Crash on exit: ScCsvGrid leaks past vcl lifetime

Bug #1566050 reported by M. Edward (Ed) Borasky on 2016-04-04
This bug affects 7 people
Affects | Status | Importance | Assigned to | Milestone
LibreOffice | Fix Released | Medium
libreoffice (Ubuntu) | High | Björn Michaelsen
Xenial | Undecided | Unassigned
Yakkety | High | Björn Michaelsen

Bug Description

Reproduction scenario:
1/ open a csv file with libreoffice calc
2/ Import wizard appears -> press Cancel
3/ Exit LibreOffice

Expected behaviour:
LibreOffice shuts down cleanly.

Actual behaviour:
LibreOffice crashes on exit. (not entirely reproducible, but repeating steps 1/ and 2/ a few times usually soon triggers this)

ProblemType: Crash
DistroRelease: Ubuntu 16.04
Package: libreoffice-core 1:5.1.1-0ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-16.32-generic 4.4.6
Uname: Linux 4.4.0-16-generic x86_64
ApportVersion: 2.20.1-0ubuntu1
Architecture: amd64
CurrentDesktop: GNOME
Date: Mon Apr 4 15:57:52 2016
ExecutablePath: /usr/lib/libreoffice/program/soffice.bin
InstallationDate: Installed on 2016-04-03 (1 days ago)
InstallationMedia: Ubuntu-GNOME 16.04 LTS "Xenial Xerus" - Beta amd64 (20160323.1)
ProcCmdline: /usr/lib/libreoffice/program/soffice.bin --calc file:///tmp/mozilla_znmeb0/DKSalaries-1.csv --splash-pipe=5
ProcEnviron:
 PATH=(custom, user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
 LD_LIBRARY_PATH=<set>
SegvAnalysis:
 Segfault happened at: 0x299c100: push %rax
 PC (0x0299c100) in non-executable VMA region: 0x016e7000-0x02c4d000 rw-p [heap]
 source "%rax" ok
 destination "(%rsp)" (0x7fffed7e99f0) ok
SegvReason: executing writable VMA [heap]
Signal: 11
SourcePackage: libreoffice
StacktraceTop:
 ?? ()
 ?? () from /usr/lib/libreoffice/program/libmergedlo.so
 ?? () from /usr/lib/libreoffice/program/libmergedlo.so
 Menu::~Menu() () from /usr/lib/libreoffice/program/libmergedlo.so
 ScCsvGrid::~ScCsvGrid() () from /usr/lib/libreoffice/program/../program/libsclo.so
Title: soffice.bin crashed with SIGSEGV in Menu::~Menu()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip docker libvirtd lpadmin plugdev sambashare sudo

information type: Private → Public

StacktraceTop:
 ?? ()
 MenuItemData::~MenuItemData (this=0x2972470, __in_chrg=<optimized out>) at /build/libreoffice-ViFeg2/libreoffice-5.1.1/vcl/source/window/menuitemlist.cxx:44
 MenuItemList::~MenuItemList (this=0x29301a0, __in_chrg=<optimized out>) at /build/libreoffice-ViFeg2/libreoffice-5.1.1/vcl/source/window/menuitemlist.cxx:50
 Menu::~Menu (this=0x2933638, __in_chrg=<optimized out>) at /build/libreoffice-ViFeg2/libreoffice-5.1.1/vcl/source/window/menu.cxx:174
 ScCsvGrid::~ScCsvGrid (this=0x2933390, __in_chrg=<optimized out>) at /build/libreoffice-ViFeg2/libreoffice-5.1.1/sc/source/ui/dbgui/csvgrid.cxx:88

Changed in libreoffice (Ubuntu):
importance: Undecided → Medium
summary: - soffice.bin crashed with SIGSEGV in Menu::~Menu()
+ soffice.bin crashed with SIGSEGV in MenuItemData::~MenuItemData()
tags: removed: need-amd64-retrace

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libreoffice (Ubuntu):
status: New → Confirmed
Changed in libreoffice (Ubuntu):
assignee: nobody → Björn Michaelsen (bjoern-michaelsen)
status: Confirmed → New
Changed in libreoffice (Ubuntu):
status: New → Confirmed
Changed in libreoffice (Ubuntu):
importance: Medium → High
description: updated

This appears to be a regression from https://github.com/LibreOffice/core/commit/2660d24a07866e083c5135ea263030f3e3a2e729 (haven't verified that yet):

1/ Since that change mxAccessible in ScCsvGrid holds a rtl::Reference on a ScAccessibleCsvGrid
2/ Which in turn holds a VclPtr<> (aka a rtl::Reference with lipstick) on the ScCsvControl

These are circular references, making both of them live forever and leak past the point where, on LibreOffice close, all of Vcl is long gone when these are dtored. Trying to kill Vcl stuff at that point then blows up (because the stuff to kill is long dead).

Changed in libreoffice (Ubuntu):
status: Confirmed → Triaged
Changed in df-libreoffice:
assignee: nobody → Björn Michaelsen (bjoern-michaelsen)
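The ownership cycle described in the comment above, reduced to a stand-alone illustration. This is added example code, not LibreOffice's code and not the content of the upstream fix: `RefCounted`, `Ref`, `Grid`, `Accessible` and the `g_vcl_alive` flag are hypothetical stand-ins for rtl::Reference/VclPtr, ScCsvGrid and ScAccessibleCsvGrid. It shows why two strong intrusive references pointing at each other keep both objects alive after their last outside owner lets go, so that they are only torn down after the toolkit has shut down (the crash), and how an explicit dispose() step run while the toolkit is still alive cuts the cycle.

```cpp
#include <cstdio>
#include <utility>

// Hypothetical minimal intrusive reference counting in the spirit of
// rtl::Reference / VclPtr (added example, not LibreOffice code).
struct RefCounted {
    int refs = 0;
    virtual ~RefCounted() = default;
};

template <typename T>
class Ref {
    T* p_ = nullptr;
public:
    Ref() = default;
    explicit Ref(T* p) : p_(p) { if (p_) ++p_->refs; }
    Ref(const Ref& o) : p_(o.p_) { if (p_) ++p_->refs; }
    Ref& operator=(Ref o) { std::swap(p_, o.p_); return *this; }
    ~Ref() { reset(); }
    // Drop our count and free the object at zero. The pointer is cleared
    // before the delete so a destructor that runs inside the delete (and
    // releases us in turn) never sees a dangling pointer.
    void reset() { T* old = p_; p_ = nullptr; if (old && --old->refs == 0) delete old; }
    T* get() const { return p_; }
    T* operator->() const { return p_; }
};

// Models the toolkit lifetime: a widget destroyed after this flag is false is
// the situation in the bug (a destructor touching already torn-down VCL state).
static bool g_vcl_alive = true;
static int g_destroyed_while_vcl_alive = 0;
static int g_destroyed_after_vcl_shutdown = 0;

static void noteDestroyed() {
    if (g_vcl_alive) ++g_destroyed_while_vcl_alive;
    else ++g_destroyed_after_vcl_shutdown;
}

struct Grid;

// Stand-in for the accessible object: strong reference back to the grid.
struct Accessible : RefCounted {
    Ref<Grid> grid;
    explicit Accessible(Grid* g);
    ~Accessible() override;
};

// Stand-in for the grid widget: strong reference to its accessible object.
struct Grid : RefCounted {
    Ref<Accessible> accessible;
    void createAccessible() { accessible = Ref<Accessible>(new Accessible(this)); }
    // Explicit teardown, as VclPtr-style dispose() does: cut ownership edges
    // deliberately instead of waiting for counts to reach zero on their own.
    void dispose() { accessible.reset(); }
    ~Grid() override { noteDestroyed(); }
};

Accessible::Accessible(Grid* g) : grid(g) {}
Accessible::~Accessible() { noteDestroyed(); }

static void resetCounters() {
    g_vcl_alive = true;
    g_destroyed_while_vcl_alive = 0;
    g_destroyed_after_vcl_shutdown = 0;
}

// Bug scenario: returns {destroyed while VCL alive, destroyed after shutdown}.
// The cycle leaves both counts at 1 once the outside owner is gone, so
// nothing is destroyed until a late, exit-time teardown: {0, 2}.
std::pair<int, int> teardownWithCycle() {
    resetCounters();
    Grid* leaked = nullptr;
    {
        Ref<Grid> owner(new Grid);
        owner->createAccessible();
        leaked = owner.get();
    }                       // owner released; grid and accessible still hold each other
    g_vcl_alive = false;    // toolkit shut down
    leaked->dispose();      // stand-in for the teardown that only happens at exit
    return {g_destroyed_while_vcl_alive, g_destroyed_after_vcl_shutdown};
}

// Fixed shape: dispose() runs while the toolkit is alive, the back edge is
// cut, and both objects are gone before shutdown: {2, 0}.
std::pair<int, int> teardownWithDispose() {
    resetCounters();
    {
        Ref<Grid> owner(new Grid);
        owner->createAccessible();
        owner->dispose();   // accessible freed here, its back-reference dropped
    }                       // last reference to the grid released here
    g_vcl_alive = false;
    return {g_destroyed_while_vcl_alive, g_destroyed_after_vcl_shutdown};
}

int main() {
    auto a = teardownWithCycle();
    auto b = teardownWithDispose();
    std::printf("cycle:   alive=%d after_shutdown=%d\n", a.first, a.second);
    std::printf("dispose: alive=%d after_shutdown=%d\n", b.first, b.second);
    return 0;
}
```

The point the pair of counters makes is that reference counting alone cannot detect the cycle; whichever object ends up releasing the other does so at whatever time the process happens to tear it down, which for leaked objects is the exit handlers seen in the stack traces in this report. A lifecycle hook that breaks the edge at a known point (while the toolkit is still usable) is what turns the late destruction into an early one.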

Fix submitted, reviewed and committed to upstream master and 5-1 branches as:
https://gerrit.libreoffice.org/#/c/24020
https://gerrit.libreoffice.org/#/c/24021/

description: updated
Changed in df-libreoffice:
status: New → Fix Committed
summary: - soffice.bin crashed with SIGSEGV in MenuItemData::~MenuItemData()
+ Crash on exist: ScCsvGrid leaks past vcl lifetime
summary: - Crash on exist: ScCsvGrid leaks past vcl lifetime
+ Crash on exit: ScCsvGrid leaks past vcl lifetime
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libreoffice (Ubuntu Xenial):
status: New → Confirmed

Hello M., or anyone else affected,

Accepted libreoffice into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libreoffice/1:5.1.3-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in libreoffice (Ubuntu Xenial):
status: Confirmed → Fix Committed
tags: added: verification-needed

Hard to reproduce, no known reports of this one on 5.1.3 => setting this to verification-done.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libreoffice - 1:5.1.3-0ubuntu1

---------------
libreoffice (1:5.1.3-0ubuntu1) xenial; urgency=medium

  * new upstream bugfix release
  * fix crash with nullptr SdrObjList (LP: #1569500)
  * fix crash with ScCsvGrid living beyond VCL shutdown (LP: #1566050)
  * fix crash with non-empty BlendFrameCache in late VCL shutdown (LP: #1560328)

 -- Bjoern Michaelsen <email address hidden> Thu, 12 May 2016 11:35:38 +0200

Changed in libreoffice (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for libreoffice has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Mathieu Marquer (slasher-fun) wrote :

I just encountered this crash even though I'm using the latest version:

Package: libreoffice-core 1:5.1.3-0ubuntu1
PackageArchitecture: amd64
ProcVersionSignature: Ubuntu 4.4.0-23.41-generic 4.4.10

SegvAnalysis:
 Segfault happened at: 0x7f8841460837 <__libc_start_main+247>: xor %edx,%edx
 PC (0x7f8841460837) ok
 source "%edx" ok
 destination "%edx" ok
 SP (0x7fff124e6bd0) ok
 Reason could not be automatically determined.
SourcePackage: libreoffice
Stacktrace:
 #0 0x00000000038a2000 in ?? ()
 No symbol table info available.
 #1 0x00007f8843f88c8d in ?? () from /usr/lib/libreoffice/program/libmergedlo.so
 No symbol table info available.
 #2 0x00007f8843f88d8d in ?? () from /usr/lib/libreoffice/program/libmergedlo.so
 No symbol table info available.
 #3 0x00007f8843f7c9c8 in Menu::~Menu() () from /usr/lib/libreoffice/program/libmergedlo.so
 No symbol table info available.
 #4 0x00007f880e4a0165 in ScCsvGrid::~ScCsvGrid() () from /usr/lib/libreoffice/program/../program/libsclo.so
 No symbol table info available.
 #5 0x00007f880e4a0279 in ScCsvGrid::~ScCsvGrid() () from /usr/lib/libreoffice/program/../program/libsclo.so
 No symbol table info available.
 #6 0x00007f8841479fe8 in __run_exit_handlers (status=0, listp=0x7f88418035f8 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true) at exit.c:82
         atfct = <optimized out>
         onfct = <optimized out>
         cxafct = <optimized out>
 #7 0x00007f884147a035 in __GI_exit (status=<optimized out>) at exit.c:104
 No locals.
 #8 0x00007f8841460837 in __libc_start_main (main=0x4006e0, argc=3, argv=0x7fff124e6ca8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff124e6c98) at ../csu/libc-start.c:325
         result = <optimized out>
         unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -916413476825100205, 4196096, 140733500517536, 0, 0, 915949057318686803, 889668460461002835}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x400870, 0x7f884541a8e0 <_dl_fini>}, data = {prev = 0x0, cleanup = 0x0, canceltype = 4196464}}}
         not_first_call = <optimized out>
 #9 0x0000000000400729 in ?? ()
 No symbol table info available.
StacktraceAddressSignature: /usr/lib/libreoffice/program/soffice.bin:11:[heap]+3069000:/usr/lib/libreoffice/program/libmergedlo.so+2528c8d:/usr/lib/libreoffice/program/libmergedlo.so+2528d8d:/usr/lib/libreoffice/program/libmergedlo.so+251c9c8:/usr/lib/libreoffice/program/libsclo.so+796165:/usr/lib/libreoffice/program/libsclo.so+796279:/lib/x86_64-linux-gnu/libc-2.23.so+39fe8:/lib/x86_64-linux-gnu/libc-2.23.so+3a035:/lib/x86_64-linux-gnu/libc-2.23.so+20837:/usr/lib/libreoffice/program/soffice.bin+729
StacktraceTop:
 ?? ()
 ?? () from /usr/lib/libreoffice/program/libmergedlo.so
 ?? () from /usr/lib/libreoffice/program/libmergedlo.so
 Menu::~Menu() () from /usr/lib/libreoffice/program/libmergedlo.so
 ScCsvGrid::~ScCsvGrid() () from /usr/lib/libreoffice/program/../program/libsclo.so

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libreoffice - 1:5.1.3-0ubuntu4

---------------
libreoffice (1:5.1.3-0ubuntu4) yakkety; urgency=medium

  * use internal copy of mdds and orcus on yakkety for 5.1 series now

 -- Bjoern Michaelsen <email address hidden> Tue, 24 May 2016 14:25:58 +0200

Changed in libreoffice (Ubuntu Yakkety):
status: Triaged → Fix Released

According to https://errors.ubuntu.com/problem/351dcefbdfe5de30957d15c3d9c06233ec575453, this had:
25607 instances reported
_all_ instances reported with LibreOffice 5.1.4 or earlier

Thus assuming resolved.

Changed in df-libreoffice:
assignee: Björn Michaelsen (bjoern-michaelsen) → nobody
importance: Undecided → Unknown
status: Fix Committed → Unknown
Changed in df-libreoffice:
importance: Unknown → Medium
status: Unknown → Confirmed
Changed in df-libreoffice:
status: Confirmed → Fix Released