dragonboard: history daemon dereferences a rogue pointer

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1625805

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

i assume this is running a snap on a classic image, not on an ubuntu core one ?
(since we have no EGL support in teh core image yet)

@ogra actually we do! we all lucked out, recently (like within the last month) someone somewhere turned on gallium/freedreno drivers for our mesa builds. So i've got the full stack, i've already run the mir-server/client snap on it with no problems (really need to blog that)

so to be clear, this on ubuntu-core dragonboard image from the beta images

oh, do you ship mesa in the mir server snap ? i didnt think that would be possible

There's no "on Dragonboard" section in the document linked above, is there a way to reproduce it on a classic image?

@ppisati sorry about that, must've had too many tabs open. Corrected the link and shared the doc with you as well.

I tried running the unity8-session on DB as per the steps mentioned in above doc but process terminated as soon as it launched followed by several respawing messages. Please find attached the relevant syslog as well as terminal output after launching unity8-session is here
https://paste.ubuntu.com/23254146/

My dragonboard environment info is

~$ snap list
Name Version Rev Developer Notes
dragonboard 16.04-0.17 23 canonical -
dragonboard-kernel 4.4.0-1024-3 9 canonical -
snapweb 0.21 17 canonical -
ubuntu-core 16.04.1 759 canonical -
unity8-session 0 x1 devmode

Ok, i was able to reproduce this on a classic image by installing the snap core / unity-session 8 snaps and running it under snap-confine - now, how can i recreate the unity-session8 binary locally? I want a vanilla linux elf executable that i can run on a vanilla ubuntu classic image to start digging into it.

@ppisati - if you have a classic deb based filesystem that is Xenial based, add the ppa:ci-train-ppa-service/stable-phone-overlay (update/upgrade), then you can simply apt-get install unity8-desktop-session-mir. Once that is installed, you can toggle between unity8 & unity7 by clicking the ubuntu-logo icon just in the top-right corner of the password entry box on the greeter/lock-screen to your session.
here's a doc for any other questions.
https://docs.google.com/document/d/1Io3pQvzyBQIpZi2n_hfseNsVOo4LH-BjtNhmdWNijEc

@ppisati - didi you need anything else?

I can reproduce it on a ubuntu-classic installation on the Dragonboard, just trying to execute the history-daemon as an unprivileged user:

$ sudo apt-get instal history-service
$ sudo reboot

login again:

$ history-daemon
Using database at "/home/ubuntu/.local/share/history-service/history.sqlite"
tp-qt 0.9.6.1 WARN: Unable to register client: busName "org.freedesktop.Telepathy.Client.HistoryDaemonObserver" already register
ed
...
tp-qt 0.9.6.1 WARN: Unable to register client: busName "org.freedesktop.Telepathy.Client.HistoryDaemonObserver20" already registered
void HistoryDaemon::onObserverCreated()
Segmentation fault

$ dmesg
...
[ 698.875269] history-daemon[751]: unhandled level 2 translation fault (11) at 0x00000018, esr 0x83000006
[ 698.875307] pgd = ffffffc0316dc000
[ 698.875347] [00000018] *pgd=00000000b02af003, *pud=00000000b02af003, *pmd=0000000000000000

[ 698.885755] CPU: 3 PID: 751 Comm: history-daemon Not tainted 4.4.0-1030-snapdragon #33-Ubuntu
[ 698.885779] Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
[ 698.885811] task: ffffffc033f40c80 ti: ffffffc033aa8000 task.ti: ffffffc033aa8000
[ 698.885839] PC is at 0x18
[ 698.885863] LR is at 0x7f8ab8e848
[ 698.885890] pc : [<0000000000000018>] lr : [<0000007f8ab8e848>] pstate: 00000000
[ 698.885911] sp : 0000007fe62df5c0
[ 698.885934] x29: 0000007fe62df5c0 x28: 0000000000000000
[ 698.885967] x27: 0000007f8ac25000 x26: 0000007f8adad000
[ 698.885999] x25: 0000000000000000 x24: 0000007fe62df8a8
[ 698.886030] x23: 0000000037e64ed0 x22: 0000000037e263a0
[ 698.886062] x21: 0000007f8adad000 x20: 0000000000420dc0
[ 698.886092] x19: 0000000000420df0 x18: 0000000000000040
[ 698.886123] x17: 0000007f8ab8e678 x16: 000000000043a320
[ 698.886154] x15: 0000007f8b3d1000 x14: 0000000000000000
[ 698.886185] x13: 0072004300720065 x12: 0076007200650073
[ 698.886217] x11: 0000007fe62df7a0 x10: 0101010101010101
[ 698.886248] x9 : 0000000037e64ed0 x8 : 0000007fe62df8a8
[ 698.886278] x7 : 0000000000000000 x6 : 0000000000000000
[ 698.886309] x5 : 0000007f8a7389d0 x4 : 0000000000000002
[ 698.886339] x3 : 0000007f8ac25b20 x2 : 37d279b830dd2300
[ 698.886370] x1 : 0000000000000018 x0 : 0000000037e64ed0

