unity8 crashed with SIGABRT in __gnu_cxx::__verbose_terminate_handler(), thrown from mir::shell::Surface::name()

Bug #1234609 reported by Jean-Baptiste Lallement on 2013-10-03
48
This bug affects 7 people
Affects Status Importance Assigned to Milestone
Mir
Fix Released
Critical
Robert Carr
mir (Ubuntu)
Critical
Unassigned
Saucy
Critical
Unassigned

Bug Description

I launched system-settings, and changed the background, which opened gallery-app
Switched back to application scope, closed all the application and reopen gallery.
Gallery-app was showing a 'pick' button as if I opened it from system-setting, then system crashed (gallery+unity8)

ProblemType: Crash
DistroRelease: Ubuntu 13.10
Package: unity8 7.81.3+13.10.20130927.3-0ubuntu1
Uname: Linux 3.4.0-3-mako armv7l
ApportVersion: 2.12.5-0ubuntu1
Architecture: armhf
Date: Thu Oct 3 09:39:07 2013
ExecutablePath: /usr/bin/unity8
InstallationDate: Installed on 2013-10-03 (0 days ago)
InstallationMedia: Ubuntu Saucy Salamander (development branch) - armhf (20131003)
MarkForUpload: True
ProcCmdline: unity8
Signal: 6
SourcePackage: unity8
StacktraceTop:
 ?? () from /lib/arm-linux-gnueabihf/libc.so.6
 raise () from /lib/arm-linux-gnueabihf/libc.so.6
 abort () from /lib/arm-linux-gnueabihf/libc.so.6
 __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
 ?? () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
Title: unity8 crashed with SIGABRT in raise()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm autopilot cdrom dialout dip nopasswdlogin plugdev sudo tty video

Related branches

Jean-Baptiste Lallement (jibel) wrote :
information type: Private → Public
Changed in unity8 (Ubuntu):
importance: Undecided → High

StacktraceTop:
 __gnu_cxx::__verbose_terminate_handler() () at ../../../../src/libstdc++-v3/libsupc++/vterminate.cc:95
 __cxxabiv1::__terminate(void (*)()) () at ../../../../src/libstdc++-v3/libsupc++/eh_terminate.cc:38
 std::terminate() () at ../../../../src/libstdc++-v3/libsupc++/eh_terminate.cc:48
 __cxa_throw () at ../../../../src/libstdc++-v3/libsupc++/eh_throw.cc:84
 void boost::throw_exception<boost::exception_detail::error_info_injector<std::runtime_error> >(boost::exception_detail::error_info_injector<std::runtime_error> const&) () at /usr/include/boost/throw_exception.hpp:67

summary: - unity8 crashed with SIGABRT in raise()
+ unity8 crashed with SIGABRT in __gnu_cxx::__verbose_terminate_handler()
tags: removed: need-armhf-retrace
kevin gunn (kgunn72) on 2013-10-03
Changed in unity8 (Ubuntu):
status: New → Triaged
importance: High → Critical
kevin gunn (kgunn72) on 2013-10-03
Changed in mir:
status: New → Triaged
importance: Undecided → Critical

the cause is believed to be a mir surface race condition (at least there is a theory)
need to make it safe to hold shared_ptr<msh::Surface>
possible solution in this MP
https://code.launchpad.net/~robertcarr/mir/hold-surface-alive/+merge/189156

Changed in mir:
milestone: none → phone-v1-freeze
assignee: nobody → Alexandros Frantzis (afrantzis)
status: Triaged → In Progress
Alexandros Frantzis (afrantzis) wrote :

As described in the duplicate bug #1235209, this happens when an application tries to close itself. The application session is closed, destroying underlying mir surface resources, but then information about the destroyed surface (it's name) is requested leading to a crash. Still trying to get the details about why the name is requested.

Alexandros Frantzis (afrantzis) wrote :

The thread that crashed is "Thread 6".

tags: added: rls-s-incoming
summary: - unity8 crashed with SIGABRT in __gnu_cxx::__verbose_terminate_handler()
+ unity8 crashed with SIGABRT in __gnu_cxx::__verbose_terminate_handler(),
+ thrown from mir::shell::Surface::name()
Changed in mir:
assignee: Alexandros Frantzis (afrantzis) → Robert Carr (robertcarr)
Alexandros Frantzis (afrantzis) wrote :

Some more information about this issue that may lead to a more informed decision about how to solve it:

The core of the problem is that unity-mir reacts asynchronously to events from the SessionListener. MirSurfaceManager connects to the SessionListener::sessionCreatedSurface() signal using Qt::ConnectionType type = Qt::AutoConnection (the default value) [1] which means that if the emitter and the receiver are in different threads, the event is dispatched through the main loop at a later time. Changing this to Qt::BlockedQueuedConnection, which forces for the signal emission mechanism to wait until the event is handled, fixes the problem.

A tangential problem is that the Mir code doesn't currently notify listeners about destroyed surfaces when the session is closed, it only notifies about the session closing. Unity-mir depends on getting surface destruction events to release the mir surface resources it holds (shell::Surface). Adding surface destruction events to shell::ApplicationSession::~ApplicationSession() [2] solves the problem, but conflicts with using Qt::BlockedQueuedConnection as noted above, because in that case the emitter and the receiver are the same thread, and Qt::BlockedQueuedConnection deadlocks.

We have (at least) two options:

(a) Share shell::Surface ownership with the shell, as is done in https://code.launchpad.net/~robertcarr/mir/hold-surface-alive/+merge/189400

(b) Change [1] to use Qt::BlockedQueuedConnection, and change unity-mir to automatically release surface resources when receiving the session stopping signal, without needing explicit surface destruction events.

If option (a) doesn't have any unintended side effects, it would be my preference since it's conceptually cleaner/simpler, and has fewer edge cases.

[1] https://bazaar.launchpad.net/~mir-team/unity-mir/trunk/view/99/src/modules/Unity/Application/mirsurfacemanager.cpp#L64

[2] This is the same problem and fix as in https://bazaar.launchpad.net/~robertcarr/mir/hold-surface-alive/revision/1066

> The core of the problem is that unity-mir reacts asynchronously to events from the SessionListener. MirSurfaceManager
> connects to the SessionListener::sessionCreatedSurface() signal using Qt::ConnectionType type = Qt::AutoConnection

That was meant to be SessionListener::sessionDestroyingSurface signal...

Because, the event is handled at a later time in the main Qt loop, the underlying ms::Surface has been already destroyed when the handler is invoked, causing the crash.

Omer Akram (om26er) on 2013-10-09
affects: unity8 (Ubuntu Saucy) → mir (Ubuntu Saucy)
kevin gunn (kgunn72) on 2013-10-09
Changed in mir:
status: In Progress → Fix Committed
Changed in mir (Ubuntu Saucy):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mir - 0.0.14+13.10.20131010-0ubuntu1

---------------
mir (0.0.14+13.10.20131010-0ubuntu1) saucy; urgency=low

  [ Colin Watson ]
  * Don't build-depend on valgrind on arm64 for now, as it is not yet
    ported there.

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 1095
 -- Ubuntu daily release <email address hidden> Thu, 10 Oct 2013 01:17:01 +0000

Changed in mir (Ubuntu Saucy):
status: Fix Committed → Fix Released
Changed in mir:
milestone: phone-v1-freeze → 0.0.15
Changed in mir:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers