Ubuntu
libreoffice package

soffice.bin crashed with SIGSEGV in IsVertical()

Bug #1598938 reported by Dmitry Shachnev
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
LibreOffice
Fix Released
High
libreoffice (Ubuntu)
Fix Released
Low
Unassigned

Bug Description

LibreOffice crashes while I was trying to edit a document; the document is a page copy-pasted from Firefox which has quite a big amount of nested tables.

ProblemType: Crash
DistroRelease: Ubuntu 16.04
Package: libreoffice-core 1:5.1.4-0ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-28.47-generic 4.4.13
Uname: Linux 4.4.0-28-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: GNOME-Flashback:Unity
Date: Mon Jul 4 23:29:38 2016
ExecutablePath: /usr/lib/libreoffice/program/soffice.bin
InstallationDate: Installed on 2014-08-23 (681 days ago)
InstallationMedia: Ubuntu 14.10 "Utopic Unicorn" - Alpha amd64 (20140823)
ProcCmdline: /usr/lib/libreoffice/program/soffice.bin --writer file:///tmp/mozilla_dmitry0/F.NAKV+BB.RU.LTU.dot --splash-pipe=5
ProcEnviron:
 LANGUAGE=ru
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=ru_RU.UTF-8
 SHELL=/bin/bash
SegvAnalysis:
 Segfault happened at: 0x7f58cd333730 <_ZNK11SwTableLine16hasSoftPageBreakEv+496>: cmpq $0x0,0x50(%rax)
 PC (0x7f58cd333730) ok
 source "$0x0" ok
 destination "0x50(%rax)" (0x00000050) not located in a known VMA region (needed writable region)!
SegvReason: writing NULL VMA
Signal: 11
SourcePackage: libreoffice
StacktraceTop:
 SwTableLine::hasSoftPageBreak() const () at /usr/lib/libreoffice/program/../program/libswlo.so
 () at /usr/lib/libreoffice/program/../program/libswlo.so
 () at /usr/lib/libreoffice/program/../program/libswlo.so
 () at /usr/lib/libreoffice/program/../program/libswlo.so
 () at /usr/lib/libreoffice/program/../program/libswlo.so
Title: soffice.bin crashed with SIGSEGV in SwTableLine::hasSoftPageBreak()
UpgradeStatus: Upgraded to xenial on 2016-04-28 (67 days ago)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo

Revision history for this message
In , Manuel-defranceschi (manuel-defranceschi) wrote :

Created attachment 125690
Try to delete the outer table and LO crash.

Description:

If I insert five or more tables 10x15 one inside the other and then cancel the outer table(or the column or the row which contain the cell that contain the other tables) LO crashes. It seems that the dimension influence the problem: for example, at 8x13 with five tables LO doesn't crash, but with six tables it does, and at 100x10 it doesn't crash at all.

Steps:
1-Open Writer
2-Insert a table 10x15
3-Repeat step 2 for at least 5 time without change the cursor's position
4-Delete the outer table
At this point LO crash.

Affected version:

Version: 5.0.6.3
Build ID: 490fc03b25318460cfc54456516ea2519c11d1aa
Locale: it-IT (it_IT.UTF-8)
OS: openSUSE Leap 42.1 (x86_64)

Version: 5.1.3.2
Build ID: 644e4637d1d8544fd9f56425bd6cec110e49301b
CPU Threads: 2; UI Render: default;
Locale: it-IT (it_IT.UTF-8)
OS: openSUSE Leap 42.1 (x86_64)

Version: 5.3.0.0.alpha0+
Build ID: a8bd44573b75d1399257d6f5d052611439607189
CPU Threads: 2;
UI Render: default;
TinderBox: Linux-rpm_deb-x86_64@70-TDF, Branch:master, Time: 2016-06-13_23:46:49
Locale: it-IT (it_IT.UTF-8)
OS: openSUSE Leap 42.1 (x86_64)

Not affected version:

Version 3.6.7.2 (Build ID: e183d5b)
OS: openSUSE Leap 42.1 (x86_64)

Versione: 4.4.7.2
Build ID: f3153a8b245191196a4b6b9abd1d0da16eead600
Versione locale: it_IT.UTF-8
OS: openSUSE Leap 42.1 (x86_64)

Revision history for this message
In , Aron Budea (baron-z) wrote :

Thank you for the detailed bug report.
Crash reproduced with LO 5.0.0.5, not reproduced with 4.4.0.3, both in Windows 7 => regression.

