Debugging

This section includes documentation on how to debug Flatpak apps.

Debug packages

Before debugging, it is essential to install the debug packages used by the application. This can be done by:

$ flatpak install --include-sdk --include-debug $FLATPAK_ID

This will install the SDK, the Debug SDK and the Debug extension for the application.

Debug shell

A debugging environment can be created by starting a shell inside the sandbox:

$ flatpak run --command=sh --devel --filesystem=$(pwd) $FLATPAK_ID

This creates a sandbox for the application with the given ID and, instead of running the application, runs a shell inside the sandbox. The --devel option tells Flatpak to use the SDK as the runtime, which includes various debugging tools and it also adjusts the sandbox setup to enable debugging.

It is also possible to get a shell inside an application sandbox without having to install it. This is done using flatpak-builder’s --run option:

$ flatpak-builder --run <build-dir> <manifest> sh

This sets up a sandbox that is populated with the build results found in the build directory, and runs a shell inside it.

Using GDB in the sandbox

Note that Debug packages must be installed to get meaningful traces from GDB. Once inside the Debug shell to run the application with gdb

$ gdb /app/bin/<application-binary>

To pass arguments to the application:

$ gdb --args /app/bin/<application-binary> <arguments>
$ (gdb) run

A breakpoint can also be set for example on the main function and once it is reached the source code can be listed:

$ (gdb) break main
  (gdb) run
  (gdb) list

Once the bug is reproduced, if it is a crash it will automatically return to the gdb prompt. In case of a freeze pressing Ctrl+c will cause it to return to the gdb prompt. Now enable logging to a file (this will be saved in the working directory and the Flatpak needs filesystem access to that --filesystem=$(pwd)):

$ (gdb) set logging enabled on

Then to get the backtrace:

$ (gdb) bt full

Or for all threads, in case of a multi-threaded program:

$ (gdb) thread apply all backtrace

Note that gdb inside the sandbox cannot use debug symbols from host’s debuginfod servers.

Please also see the GDB user manual for a more complete overview on how to use GDB.

Getting stacktraces from a crash

If an application crashed and the system has coredumps and systemd-coredump enabled, a coredump will be logged. Get the PID from that coredump:

$ coredumpctl list

Now run flatpak-coredumpctl (this requires Debug packages to be installed):

$ flatpak-coredumpctl -m <PID> $FLATPAK_ID
(gdb) bt full

Using other debugging tools

org.freedesktop.Sdk also includes other debugging tools like Valgrind which is useful to find memory leaks. Once inside the Debug shell, it can be run with:

$ valgrind --leak-check=full --track-origins=yes --show-leak-kinds=all --log-file="valgrind.log" /app/bin/<application-binary>

Strace can be useful to check what an application is doing. For example, to trace openat(), read() calls:

$ strace -e trace=openat,read -o strace.log -f /app/bin/<application-binary>

Perf requires access to --filesystem=/sys to run:

$ flatpak run --command=perf --filesystem=/sys --filesystem=$(pwd) --devel $FLATPAK_ID record -v -- <command>

Creating a Debug extension

Like many other packaging systems, Flatpak separates bulky debug information from regular content and ships it separately, in a Debug extension.

When an application is built, flatpak-builder automatically creates a Debug extension. This can be disabled with the no-debuginfo option.

To install the Debug extension created locally, pass --install to flatpak-builder which will set up a new remote for the build. The remotes available can be checked with:

$ flatpak remotes --columns=name,url

Then install the Debug extension from that remote:

$ flatpak install foo-origin $FLATPAK_ID.Debug

Overriding sandbox permissions

It is sometimes useful to have extra permissions in a sandbox when debugging. This can be achieved using the various sandbox options that are accepted by the run command. For example:

$ flatpak run --devel --command=sh --system-talk-name=org.freedesktop.login1 <application-id>

This command runs a shell in the sandbox for the given application, granting it system bus access to the bus name owned by logind.

Inspecting portal permissions

Flatpak has a number of commands that allow to manage portal permissions for applications.

To see all portal permissions of an application, use:

$ flatpak permission-show <application-id>

To reset all portal permissions of an application, use:

$ flatpak permission-reset <application-id>

Interacting with running sandboxes

You can see all the apps that are currently running in Flatpak sandboxes (since 1.2):

$ flatpak ps

And, if you need to, you can terminate one by force (since 1.2):

$ flatpak kill <application-id>

Audit session or system bus traffic

A --socket=session-bus or a --socket=system-bus permission must not be present for the logging to work.

Session or system bus traffic can be audited by passing --log-session-bus and --log-system-bus respectively to flatpak run:

flatpak run --log-session-bus <application-id>

This can be useful to figure out the bus names used by an application and the corresponding --talk-name or --own-name permissions required:

flatpak --log-session-bus run <application-id>| grep '(required 1)'