Unity8 reliably crashes on logout due to heap corruption (libprotobuf.so.9 called from libprotobuf-lite.so.9), causing delays while it dumps core and reports errors.

Bug #1535297 reported by Andrea Bernabei
This bug affects 13 people
Affects                      Status      Importance  Assigned to       Milestone
Canonical System Image       Won't Fix   High        Stephen M. Webb
Mesa                         New         Undecided   Unassigned
Mir                          Won't Fix   High        Unassigned
libphonenumber (Ubuntu)      Confirmed   High        Unassigned
mir (Ubuntu)                 Won't Fix   High        Unassigned
protobuf (Ubuntu)            Confirmed   High        Unassigned
telephony-service (Ubuntu)   Confirmed   High        Unassigned
unity8 (Ubuntu)              Won't Fix   High        Unassigned

Bug Description

https://errors.ubuntu.com/problem/72327e33abf9e9da2cd9ed1ac28b9d843c18b5bb

This is happening on a fresh setup, which is basically:
Xenial 17Jan iso + unity8-desktop-session-mir package

When I logout, I get a black screen. Turns out unity8 is crashing with a "double free or linked list corruption".

Please find unity8.log attached


Andrea Bernabei (faenil) wrote:

Albert Astals Cid (aacid) wrote:

Could you get us a gdb backtrace?

Albert Astals Cid (aacid) wrote:

Andrea Bernabei (faenil) wrote:

there you go

Continuing.
[Thread 0x7f9aa8959700 (LWP 5318) exited]
[Thread 0x7f9a9cef3700 (LWP 4924) exited]
[Thread 0x7f9ae5bb9700 (LWP 4530) exited]
[Thread 0x7f9aab9dc700 (LWP 4858) exited]
[Thread 0x7f9aa995b700 (LWP 5323) exited]
[Thread 0x7f9ab305d700 (LWP 4856) exited]
[Thread 0x7f9ae63ba700 (LWP 4529) exited]
[Thread 0x7f9ae6bbb700 (LWP 4528) exited]
[Thread 0x7f9ae73bc700 (LWP 4527) exited]
[Thread 0x7f9ae7bbd700 (LWP 4526) exited]
[Thread 0x7f9af6402700 (LWP 4524) exited]

Program received signal SIGABRT, Aborted.
0x00007f9b03971227 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

Thread 17 (Thread 0x7f9af7404700 (LWP 4522)):
#0 syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
#1 0x00007f9afab3887c in ?? () from /usr/lib/x86_64-linux-gnu/liblttng-ust.so.0
#2 0x00007f9b024b066a in start_thread (arg=0x7f9af7404700) at pthread_create.c:333
#3 0x00007f9b03a42e4d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Thread 16 (Thread 0x7f9af6c03700 (LWP 4523)):
#0 syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
#1 0x00007f9afab3887c in ?? () from /usr/lib/x86_64-linux-gnu/liblttng-ust.so.0
#2 0x00007f9b024b066a in start_thread (arg=0x7f9af6c03700) at pthread_create.c:333
#3 0x00007f9b03a42e4d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Thread 14 (Thread 0x7f9af5787700 (LWP 4525)):
#0 0x00007f9b03a3783d in poll () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007f9afa448ae9 in ?? () from /usr/lib/x86_64-linux-gnu/libmircommon.so.5
#2 0x00007f9afa44acfe in ?? () from /usr/lib/x86_64-linux-gnu/libmircommon.so.5
#3 0x00007f9b03fd5d10 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#4 0x00007f9b024b066a in start_thread (arg=0x7f9af5787700) at pthread_create.c:333
#5 0x00007f9b03a42e4d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Thread 8 (Thread 0x7f9ad1e0b700 (LWP 4531)):
#0 0x00007f9b03a3783d in poll () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007f9b0135530c in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2 0x00007f9b0135541c in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007f9b01355459 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007f9b0137bae5 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5 0x00007f9b024b066a in start_thread (arg=0x7f9ad1e0b700) at pthread_create.c:333
#6 0x00007f9b03a42e4d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Thread 7 (Thread 0x7f9ad160a700 (LWP 4532)):
#0 0x00007f9b03a3783d in poll () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007f9b0135530c in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2 0x00007f9b01355692 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007f9af8ddc016 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#4 0x00007f9b0137bae5 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5 0x00007f9b024b066a in start_thread (arg=0x7f9ad160a700) at pthread_create.c:333
#6 0x00007f9b03a42e4d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Thread 6 (Thread 0x7f9ac7fff700 (L...


Albert Astals Cid (aacid) wrote:

Seems like a mir issue?

Thread 1 (Thread 0x7f9afc45c8c0 (LWP 4435)):
#0 0x00007f9b03971227 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1 0x00007f9b03972e8a in __GI_abort () at abort.c:89
#2 0x00007f9b039b4bb3 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7f9b03acd128 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007f9b039bcbc9 in malloc_printerr (ptr=<optimised out>, str=0x7f9b03acd238 "double free or corruption (out)", action=1) at malloc.c:4965
#4 _int_free (av=<optimised out>, p=<optimised out>, have_lock=0) at malloc.c:3834
#5 0x00007f9b039c07fc in __GI___libc_free (mem=<optimised out>) at malloc.c:2950
#6 0x00007f9ac6838901 in google::protobuf::internal::DestroyDefaultRepeatedFields() () from /usr/lib/x86_64-linux-gnu/libprotobuf.so.9
#7 0x00007f9af99a172b in google::protobuf::ShutdownProtobufLibrary() () from /usr/lib/x86_64-linux-gnu/libprotobuf-lite.so.9
#8 0x00007f9afa1f85e9 in ?? () from /usr/lib/x86_64-linux-gnu/libmirprotobuf.so.3
#9 0x00007f9b05e68bf7 in _dl_fini () at dl-fini.c:252
#10 0x00007f9b03975cf2 in __run_exit_handlers (status=0, listp=0x7f9b03d00698 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true) at exit.c:82
#11 0x00007f9b03975d45 in __GI_exit (status=<optimised out>) at exit.c:104
#12 0x00007f9b0395ca07 in __libc_start_main (main=0x406810, argc=1, argv=0x7ffefeb6f5b8, init=<optimised out>, fini=<optimised out>, rtld_fini=<optimised out>,
    stack_end=0x7ffefeb6f5a8) at libc-start.c:323
#13 0x0000000000406939 in _start ()

Alberto Aguirre (albaguirre) wrote:

It's a protobuf problem really.

The issue is Mir's libmirprotobuf links against libprotobuf-lite; the call to ShutdownProtobufLibrary is expected to be resolved by libprotobuf-lite; in this case presumably libprotobuf was also loaded and the linker is resolving "ShutdownProtobufLibrary" to libmirprotobuf instead hence the crash.

Alberto Aguirre (albaguirre) wrote:

An strace log would be helpful to see what's loading libprotobuf.

Andrea Bernabei (faenil) wrote:

Using lsof I noticed that libprotobuf was being loaded by:
unity8
telephony-service-handler

After inspection with ldd, I found out that
- unity8 doesn't explicitly load libprotobuf
- /usr/bin/telephony-service* (-handler, -indicator, -approver) all link to libprotobuf.so.9

Does that help?

Andrea Bernabei (faenil) wrote:

I also modified /usr/share/upstart/sessions/unity8.conf to run "strace unity8"

and unity8 doesn't seem to be directly loading libprotobuf (even though lsof refers to unity8)

:~$ cat .cache/upstart/unity8.log | grep protobuf
open("/usr/lib/x86_64-linux-gnu/unity8/libmirprotobuf.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/libmirprotobuf.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/x86_64-linux-gnu/unity8/libprotobuf-lite.so.9", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/libprotobuf-lite.so.9", O_RDONLY|O_CLOEXEC) = 3
read(33, "x-gnu/libmirprotobuf.so.3\n7f821c"..., 1024) = 1024
read(33, "x-gnu/libmirprotobuf.so.3\n7f821c"..., 1024) = 1024

Changed in mir (Ubuntu):
status: New → Invalid
Changed in mir:
status: New → Invalid
Alberto Aguirre (albaguirre) wrote:

Right, so somehow unity8 loads libmirprotobuf (a plugin perhaps?)

Not much we can do from mir side.

It's a consequence of loading libprotobuf and libprotobuf-lite in the same process, as the library symbols will have name collisions (a protobuf issue).

Alberto Aguirre (albaguirre) wrote:

Ooops s/libmirprotobuf/libprotobuf (typo)

Andrea Bernabei (faenil) wrote:

full strace (sorry, internal as it may contain private info)

https://pastebin.canonical.com/148214/

let me know how to proceed :)

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity8 (Ubuntu):
status: New → Confirmed
Albert Astals Cid (aacid) wrote:

Mir uses libprotobuf-lite
telephony-service (through libphonenumber) uses libprotobuf

According to Alberto both are incompatible, so we need to make Mir use libprotobuf or make libphonenumber use libprotobuf-lite

Does anyone know what would be a better idea/possible?

Changed in mir (Ubuntu):
status: Invalid → New
Albert Astals Cid (aacid) wrote:

When i say telephony-service i mean libtelephonyservice-qml.so that unity8 uses as a plugin.

Tiago Salem Herrmann (tiagosh) wrote:

It is possible to link libphonenumber against protobuf-lite with this patch: http://pastebin.ubuntu.com/14680746/ .

Daniel van Vugt (vanvugt) wrote:

Indeed libprotobuf-lite is more desirable than libprotobuf. It was a significant step forward when Alberto made it possible for Mir to switch to "lite". Although both protobuf versions suffer from coexistence problems, obviously.

Changed in mir (Ubuntu):
status: New → Won't Fix
Changed in mir:
status: Invalid → Won't Fix
Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libphonenumber (Ubuntu):
status: New → Confirmed
Changed in telephony-service (Ubuntu):
status: New → Confirmed
Andrea Bernabei (faenil) wrote:

was this fixed in libphonenumber already?

I can logout after today's upgrade...

Christopher Townsend (townsend) wrote:

I still see this crash on a fully updated Xenial machine.

summary: - Unity8 crashes on session logout on desktop
+ Unity8 crashes on session logout on desktop [double free in
+ google::protobuf::ShutdownProtobufLibrary()]
summary: - Unity8 crashes on session logout on desktop [double free in
+ Unity8 crashes [double free in
google::protobuf::ShutdownProtobufLibrary()]
Daniel van Vugt (vanvugt) wrote: Re: Unity8 crashes [double free in google::protobuf::ShutdownProtobufLibrary()]

libphonenumber still uses the /unsafe/ library on xenial:
$ ldd /usr/lib/x86_64-linux-gnu/libphonenumber.so.7.0
 libprotobuf.so.9 => /usr/lib/x86_64-linux-gnu/libprotobuf.so.9 (0x00007f4aebb5d000)

However I'm not sure that's the primary problem. I'm getting a very similar crash on Unity8 login now. Although that could just be this same shutdown crash triggered by some other start-up failure.

summary: - Unity8 crashes [double free in
- google::protobuf::ShutdownProtobufLibrary()]
+ Unity8 crashes with "Error in `unity8': double free or corruption"
Changed in unity8 (Ubuntu):
importance: Undecided → High
Daniel van Vugt (vanvugt) wrote:

Sorry, my unity8.logs are from yesterday, as I can see evidence of me running clients. My crashing unity8 on login is doing so without a trace :(

Changed in libphonenumber (Ubuntu):
importance: Undecided → Critical
Changed in unity8 (Ubuntu):
importance: High → Critical
summary: Unity8 crashes with "Error in `unity8': double free or corruption"
+ called from libprotobuf.so.9, called from libprotobuf-lite.so.9
tags: added: black-screen
summary: - Unity8 crashes with "Error in `unity8': double free or corruption"
- called from libprotobuf.so.9, called from libprotobuf-lite.so.9
+ Unity8 crashes on logout with "Error in `unity8': double free or
+ corruption" called from libprotobuf.so.9, called from libprotobuf-
+ lite.so.9
Daniel van Vugt (vanvugt) wrote: Re: Unity8 crashes on logout with "Error in `unity8': double free or corruption" called from libprotobuf.so.9, called from libprotobuf-lite.so.9

If we are to solve this crash, we either need Mir to switch from libprotobuf-lite back to libprotobuf, or all of these to switch to libprotobuf-lite:

/usr/lib/x86_64-linux-gnu/history-service/plugins/libsqlitehistoryplugin.so:
 libprotobuf.so.9 => /usr/lib/x86_64-linux-gnu/libprotobuf.so.9 (0x00007fe06ea55000)
/usr/lib/x86_64-linux-gnu/libhistoryservice.so.0.0.0:
 libprotobuf.so.9 => /usr/lib/x86_64-linux-gnu/libprotobuf.so.9 (0x00007f8120b7d000)
/usr/lib/x86_64-linux-gnu/libhistoryservice.so.0:
 libprotobuf.so.9 => /usr/lib/x86_64-linux-gnu/libprotobuf.so.9 (0x00007fdf2a6ce000)
/usr/lib/x86_64-linux-gnu/libphonenumber.so.7.0:
 libprotobuf.so.9 => /usr/lib/x86_64-linux-gnu/libprotobuf.so.9 (0x00007f3dd1822000)
/usr/lib/x86_64-linux-gnu/libphonenumber.so.7:
 libprotobuf.so.9 => /usr/lib/x86_64-linux-gnu/libprotobuf.so.9 (0x00007fa96806a000)
/usr/lib/x86_64-linux-gnu/qt5/qml/Ubuntu/Telephony/libtelephonyservice-qml.so:
 libprotobuf.so.9 => /usr/lib/x86_64-linux-gnu/libprotobuf.so.9 (0x00007fd491586000)

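The ldd sweep above, and Andrea's earlier lsof and ldd pass, are the check worth automating. The script below is an added example, not code from the bug report or from any of the packages named here: it reports processes whose /proc/PID/maps contain both libprotobuf.so.N and libprotobuf-lite.so.N (the precondition for this crash), and lists DT_NEEDED entries with readelf rather than ldd. It assumes the Linux /proc layout and GNU binutils readelf output; the embedded maps sample is constructed for the demo, not captured from unity8.

```shell
#!/bin/sh
# Added example, not code from the bug report: find address spaces that map
# both libprotobuf.so.N and libprotobuf-lite.so.N, the precondition for the
# crash above, and list which ELF objects pull each one in, without ldd.

# protobuf_libs_in_maps: read a /proc/PID/maps listing on stdin and print the
# distinct protobuf sonames mapped, one per line (C-locale order).
protobuf_libs_in_maps() {
    awk 'NF >= 6 { n = split($6, p, "/"); print p[n] }' \
        | grep -E '^libprotobuf(-lite)?\.so\.[0-9]+$' \
        | LC_ALL=C sort -u || true
}

# maps_verdict: "conflict" when the full and the lite runtime share one
# address space (two copies of every protobuf symbol), else "clean".
maps_verdict() {
    libs=$(protobuf_libs_in_maps)
    lite=0; full=0
    case "$libs" in *libprotobuf-lite.so.*) lite=1 ;; esac
    case "$libs" in *libprotobuf.so.*) full=1 ;; esac
    if [ "$lite" = 1 ] && [ "$full" = 1 ]; then echo conflict; else echo clean; fi
}

# scan_live: apply the verdict to every /proc/PID/maps you can read (your own
# processes, or all of them as root) and print the offenders.
scan_live() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        if [ "$(maps_verdict < "$maps" 2>/dev/null)" = conflict ]; then
            printf '%s %s: %s\n' "$pid" "$(cat /proc/"$pid"/comm 2>/dev/null)" \
                "$(protobuf_libs_in_maps < "$maps" 2>/dev/null | tr '\n' ' ')"
        fi
    done
}

# needed_protobuf: DT_NEEDED entries of one ELF object that name a protobuf
# runtime. readelf only parses the file; ldd may end up executing the object
# it inspects, so never run ldd over untrusted binaries or plugins.
needed_protobuf() {
    readelf -d "$1" 2>/dev/null \
        | sed -n 's/.*(NEEDED).*\[\(libprotobuf[^]]*\)\].*/\1/p'
}

# scan_objects DIR...: every .so under the given directories with its
# protobuf dependency, so mixed-runtime plugin sets stand out.
scan_objects() {
    find "$@" -name '*.so*' -type f 2>/dev/null | while read -r obj; do
        deps=$(needed_protobuf "$obj" | tr '\n' ' ')
        if [ -n "$deps" ]; then printf '%s: %s\n' "$obj" "$deps"; fi
    done
}

# Constructed sample (not a capture): the three objects from the backtrace
# mapped into one process, plus a stack line the filter must ignore.
SAMPLE_MAPS='7f9afa1f8000-7f9afa200000 r-xp 00000000 08:01 4242 /usr/lib/x86_64-linux-gnu/libmirprotobuf.so.3
7f9af99a1000-7f9af99c0000 r-xp 00000000 08:01 4243 /usr/lib/x86_64-linux-gnu/libprotobuf-lite.so.9
7f9ac6838000-7f9ac6900000 r-xp 00000000 08:01 4244 /usr/lib/x86_64-linux-gnu/libprotobuf.so.9
7ffefeb4f000-7ffefeb70000 rw-p 00000000 00:00 0                          [stack]'

case "${1:-}" in
    --live)    scan_live ;;
    --objects) shift; scan_objects "$@" ;;
    *)         printf 'sample process: %s\n' "$(printf '%s\n' "$SAMPLE_MAPS" | maps_verdict)" ;;
esac
```

With no arguments it checks the constructed sample and prints "sample process: conflict"; `--live` walks every readable /proc/PID/maps and names the processes that carry both runtimes (unity8 in this report); `--objects /usr/lib/x86_64-linux-gnu/qt5/qml /usr/lib/x86_64-linux-gnu/history-service` shows which plugin pulls in which runtime. The ldd sweep in the comment above gives the same answer, but ldd can attempt to run the object it inspects, so readelf is the safer tool on a plugin directory that is not fully trusted.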
Changed in mir:
status: Won't Fix → Opinion
Changed in mir (Ubuntu):
status: Won't Fix → Opinion
Changed in mir:
status: Opinion → New
Changed in mir (Ubuntu):
status: Opinion → New
Changed in mir:
importance: Undecided → High
Changed in libphonenumber (Ubuntu):
importance: Critical → High
Changed in unity8 (Ubuntu):
importance: Critical → High
Changed in mir:
status: New → Confirmed
Changed in mir (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Changed in telephony-service (Ubuntu):
importance: Undecided → High
Daniel van Vugt (vanvugt) wrote:

Or for someone to fix protobuf itself, of course.

Changed in protobuf (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Alan Griffiths (alan-griffiths) wrote:

I suspect the right solution is to fix the approach taken in Mesa to detect Mir:

All the above modules should be loaded with RTLD_LOCAL. As far as I can tell they are, so they shouldn't interact.

However, Mir's mesa.so.X client platform module reloads itself with RTLD_GLOBAL so that Mesa can find a Mir entry point. (Yes, this is an ugly hack.)

That is likely what causes symbols to be resolved from the wrong protobuf library and the problems seen here.

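Alan's explanation, and Alberto's earlier point about name collisions, can be verified with a toy. The script below is an added example, not code from Mir, Mesa, protobuf or the bug report: it builds two constructed runtimes, liblite and libfull, that export the same two functions (stand-ins for ShutdownProtobufLibrary and DestroyDefaultRepeatedFields), loads lite with RTLD_GLOBAL or RTLD_LOCAL, then loads full with RTLD_LOCAL and calls full's own pb_shutdown through its handle. Each function only prints which copy it is rather than freeing anything, so the mis-binding is visible without the double free; the direction is mirrored relative to the backtrace (full's shutdown lands in lite's helper) because whichever runtime sits in the global scope captures the other's internal calls. It assumes Linux with glibc's dlopen scoping rules and a gcc- or clang-compatible cc.

```shell
#!/bin/sh
# Added example, not code from Mir, protobuf or the bug report: a minimal
# reproduction of the interposition mechanism described above, using two
# constructed runtimes (lite, full) that export the same names. Linux/glibc.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CC=${CC:-cc}

# Each runtime's pb_shutdown() calls its pb_destroy_defaults() through the
# PLT, the shape of ShutdownProtobufLibrary() -> DestroyDefaultRepeatedFields()
# in the backtrace. Only the tag printed differs between the two.
write_runtime() {   # $1 = lite | full
    cat > "$WORK/$1.c" <<EOF
#include <stdio.h>
void pb_destroy_defaults(void) { puts("destroy_defaults: $1"); }
void pb_shutdown(void) { puts("shutdown: $1"); pb_destroy_defaults(); }
EOF
}

# Host: load lite first (RTLD_GLOBAL = the "module reloads itself globally"
# hack, RTLD_LOCAL = what a plugin loader should do), then load a full build
# RTLD_LOCAL and call *its* pb_shutdown by handle.
cat > "$WORK/host.c" <<'EOF'
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
    int mode = (argc > 1 && strcmp(argv[1], "global") == 0) ? RTLD_GLOBAL : RTLD_LOCAL;
    const char *full_path = argc > 2 ? argv[2] : "./libfull.so";
    void *full;
    void (*shutdown)(void);
    if (!dlopen("./liblite.so", RTLD_NOW | mode)) { fprintf(stderr, "%s\n", dlerror()); return 1; }
    if (!(full = dlopen(full_path, RTLD_NOW | RTLD_LOCAL))) { fprintf(stderr, "%s\n", dlerror()); return 1; }
    /* dlsym on the handle finds full's own pb_shutdown; which pb_destroy_defaults
       that call reaches was decided when full's relocations were resolved above */
    *(void **)(&shutdown) = dlsym(full, "pb_shutdown");
    if (!shutdown) { fprintf(stderr, "%s\n", dlerror()); return 1; }
    shutdown();
    return 0;
}
EOF

build_all() {
    write_runtime lite
    write_runtime full
    $CC -O0 -fPIC -shared -o "$WORK/liblite.so" "$WORK/lite.c"
    $CC -O0 -fPIC -shared -o "$WORK/libfull.so" "$WORK/full.c"
    # Same source, but references to its own definitions are bound at link
    # time, so nothing in the global scope can interpose them.
    $CC -O0 -fPIC -shared -Wl,-Bsymbolic -o "$WORK/libfull_symbolic.so" "$WORK/full.c"
    $CC -o "$WORK/host" "$WORK/host.c" -ldl
}

# run_case MODE LIB: one line, "shutdown: <who> -> destroy_defaults: <who>"
run_case() {
    (cd "$WORK" && ./host "$1" "./$2") | tr '\n' ' ' | sed 's/ $//; s/ destroy/ -> destroy/'
}

if command -v "$CC" >/dev/null 2>&1; then
    HAVE_CC=1
    build_all
    echo "lite RTLD_GLOBAL, plain full:      $(run_case global libfull.so)"
    echo "lite RTLD_LOCAL,  plain full:      $(run_case local  libfull.so)"
    echo "lite RTLD_GLOBAL, -Bsymbolic full: $(run_case global libfull_symbolic.so)"
else
    HAVE_CC=0
    echo "no C compiler ($CC) found; nothing built"
fi
```

With lite in the global scope, full's pb_shutdown ends up in lite's pb_destroy_defaults; with lite loaded RTLD_LOCAL, or with full linked -Wl,-Bsymbolic, every call stays inside full. Running any case under LD_DEBUG=bindings makes glibc print which object each symbol was bound to, and the same variable works on the real unity8 session to confirm where ShutdownProtobufLibrary and DestroyDefaultRepeatedFields resolve. -Bsymbolic only protects a library's references to its own definitions; a reference that genuinely crosses libraries, such as libmirprotobuf's call into ShutdownProtobufLibrary, is still resolved by scope, so keeping one protobuf runtime per process, or keeping the platform module out of the global scope, remains the real fix.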
tags: added: egl-platform-mir
dinamic (dinamic6661) wrote:
tags: added: unity8-desktop
Daniel van Vugt (vanvugt) wrote:

I was wondering why we don't get more heat from users on this crash since it happens every time you log out of Unity8. Turns out we do get the crash reports and nobody noticed...

https://errors.ubuntu.com/problem/72327e33abf9e9da2cd9ed1ac28b9d843c18b5bb

Changed in mir:
assignee: nobody → Daniel van Vugt (vanvugt)
milestone: none → 0.25.0
status: Confirmed → In Progress
Changed in mir:
status: In Progress → Triaged
assignee: Daniel van Vugt (vanvugt) → nobody
milestone: 0.25.0 → none
Andrea Azzarone (azzar1) wrote:

This prevents cleanly restarting unity8 too.

summary: - Unity8 crashes on logout with "Error in `unity8': double free or
+ Unity8 crashes on exit with "Error in `unity8': double free or
corruption" called from libprotobuf.so.9, called from libprotobuf-
lite.so.9
description: updated
summary: - Unity8 crashes on exit with "Error in `unity8': double free or
- corruption" called from libprotobuf.so.9, called from libprotobuf-
- lite.so.9
+ Unity8 reliably crashes on exit due to heap corruption (libprotobuf.so.9
+ called from libprotobuf-lite.so.9), causing delays while it dumps core
+ and reports errors.
Changed in canonical-devices-system-image:
status: New → Confirmed
importance: Undecided → High
Changed in canonical-devices-system-image:
milestone: none → u8c-1
summary: - Unity8 reliably crashes on exit due to heap corruption (libprotobuf.so.9
- called from libprotobuf-lite.so.9), causing delays while it dumps core
- and reports errors.
+ Unity8 reliably crashes on logout due to heap corruption
+ (libprotobuf.so.9 called from libprotobuf-lite.so.9), causing delays
+ while it dumps core and reports errors.
Changed in canonical-devices-system-image:
assignee: nobody → Stephen M. Webb (bregma)
kevin gunn (kgunn72)
Changed in canonical-devices-system-image:
status: Confirmed → In Progress
Daniel van Vugt (vanvugt) wrote:

Not in progress any more; that was just an experiment in the branch attached.

Although I have not verified this bug still happens. The last known definite record of it was dupe bug 1654308 from 5 January.

Changed in canonical-devices-system-image:
status: In Progress → Confirmed
Changed in canonical-devices-system-image:
milestone: u8c-1 → u8c-2
status: Confirmed → Incomplete
Changed in mir:
status: Triaged → Won't Fix
Changed in mir (Ubuntu):
status: Confirmed → Won't Fix
Changed in canonical-devices-system-image:
status: Incomplete → Won't Fix
Changed in unity8 (Ubuntu):
status: Confirmed → Won't Fix