GNU bug report logs - #77827
[PATCH] gnu: librewolf: Fix video playback.

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 77827 in the body.
You can then email your comments to 77827 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Jakob Kirsch <jakob.kirsch <at> web.de>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: librewolf: Fix video playback.
Date: Tue, 15 Apr 2025 18:47:18 +0200

[Message part 1 (text/plain, inline)]

This patch fixes the video playback issue with librewolf.

[0001-gnu-librewolf-Fix-video-playback.patch (text/plain, attachment)]

Message #8 received at 77827 <at> debbugs.gnu.org (full text, mbox):

From: Jakob Kirsch <jakob.kirsch <at> web.de>
To: 77827 <at> debbugs.gnu.org
Subject: patch v2
Date: Tue, 15 Apr 2025 19:11:25 +0200

[Message part 1 (text/plain, inline)]

oops, forgot to actually add it to LD_LIBRARY_PATH

[v2-0001-gnu-librewolf-Fix-video-playback.patch (text/plain, attachment)]

Message #11 received at 77827 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: Jakob Kirsch <jakob.kirsch <at> web.de>
Cc: 77827 <at> debbugs.gnu.org
Subject: Re: [bug#77827] patch v2
Date: Tue, 15 Apr 2025 22:07:50 -0700

Hi Jakob,

Jakob Kirsch <jakob.kirsch <at> web.de> writes:

> oops, forgot to actually add it to LD_LIBRARY_PATH

Please send patches with `git send-email'.  The subject line of 
your v2 patch is incorrect (it should be with "[PATCH v2] gnu: 
librewolf: Fix video playback."), which means mumi applied the v1 
patch.  Consquently, I have to manually apply the changes and 
rebuild -- since that takes over an hour, I won’t be able to push 
this patch until tomorrow at the earliest.

Hopefully the GCD to move to Codeberg will be accepted, which will 
be a huge improvement for this kind of problem.

Thanks,

 -- Ian

Message #14 received at 77827 <at> debbugs.gnu.org (full text, mbox):

From: Julian Flake <julian <at> flake.de>
To: 77827 <at> debbugs.gnu.org
Subject: Video playback still fails with 4fd529d
Date: Fri, 18 Apr 2025 09:41:47 +0200

[Message part 1 (text/plain, inline)]

Hi Ian,

thank you for the latest patches. Unfortunately video playback 
still does not work for me on 
4fd529dce953572551e299c0c604a645f0cbeed0 / 137.0.2-1.

Best Regards,
nutcase

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 77827 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: Julian Flake <julian <at> flake.de>, Jakob Kirsch <jakob.kirsch <at> web.de>
Cc: 77827 <at> debbugs.gnu.org
Subject: Re: [bug#77827] Video playback still fails with 4fd529d
Date: Sat, 19 Apr 2025 11:17:19 -0700

Hi Julian, Jakob,

Julian Flake <julian <at> flake.de> writes:

> Hi Ian,
>
> thank you for the latest patches. Unfortunately video playback 
> still
> does not work for me on 4fd529dce953572551e299c0c604a645f0cbeed0 
> /
> 137.0.2-1.

Yep, I pushed the patch even though it didn’t fully fix the issue. 
Are you using non-free video drivers?  I am, and my symptoms don’t 
match what Jakob mentioned: video playback doesn’t work at all for 
me, but Jakob said video playback works, but poorly.

Jakob, can you confirm your symptoms and whether you’re using 
non-free drivers or not?

In the mean time you can go into about:config and set 
media.hardware-video-decoding.enabled to false, then restart the 
browser.  This restores the 136.x status quo of video playback 
working, but without hardware acceleration.  I’ll do some testing, 
but will likely push a patch making this the default.

Hardware video decoding is an issue in Guix for *all* 
Firefox-derived browsers, has been for some time[2], and I think 
the issue has to be something with the underlying libraries on 
Guix, though I don’t know what it is.  I don’t see these issues on 
Debian.  If anyone has ideas or patches, I’d love to hear.

Thanks,
 -- Ian

[1]: 
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/137
[2]: See #72265, this also affects mullvad, torbrowser, icecat, 
and Firefox in nonguix.

