge fricas => success

So Mesa's behavior changed, trying to accelerate Xvfb.

I pushed a fix to virtualx.eclass for you.

--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation President & Treasurer
E-Mail : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Robbat2 @ Orbis-Terrarum Networks - The text below is a digital signature. If it doesn't make any sense to you, ignore it.

iQKTBAABCgB9FiEEveu2pS8Vb98xaNkRGTlfI8WIJsQFAmbDjIZfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEJE RUJCNkE1MkYxNTZGREYzMTY4RDkxMTE5Mzk1RjIzQzU4ODI2QzQACgkQGTlfI8WI JsRW3w/9Hi3CgZzw6acIDWkzCUxHHhYSYXMy41+XC2DJZBxN9HO2CuA9cBglpDZS s4Oz+slrGmLJNbjVjZJAUwbQkZ1J97jo3DcyofjzWHNyT1lXsNYA7b8Gkgj+BtI/ UfyZqUhEvrZwyB+lGzGs168yEKEkBQu07kviZ2RevBSNnA2+qwNVRZDhMV4f0LdD LXNEDuPW3UCOR7/Vui2Ii6L6+a27lWmoI+8NRWMq3UGfqGiaKQLoH1owRYO/7IaQ wf43YsTfDFR2cJPYVzjzX8bW+NIuULBJ098Ix38hkJySr5LMySHW2J3gi5Jdn9x6 7jmhsR7Pgg9MIGKrQMBivbdDOQ5rdEN8oXH28cDamFfAdXepKs9LTcYqzdwLxoII
FtNhQoB9

On Mon, 19 Aug 2024, Robin H Johnson wrote:

On Sun, Aug 18, 2024 at 04:20:05PM +0000, Andrey Grozin wrote:

Can anybody with the current mesa try to emerge fricas[doc] and tell us if >> it works (any lisp will do, probably, sbcl is the most reasonable one; by >> the way, clozurecl compiles fricas very quickly).

Yes; I reproduced it.
- started w/ mesa-24.0.7 installed.
- emerge sbcl => success
- USE=doc emerge fricas => success
- emerge =mesa-24.2.0* => success
- USE=doc emerge fricas => fail w/ sandbox
- patch virtualx.eclass
- USE=doc emerge fricas => success

So Mesa's behavior changed, trying to accelerate Xvfb.

I pushed a fix to virtualx.eclass for you.

That addpredict looks like a workaround, not like a real fix of the
problem. Especially, the many warnings mentioned by grozin are still
there. With the patched virtualx.eclass, I still see more than thousand messages in Xvfb.log:

libEGL warning: failed to open /dev/dri/card0: Permission denied

Also, was this so urgent that you had to push the eclass change without
prior mailing list review?

Ulrich

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEtDnZ1O9xIP68rzDbUYgzUIhBXi4FAmbDocgPHHVsbUBnZW50 b28ub3JnAAoJEFGIM1CIQV4ukqUH/0mQJyv6WsR4d0Pta0EjINu9SpSmY2/LjcEz O++agOPbH4ul8S5aoHA4vG8UDHcX7JA8iwj5Xfa1kvp2fCU3ZEB9qDz6lTHPZ+II QVoD51Sn3pjW96q+p6COHvjIsVCdjP441dpAoCpi6XhqWf2GX0frPEC29GIj03aA xG5WcaQhTvHNLEha13r/BHFfPH/yyD2xZzriVUccjlKOPf7XasDmB4bp+z+4ehdI 3/wJzuGRwZECE2HaLU8ot7l8gjRfGLwBFMjUvMSPGYnzRyzD/UB8p2b9bJ15HVoe DQqRTtCJCgpsuJ2gQAo4CNir8ZAfKOV8isdLKPnWUtsHLrkHEjQ=Yudz
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, Aug 19, 2024 at 09:49:28PM +0200, Ulrich Mueller wrote:

I pushed a fix to virtualx.eclass for you.

