Destruction of GuiRunner's EventManager causes a segfault at exit

[azeey]

Environment

• OS Version: Ubuntu 20.04
• Source or binary build? main, b2549dd04078a3f31d43215b8a858d05a2de9565

Description

• Expected behavior: No segfault at exit
• Actual behavior: A segfault occurs when the GUI terminates due to what appears to be the destruction of GuiRunner's EventManager object. I believe the cause for this is as follows:
  • GuiRunner's EventManager object contains ignition::common::EventT objects created by GUI plugins. Since these are templates, the vtable for the objects is stored in the shared library of the GUI plugin that creates the EventT objects.
  • event::SceneUpdate is emitted in RenderUtil.cc which is part of libignition-gazebo7-rendering.so. And libGzSceneManager.so depends on libignition-gazebo7-rendering.so. Emitting that event creates the EventT object which is stored in GuiRunner's EventManager object, but the vtable is stored in libignition-gazebo7-rendering.so.
  • When the GUI terminates, libGzSceneManager.so is unloaded, which in turn unloades libignition-gazebo7-rendering.so. This invalidates the vtable for the event::SceneUpdate object contained in GuiRunner's EventManager object.
  • When it's time for GuiRunner's EventManager object to be destroyed, the virtual destructor for the event::SceneUpdate object is called, but since the pointer to the destructor points to an address that is no longer accessible, a segfault occurs.

Other notes:

• This is a similar issue to #1158, but this time it involves EventT.
• This segfault does not occur in ign-gazebo6. I'm not sure what changed between ign-gazebo6 and main, but the only difference I can tell so far is in main, libGzSceneManager.so is unloaded in when you exit before GuiRunner is destroyed. In ign-gazebo6, it never gets unloaded.

Steps to reproduce

1. Run ign gazebo empty.sdf
2. Type ctrl-c on the terminal

Output

Stack trace

``` #31 Object "/home/addisu/.rbenv/versions/2.5.1/lib/libruby.so.2.5", at 0x7f192f6eec78, in #30 Object "/home/addisu/.rbenv/versions/2.5.1/lib/ruby/2.5.0/x86_64-linux/fiddle.so", at 0x7f192e01d8b4, in #29 Object "/home/addisu/.rbenv/versions/2.5.1/lib/libruby.so.2.5", at 0x7f192f6c3ee7, in rb_thread_call_without_gvl #28 Object "/home/addisu/.rbenv/versions/2.5.1/lib/ruby/2.5.0/x86_64-linux/fiddle.so", at 0x7f192e01da77, in #27 Object "/usr/lib/x86_64-linux-gnu/libffi.so.6", at 0x7f192ddd171e, in ffi_call #26 Object "/usr/lib/x86_64-linux-gnu/libffi.so.6", at 0x7f192ddd1dad, in ffi_call_unix64 #25 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-ign.so.7.0.0~pre1", at 0x7f192d0ff9d0, in runGui #24 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd2eb39, in ignition::gazebo::v7::gui::runGui(int&, char**, char const*, char const*) #23 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd30677, in std::unique_ptr >::~unique_ptr() #22 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd31403, in std::default_delete::operator()(ignition::gui::Application*) const #21 Object "/home/addisu/ws/garden/install/lib/libignition-gui7.so.7", at 0x7f192ac365cc, in ignition::gui::Application::~Application() #20 Object "/home/addisu/ws/garden/install/lib/libignition-gui7.so.7", at 0x7f192ac36326, in ignition::gui::Application::~Application() #19 Object "/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5", at 0x7f192a6c949d, in QApplication::~QApplication() #18 Object "/usr/lib/x86_64-linux-gnu/libQt5Core.so.5", at 0x7f192af2a97d, in QCoreApplication::~QCoreApplication() #17 Object "/usr/lib/x86_64-linux-gnu/libQt5Core.so.5", at 0x7f192af5c4be, in QObject::~QObject() #16 Object "/usr/lib/x86_64-linux-gnu/libQt5Core.so.5", at 0x7f192af51eed, in QObjectPrivate::deleteChildren() #15 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd425d9, in ignition::gazebo::v7::GuiRunner::~GuiRunner() #14 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd425ad, in ignition::gazebo::v7::GuiRunner::~GuiRunner() #13 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd7354f, in std::unique_ptr::~unique_ptr() #12 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd7a403, in void ignition::utils::detail::DefaultDelete(ignition::gazebo::v7::GuiRunner::Implementation*) #11 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd7a31d, in ignition::gazebo::v7::GuiRunner::Implementation::~Implementation() #10 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd732ab, in ignition::gazebo::v7::EventManager::~EventManager() #9 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd7326b, in std::unordered_map, std::unique_ptr >, ignition::gazebo::v7::EventManager::Hasher, ignition::gazebo::v7::EventManager::EqualTo, std::allocator const, std::unique_ptr > > > >::~unordered_map() #8 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd7a2df, in std::_Hashtable, std::pair const, std::unique_ptr > >, std::allocator const, std::unique_ptr > > >, std::__detail::_Select1st, ignition::gazebo::v7::EventManager::EqualTo, ignition::gazebo::v7::EventManager::Hasher, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits >::~_Hashtable() #7 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd7fe8b, in std::_Hashtable, std::pair const, std::unique_ptr > >, std::allocator const, std::unique_ptr > > >, std::__detail::_Select1st, ignition::gazebo::v7::EventManager::EqualTo, ignition::gazebo::v7::EventManager::Hasher, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits >::clear() #6 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd851ab, in std::__detail::_Hashtable_alloc const, std::unique_ptr > >, true> > >::_M_deallocate_nodes(std::__detail::_Hash_node const, std::unique_ptr > >, true>*) #5 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd88fbc, in std::__detail::_Hashtable_alloc const, std::unique_ptr > >, true> > >::_M_deallocate_node(std::__detail::_Hash_node const, std::unique_ptr > >, true>*) #4 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd8c3e8, in void std::allocator_traits const, std::unique_ptr > >, true> > >::destroy const, std::unique_ptr > > >(std::allocator const, std::unique_ptr > >, true> >&, std::pair const, std::unique_ptr > >*) #3 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd92ef9, in void __gnu_cxx::new_allocator const, std::unique_ptr > >, true> >::destroy const, std::unique_ptr > > >(std::pair const, std::unique_ptr > >*) #2 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd92ed5, in std::pair const, std::unique_ptr > >::~pair() #1 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd95c5d, in std::unique_ptr >::~unique_ptr() #0 Object "/home/addisu/ws/garden/install/lib/libignition-gazebo7-gui.so.7", at 0x7f192cd9731e, in std::default_delete::operator()(ignition::common::Event*) const Segmentation fault (Address not mapped to object [0x7f18eece5cb8]) ```

[adlarkin]

This segfault does not occur in ign-gazebo6. I'm not sure what changed between ign-gazebo6 and main, but the only difference I can tell so far is in main, libGzSceneManager.so is unloaded in when you exit before GuiRunner is destroyed. In ign-gazebo6, it never gets unloaded.

Is there any reason why libGzSceneManager.so is unloaded in main, but not on ign-gazebo6? I guess one patch for this issue is to never unload libGzSceneManager.so in main, but I'm guessing we don't want to do that since that could technically result in memory leaks.

[azeey]

Fixed by https://github.com/gazebosim/gz-gui/pull/469