Message #20 received at 77827 <at> debbugs.gnu.org (full text, mbox):

From: Julian Flake <julian <at> flake.de>
To: Ian Eure <ian <at> retrospec.tv>
Cc: 77827 <at> debbugs.gnu.org, Jakob Kirsch <jakob.kirsch <at> web.de>
Subject: Re: [bug#77827] Video playback still fails with 4fd529d
Date: Sat, 19 Apr 2025 21:32:34 +0200

[Message part 1 (text/plain, inline)]

Hi Ian,

thanks for your response + tests.

On Sat, Apr 19 2025, Ian Eure wrote:

> Yep, I pushed the patch even though it didn’t fully fix the 
> issue. Are
> you using non-free video drivers?

Yes, I think I do. This is what I get in my shell, when trying to 
playback some video:

--8<---------------cut here---------------start------------->8---
➜  ~ librewolf
libva info: VA-API version 1.22.0
libva info: Trying to open 
/run/current-system/profile/lib/dri/iHD_drv_video.so
libva info: va_openDriver() returns -1
libva info: Trying to open 
/run/current-system/profile/lib/dri/i965_drv_video.so
libva info: va_openDriver() returns -1
--8<---------------cut here---------------end--------------->8---

> I am, and my symptoms don’t match
> what Jakob mentioned: video playback doesn’t work at all for me, 
> but
> Jakob said video playback works, but poorly.

Same here. Video playback doesn't work for me at all with hardware 
acceleration enabled (starting with 137, I think). Without hw 
acceleration (I disable it in the settings), playback works. 

> Hardware video decoding is an issue in Guix for *all* 
> Firefox-derived
> browsers, has been for some time[2], and I think the issue has 
> to be
> something with the underlying libraries on Guix, though I don’t 
> know
> what it is.  I don’t see these issues on Debian.  If anyone has 
> ideas
> or patches, I’d love to hear.

I did not change my setting (hw acceleration) during the 
transition from 136 to 137. Finally, I confirm that this is the 
state with 137 of another Firefox derivation as well.

best, nutcase

[signature.asc (application/pgp-signature, inline)]

Message #23 received at 77827 <at> debbugs.gnu.org (full text, mbox):

From: Jussi Timperi <jussi.timperi <at> iki.fi>
To: Julian Flake <julian <at> flake.de>
Cc: 77827 <at> debbugs.gnu.org, Jakob Kirsch <jakob.kirsch <at> web.de>,
 Ian Eure <ian <at> retrospec.tv>
Subject: Re: [bug#77827] Video playback still fails with 4fd529d
Date: Sun, 20 Apr 2025 00:24:43 +0300

Hi,

On 19 April 2025 21:32, Julian Flake <julian <at> flake.de> wrote:

> --8<---------------cut here---------------start------------->8---
> ➜  ~ librewolf
> libva info: VA-API version 1.22.0
> libva info: Trying to open /run/current-system/profile/lib/dri/iHD_drv_video.so
> libva info: va_openDriver() returns -1
> libva info: Trying to open /run/current-system/profile/lib/dri/i965_drv_video.so
> libva info: va_openDriver() returns -1
> --8<---------------cut here---------------end--------------->8---

intel-vaapi-driver isn't whitelisted in the RDD sandbox, so it will block
opening the drivers. Running with MOZ_SANDBOX_LOGGING=1 will show something
like:

    [30324] Sandbox: SandboxBroker: denied op=open rflags=2000000 perms=0 path=/gnu/store/jji80qsrw6dm3zsgwxhz5301d5ww0ga8-intel-vaapi-driver-2.4.1/lib/dri/i965_drv_video.so for pid=30400
    [30400] Sandbox: Failed errno -13 op open flags 02000000 path /home/jussi/.guix-profile/lib/dri/i965_drv_video.so
    [30324] Sandbox: SandboxBroker: denied op=access rflags=0 perms=0 path=/gnu/store/jji80qsrw6dm3zsgwxhz5301d5ww0ga8-intel-vaapi-driver-2.4.1/lib/dri/i965_drv_video.so for pid=30400
    [30400] Sandbox: Failed errno -13 op access flags 00 path /home/jussi/.guix-profile/lib/dri/i965_drv_video.so
    libva info: va_openDriver() returns -1

HW video decoding working with MOZ_DISABLE_RDD_SANDBOX=1 further
confirms it being the sandbox issue.

Upstream solved it for Nix by whitelisting the entire store[1]. As Ian
mentioned, there's a patch in #72265[2] trying to do the same for guix.


