soffice.bin crashed with SIGSEGV in ImplDevFontListData::~ImplDevFontListData()

Bug #1219245 reported by j de lima on 2013-08-31
This bug affects 15 people
Affects               Status         Importance   Assigned to        Milestone
LibreOffice           Fix Released   Medium
libreoffice (Fedora)  Fix Released   Undecided
libreoffice (Ubuntu)                 High         Björn Michaelsen
Trusty                               Undecided    Unassigned

Bug Description

[Impact]

 * crash, high counts of stack traces on errors.ubuntu.com

[Test Case]

 * no good reproduction scenario known

[Regression Potential]

 * limited:
   - patch is on master upstream
   - patch has been released to the LibreOffice PPA for a while without
     any negative feedback
   - changes limited to vcl

[Other Info]

 * backport of fix by RedHat

original report:

ubuntustudio 13.10

ProblemType: Crash
DistroRelease: Ubuntu 13.10
Package: libreoffice-core 1:4.1.1-0ubuntu1
ProcVersionSignature: Ubuntu 3.11.0-2.1-lowlatency 3.11.0-rc5
Uname: Linux 3.11.0-2-lowlatency x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.12.1-0ubuntu3
Architecture: amd64
Date: Sat Aug 31 17:27:00 2013
ExecutablePath: /usr/lib/libreoffice/program/soffice.bin
InstallationDate: Installed on 2013-08-28 (3 days ago)
InstallationMedia: Ubuntu-Studio 13.10 "Saucy Salamander" - Alpha amd64 (20130824)
MarkForUpload: True
ProcCmdline: /usr/lib/libreoffice/program/soffice.bin --splash-pipe=5
SegvAnalysis:
 Segfault happened at: 0x7f1e300bfd30: mov 0x58(%rdi),%rdx
 PC (0x7f1e300bfd30) ok
 source "0x58(%rdi)" (0x00000056) not located in a known VMA region (needed readable region)!
 destination "%rdx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: libreoffice
StacktraceTop:
 ?? () from /usr/lib/libreoffice/program/libmergedlo.so
 ImplDevFontList::Clear() () from /usr/lib/libreoffice/program/libmergedlo.so
 ?? () from /usr/lib/libreoffice/program/libmergedlo.so
 ?? () from /usr/lib/libreoffice/program/libmergedlo.so
 SalGenericDisplay::DispatchInternalEvent() () from /usr/lib/libreoffice/program/libmergedlo.so
Title: soffice.bin crashed with SIGSEGV in ImplDevFontList::Clear()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm audio cdrom dialout dip fuse lpadmin netdev plugdev sambashare scanner sudo video

j de lima (jdelima307-ziggo) wrote :

StacktraceTop:
 ImplDevFontListData::~ImplDevFontListData (this=0x2f4b750, __in_chrg=<optimized out>) at /build/buildd/libreoffice-4.1.1/vcl/source/gdi/outdev3.cxx:970
 ImplDevFontList::Clear (this=0x1423a10) at /build/buildd/libreoffice-4.1.1/vcl/source/gdi/outdev3.cxx:1186
 OutputDevice::ImplUpdateAllFontData (bNewFontLists=<optimized out>) at /build/buildd/libreoffice-4.1.1/vcl/source/gdi/outdev3.cxx:244
 ImplHandleSalSettings (nEvent=<optimized out>, pWindow=0x1fabcb0) at /build/buildd/libreoffice-4.1.1/vcl/source/window/winproc.cxx:2216
 ImplWindowFrameProc (pWindow=0x1fabcb0, nEvent=<optimized out>, pEvent=<optimized out>) at /build/buildd/libreoffice-4.1.1/vcl/source/window/winproc.cxx:2597

Changed in libreoffice (Ubuntu):
importance: Undecided → Medium
summary: - soffice.bin crashed with SIGSEGV in ImplDevFontList::Clear()
+ soffice.bin crashed with SIGSEGV in
+ ImplDevFontListData::~ImplDevFontListData()
tags: removed: need-amd64-retrace
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libreoffice (Ubuntu):
status: New → Confirmed

