Re: kio slaves + kcrash + drkonqi

[Harald Sitter]

On Sun, Sep 16, 2018 at 10:48 AM David Faure  wrote:
> How about just killing the KDE_DEBUG check *and* the code that prints out a
> backtrace?

I'm always in favor of less code, so I'll prepare a diff for this.

> > - Possibly KCRASH_AUTO_RESTARTED needs setting by something in KIO.
> > From what I see, if I make a slave crash on every invocation, KIO
> > would try to repeat the action it wanted to do by restarting the salve
> > ad infinitum when instead it should abort at some point so as to not
> > spam the user with drkonqis.
>
> I don't see why KIO would try to repeat the action.
> The app creates a job, it fails because the kioslave crashed, end of story.
> There is no autorestart here.
>
> Although, I can imagine that if you copy one directory with 1000 files and the
> kioslave only crashes in the file copy code, you'd get 1000 drkonqis.
> But this seems a bit corner case and is all unrelated to this KF5 porting
> issue (the missing call to KCrash::initialize).

I had an assert fail in GetFileSystemFreeSpace which caused a drkonqi
to repeatedly start, but with what I've learned since then I think
that was caused by dolphin repeatedly trying to get the info. This
isn't something restart handling would or could prevent. With that in
mind this type of issue likely needs solving in drkonqi, i.e. I think
the problem is with the presentation of the repeated crashing more
than the crashing itself.

> > The end result is that we still have the stderr backtrace, which I
> > think is very useful.
>
> Did you test it? Was it really useful?

Well, it was more useful than no backtrace at all, but as you say the
actual symbol names are useless as far as the salve is concerned.

> > In fact, by dropping the KDE_DEBUG condition
> > it's always enabled even when the user disables drkonqi using
> > KDE_DEBUG=1.
>
> Either this is unsafe (because of memory allocations) and we shouldn't do it,
> or if we think it's safe and useful, then as you say it should be done by
> kcrash. Conclusion, no, this code shouldn't be kept at all in SlaveBase...
>
> More details on whether this is safe: the man page says
>
> "backtrace() and backtrace_symbols_fd() don't call malloc() explicitly, but
> they are part of libgcc, which gets loaded dynamically when first used.
> Dynamic loading usually triggers a call to malloc(3).  If you need certain
> calls to these two functions to not allocate memory (in signal handlers, for
> example), you need to make sure libgcc is loaded beforehand."
>
> I'm pretty sure we don't do that...

I've had a look and indeed I can not find any explicit call to make
sure libgcc is loaded.

> > (In fact, I'd even argue that maybe kcrash itself should do the
> > backtrace() print. It seems useful in all crash scenarios I'd imagine,
> > in particular consider drkonqi can be disabled or not installed. But
> > then I don't know if/what performance penalty it'd entail with regards
> > to auto restarts.)
>
> My opinion is that a debugger is much better suited for getting useful
> backtraces (including parameter values, and the ability to inspect local
> variables).

Yes I agree.

So, the new plan is to remove the handler code from SlaveBase and
instead initialize KCrash. backtrace() code goes away entirely.
If someone wants the backtrace() feature it should be moved to KCrash
and before setting the crash handler libgcc needs to be explicitly
lazy-loaded with a call to any libgcc function. I would suggest people
check out coredumpd or another core handler though.

HS

Re: kio slaves + kcrash + drkonqi

[David Faure]

Hi Harald,

On mardi 11 septembre 2018 14:25:15 CEST Harald Sitter wrote:
> The debugging faq [1] suggest that this should behave like KCrash. by
> default all crashes get drkonqi'd unless you set KDE_DEBUG at which
> point drkonqi is disabled. However, having quickly jumped through the
> kdelibs history I am not sure that was true even before the kf5 shake
> up...

Well, it used to be that *just* linking to KCrash would enable it.
The need to call initialize() is new in KF5.
So when KDE_DEBUG wasn't set, I'm pretty sure you would get drkonqi,
and when it was set, the point was to disable drkonqi anyway.

> More importantly, why would one bypass kcrash at all?

I personally disable drkonqi globally and look for core dumps instead,
so I can use gdb to e.g. print local variables.
 
> - SlaveBase calls KCrash::initialize()

Yes. That's what's missing.

> - SlaveBase drops the KDE_DEBUG check

If you want, I suppose KCrash itself will check for it anyway.

> - SlaveBase uses KCrash::setCrashHandler to set its own crash handler
> to print the backtrace on stderr

I'm not sure about this part.
1) that code itself might crash, especially if it has to allocate memory [more 
on that below]
2) such backtraces are often useless because they only contain exported 
symbols. Due to hidden visibility being enabled by default, everything else is 
"???" (the glibc backtrace functionality isn't as clever as gdb...).
When this code was written, we didn't have hidden visibility, so it was more 
useful.

How about just killing the KDE_DEBUG check *and* the code that prints out a 
backtrace?

> - Possibly KCRASH_AUTO_RESTARTED needs setting by something in KIO.
> From what I see, if I make a slave crash on every invocation, KIO
> would try to repeat the action it wanted to do by restarting the salve
> ad infinitum when instead it should abort at some point so as to not
> spam the user with drkonqis.