Footnotes:
[1]  https://hg-edge.mozilla.org/releases/mozilla-release/file/FIREFOX_137_0_2_RELEASE/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#l478

[2]  https://issues.guix.gnu.org/72265

Best,
--
Jussi

Message #26 received at 77827 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: Jussi Timperi <jussi.timperi <at> iki.fi>
Cc: Julian Flake <julian <at> flake.de>, 77827 <at> debbugs.gnu.org,
 Jakob Kirsch <jakob.kirsch <at> web.de>
Subject: Re: [bug#77827] Video playback still fails with 4fd529d
Date: Sat, 19 Apr 2025 15:45:12 -0700

Hi Jussi,

Jussi Timperi <jussi.timperi <at> iki.fi> writes:

> Hi,
>
> On 19 April 2025 21:32, Julian Flake <julian <at> flake.de> wrote:
>
>> --8<---------------cut 
>> here---------------start------------->8---
>> ➜  ~ librewolf
>> libva info: VA-API version 1.22.0
>> libva info: Trying to open 
>> /run/current-system/profile/lib/dri/iHD_drv_video.so
>> libva info: va_openDriver() returns -1
>> libva info: Trying to open 
>> /run/current-system/profile/lib/dri/i965_drv_video.so
>> libva info: va_openDriver() returns -1
>> --8<---------------cut 
>> here---------------end--------------->8---
>
> intel-vaapi-driver isn't whitelisted in the RDD sandbox, so it 
> will block
> opening the drivers. Running with MOZ_SANDBOX_LOGGING=1 will 
> show something
> like:
>
>     [30324] Sandbox: SandboxBroker: denied op=open 
>     rflags=2000000 perms=0 
>     path=/gnu/store/jji80qsrw6dm3zsgwxhz5301d5ww0ga8-intel-vaapi-driver-2.4.1/lib/dri/i965_drv_video.so 
>     for pid=30400
>     [30400] Sandbox: Failed errno -13 op open flags 02000000 
>     path /home/jussi/.guix-profile/lib/dri/i965_drv_video.so
>     [30324] Sandbox: SandboxBroker: denied op=access rflags=0 
>     perms=0 
>     path=/gnu/store/jji80qsrw6dm3zsgwxhz5301d5ww0ga8-intel-vaapi-driver-2.4.1/lib/dri/i965_drv_video.so 
>     for pid=30400
>     [30400] Sandbox: Failed errno -13 op access flags 00 path 
>     /home/jussi/.guix-profile/lib/dri/i965_drv_video.so
>     libva info: va_openDriver() returns -1
>
> HW video decoding working with MOZ_DISABLE_RDD_SANDBOX=1 further
> confirms it being the sandbox issue.
>
> Upstream solved it for Nix by whitelisting the entire 
> store[1]. As Ian
> mentioned, there's a patch in #72265[2] trying to do the same 
> for guix.

I pushed the patch provided in #72265, but reverted it, as I got 
bug reports about it breaking live video streams.  I’ve updated 
and reapplied the patch locally a few times, but it’s continued to 
exhibit that problem, _and_ it still complains about being unable 
to open the vaapi drivers with sandbox logging enabled.  The 
specific issue is that with hwaccel enabled, it can’t demux 
AAC-LATM audio streams.  Mullvadb and Torbrowser are both subject 
to this issue, I wrote up #77559 about what I found there, but 
haven’t gotten a response.

I have an idea here, I’ll patch things up a bit and see if the 
situation is improved.

I’m *also* experiencing serious graphics issues with 137.x.  The 
hamburger menu requires two clicks to open, other drop-down menus 
don’t open at all, and some sites exhibit graphical issues 
(flickering / corrupt graphics, scrolling up/down leaves pixel 
trails).  Are any of you seeing those issues?