That addpredict looks like a workaround, not like a real fix of the
problem.

It's a fix in that it correctly tells Sandbox that upstream mesas use a predictive fopen(..., RDWR) and Gentoo expects it to *NOT* actually use the device in the ebuild context.

Especially, the many warnings mentioned by grozin are still
there. With the patched virtualx.eclass, I still see more than thousand messages in Xvfb.log:
libEGL warning: failed to open /dev/dri/card0: Permission denied

The manual does correctly build despite that warning from mesa, because it correctly falls back.

Also, was this so urgent that you had to push the eclass change without
prior mailing list review?

Low impact, fixes blockage.

Reminder to all, if you go looking for bugs, you'll find more than you expected.

Git bisect of mesa points to the relevant upstream commits that introduced the flaws.

1. The init behavior changed here: https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/30426/diffs
This was added between mesa-24.2.0-rc3 and mesa-24.2.0-rc4
It always probes those /dev/ files now.

2. I *also* found a similar failure upstream between 24.0.9 and 24.1.0; with USE=llvm specifically:
https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/27805/diffs#81e929dbdc766bd46257096f260549cbdeba18fc_1133_1161

sandbox snippet for USE=llvm:
F: open_wr
S: deny
P: /dev/udmabuf
A: /dev/udmabuf
R: /dev/udmabuf
C: Xvfb -displayfd 1 -screen 0 1280x1024x24 +extension RANDR

"addpredict /dev/udmabuf" should also enable other cases to be stricter: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48b4885e4f9a19ccc4c1489a387e38fb3b7d62b7

and re-enable tests here:
https://bugs.gentoo.org/933257

--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation President & Treasurer
E-Mail : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Robbat2 @ Orbis-Terrarum Networks - The text below is a digital signature. If it doesn't make any sense to you, ignore it.

iQKTBAABCgB9FiEEveu2pS8Vb98xaNkRGTlfI8WIJsQFAmbErb5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEJE RUJCNkE1MkYxNTZGREYzMTY4RDkxMTE5Mzk1RjIzQzU4ODI2QzQACgkQGTlfI8WI JsSQTRAAk48E0Kl91px4jxG0pyeumwAAkC/Hedo/SR4r4zXlqnZGo4EGhMko5Vmw HwKrnn0goim4iPPczn+yRlD3wnXnEb1IkN9ueU932QfpW/sz1GLVnpsPjpJuryQU 9vxedpJvkd6DMNBlcs420cRXUNxk6zPOlhg3/YrTTCz7S+A2di+8F4vVF+6xTTwH M+LyLfZ0oVNd8TNlONvFtoAeDluO6rdFScjyL2p3PVg7sH6FyKOsS0eGG2HHm3io 8acpvsk1HFSYq+A5fw0vzuWFnfqV3fWA1ugi/1DYW5oPe6JLAnUT0Rsn+N8pM5MF 5hwSCd92CcJHkTaFiwoq79k8qKm++75Z7AjtiE2Qx472Veushmrbew84w2JSJ+hV
jA5/+yBc

On Tue, Aug 20, 2024 at 06:06:17PM +0200, Paul Zander wrote:

Especially, the many warnings mentioned by grozin are still
there. With the patched virtualx.eclass, I still see more than thousand
messages in Xvfb.log:
libEGL warning: failed to open /dev/dri/card0: Permission denied

The manual does correctly build despite that warning from mesa, because it correctly falls back.

This is the hallmark of a workaround.

Hiding the errors also isn't a fix - it's just picking a different code path.

virtualx has detection automagic in what Mesa drivers are actually loading; and that certainly contributes to the problems.

Also, was this so urgent that you had to push the eclass change without
prior mailing list review?

Low impact, fixes blockage.

The impact of changing an eclass willy nilly without asking anyone for
@X11 or anyone affected?

