[Upstream] soffice.bin crashed with SIGSEGV in unlink_nodes()

Bug #917342 reported by Christopher M. Penalver on 2012-01-16
Affects               Status        Importance  Assigned to        Milestone
LibreOffice           Fix Released  Critical
libreoffice (Ubuntu)                Medium      Björn Michaelsen

Bug Description

1) lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

2) apt-cache policy libreoffice-writer
libreoffice-writer:
  Installed: 1:3.4.4-0ubuntu1
  Candidate: 1:3.4.4-0ubuntu1
  Version table:
 *** 1:3.4.4-0ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main i386 Packages
        100 /var/lib/dpkg/status
     1:3.4.3-3ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages

3) What is expected to happen in LibreOffice Writer via the Terminal:

cd ~/Desktop && wget https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/917262/+attachment/2677806/+files/XMLform-1-Text-Field.odt && lowriter -nologo XMLform-1-Text-Field.odt

highlight the object -> turn on Design mode -> double click the object and the menu comes up.

4) What happens instead is Writer crashes. A screenshot of Writer as it is crashing may be found at: https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/917262/+attachment/2677583/+files/Screenshot%20at%202012-01-16%2010%3A41%3A44.png .

ProblemType: Crash
DistroRelease: Ubuntu 11.10
Package: libreoffice-core 1:3.4.4-0ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-13.22-generic-pae 3.0.6
Uname: Linux 3.0.0-13-generic-pae i686
ApportVersion: 1.23-0ubuntu4
Architecture: i386
Date: Mon Jan 16 14:48:57 2012
EcryptfsInUse: Yes
ExecutablePath: /usr/lib/libreoffice/program/soffice.bin
InstallationMedia: Xubuntu 11.10 "Oneiric Ocelot" - Beta i386 (20110921.3)
ProcCmdline: /usr/lib/libreoffice/program/soffice.bin --writer /home/username/Desktop/XMLform-1-Text-Field.odt --splash-pipe=7
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SegvAnalysis:
 Segfault happened at: 0xac26120a <boost::unordered_detail::hash_table<boost::unordered_detail::map<rtl::OUString, rtl::OUStringHash, std::equal_to<rtl::OUString>, std::allocator<std::pair<rtl::OUString const, pcr::ListBoxLine> > > >::erase_return_iterator(boost::unordered_detail::hash_iterator_base<std::allocator<std::pair<rtl::OUString const, pcr::ListBoxLine> >, boost::unordered_detail::ungrouped>)+106>: mov (%eax),%eax
 PC (0xac26120a) ok
 source "(%eax)" (0x00290065) not located in a known VMA region (needed readable region)!
 destination "%eax" ok
SegvReason: reading unknown VMA
Signal: 11
SourcePackage: libreoffice
StacktraceTop:
 unlink_nodes (end=0x0, begin=0x90e3748, b=...) at /usr/include/boost/unordered/detail/node.hpp:63
 unlink_node (n=0x90e3748, b=...) at /usr/include/boost/unordered/detail/node.hpp:76
 boost::unordered_detail::hash_table<boost::unordered_detail::map<rtl::OUString, rtl::OUStringHash, std::equal_to<rtl::OUString>, std::allocator<std::pair<rtl::OUString const, pcr::ListBoxLine> > > >::erase_return_iterator (this=0x8b400ac, r=...) at /usr/include/boost/unordered/detail/table.hpp:708
 erase (position=<optimized out>, this=<optimized out>) at /usr/include/boost/unordered/unordered_map.hpp:370
 pcr::OBrowserListBox::RemoveEntry (this=0x8b3fce0, _rName=...) at /build/buildd/libreoffice-3.4.4/libreoffice-build/build/libreoffice-3.4.3.2/extensions/source/propctrlr/browserlistbox.cxx:1094
Title: soffice.bin crashed with SIGSEGV in unlink_nodes()
UpgradeStatus: Upgraded to oneiric on 2011-10-19 (89 days ago)
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare


LibO 3.4.3 rc1 on OSX 10.6.8

Open Writer, click File, New, XML Form Document
In Form Control toolbox, click any control and then click to put it in your document.
Double click control to edit it.
Crash

Process: soffice [2280]
Path: /Applications/LibreOffice.app/Contents/MacOS/soffice
Identifier: org.libreoffice.script
Version: 3.4.3 (???)
Code Type: X86 (Native)
Parent Process: launchd [127]

Date/Time: 2011-08-20 22:39:16.539 -0400
OS Version: Mac OS X 10.6.8 (10K549)
Report Version: 6