Thanks,
 -- Ian

Message #29 received at 77827 <at> debbugs.gnu.org (full text, mbox):

From: Jussi Timperi <jussi.timperi <at> iki.fi>
To: Ian Eure <ian <at> retrospec.tv>
Cc: Julian Flake <julian <at> flake.de>, 77827 <at> debbugs.gnu.org,
 Jakob Kirsch <jakob.kirsch <at> web.de>
Subject: Re: [bug#77827] Video playback still fails with 4fd529d
Date: Sun, 20 Apr 2025 13:07:12 +0300

Hi Ian,

On 19 April 2025 15:45, Ian Eure <ian <at> retrospec.tv> wrote:

> I pushed the patch provided in #72265, but reverted it, as I got bug reports
> about it breaking live video streams.  I’ve updated and reapplied the patch
> locally a few times, but it’s continued to exhibit that problem, _and_ it still
> complains about being unable to open the vaapi drivers with sandbox logging
> enabled.  The specific issue is that with hwaccel enabled, it can’t demux
> AAC-LATM audio streams.  Mullvadb and Torbrowser are both subject to this issue,
> I wrote up #77559 about what I found there, but haven’t gotten a response.
>
> I have an idea here, I’ll patch things up a bit and see if the situation is
> improved.

I decided to test it with this dumb patch, basically adding /gnu/store
everywhere /nix/store was added. With the patch I have HW decoding with
my old Intel GPU using i965_drv_video.so from
intel-vaapi-driver package. Can't comment if the AAC-LATM issue is
there.

There's some sandbox messages when it goes through
LD_LIBRARY_PATH trying to open nonexistent libraries that can look
sandbox rejection messages at first glance:

--8<---------------cut here---------------start------------->8---
[3942] Sandbox: Failed errno -2 op open flags 02000000 path /gnu/store/71122si4k9mwxp71i483xica7fh7nsrx-mesa-24.3.2/lib/libdrm_intel.so.1
--8<---------------cut here---------------end--------------->8---

Possibly not everything in the patch is necessary, but iterating on it
and building Firefox is too much of a pain on an old machine.

--8<---------------cut here---------------start------------->8---
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
index 4eff5e6..42171eb 100644
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -476,6 +476,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
   // Various places where fonts reside
   policy->AddTree(rdonly, "/usr/X11R6/lib/X11/fonts");
   policy->AddTree(rdonly, "/nix/store");
+  policy->AddTree(rdonly, "/gnu/store");
   // https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/e434e680d22260f277f4a30ec4660ed32b591d16/files/fontconfig-flatpak.conf
   policy->AddTree(rdonly, "/run/host/fonts");
   policy->AddTree(rdonly, "/run/host/user-fonts");
@@ -485,6 +486,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
   // Bug 1848615
   policy->AddPath(rdonly, "/usr");
   policy->AddPath(rdonly, "/nix");
+  policy->AddPath(rdonly, "/gnu");
 
   AddLdconfigPaths(policy);
   AddLdLibraryEnvPaths(policy);
@@ -934,6 +936,7 @@ SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
   policy->AddTree(rdonly, "/usr/lib64");
   policy->AddTree(rdonly, "/run/opengl-driver/lib");
   policy->AddTree(rdonly, "/nix/store");
+  policy->AddTree(rdonly, "/gnu/store");
 
   // Bug 1647957: memory reporting.
   AddMemoryReporting(policy.get(), aPid);
@@ -1079,6 +1082,7 @@ SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(int aPid) {
   // Required to make sure ffmpeg loads properly, this is already existing on
   // Content and RDD
   policy->AddTree(rdonly, "/nix/store");
+  policy->AddTree(rdonly, "/gnu/store");
 
   // glibc will try to stat64("/") while populating nsswitch database
   // https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nss_database.c;h=cf0306adc47f12d9bc761ab1b013629f4482b7e6;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l396
--8<---------------cut here---------------end--------------->8---

Best,
--
Jussi

Message #32 received at 77827 <at> debbugs.gnu.org (full text, mbox):

From: Ian Eure <ian <at> retrospec.tv>
To: Jussi Timperi <jussi.timperi <at> iki.fi>
Cc: Julian Flake <julian <at> flake.de>, 77827 <at> debbugs.gnu.org,
 Jakob Kirsch <jakob.kirsch <at> web.de>
Subject: Re: [bug#77827] Video playback still fails with 4fd529d
Date: Sun, 20 Apr 2025 19:56:53 -0700

Hi Jussi,

Thank you very much for the patch.  It does indeed fix both 
hardware acceleration and live video playback.  I pushed it along 
with a couple other cleanups, mainly removal of a build phase that 
was manipulating the RDD settings via a preference file which 
seems redundant and more likely to cause problems than not.

Will close this and #72265, but please reach out if you have other 
issues.

Thanks,

-- Ian

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.