linux-image-4.13.0-12-generic, linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic | Regression: many user-space apps crashing

Bug #1699772 reported by Gunter Ohrner on 2017-06-22
This bug affects 53 people
Affects          Status        Importance  Assigned to       Milestone
LibreOffice      Won't Fix     Critical
linux (Debian)   Fix Released  Unknown
linux (Ubuntu)                 Critical    Joseph Salisbury
  Xenial                       Critical    Joseph Salisbury
  Artful                       Critical    Joseph Salisbury
  Bionic                       Critical    Joseph Salisbury

Bug Description

Distribution: Ubuntu 16.04 x64 (Flavour: KDE Neon User Edition 5.10)

linux-image-4.4.0-81-generic appears to contain a regression, probably related to the CVE-2017-1000364 fix backport / patch.

Using this kernel, the Oracle Java browser plugin always crashes during stack-related actions on initialization. This means the plugin has completely stopped working.

It works perfectly fine in linux-image-4.4.0-79-generic (vulnerable to CVE-2017-1000364) as well as linux-image-4.11.6-041106-generic, which also contains a fix for CVE-2017-1000364.

uname -a:

> Linux Zweiblum 4.4.0-81-generic #104-Ubuntu SMP Wed Jun 14 08:17:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I tested Oracle Java 1.8 u131 as well as 1.6 u64 in Firefox 51.0.1 as well as Iceweasel / Firefox/3.5.16 in a chroot.

Using linux-image-4.4.0-81-generic it crashes in all combinations while with both other kernels it works.

I was not able to obtain any detailed crash information from Firefox 51.0.1, but Iceweasel 3.5.16 crashed completely, allowing me to obtain a stack trace which shows the relation to stack operations performed by the plugin, even without proper debug symbols:

> (gdb) bt full
> #0 0x00007fa06d805307 in _expand_stack_to(unsigned char*) () from /opt/java-8-oracle/jre/lib/amd64/server/libjvm.so
> No symbol table info available.
> #1 0x00007fa06d8053ae in os::Linux::manually_expand_stack(JavaThread*, unsigned char*) ()
> from /opt/java-8-oracle/jre/lib/amd64/server/libjvm.so
> No symbol table info available.
> #2 0x00007fa06d80cf0b in JVM_handle_linux_signal () from /opt/java-8-oracle/jre/lib/amd64/server/libjvm.so
> No symbol table info available.
> #3 0x00007fa06d802e13 in signalHandler(int, siginfo*, void*) () from /opt/java-8-oracle/jre/lib/amd64/server/libjvm.so
> No symbol table info available.
> #4 <signal handler called>

I first assumed a bug in the Java plugin, but it works fine in Linux 4.11.6.

The crash will be triggered by any applet, for example the test applet at:

* https://java.com/en/download/installed8.jsp

I'm running the Ubuntu 16.04 based KDE Neon distribution which somehow apparently does not allow me to use apport to report this bug:

> $ LANG= apport-cli linux-image-4.4.0-81-generic
>
> *** Collecting problem information
>
> The collected information can be sent to the developers to improve the
> application. This might take a few minutes.
> .........
>
> *** Problem in linux-image-4.4.0-81-generic
>
> The problem cannot be reported:
>
> This is not an official KDE package. Please remove any third party package and try again.

If someone can tell me how to get apport working for this package, I can use it to collect additional information, but (unfortunately?) the problem should be fairly easy to reproduce...


Created attachment 134111
starting backtrace with scalc

I started scalc V6.0.0.0alpha1 with backtrace
and it crashed;
it's not always reproduced.

affects: mesa (Ubuntu) → linux (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status: New → Confirmed
Jarda Sladek (jaroslav-sladek) wrote :

The same bug appears on 17.04. 4.10.0-24-generic, which contains CVE-2017-1000364 fix, causes Oracle java plugin to crash. 4.10.0-22-generic, in exactly the same setup, works fine. The console error from Firefox (what most users will see) is

###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv

This makes Java Plugin on latest version of Ubuntu completely unusable.

Yuexiang Zhang (xfeep) wrote :

This bug affects not only the Oracle Java plugin but also applications based on the JNI Invocation API. Here is a very simple example to reproduce it.

#include <jni.h>
#include <stdio.h>

/* Build (JDK 8 layout, matching the libjvm.so path in the report):
 *   gcc test.c -I"$JAVA_HOME/include" -I"$JAVA_HOME/include/linux" \
 *       -L"$JAVA_HOME/jre/lib/amd64/server" -ljvm -o test */
int main(int argc, char *argv[]) {
    JavaVM *jvm;
    JNIEnv *env;
    JavaVMInitArgs vm_args;
    JavaVMOption options[1];

    options[0].optionString = "-Djava.class.path=/usr/lib/java";
    vm_args.version = JNI_VERSION_1_6;
    vm_args.nOptions = 1;
    vm_args.options = options;
    vm_args.ignoreUnrecognized = JNI_FALSE;

    /* On the affected kernels the process dies with SIGSEGV inside this call
       (the JVM's manual stack expansion), so the check below is never reached. */
    if (JNI_CreateJavaVM(&jvm, (void **)&env, &vm_args) != JNI_OK) {
        fprintf(stderr, "JNI_CreateJavaVM failed\n");
        return 1;
    }
    /**............**/

    (*jvm)->DestroyJavaVM(jvm);
    return 0;
}

Norbert (nrbrtx) on 2017-06-22
tags: added: xenial
Damjan Jovanovic (damjan-jov) wrote :

This is a ***MASSIVE REGRESSION*** affecting many or even all native applications that use the Java Invocation API, including at least Eclipse (crashes a few seconds after startup), and LibreOffice Base with any JDBC database connector (instant crash as soon as it tries to load the JVM).

Moritz Bechler (bechler) wrote :

This should affect all embedded java uses which launch the JVM on the main thread (the regular java launcher does not do that) and is caused by the known buggy (http://www.openwall.com/lists/oss-security/2017/06/22/6) custom CVE-2017-1000364 fix. Testing the upstream patch on debian it seems to be fine (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865549).

nezero (nezero) on 2017-06-23
no longer affects: commons-daemon (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in commons-daemon (Ubuntu):
status: New → Confirmed
Changed in eclipse (Ubuntu):
status: New → Confirmed
Changed in imagej (Ubuntu):
status: New → Confirmed
Changed in libreoffice (Ubuntu):
status: New → Confirmed
Norbert (nrbrtx) on 2017-06-23
summary: - linux-image-4.4.0-81-generic Regression: Oracle Java plugin crashes
+ linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression:
+ many user-space apps crashing

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in scilab (Ubuntu):
status: New → Confirmed
Norbert (nrbrtx) wrote :

Scilab is affected too. It uses openjdk-8.
See bug 1699892 for details.
Scilab is crashing with new kernel (linux-image-3.13.0-121-generic in Trusty / linux-image-4.4.0-81-generic in Xenial), but works with previous one (linux-image-3.13.0-119-generic in Trusty / linux-image-4.4.0-78-generic in Xenial).

Norbert (nrbrtx) wrote :

Also you can check comments on bug 1698919.
The (incomplete) list of affected applications includes:
* LPCxpresso (see https://community.nxp.com/thread/453939 )
* RMongo (see https://stackoverflow.com/a/44699417 )
* Ubiquity UniFi (see
https://community.ubnt.com/t5/UniFi-Wireless/UniFi-Controller-failed-after-dist-upgrade/td-p/1967779
)

tags: added: trusty
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in octave (Ubuntu):
status: New → Confirmed
Norbert (nrbrtx) wrote :

Octave in Trusty is affected too (see bug 1699594).


Interestingly, octave 4.2 comes up successfully under 4.4.0-81 under Ubuntu 16.04.

On Jun 23, 2017 4:45 PM, "Norbert" <email address hidden> wrote:

> Octave in Trusty is affected too (see bug 1699594).

Applications that use jsvc can increase their thread stack space with -Xss1280k or larger (Red Hat, for example, suggested -Xss2m which is much larger).

Norbert (nrbrtx) wrote :

I confirm issue with full installation of Octave 3.8.1-1ubuntu1 on Trusty
(
dpkg -l | grep octave | grep "^ii" | awk '{print $2;}'
liboctave2:i386 octave octave-audio octave-benchmark octave-biosig octave-common octave-communications octave-communications-common octave-control octave-data-smoothing octave-dataframe
octave-doc octave-econometrics octave-epstk octave-financial octave-fpl octave-ga octave-gdf octave-general octave-geometry octave-gmt octave-gsl octave-htmldoc octave-image octave-info octave-io octave-lhapdf:i386 octave-linear-algebra octave-mapping octave-miscellaneous octave-missing-functions octave-mpi octave-nan octave-nlopt octave-nnet octave-nurbs octave-ocs octave-octcdf octave-octgpr octave-odepkg octave-openmpi-ext octave-optim octave-optiminterp octave-parallel octave-pfstools octave-plot octave-psychtoolbox-3 octave-quaternion octave-signal octave-sockets octave-specfun octave-splines octave-statistics octave-strings octave-struct octave-sundials octave-symbolic octave-tsa octave-vlfeat:i386 octave-vrml octave-zenity qtoctave
)
it crashes on 3.13.0-121-generic. strace says that the segmentation fault happens after loading openjdk and some mmap call. Octave starts normally with 3.13.0-119-generic.

Norbert (nrbrtx) wrote :

Current state of the problem: Ubuntu kernel developers will prepare a new patch in a few days (see https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2017-June/017507.html).

John Johansen:
"The kernel team is aware of the issue, and will be releasing updated
kernels when they are available.

There are currently no plans to revert the kernel patch until the
replacement patches are ready due to the nature of the security
vulnerability. If the regression is preventing you from using the
applications you require then we currently recommend you reboot into
the previous kernel."

Other Xenial kernels (linux-image-4.8.0-56-generic, linux-image-4.10.0-24-generic) are affected too.

As of today there is only one kernel with the problem fixed: 4.11.6-1 in Debian sid (https://packages.debian.org/sid/linux-image-4.11.0-1-686).

summary: - linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression:
- many user-space apps crashing
+ linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-
+ image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many
+ user-space apps crashing
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-jpype (Ubuntu):
status: New → Confirmed
Changed in linux (Debian):
status: Unknown → Confirmed
Norbert (nrbrtx) wrote :

Scilab is still crashing with kernel from xenial-proposed (4.4.0-82.105).
"JAVA_TOOL_OPTIONS=-Xss1280k scilab" helps, but it is not a solution.


René Engelhard pointed to something similar:
https://buildd.debian.org/status/fetch.php?pkg=libreoffice&arch=i386&ver=1%3A5.3.4-1&stamp=1498442560&raw=0)

#0 0xead28975 in _expand_stack_to(unsigned char*) () from /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so

He commented:
"Linux's stack clash fixes break Java (and thus whenever LO tries to use Java)"

Not sure if related.

the JVM regularly receives SIGSEGV especially during startup,
and that is annoying but not a problem at all.

if Calc does indeed crash, that must be a later SIGSEGV that is
not handled by the JVM.

please attach a backtrace of the last SIGSEGV i.e. the one
that is in LO code and isn't handled by JVM.

thanks for the info and I have tested with openjdk7 and no crashes anymore
second I found that it loaded the file faster than with openjdk8

thanks again

Sorry, I spoke too soon
crashes with openjdk7; I have backtrace and strace logs

Created attachment 134315
backtrace for openjdk7

Created attachment 134316
strace for openjdk

will test without java in advanced options

I have downloaded the 5.3.4.2 and there is no crash
now I don't know anymore

Norbert (nrbrtx) wrote :

With latest proposed kernel (4.4.0-83.106) Scilab does not crash.

Norbert (nrbrtx) wrote :
no longer affects: rustc
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in rustc (Ubuntu):
status: New → Confirmed
nezero (nezero) wrote :

4.4.0-83.106 appears to be in the release repos now and looks like it's fixed the issue for JSVC (commons-daemon (Ubuntu))

Damjan Jovanovic (damjan-jov) wrote :

4.4.0-83 fixes Eclipse, but LibreOffice Base still crashes with JDBC drivers.

Lachezar Dobrev (lachezar) wrote :

Kernel 4.10.0-26 (deb version 4.10.0-26.30) seems to have fixed crashes in Eclipse.

Upgrade to "Linux ... 4.10.0-26-generic #30-Ubuntu SMP Tue Jun 27 09:30:12 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux" (Ubuntu 17.04 with XFCE under VMware WS Pro 12.5.7 build-5813279) fixed my problems with "jsvc" (starting "tomcat" 8.5.16) and kernel 4.10.0-24.28 ... catching "signal 11" immediately after start.

Many thanks to all of You, having helped to solve the problem!

Norbert (nrbrtx) wrote :

Scilab and test C-Java program from bug 1700270 work normally with linux-image-4.4.0-83-generic, linux-image-4.8.0-58-generic, linux-image-4.10.0-26-generic.
Thank you!

Changed in linux (Ubuntu):
status: Confirmed → Fix Released

Thanks very much. I have installed it, and you're right.

Art Edwards

On Jun 29, 2017 3:02 PM, "Norbert" <email address hidden> wrote:

> Scilab and test C-Java program from bug 1700270 work normally with
> linux-image-4.4.0-83-generic, linux-image-4.8.0-58-generic,
> linux-image-4.10.0-26-generic.
> Thank you!
>
> ** Changed in: linux (Ubuntu)
> Status: Confirmed => Fix Released

Changed in linux (Debian):
status: Confirmed → Fix Released
Changed in linux (Debian):
status: Fix Released → Confirmed
Arthur Edwards (edwardsah3) wrote :

Thanks!

On Jul 4, 2017 3:41 PM, "Bug Watch Updater" <email address hidden>
wrote:

> ** Changed in: linux (Debian)
> Status: Fix Released => Confirmed


That specific crash has been reported both on debian (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865303) and ubuntu (https://launchpad.net/bugs/1702165). It started happening with a recent linux kernel update related to stack clash fixes (see https://launchpad.net/bugs/1699772). Subsequent kernel updates appear to have fixed all userspace apps affected by that crash, except for libreoffice on x86, which is still crashing. Libreoffice on x86-64 is fine.

I can reliably reproduce the crash in an Ubuntu 17.04 x86 virtual machine by ensuring that java is enabled in libreoffice's advanced options (using the openjdk-8 package), launching base and creating a new database.

A full backtrace with debug symbols is available there: https://launchpadlibrarian.net/326892034/libreoffice-base-zesty-full-backtrace.txt.

Created attachment 134497
full backtrace with debug symbols of base crashing at database creation

Attaching the full backtrace I mentioned above.

Norbert (nrbrtx) on 2017-07-05
no longer affects: linux

Created attachment 134499
backtrace for LibreOffice Writer 5.2.7.2 on Debian Stretch x86

This problem was discovered in LibreOffice Writer 5.2.7.2 on Debian Stretch (see for example my backtrace at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865303#220 ) or in attachment.
In brief:
#0 0xa904a975 in _expand_stack_to(address) (bottom=0xbf805fff <error: Cannot access memory at address 0xbf805fff>, bottom@entry=0xbf805000 <error: Cannot access memory at address 0xbf805000>)
    at ./src/hotspot/src/os/linux/vm/os_linux.cpp:673
        sp = 0xbfffcc88 "\r"
        size = 8350857
        p = 0xbf805fe0 <error: Cannot access memory at address 0xbf805fe0>
#1 0xa904d184 in os::Linux::manually_expand_stack(JavaThread*, unsigned char*) (t=0x8106c800, addr=0xbf805000 <error: Cannot access memory at address 0xbf805000>) at ./src/hotspot/src/os/linux/vm/os_linux.cpp:686
        mask_all = {__val = {2147483647, 4294967294, 4294967295 <repeats 30 times>}}
        old_sigset =
            {__val = {0, 0, 3221212536, 3221212568, 2829768134, 96, 3221212536, 2835641696, 3017451961, 2164710288, 2164710288, 2839724032, 2835430804, 2164710320, 2837838588, 63, 2835430768, 2839724032, 2164717328, 3221212616, 2835654623, 2164710288, 0, 2837838588, 1, 180, 3221212616, 2835654507, 2839724032, 2164717328, 2164717328, 3221212648}}
        t = 0x8106c800
        addr = 0xbf805000 <error: Cannot access memory at address 0xbf805000>

I do not know how many users use Java in Writer, but it is enabled by default and Writer silently crashes.
It's a critical bug!

Norbert (nrbrtx) on 2017-07-05
tags: added: zesty

Created attachment 134502
backtrace for LibreOffice Base 5.2.7.2 on Debian Stretch x86

Base in Debian Stretch x86 is affected too (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865303#225 ).

I ran "gdb --args /usr/lib/libreoffice/program/soffice.bin --base", 'run', in Database Wizard selected 'Create a new database', 'Embedded database:' -> 'HSQLDB Embedded', click 'Next', click 'Finish', save database file in /tmp/db.odb.

Backtrace in brief:
#0 0xa24e7975 in _expand_stack_to(address) (bottom=0xbf805fff <error: Cannot access memory at address 0xbf805fff>, bottom@entry=0xbf805000 <error: Cannot access memory at address 0xbf805000>)
    at ./src/hotspot/src/os/linux/vm/os_linux.cpp:673
        sp = 0xbfffc6c8 "\r"
        size = 8349385
        p = 0xbf805fe0 <error: Cannot access memory at address 0xbf805fe0>
#1 0xa24ea184 in os::Linux::manually_expand_stack(JavaThread*, unsigned char*) (t=0x8112d800, addr=0xbf805000 <error: Cannot access memory at address 0xbf805000>) at ./src/hotspot/src/os/linux/vm/os_linux.cpp:686
        mask_all = {__val = {2147483647, 4294967294, 4294967295 <repeats 30 times>}}
        old_sigset =
            {__val = {0, 0, 3221211064, 3221211096, 2717164998, 96, 3221211064, 2723038560, 3017451961, 2165500688, 2165500688, 2727120896, 2722827668, 2165500720, 2725235452, 63, 2722827632, 2727120896, 2165500504, 3221211144, 2723051487, 2165500688, 0, 2725235452, 1, 180, 3221211144, 2723051371, 2727120896, 2165500504, 2165500504, 3221211176}}
        t = 0x8112d800
        addr = 0xbf805000 <error: Cannot access memory at address 0xbf805000>


I can confirm that LibreOffice Base is crashing on Ubuntu 17.04 during database creation (launched Base, in 'Database Wizard' selected 'Create a new database', 'Embedded database:' -> 'HSQLDB Embedded', click 'Next', click 'Finish', save database file in /tmp/db.odb). After that Base is crashing silently.
I can't install libreoffice-dbg package on zesty (I reported bug 1702556 about it).
LibreOffice Writer does not crash in Zesty.


LibreOffice Base 5.3.1.2 on Ubuntu 17.04 x86 is affected too. I can't get backtrace here.

Norbert (nrbrtx) wrote :

Libreoffice Base 5.1.6.2 is crashing on Ubuntu 16.04 LTS.
What I did:
0. Installed all updates, "uname -a"
 Linux flash-1604 4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:25 UTC 2017 i686 i686 i686 GNU/Linux
1. "sudo apt-get install libreoffice-dbg ure-dbg uno-libs3-dbg libglib2.0-0-dbg"
3. run "gdb --args /usr/lib/libreoffice/program/soffice.bin --base", in Database Wizard selected 'Create a new database', 'Embedded database:' -> 'HSQLDB Embedded', click 'Next', click 'Finish', save database file in /tmp/db.odb.
   "run"
   "bt full"
    Got this backtrace: (see attachment).


Created attachment 134504
backtrace for LibreOffice Writer 5.1.6.2 on Ubuntu 16.04 LTS x86

LibreOffice Base 5.1.6.2 on Ubuntu 16.04 LTS x86 is affected too.
See attached backtrace (jfw_plugin_startJavaVirtualMachine is mentioned here).

It seems that bug may be fixed soon in kernel (see https://lkml.org/lkml/2017/7/3/1008 ), not in LibreOffice.
I'm sorry for the noise.

Changed in df-libreoffice:
importance: Unknown → Critical
status: Unknown → Confirmed
Norbert (nrbrtx) wrote :

Libreoffice Base 5.3.1.2 is crashing on Ubuntu 17.04.
What I did:
0. Installed all updates, "uname -a"
 Linux ubuntu-zesty 4.10.0-26-generic #30-Ubuntu SMP Tue Jun 27 09:29:33 UTC 2017 i686 i686 i686 GNU/Linux
1. "apt-get install libreoffice-core-dbgsym libreoffice-writer-dbgsym ure-dbgsym uno-libs3-dbgsym libreoffice-gtk3-dbgsym libglib2.0-0-dbgsym"
3. run "gdb --args /usr/lib/libreoffice/program/soffice.bin --base", in Database Wizard selected 'Create a new database', 'Embedded database:' -> 'HSQLDB Embedded', click 'Next', click 'Finish', save database file in /tmp/db.odb.
   "run"
   "bt full"
    Got this backtrace: (see attachment).


(In reply to Norbert X from comment #14)
> It seems that bug may be fixed soon in kernel (see
> https://lkml.org/lkml/2017/7/3/1008 ), not in LibreOffice.
> I'm sorry for the noise.

Thank you very much for investigating it.
I guess we can close this as RESOLVED NOTOURBUG


Hi,
problem still present on linux-image-4.8.0-58-generic with these conditions:
    - while executing JVM launched from >>32-bit<< C (on 64-bit kernel)
    - defining "higher" JVM stack size (eg. -Xss2048k JVM argument)

=> causes JVM segmentation fault

Attached test case (sources + binary + output logs): Bug1699772_i386_jvm_segfault_problem.tgz
test_case1.c (32-bit) => using -Xss1024k => RUNS OK.
test_case2.c (32-bit) => using -Xss2048k => Segmentation fault.
test_case1.c (64-bit) => using -Xss1024k => RUNS OK.
test_case2.c (64-bit) => using -Xss2048k => RUNS OK.

My system:
cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"

with linux-generic-hwe-16.04

uname -a
Linux L34001100621 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Changed in df-libreoffice:
status: Confirmed → Won't Fix
Changed in linux (Debian):
status: Confirmed → Fix Released
Changed in linux (Debian):
status: Fix Released → Confirmed

There are 2 workarounds for this issue:

Add kernel parameter stack_guard_gap=1

Or

Start Libreoffice, click on Tools, click on options and under Libreoffice section click on Advanced.
And instead of changing parameters, considering I don't use java in Libreoffice, I've simply deselected "Use a Java runtime environment".

from: https://bbs.archlinux.org/viewtopic.php?id=227597
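The crashes in this thread come from HotSpot touching pages below the stack pointer to pre-grow the main thread's stack (Moritz Bechler's comment above on JVMs launched on the main thread), which the CVE-2017-1000364 fix refuses once the stack gets within the enlarged guard gap of another mapping; the stack_guard_gap=1 workaround just above shrinks that gap back to one page. The probe below makes the effect visible. It is an added example written for this page, not code from the kernel, OpenJDK, Ubuntu or any commenter; it assumes Linux and that mmap() honours an address hint when the requested range is free. SAMPLE_MAPS is a constructed /proc maps excerpt, not taken from any reporter's machine.

```c
/* stack_gap_probe.c: added example for this bug report, not code from the
 * kernel, OpenJDK, Ubuntu or any commenter. Assumes Linux and that mmap()
 * honours an address hint when the requested range is free.
 * Build: gcc -Wall -O0 -o stack_gap_probe stack_gap_probe.c */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed /proc/<pid>/maps excerpt (not from any reporter's machine): the
 * highest mapping below [stack] ends 1 MiB, i.e. 256 4 KiB pages, under it. */
static const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 1 /bin/true\n"
    "7ffff7a00000-7ffff7bc0000 r-xp 00000000 08:01 2 /lib/x86_64-linux-gnu/libc.so.6\n"
    "7fffffd00000-7fffffe00000 rw-p 00000000 00:00 0\n"
    "7ffffff00000-7ffffff21000 rw-p 00000000 00:00 0 [stack]\n"
    "ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\n";

/* Bytes between the start of "[stack]" and the end of the highest mapping that
 * ends at or below it; 0 if there is no "[stack]" line. Two passes, so the
 * lines need not be sorted. */
size_t stack_gap_from_maps(const char *maps)
{
    unsigned long long stack_start = 0, prev_end = 0, start, end;
    int have_stack = 0;
    for (int pass = 0; pass < 2 && (pass == 0 || have_stack); pass++) {
        const char *line = maps;
        while (*line) {
            size_t len = strcspn(line, "\n");
            const char *tag = strstr(line, "[stack]");
            int is_stack = tag && (size_t)(tag - line) < len;   /* tag on this line */
            if (sscanf(line, "%llx-%llx", &start, &end) == 2) {
                if (pass == 0 && is_stack) { stack_start = start; have_stack = 1; }
                else if (pass == 1 && end <= stack_start && end > prev_end) prev_end = end;
            }
            line += len + (line[len] == '\n');
        }
    }
    return have_stack ? (size_t)(stack_start - prev_end) : 0;
}

static sigjmp_buf fault_jump;
static void on_sigsegv(int sig) { (void)sig; siglongjmp(fault_jump, 1); }

/* Touch one byte per page below the current stack pointer, the way HotSpot's
 * _expand_stack_to() does via alloca(), until the kernel refuses to grow the
 * stack and delivers SIGSEGV. Returns how many pages were grown. */
size_t probe_stack_growth(size_t max_pages)
{
    const size_t page = (size_t)sysconf(_SC_PAGESIZE);
    volatile size_t grown = 0;            /* volatile: value survives siglongjmp */
    stack_t ss = {0}, old_ss;
    struct sigaction sa = {0}, old_sa;
    ss.ss_sp = malloc(1 << 16);
    ss.ss_size = 1 << 16;
    if (!ss.ss_sp) return 0;
    sa.sa_handler = on_sigsegv;
    sa.sa_flags = SA_ONSTACK;             /* run the handler off the stack being probed */
    sigaltstack(&ss, &old_ss);
    sigaction(SIGSEGV, &sa, &old_sa);
    if (sigsetjmp(fault_jump, 1) == 0) {
        volatile char *sp = (volatile char *)&grown;   /* roughly the current sp */
        while (grown < max_pages) {
            *(sp - (grown + 1) * page) = 0;            /* faults once inside the gap */
            grown++;
        }
    }
    sigaction(SIGSEGV, &old_sa, NULL);
    sigaltstack(&old_ss, NULL);
    free(ss.ss_sp);
    return grown;
}

int main(void)
{
    const size_t page = (size_t)sysconf(_SC_PAGESIZE);
    printf("sample maps: %zu pages between [stack] and the mapping below it\n",
           stack_gap_from_maps(SAMPLE_MAPS) / page);

    /* Plant a one-page mapping 4 MiB below the stack, then grow the stack
     * towards it by hand. Before the stack-clash fix the stack could reach
     * within one page of it; with the enlarged gap growth stops stack_guard_gap
     * pages (256 by default) short, the same refusal HotSpot runs into. */
    char anchor;
    uintptr_t top = (uintptr_t)&anchor & ~(uintptr_t)(page - 1);
    void *planted = mmap((void *)(top - (4u << 20)), page, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (planted == MAP_FAILED) { perror("mmap"); return 1; }
    size_t grown = probe_stack_growth((8u << 20) / page);
    uintptr_t lowest = top - grown * page, planted_end = (uintptr_t)planted + page;
    printf("grew %zu pages; stopped about %zu pages above the planted mapping\n",
           grown, lowest > planted_end ? (lowest - planted_end) / page : (size_t)0);
    munmap(planted, page);
    return 0;
}
```

Compare the last line across kernels: on any kernel with the enlarged guard gap (the fixed Ubuntu kernels included) the probe stops about 256 pages above the planted mapping; booted with stack_guard_gap=1, or on a kernel from before the CVE-2017-1000364 fix, it stops within a page of it. The numbers depend on the stack rlimit and on the hint actually being honoured, which is why the program reports what it measured instead of assuming a layout.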

pointers to the openjdk code / showing why only 32bit is affected

https://<email address hidden>/msg1437925.html

*** Bug 109327 has been marked as a duplicate of this bug. ***

*** Bug 108854 has been marked as a duplicate of this bug. ***

*** Bug 109101 has been marked as a duplicate of this bug. ***

Olivier Tilloy (osomon) on 2017-08-02
Changed in linux (Ubuntu):
status: Fix Released → Confirmed

*** Bug 110748 has been marked as a duplicate of this bug. ***

Adolfo Jayme (fitojb) on 2017-08-08
Changed in linux (Ubuntu):
importance: Undecided → Critical

*** Bug 109014 has been marked as a duplicate of this bug. ***

*** Bug 112357 has been marked as a duplicate of this bug. ***

*** Bug 112479 has been marked as a duplicate of this bug. ***

The build time manifestation of this bug is a CppunitTest_dbaccess_hsqldb_test or CppunitTest_dbaccess_RowSetClones test failure. For details see:

http://nabble.documentfoundation.org/CppunitTest-dbaccess-hsqldb-test-CppunitTest-dbaccess-RowSetClones-Failing-after-System-Update-td4218769.html

Norbert (nrbrtx) on 2017-09-29
tags: added: artful
summary: linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-
- image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many
- user-space apps crashing
+ image-4.4.0-81-generic, linux-image-3.13.0-121-generic, linux-
+ image-4.13.0-12-generic Regression: many user-space apps crashing
summary: - linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-
- image-4.4.0-81-generic, linux-image-3.13.0-121-generic, linux-
- image-4.13.0-12-generic Regression: many user-space apps crashing
+ linux-image-4.13.0-12-generic, linux-image-4.10.0-24-generic, linux-
+ image-4.8.0-56-generic, linux-image-4.4.0-81-generic, linux-
+ image-3.13.0-121-generic | Regression: many user-space apps crashing
tags: added: id-599af6610f9a304e95fd9796
ronalddsp (rdsierrap) on 2017-10-04
Changed in python-jpype (Ubuntu):
status: Confirmed → New

*** Bug 112930 has been marked as a duplicate of this bug. ***

Changed in python-jpype (Ubuntu):
status: New → Confirmed

*** Bug 113491 has been marked as a duplicate of this bug. ***

*** Bug 113904 has been marked as a duplicate of this bug. ***

Changed in linux (Debian):
status: Confirmed → Fix Released

*** Bug 114689 has been marked as a duplicate of this bug. ***

*** Bug 114898 has been marked as a duplicate of this bug. ***

*** Bug 114639 has been marked as a duplicate of this bug. ***

*** Bug 114638 has been marked as a duplicate of this bug. ***

*** Bug 114977 has been marked as a duplicate of this bug. ***

Why then is every other Java program not showing errors?
LibreOffice is the only one.
Thanks,

tags: added: kernel-da-key
Changed in linux (Ubuntu Artful):
assignee: nobody → Joseph Salisbury (jsalisbury)
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Bionic):
assignee: nobody → Joseph Salisbury (jsalisbury)
status: Confirmed → In Progress
no longer affects: commons-daemon (Ubuntu)
no longer affects: commons-daemon (Ubuntu Artful)
no longer affects: commons-daemon (Ubuntu Bionic)
no longer affects: eclipse (Ubuntu Artful)
no longer affects: eclipse (Ubuntu Bionic)
no longer affects: eclipse (Ubuntu)
no longer affects: imagej (Ubuntu Artful)
no longer affects: imagej (Ubuntu Bionic)
no longer affects: libreoffice (Ubuntu Artful)
no longer affects: libreoffice (Ubuntu Bionic)
no longer affects: libreoffice (Ubuntu)
no longer affects: imagej (Ubuntu)
no longer affects: octave (Ubuntu Artful)
no longer affects: octave (Ubuntu Bionic)
no longer affects: octave (Ubuntu)
no longer affects: python-jpype (Ubuntu Artful)
no longer affects: python-jpype (Ubuntu Bionic)
no longer affects: python-jpype (Ubuntu)
no longer affects: rustc (Ubuntu Artful)
no longer affects: rustc (Ubuntu Bionic)
no longer affects: rustc (Ubuntu)
no longer affects: scilab (Ubuntu Artful)
no longer affects: scilab (Ubuntu Bionic)
no longer affects: scilab (Ubuntu)
Changed in linux (Ubuntu Xenial):
status: New → In Progress
Changed in linux (Ubuntu Artful):
importance: High → Critical
Changed in linux (Ubuntu Xenial):
importance: Undecided → Critical
assignee: nobody → Joseph Salisbury (jsalisbury)

*** Bug 115631 has been marked as a duplicate of this bug. ***

*** Bug 115222 has been marked as a duplicate of this bug. ***

Changed in linux (Ubuntu Xenial):
status: In Progress → Incomplete
Changed in linux (Ubuntu Artful):
status: In Progress → Incomplete
Changed in linux (Ubuntu Bionic):
status: In Progress → Incomplete

*** Bug 118677 has been marked as a duplicate of this bug. ***


This bug was nominated against a series that is no longer supported, ie artful. The bug task representing the artful nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu Artful):
status: Incomplete → Won't Fix
Wladimir Mutel (mwg) wrote :

Is there any chance to have this fixed in Ubuntu 18.04 earlier than 20.04 is released?