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000044220000
Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 libpcrmxi.dylib 0x2e4ecbb2 component_getFactory + 196898
1 libpcrmxi.dylib 0x2e4eba8d component_getFactory + 192509
2 libpcrmxi.dylib 0x2e587f76 component_getFactory + 832742
3 libpcrmxi.dylib 0x2e4c5f76 component_getFactory + 38118
4 libpcrmxi.dylib 0x2e5051c9 component_getFactory + 296761
5 libpcrmxi.dylib 0x2e5041d8 component_getFactory + 292680
6 libpcrmxi.dylib 0x2e50433a component_getFactory + 293034
7 libpcrmxi.dylib 0x2e4c0380 component_getFactory + 14576
8 libpcrmxi.dylib 0x2e4c936e component_getFactory + 51422
9 libpcrmxi.dylib 0x2e4c9c4f component_getFactory + 53695
10 libpcrmxi.dylib 0x2e4c9d7c component_getFactory + 53996
11 libsvxmxi.dylib 0x1fecaf9b FmPropBrw::implSetNewSelection(std::set<com::sun::star::uno::Reference<com::sun::star::uno::XInterface>, comphelper::OInterfaceCompare<com::sun::star::uno::XInterface>, std::allocator<com::sun::star::uno::Reference<com::sun::star::uno::XInterface> > > const&) + 603
12 libsvxmxi.dylib 0x1fecdebc FmPropBrw::StateChanged(unsigned short, unsigned short, SfxPoolItem const*) + 204
13 libsfxmxi.dylib 0x00490a6e SfxStateCache::SetState_Impl(unsigned short, SfxPoolItem const*, unsigned char) + 414
14 libsfxmxi.dylib 0x00475fef SfxBindings::UpdateControllers_Impl(SfxInterface const*, SfxFoundCache_Impl const*, SfxPoolItem const*, unsigned short) + 495
15 libsfxmxi.dylib 0x0047640e SfxBindings::Update_Impl(SfxStateCache*) + 542
16 libsfxmxi.dylib 0x00477737 SfxBindings::NextJob_Impl(Timer*) + 455
17 libvclmxi.dylib 0x01720cbc Timer::Timeout() + 28
18 libvclmxi.dylib 0x01720dd9 Timer::ImplTimerCallbackProc() + 121
19 libvclmxi.dylib 0x01a29c21 SalGetDesktopEnvironment() + 24929
20 com.apple.Foundation 0x904055b1 __NSFireTimer + 282
21 com.apple.CoreFoundation 0x9a697a6b __CFRunLoopRun + 8059
22 com.apple.CoreFoundation 0x9a6953f4 CFRunLoopRunSpecific + 452
23 com.apple.CoreFoundation 0x9a695221 CFRunLoopRunInMode + 97
24 com.apple.HIToolbox 0x91fddd60 RunCurrentEventLoopInMode + 392
25 com.apple.HIToolbox 0x91fddb17 ReceiveNextEventCommon + 354
26 com.apple.HITool...


I got a crash in LibO 3.4.3 rc1 on Ubuntu 10.04 x86_64 when playing with some button. What I did:
- File > New > XML form document
- In Form Design toolbar click the button XML then Form Controls toolbar appears
- In Form Control toolbar click on the button "List Box" then the mouse pointer becomes a + and you are able to draw a rectangle in the text doc
- select the rectangle and double-click in it
=> a new dialog starts to become visible, then crash.

Reproduced with LibO 3.4.3 rc1 and master.
I do not know if the crash isn't already in 3.4.2.

Best regards. JBF

(In reply to comment #1)
> [...]
> I do not know if the crash isn't already in 3.4.2.

Same crash in LibO 3.4.2 under Ubuntu 10.04 x86_64

Confirmed in Win7 too.

Also present in master dev build

LibO-dev 3.5.0
Build ID:
 a7325bf-a24c961-aea73ba-bf01663-c53c461
 04f358b-fd28b6a-9ae1a63-4de147c-e8d28c5
 de7d101-890c60f-48568db-6a9703b-b31b807
 745f015-9832101-a6ba297-c943149

on Mac OSX.

Alex

FWIW, I did a time profile using Shark (Mac dev debugging tool) of the soffice process and events leading up to the crash with a 5ms interval after the initial XForm document had been instantiated - have posted the output as an attachment.

Alex

Created attachment 50545
Time profile of soffice process leading up to crash

Additional information:

When the form control is double-clicked, the Property window rectangle and background are drawn (window frame and grey background). However, this window is never filled with the properties of the control, which is where the crash happens. The question is whether it is because the properties take too long to be obtained and/or drawn, or whether there is actually an error in the code that intersects the properties onto the Property window (union function). I don't understand the code well enough for that. Race condition?

Alex

Changed title to better reflect behaviour.

[This is an automated message.]
This bug was filed before the changes to Bugzilla on 2011-10-16. Thus it
started right out as NEW without ever being explicitly confirmed. The bug is
changed to state NEEDINFO for this reason. To move this bug from NEEDINFO back
to NEW please check if the bug still persists with the 3.5.0 beta1 or beta2 prereleases.
Details on how to test the 3.5.0 beta1 can be found at:
http://wiki.documentfoundation.org/QA/BugHunting_Session_3.5.0.-1

more detail on this bulk operation: http://nabble.documentfoundation.org/RFC-Operation-Spamzilla-tp3607474p3607474.html

Crash confirmed in LO 3.5.0 beta2+ (LibreOffice 3.5.0beta2+ Version ID : 8f03437-7f15fca-1fc8c06-ca8e46d-b96fade).