I don't see why KIO would try to repeat the action.
The app creates a job, it fails because the kioslave crashed, end of story.
There is no autorestart here.

Although, I can imagine that if you copy one directory with 1000 files and the 
kioslave only crashes in the file copy code, you'd get 1000 drkonqis.
But this seems a bit corner case and is all unrelated to this KF5 porting 
issue (the missing call to KCrash::initialize).

> The end result is that we still have the stderr backtrace, which I
> think is very useful. 

Did you test it? Was it really useful?

> In fact, by dropping the KDE_DEBUG condition
> it's always enabled even when the user disables drkonqi using
> KDE_DEBUG=1.

Either this is unsafe (because of memory allocations) and we shouldn't do it,
or if we think it's safe and useful, then as you say it should be done by 
kcrash. Conclusion, no, this code shouldn't be kept at all in SlaveBase...

More details on whether this is safe: the man page says

"backtrace() and backtrace_symbols_fd() don't call malloc() explicitly, but 
they are part of libgcc, which gets loaded dynamically when first used.  
Dynamic loading usually triggers a call to malloc(3).  If you need certain 
calls to these two functions to not allocate memory (in signal handlers, for 
example), you need to make sure libgcc is loaded beforehand."

I'm pretty sure we don't do that...

> (In fact, I'd even argue that maybe kcrash itself should do the
> backtrace() print. It seems useful in all crash scenarios I'd imagine,
> in particular consider drkonqi can be disabled or not installed. But
> then I don't know if/what performance penalty it'd entail with regards
> to auto restarts.)

My opinion is that a debugger is much better suited for getting useful 
backtraces (including parameter values, and the ability to inspect local 
variables).

-- 
David Faure, fa...@kde.org, http://www.davidfaure.fr
Working on KDE Frameworks 5

kio slaves + kcrash + drkonqi

[Harald Sitter]

Hey

I am a bit confused about crash handling in kio slaves. As in: it's
not working the way it should be working and I don't know why it is
the way it is.

The debugging faq [1] suggest that this should behave like KCrash. by
default all crashes get drkonqi'd unless you set KDE_DEBUG at which
point drkonqi is disabled. However, having quickly jumped through the
kdelibs history I am not sure that was true even before the kf5 shake
up...

kio/src/core/slavebase.cpp has

```
if (qEnvironmentVariableIsEmpty("KDE_DEBUG")) {
::signal(SIGSEGV, _handler);

```

sigsegv_handler is a local crash handler that is bypassing kcrash AND
drkonqi entirely and instead prints a backtrace() to stderr.

i.e. by default a slave crash is logged via the local-to-slave crash
handler to stderr. when setting KDE_DEBUG even that logging gets
disabled.

Now to me that makes no sense at all. Why would one want to disable a
simple backtrace print? More importantly, why would one bypass kcrash
at all?

You might rightfully ask why I even care though. The problems are:

a) kcrash isn't used or initialized -> no drkonqi -> no user visible
crash reports about bugged out slaves (as a result it's near useless
to have any q_asserts or qfatals whatsoever in slaves) and we wouldn't
know if the slave quality is garbage
b) since kcrash isn't used -> no recording in dump handler
applications like coredumpd/apport/ABRT -> no way to retrace/report
after the fact either for sysadmins or distros
c) even if kcrash was used it'd still be overridden by the
local-to-slave handler, meaning a slave author can't even force kcrash
use unless they know about this and know how to force the correct
handler to be installed after the local-to-slave handler.

To me it seems all of this is weird and horrible and what I think
would make much more sense is:

- SlaveBase drops the KDE_DEBUG check
- SlaveBase calls KCrash::initialize()
- SlaveBase uses KCrash::setCrashHandler to set its own crash handler
to print the backtrace on stderr
- SlaveBase's backtrace handler then forwards to
KCrash::defaultCrashHandler so shared logic runs (i.e. drkonqi and
then forwarding to dump handlers on linux)
- Possibly KCRASH_AUTO_RESTARTED needs setting by something in KIO.
>From what I see, if I make a slave crash on every invocation, KIO
would try to repeat the action it wanted to do by restarting the salve
ad infinitum when instead it should abort at some point so as to not
spam the user with drkonqis.

The end result is that we still have the stderr backtrace, which I
think is very useful. In fact, by dropping the KDE_DEBUG condition
it's always enabled even when the user disables drkonqi using
KDE_DEBUG=1. The user will get a GUI in the form of drkonqi enabling
them to file a crash report with us so we actually know that our
slaves are crashing. Through KCrash the crash is also forwarded to
system level crash handlers, if applicable, so sysadmins or distros
also know that our slaves are crashing.

(In fact, I'd even argue that maybe kcrash itself should do the
backtrace() print. It seems useful in all crash scenarios I'd imagine,
in particular consider drkonqi can be disabled or not installed. But
then I don't know if/what performance penalty it'd entail with regards
to auto restarts.)

Thoughts?

[1] https://community.kde.org/KDE/FAQs/Debugging_FAQ