Who was affected by the breakage? Grozin.
The tree has a sprawl of addpredict/addwrite /dev/dri/ entries; because this isn't handled consistently at the Xvfb/mesa level.

We've had mesa-24.2.0* in the tree for a while now. We had plenty of tinderbox runs testing. This is the only package that fails with those sandbox violations. No other @sci stuff, no @kde stuff.

See below about libeproxy - it's failing because of the same files.

The "Low impact, fixes blockage." fix would have been to add that
addpredict line to the affected package, file a bug and ask the people
that actually know about mesa.

If I didn't know about mesa, why do you think I commented on this thread, and provided bisect showing where upstream introduced the change in behavior?

Oddly enough fricas also has an automagic dependency on xvfb-run...

@grozin: please do fix the automagic behavior in fricas; it's clearly not fatal either, because my test environment does not have xvfb-run installed at all.

FYI: this actually fixes the access for fricas:

Your patch would "fix" fricas, but I think it will break anything else
that explicitly relies on GLX inside Xvfb; and would need a tinderbox
run to verify what that is. There is an even worse potential outcome in your patch: tests might skip some cases because they probe for the GLX extension and skip those cases.

It would not surprise me if there are other packages already broken, and
not detected in the prior testing.

As a fast example, media-libs/libepoxy, fails already because it wants
GLX in src_test. It was broken before per bug #823786, and still broken
with my patch, and yours outright disables what it wants to test. I think it's mucking with sandbox in another way, because even with both config explicitly permitting writes, it still shows Xvfb errors to them:

libepoxy-1.5.10-r3.ebuild:
==
multilib_src_test() {
export MESA_LOADER_DRIVER_OVERRIDE=llvmpipe
export LIBGL_KOPPER_DISABLE=true
export LIBGL_KOPPER_DRI2=true
export GALLIUM_DRIVER=llvmpipe
export LIBGL_ALWAYS_SOFTWARE=true
addwrite /dev/dri/card0
addwrite /dev/udmabuf
addwrite /dev/dri/renderD128
virtx meson_src_test
}
==


$ head /var/tmp/portage-tmpfs/portage/media-libs/libepoxy-1.5.10-r3/temp/Xvfb.log
_XSERVTransSocketUNIXCreateListener: ...SocketCreateListener() failed _XSERVTransMakeAllCOTSServerListeners: server already running
libEGL warning: failed to open /dev/dri/card0: Permission denied
...

And yet running the same test outside of the ebuild works fine.

--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation President & Treasurer
E-Mail : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Robbat2 @ Orbis-Terrarum Networks - The text below is a digital signature. If it doesn't make any sense to you, ignore it.

iQKTBAABCgB9FiEEveu2pS8Vb98xaNkRGTlfI8WIJsQFAmbE7ANfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEJE RUJCNkE1MkYxNTZGREYzMTY4RDkxMTE5Mzk1RjIzQzU4ODI2QzQACgkQGTlfI8WI JsTJww//ckSQR7EXHkcdBbo09OjLH/NEpP1iwZ+vR7c2hd5SEV+pYwsge0eigha7 iRyz5RMTAriDsKQEBSsycsDAPoGu3h/jPlyT/pLLnUY6Kas1lr/f87bAKwYfAY+x 2JJcsEZ5nbThepWiE3smQK7f27nMnk0/J9TLu00jv/gKiOCnKQqHWiEKRrU8g3YZ V7Ld+u6HmkiBZghDv/l+i+NoAbrmBLF+kTnGO/fFO0HvOHNUfWY+ZCpcaOh09Xci 7xoqVbOTwFNH8/B4r574XMv4HNXo0WnX3Zg/VSSKwrVorPIBVSpJEZ1uTbYnP4FV 8EdYA0I283ay+Gi++SGkkbqKHqTSAXapdGja/30wmxty5qdGLq74rX79+6Xo7wYO
rBDBSNOP