Version-Release number of selected component:
libreoffice-core-4.1.4.2-4.fc20

Additional info:
reporter: libreport-2.1.11
backtrace_rating: 4
cmdline: /usr/lib64/libreoffice/program/soffice.bin --impress --splash-pipe=5
crash_function: ServerFont::Release
executable: /usr/lib64/libreoffice/program/soffice.bin
kernel: 3.12.8-300.fc20.x86_64
runlevel: N 5
type: CCpp
uid: 1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 ServerFont::Release at /usr/src/debug/libreoffice-4.1.4.2/vcl/generic/glyphs/glyphcache.cxx:341
 #1 GlyphCache::UncacheFont at /usr/src/debug/libreoffice-4.1.4.2/vcl/generic/glyphs/glyphcache.cxx:236
 #2 X11SalGraphics::setFont at /usr/src/debug/libreoffice-4.1.4.2/vcl/unx/generic/gdi/salgdi3.cxx:166
 #3 X11SalGraphics::SetFont at /usr/src/debug/libreoffice-4.1.4.2/vcl/unx/generic/gdi/salgdi3.cxx:508
 #4 ReleaseFonts at /usr/src/debug/libreoffice-4.1.4.2/vcl/inc/salgdi.hxx:224
 #5 OutputDevice::ImplUpdateFontData at /usr/src/debug/libreoffice-4.1.4.2/vcl/source/gdi/outdev3.cxx:186
 #7 OutputDevice::ImplUpdateAllFontData at /usr/src/debug/libreoffice-4.1.4.2/vcl/source/gdi/outdev3.cxx:262
 #8 ImplHandleSalSettings at /usr/src/debug/libreoffice-4.1.4.2/vcl/source/window/winproc.cxx:2216
 #9 ImplWindowFrameProc at /usr/src/debug/libreoffice-4.1.4.2/vcl/source/window/winproc.cxx:2597
 #10 CallCallback at /usr/src/debug/libreoffice-4.1.4.2/vcl/inc/salframe.hxx:243

Potential duplicate: bug 1045497

Created attachment 855640
File: backtrace

Created attachment 855641
File: cgroup

Created attachment 855642
File: core_backtrace

Created attachment 855643
File: dso_list

Created attachment 855644
File: environ

Created attachment 855645
File: exploitable

Created attachment 855646
File: limits

Created attachment 855647
File: maps

Created attachment 855648
File: open_fds

Created attachment 855649
File: proc_pid_status

Created attachment 855650
File: var_log_messages

It is not reproducible, I presume?

No, it doesn't seem reproducible.

I don't know if this is relevant, but I should add that I was updating the system with yum when this happened, and looking at yum history, that day at that time the following packages were updated:
rpm
yum
yum-metadata-parser
gnome-shell
google-crosextra-caladea-fonts
rtkittigervnc-license
tigervnc-server-minimal
webkitgtk
webkitgtk3

Yum history info says:
Begin time : Sun Jan 26 10:12:47 2014
End time : 10:12:55 2014 (8 seconds)

According to comment #12, the crash happened gen 26 10:12:53

I suppose it was reinstallation of google-crosextra-caladea-fonts that caused this. Trying that locally, with the font used in an opened document, does not lead to any crash, but valgrind is not happy about it...

fixed upstream

tags: added: trusty

*** Bug 1070497 has been marked as a duplicate of this bug. ***

libreoffice-4.1.5.3-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/libreoffice-4.1.5.3-4.fc19

Package libreoffice-4.1.5.3-4.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libreoffice-4.1.5.3-4.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3458/libreoffice-4.1.5.3-4.fc19
then log in and leave karma (feedback).

information type: Private → Public
Changed in libreoffice (Ubuntu):
assignee: nobody → Björn Michaelsen (bjoern-michaelsen)
importance: Medium → High

LibreOffice shows crashes on clearing the FontListData, unfortunately there is no good reproduction scenario yet, but this issue ranks high on http://errors.ubuntu.com and also happens on Fedora. Errors.ubuntu.com reports this stacktrace to first appear on version 4.0.2.

A stacktrace (which has been reported multiple times) can be found on the Launchpad bug.

While the descriptions of the reports by users provide no conclusive reproduction scenario, there are:
- two reports of "crash on close"
- one report of "crash while installing a font"
- one report of "crash while upgrading"

The latter two might actually be the same as upgrades might install new fonts.

confirmed by multiple Ubuntu reports and a Fedora report.