Best regards. JBF

StacktraceTop:
 unlink_nodes (end=0x0, begin=0x90e3748, b=...) at /usr/include/boost/unordered/detail/node.hpp:63
 unlink_node (n=0x90e3748, b=...) at /usr/include/boost/unordered/detail/node.hpp:76
 boost::unordered_detail::hash_table<boost::unordered_detail::map<rtl::OUString, rtl::OUStringHash, std::equal_to<rtl::OUString>, std::allocator<std::pair<rtl::OUString const, pcr::ListBoxLine> > > >::erase_return_iterator (this=0x8b400ac, r=...) at /usr/include/boost/unordered/detail/table.hpp:708
 erase (position=<optimized out>, this=<optimized out>) at /usr/include/boost/unordered/unordered_map.hpp:370
 pcr::OBrowserListBox::RemoveEntry (this=0x8b3fce0, _rName=...) at /build/buildd/libreoffice-3.4.4/libreoffice-build/build/libreoffice-3.4.3.2/extensions/source/propctrlr/browserlistbox.cxx:1094

Changed in libreoffice (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libreoffice (Ubuntu):
status: New → Confirmed

Reproducible in Precise -> https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/917370

Marking as Triaged.

Changed in libreoffice (Ubuntu):
importance: Medium → Undecided
status: Confirmed → Triaged
importance: Undecided → Medium

Created attachment 55653
XMLform-1-Text-Field.odt

Downstream bug may be found at:
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/917342

1) lsb_release -rd
Description: Ubuntu precise (development branch)
Release: 12.04

2) apt-cache policy libreoffice-writer
libreoffice-writer:
  Installed: 1:3.5.0~beta2-2ubuntu3
  Candidate: 1:3.5.0~beta2-2ubuntu3
  Version table:
 *** 1:3.5.0~beta2-2ubuntu3 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main i386 Packages
        100 /var/lib/dpkg/status

3) What is expected to happen in LibreOffice Writer via the Terminal:

cd ~/Desktop && wget https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/917262/+attachment/2677806/+files/XMLform-1-Text-Field.odt && lowriter -nologo XMLform-1-Text-Field.odt

highlight the object -> turn on Design mode -> double click the object and the menu comes up.

4) What happens instead is Writer crashes. A screenshot of Writer as it is crashing may be found at: https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/917262/+attachment/2677583/+files/Screenshot%20at%202012-01-16%2010%3A41%3A44.png .

First reported against LO 3.4.4, Version -> 3.4.4

summary: - soffice.bin crashed with SIGSEGV in unlink_nodes()
+ [Upstream] soffice.bin crashed with SIGSEGV in unlink_nodes()
Changed in df-libreoffice:
importance: Unknown → Critical
status: Unknown → Confirmed
visibility: private → public

Created attachment 56595
Bt with symbols on master

I reproduced this problem with master (updated today) on pc Debian x86-64.
I checked the sizes of m_aOrderedLines and m_aLines; they are both equal to 36.

I changed version since I reproduce it also on master.

Julien Nabet, please do not toggle the version. For more on this please see:
http://wiki.documentfoundation.org/BugReport_Details#Version

*** Bug 43567 has been marked as a duplicate of this bug. ***

*** This bug has been marked as a duplicate of bug 40261 ***

*** Bug 44842 has been marked as a duplicate of this bug. ***

Fixed in master + sent for review to the ML, I suppose it will get to libreoffice-3-4 and libreoffice-3-5 shortly.

http://cgit.freedesktop.org/libreoffice/core/commit/?id=8912cf30755a2a19d50acc3bb0f5352506638fad

Jan Holesovsky committed a patch related to this issue to "libreoffice-3-5":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=d5d32eb755c8a53292acbf0648fb82baf6729d8a&g=libreoffice-3-5

fdo#40261: Fix crash in XML Form Document.

Jan Holesovsky committed a patch related to this issue to "libreoffice-3-4":

http://cgit.freedesktop.org/libreoffice/components/commit/?id=af14dfc2b5cf9d46ff8e425fdf6dee0978b7c135&g=libreoffice-3-4

fdo#40261: Fix crash in XML Form Document.

Changed in df-libreoffice:
status: Confirmed → Invalid
Changed in df-libreoffice:
importance: Critical → Unknown
status: Invalid → Unknown
Changed in df-libreoffice:
importance: Unknown → Critical
status: Unknown → Fix Released

*** Bug 45891 has been marked as a duplicate of this bug. ***

and resolved in LOdev 3.5.1rc0

Thx!

*** Bug 46154 has been marked as a duplicate of this bug. ***

tags: added: fixed-in-upstream-3.5.1
Changed in libreoffice (Ubuntu):
assignee: nobody → Björn Michaelsen (bjoern-michaelsen)
milestone: none → ubuntu-12.04
status: Triaged → Fix Released