Revision history for this message
In , Caolanm (caolanm) wrote :

bibisecting suggests

commit 135e4d5c730b8b252eab3e375580a3a73d8204e6
Author: Michael Stahl <email address hidden>
Date: Thu Apr 23 22:52:39 2015 +0200

    related: tdf#90820 refactor SwFrm destruction

is the trigger, though I rather feel that's not at fault and we just got away with things earlier

Revision history for this message
In , Libreoffice-commits (libreoffice-commits) wrote :

Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=e41a694c8b4fd1503b31f3a9da326e9f7ddd1b79

Related: tdf#100421 crash in a11y on load of source odt

It will be available in 5.3.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Revision history for this message
In , Libreoffice-commits (libreoffice-commits) wrote :

Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=4561119a8bab986df25a5ce2a544aa96394cbd5d

Resolves: tdf#100421, don't crash on deleting particular table

It will be available in 5.3.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Revision history for this message
In , Libreoffice-commits (libreoffice-commits) wrote :

Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=f054ba24056dba34576bc43a86abb0b828917585&h=libreoffice-5-2

Related: tdf#100421 crash in a11y on load of source odt

It will be available in 5.2.0.1.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Revision history for this message
In , Libreoffice-commits (libreoffice-commits) wrote :

Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=ff7028465c5c5cd30a9bb28ac6aa610e67c4e843&h=libreoffice-5-2

Resolves: tdf#100421, don't crash on deleting particular table

It will be available in 5.2.0.1.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Revision history for this message
In , Aron Budea (baron-z) wrote :

Verified no crash in 5.2.0.1.

Revision history for this message
Dmitry Shachnev (mitya57) wrote :
Revision history for this message
penalvch (penalvch) wrote :

Dmitry Shachnev, thank you for reporting this and helping make Ubuntu better.

1) Could you please provide the URL precisely you copied from?
2) Could you please attach the file that demonstrates this problem?
3) Could you please provide keyboard click-for-click instructions on how to reproduce this?
4) Is this consistently reproducible?

Changed in libreoffice (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Revision history for this message
Apport retracing service (apport) wrote :

StacktraceTop:
 IsVertical (this=0x0) at /build/libreoffice-OypX7x/libreoffice-5.1.4/sw/source/core/inc/frame.hxx:897
 SwFrame::Shrink (this=0x7f58b10dea18, nDist=3465, bTst=<optimized out>, bInfo=<optimized out>) at /build/libreoffice-OypX7x/libreoffice-5.1.4/sw/source/core/layout/wsfrm.cxx:1216
 SwLayoutFrame::ShrinkFrame (this=0x7f58cc029910, nDist=<optimized out>, bTst=<optimized out>, bInfo=<optimized out>) at /build/libreoffice-OypX7x/libreoffice-5.1.4/sw/source/core/layout/wsfrm.cxx:2464
 SwFrame::Shrink (this=0x7f58cc029910, nDist=3465, bTst=<optimized out>, bInfo=<optimized out>) at /build/libreoffice-OypX7x/libreoffice-5.1.4/sw/source/core/layout/wsfrm.cxx:1223
 SwLayoutFrame::Cut (this=0x7f58b800f940) at /build/libreoffice-OypX7x/libreoffice-5.1.4/sw/source/core/layout/wsfrm.cxx:1139

Revision history for this message
Apport retracing service (apport) wrote : Stacktrace.txt
Revision history for this message
Apport retracing service (apport) wrote : StacktraceSource.txt
Revision history for this message
Apport retracing service (apport) wrote : ThreadStacktrace.txt
summary: - soffice.bin crashed with SIGSEGV in SwTableLine::hasSoftPageBreak()
+ soffice.bin crashed with SIGSEGV in IsVertical()
tags: removed: need-amd64-retrace
Revision history for this message
Dmitry Shachnev (mitya57) wrote :

I could answer your question, but it looks like this bug is already resolved upstream in https://cgit.freedesktop.org/libreoffice/core/commit/?id=ff7028465c5c5cd3.

Changed in libreoffice (Ubuntu):
status: Incomplete → Triaged
Revision history for this message
Marcus Tomlinson (marcustomlinson) wrote :

Synchronising bug status with upstream.

Changed in libreoffice (Ubuntu):
status: Triaged → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in df-libreoffice:
importance: Unknown → High
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.