Created attachment 98899
stacktrace with resolved symbols

adding stacktrace

Looking at the errors.ubuntu.com stats of today (14.04 LTS is still relatively new) - it seems that _all_ of today's reports are from the 14.04 distro, while the bug was first seen on 4.0.2. This might suggest that this is indeed an issue of users keeping libreoffice running during a distro upgrade (with fonts and lots of other things changing below their feet).

Changed in df-libreoffice:
importance: Unknown → Medium
status: Unknown → Confirmed
Changed in df-libreoffice:
status: Confirmed → Fix Released
no longer affects: libreoffice (Fedora)

*** Bug 78836 has been marked as a duplicate of this bug. ***

bodhi failed to close this bug for some reason...

Please test LibreOffice version 1:4.2.4~rc2-0ubuntu1~trusty3 or later from https://launchpad.net/~libreoffice/+archive/ppa -- it should solve the issue.

Changed in libreoffice (Ubuntu):
status: Confirmed → Fix Committed
description: updated
description: updated
description: updated

Hello j, or anyone else affected,

Accepted libreoffice into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libreoffice/1:4.2.4-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in libreoffice (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed
Adam Conrad (adconrad) wrote :

Hello j, or anyone else affected,

Accepted libreoffice-l10n into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libreoffice-l10n/1:4.2.4-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

So, this is an upstream fix, the bug has no good reproduction scenario. Smoketested the build to contain no obvious regression => verification done.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libreoffice - 1:4.2.4-0ubuntu2

---------------
libreoffice (1:4.2.4-0ubuntu2) trusty; urgency=medium

  * bump upstream version
  * refresh patch queue
  * remove upstreamed patches:
    - fdo-74981.diff
    - fdo-50672.diff
  * bump help virtual version to 4.2
  * fix unity menu after insert formula (LP: #1296715)
  * avoid use of invalidated pointers (LP: #1219245)
  * add VBA macro patch
  * use internal npapi as this breaks with Firefox 30
 -- Bjoern Michaelsen <email address hidden> Fri, 13 Jun 2014 17:11:09 +0200

Changed in libreoffice (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libreoffice - 1:4.2.4-0ubuntu3

---------------
libreoffice (1:4.2.4-0ubuntu3) utopic; urgency=medium

  * No-change rebuild of the trusty-security upload for utopic.
 -- Adam Conrad <email address hidden> Mon, 23 Jun 2014 06:12:25 -0600

Changed in libreoffice (Ubuntu):
status: Fix Committed → Fix Released

Well, libreoffice 4.2.5 just crashed for me on Linux Mint 13 (ubuntu 12.04) after I copied some files to my ~/.fonts folder and ran 'fc-cache -fv' to refresh the cache.

Oops... That is because the fix has never made it to 4.2... Pushed for review now.

Weird that it wasn't ever put into 4.2, as Bjorn asked me to test it so that 4.2.4 could arrive in ubuntu 14.04's repo.

http://nabble.documentfoundation.org/Libreoffice-qa-Pushing-4-2-4-into-Ubuntu-Update-Repo-tp4112961p4112963.html

https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1219245

To which I replied: while having writer open, it didn't crash when I did a software update including the installation/upgrade of various font related packages (libfontconfig1, fontconfig, libxfont1, fontconfig-config, fonts-opensymbol).

(In reply to comment #8)
> Weird that it wasn't ever put into 4.2, as Bjorn asked me to test it so that
> 4.2.4 could arrive in ubuntu 14.04's repo.

Yes, because this is patched in 4.2.4 on Ubuntu 14.04 with a vendor backport, so I wonder what exact bug you are seeing here, as it can't really be the one fixed by this patch. So you likely found a different issue.

Note that the Ubuntu error tracker confirms this, as there were >2750 crash reports for lp#1219245 and >560 crash reports for lp#1219732 on libreoffice version 1:4.2.3~rc3-0ubuntu2 each, but none on 1:4.2.4-0ubuntu3.

If anything, this confirms David's patch is good. ;)

@David: If you put that patch on gerrit, can you CC me for rubberstamping?

David Tardon committed a patch related to this issue.
It has been pushed to "libreoffice-4-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=dbf5d7e52d0162ba10bb971d5a3187303c386589&h=libreoffice-4-2

fdo#78598 avoid use of invalidated pointers

It will be available in LibreOffice 4.2.7.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Changed in libreoffice (Fedora):
importance: Unknown → Undecided
status: Unknown → Fix Released