Crash in libmirclient on app exit on phone

Bug #1337481 reported by dobey
This bug affects 2 people
Affects        Status     Importance  Assigned to      Milestone
Mir            New        Undecided   Alberto Aguirre
mir (Ubuntu)   Confirmed  Undecided   Alberto Aguirre

Bug Description

When closing most apps on the phone, a crash is happening in the destructor of MirConnection. For services that are launching an app with ubuntu-app-launch and monitoring the exit status of that app, such as pay-service, this results in any successful completion of the app, as far as the user is concerned, being viewed as a failure state, which prevents download and installation of a purchased app, for example.

The top of the stack trace looks like so:

MirConnection::~MirConnection() () from /usr/lib/arm-linux-gnueabihf/libmirclient.so.8
MirConnection::~MirConnection() () from /usr/lib/arm-linux-gnueabihf/libmirclient.so.8
mir_connection_release () from /usr/lib/arm-linux-gnueabihf/libmirclient.so.8
?? () from /usr/lib/arm-linux-gnueabihf/libubuntu_application_api_touch_mirclient.so.2.1.0

Some reports on errors.ubuntu.com:

https://errors.ubuntu.com/problem/6552ba4342afeb93d20e22711ac36f655cd885d8
https://errors.ubuntu.com/problem/58494c9bc1ca3b8692b656ea55874385ea7d5b0b
https://errors.ubuntu.com/problem/c5ad9bd50e5c85e9703f162902ae1287f323f697

A quick way to reproduce this problem is to just go to the Accounts page of System Settings, and then immediately go back, on image 111. Opening the Clock app, waiting a few seconds, then closing it also results in a crash.

Changed in mir (Ubuntu):
assignee: nobody → Alberto Aguirre (albaguirre)
Changed in mir:
assignee: nobody → Alberto Aguirre (albaguirre)
Revision history for this message
Alberto Aguirre (albaguirre) wrote :

I can replicate the issue in image #112.

However, if I rebuild libmirclient.so.8 with the cross-compiler I no longer replicate it; it exits normally, so I can't tell if we are being passed a bad pointer or not.

I'm going to have to build this on the phone.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mir (Ubuntu):
status: New → Confirmed
Revision history for this message
Alberto Aguirre (albaguirre) wrote :

It looks to me like memory corruption from the QT stack:

#0 0xb6c6f968 in ?? () from /usr/lib/arm-linux-gnueabihf/libQt5Qml.so.5
#1 0xb6c2f5c2 in QV4::MemoryManager::sweep(bool) ()
   from /usr/lib/arm-linux-gnueabihf/libQt5Qml.so.5
#2 0x019be448 in ?? ()

Maybe it's a similar instance to this QT bug: https://bugreports.qt-project.org/browse/QTBUG-35334

Or:
https://bugs.launchpad.net/ubuntu/+source/unity8/+bug/1328485

Revision history for this message
Alberto Aguirre (albaguirre) wrote :

Note I rebuilt libmirclient with the native arm compiler (on an n7 device) and I can't reproduce the issue either like that.

However just navigating to Accounts then clicking on Ubuntu One and going back triggers the stack above, so I suspect a double free by the QT QML GC is also leading to the stack trace in the original report.

Here's a stack trace with symbols of what I'm seeing:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 ~QObjectDeleter (this=0x1fdc860, __in_chrg=<optimized out>)
    at jsruntime/qv4qobjectwrapper.cpp:1004
1004 jsruntime/qv4qobjectwrapper.cpp: No such file or directory.
(gdb) bt
#0 ~QObjectDeleter (this=0x1fdc860, __in_chrg=<optimized out>)
    at jsruntime/qv4qobjectwrapper.cpp:1004
#1 (anonymous namespace)::QObjectDeleter::~QObjectDeleter (this=0x1fdc860,
    __in_chrg=<optimized out>) at jsruntime/qv4qobjectwrapper.cpp:1009
#2 0xb6b855c2 in QV4::MemoryManager::sweep (this=this@entry=0x1ac4678,
    lastSweep=lastSweep@entry=true) at jsruntime/qv4mm.cpp:375
#3 0xb6b8565c in QV4::MemoryManager::~MemoryManager (this=0x1ac4678,
    __in_chrg=<optimized out>) at jsruntime/qv4mm.cpp:498
#4 0xb6b79050 in QV4::ExecutionEngine::~ExecutionEngine (this=0x1acd460,
    __in_chrg=<optimized out>) at jsruntime/qv4engine.cpp:425
#5 0xb6c42c74 in QV8Engine::~QV8Engine (this=0x1acd398,
    __in_chrg=<optimized out>) at qml/v8/qv8engine.cpp:124
#6 0xb6c42e04 in QV8Engine::~QV8Engine (this=0x1acd398,
    __in_chrg=<optimized out>) at qml/v8/qv8engine.cpp:125
#7 0xb6b3b4ce in QJSEngine::~QJSEngine (this=0x1acbcd0,
    __in_chrg=<optimized out>) at jsapi/qjsengine.cpp:210
#8 0xb6be4f4c in QQmlEngine::~QQmlEngine (this=0x1acbcd0,
    __in_chrg=<optimized out>) at qml/qqmlengine.cpp:923
#9 0xb6be4fb8 in QQmlEngine::~QQmlEngine (this=0x1acbcd0,
    __in_chrg=<optimized out>) at qml/qqmlengine.cpp:923
#10 0xb642e6f2 in QObjectPrivate::deleteChildren (this=this@entry=0x1acc1f8)
    at kernel/qobject.cpp:1935
#11 0xb6433fce in QObject::~QObject (this=<optimized out>,
---Type <return> to continue, or q <return> to quit---
    __in_chrg=<optimized out>) at kernel/qobject.cpp:1028
#12 0xb67ec6dc in QWindow::~QWindow (this=0x1acc018, __in_chrg=<optimized out>)
    at kernel/qwindow.cpp:226
#13 0xb6ddd432 in QQuickWindow::~QQuickWindow (this=0x1acc018,
    __in_chrg=<optimized out>) at items/qquickwindow.cpp:1095
#14 0xb6e4220a in QQuickView::~QQuickView (this=0x1acc018,
    __in_chrg=<optimized out>) at items/qquickview.cpp:236
#15 0xb6e42228 in QQuickView::~QQuickView (this=0x1acc018,
    __in_chrg=<optimized out>) at items/qquickview.cpp:236
#16 0x0001e686 in ?? ()
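
As an added illustration of the failure mode discussed in the comments above (a second code path releasing an object that another owner has already destroyed, so that the crash surfaces in an unrelated destructor), here is a small live-handle registry. This is example code written for this page, not code from Mir or Qt; the LiveRegistry, Handle, checked_release and simulate_double_ownership names are hypothetical. It shows the kind of check that answers the "are we being passed a bad pointer" question: a release request whose pointer is not a registered live handle is rejected instead of being deleted through freed memory.

```cpp
#include <cstddef>
#include <mutex>
#include <set>

// Added example, not code from Mir or Qt. A registry of live objects keyed by
// address: objects register on construction and unregister on destruction, so
// a release request carrying a pointer that is not registered (dangling, never
// allocated, or already released) can be reported instead of dereferenced.
class LiveRegistry {
public:
    static LiveRegistry& instance() {
        static LiveRegistry registry;
        return registry;
    }
    void add(const void* p) {
        std::lock_guard<std::mutex> guard(mutex_);
        live_.insert(p);
    }
    void remove(const void* p) {
        std::lock_guard<std::mutex> guard(mutex_);
        live_.erase(p);
    }
    bool is_live(const void* p) const {
        std::lock_guard<std::mutex> guard(mutex_);
        return live_.count(p) != 0;
    }
private:
    mutable std::mutex mutex_;
    std::set<const void*> live_;
};

// Stand-in (hypothetical name) for an object handed to C callers as a raw
// handle, the way a MirConnection is. It keeps its own registry entry current.
class Handle {
public:
    Handle() { LiveRegistry::instance().add(this); }
    ~Handle() { LiveRegistry::instance().remove(this); }
    Handle(const Handle&) = delete;
    Handle& operator=(const Handle&) = delete;
};

// A release entry point in the style of a C ABI function. Returns false and
// does nothing when the pointer is not a live handle, so a second release of
// the same handle is rejected rather than running a destructor on freed memory.
bool checked_release(Handle* h) {
    if (!LiveRegistry::instance().is_live(h)) {
        return false;
    }
    delete h;
    return true;
}

struct ReleaseStats {
    int released;
    int rejected;
};

// Models the situation discussed in the thread: two independent code paths
// (think a parent's child cleanup and a garbage collector's sweep) each
// believe they own the same handle and each release it.
ReleaseStats simulate_double_ownership() {
    ReleaseStats stats{0, 0};
    Handle* shared = new Handle;

    // First owner releases: accepted, object destroyed and unregistered.
    if (checked_release(shared)) ++stats.released; else ++stats.rejected;

    // Second owner releases the same, now dangling, pointer: rejected.
    // (Only the pointer value is compared; the memory is never touched.)
    if (checked_release(shared)) ++stats.released; else ++stats.rejected;

    return stats;
}
```

simulate_double_ownership() returns one accepted and one rejected release. The registry is keyed by address only, so if a new handle is allocated at the same address between the two releases it cannot tell them apart; a generation counter or an index-based handle table closes that gap. For diagnosing a double free in an existing build, running the process under AddressSanitizer or valgrind reports the first and second free sites directly, which is usually quicker than retrofitting a check like this.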

Revision history for this message
kevin gunn (kgunn72) wrote :

I'm going to retarget this bug to Qt