$ uname -a
Linux dragon410c 4.4.0-1030-snapdragon #33-Ubuntu SMP Fri Oct 7 23:16:14 UTC 2016 aarch64 aarch64 aarch64 GNU/Linux

is there any update to this bug?

Kevin, the oops above is just the history-daemon process that dereferences a stray pointer: i can reproduce it on every arm64 installation where i tried running the history-daemon (classic or snappy), or a test.c prg like the one below.

(here is my raspberrypi3 in arm64 mode dereferencing a foobar ptr)

$ cat test.c
int main(void) {

        ((void(*)(void))0x18)();
}

$ gcc test.c
$ ./a.out

dmesg:
...
[ 783.753484] a.out[447]: unhandled level 2 translation fault (11) at 0x00000018, esr 0x82000006
[ 783.753495] pgd = ffffffc037a7e000
[ 783.757090] [00000018] *pgd=0000000036fdd003, *pud=0000000036fdd003, *pmd=0000000000000000

[ 783.765693] CPU: 3 PID: 447 Comm: a.out Not tainted 4.8.0-1016-raspi2 #18~ufaultfd
[ 783.765698] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
[ 783.765704] task: ffffffc036dc8000 task.stack: ffffffc0356e4000
[ 783.765711] PC is at 0x18
[ 783.765716] LR is at 0x400580
[ 783.765721] pc : [<0000000000000018>] lr : [<0000000000400580>] pstate: 60000000
[ 783.765725] sp : 0000007fc9fc7090
[ 783.765729] x29: 0000007fc9fc7090 x28: 0000000000000000
[ 783.765738] x27: 0000000000000000 x26: 0000000000000000
[ 783.765747] x25: 0000000000000000 x24: 0000000000000000
[ 783.765756] x23: 0000000000000000 x22: 0000000000000000
[ 783.765765] x21: 0000000000000000 x20: 0000000000000000
[ 783.765774] x19: 0000000000400590 x18: 0000000000000a03
[ 783.765783] x17: 0000000000411000 x16: 0000007f8ca7c7c0
[ 783.765792] x15: 0000007f8cbcf000 x14: 0000000000000000
[ 783.765801] x13: 0000000000000402 x12: 0000007f8cbd0028
[ 783.765810] x11: 0000000000000020 x10: 0101010101010101
[ 783.765819] x9 : 000000ffffffffff x8 : ffffffffffffffff
[ 783.765829] x7 : 0000000004000000 x6 : 0000000000000000
[ 783.765837] x5 : 0000000000000000 x4 : 0000007fc9fc7108
[ 783.765846] x3 : 0000000000400570 x2 : 0000007fc9fc71f8
[ 783.765855] x1 : 0000007fc9fc71e8 x0 : 0000000000000018

$ uname -a
Linux raspi64 4.8.0-1016-raspi2 #18 SMP Fri Oct 14 13:29:38 UTC 2016 aarch64 aarch64 aarch64 GNU/Linux

Paolo, you marked this invalid. Is there a workaround or does the kernel no longer panic in this case?

Guys, this is not a panic, it's history-daemon process that dereferences a rouge pointer, it has nothing to do with the kernel - the kernel just print out that your application dereferenced a rouge pointer.

Per the discussion above, this could be anywhere (qtmir, untiy8) not necessarily in unity8 per se.
It does seem that this is specific to "unity8 on dragonboard" though.
We know that...
- mir-kiosk examples works on dragonboard
- unity8 works on arm64 m10