Bug 1003179

Summary: [abrt] libreoffice-core-4.1.1.2-2.fc19: SetFormatIgnoreStart: Process /usr/lib/libreoffice/program/soffice.bin was killed by signal 11 (SIGSEGV)
Product: [Fedora] Fedora
Reporter: Met Merilius <nikt>
Component: libreoffice
Assignee: Michael Stahl <mstahl>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 19
CC: andy.blight, caolanm, dtardon, erack, jonathonpoppleton, ltinkl, mstahl, sbergman
Target Milestone: ---
Target Release: ---
Hardware: i686
OS: Unspecified
Whiteboard: abrt_hash:51984b8991d932007ec62dfd16a07e9d16d1aa08
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-09 12:51:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
Description              Flags
File: backtrace          none
File: cgroup             none
File: core_backtrace     none
File: dso_list           none
File: environ            none
File: exploitable        none
File: limits             none
File: maps               none
File: open_fds           none
File: proc_pid_status    none
File: var_log_messages   none

Description Met Merilius 2013-08-31 14:30:30 UTC
Description of problem:
- Enable tracking changes
- right-click on a misspelled word to correct it (choose the correct something from the popup menu)
- immediately press Ctrl+z

Version-Release number of selected component:
libreoffice-core-4.1.1.2-2.fc19

Additional info:
reporter:       libreport-2.1.6
backtrace_rating: 4
cmdline:        /usr/lib/libreoffice/program/soffice.bin --writer file:///home/balwierz/SkypeTransfer/CareerPlan_MaciejWiktor.doc
crash_function: SetFormatIgnoreStart
executable:     /usr/lib/libreoffice/program/soffice.bin
kernel:         3.10.5-201.fc19.i686.PAE
runlevel:       N 5
uid:            670

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 SetFormatIgnoreStart at /usr/src/debug/libreoffice-4.1.1.2/sw/inc/txatbase.hxx:101
 #1 SwHistorySetTxt::SetInDoc at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/undo/rolbck.cxx:246
 #2 SwHistory::TmpRollback at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/undo/rolbck.cxx:1158
 #3 SwUndoDelete::UndoImpl at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/undo/undel.cxx:898
 #4 SwUndo::UndoWithContext at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/undo/undobj.cxx:230
 #5 SfxListUndoAction::UndoWithContext at /usr/src/debug/libreoffice-4.1.1.2/svl/source/undo/undo.cxx:1334
 #7 SfxUndoManager::ImplUndo at /usr/src/debug/libreoffice-4.1.1.2/svl/source/undo/undo.cxx:794
 #8 SfxUndoManager::UndoWithContext at /usr/src/debug/libreoffice-4.1.1.2/svl/source/undo/undo.cxx:761
 #9 sw::UndoManager::impl_DoUndoRedo at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/undo/docundo.cxx:476
 #10 sw::UndoManager::Undo at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/undo/docundo.cxx:503

Comment 1 Met Merilius 2013-08-31 14:30:35 UTC
Created attachment 792423
File: backtrace

Comment 2 Met Merilius 2013-08-31 14:30:39 UTC
Created attachment 792424
File: cgroup

Comment 3 Met Merilius 2013-08-31 14:30:43 UTC
Created attachment 792425
File: core_backtrace

Comment 4 Met Merilius 2013-08-31 14:30:46 UTC
Created attachment 792426
File: dso_list

Comment 5 Met Merilius 2013-08-31 14:30:50 UTC
Created attachment 792427
File: environ

Comment 6 Met Merilius 2013-08-31 14:30:53 UTC
Created attachment 792428
File: exploitable

Comment 7 Met Merilius 2013-08-31 14:30:56 UTC
Created attachment 792429
File: limits

Comment 8 Met Merilius 2013-08-31 14:31:00 UTC
Created attachment 792430
File: maps

Comment 9 Met Merilius 2013-08-31 14:31:03 UTC
Created attachment 792431
File: open_fds

Comment 10 Met Merilius 2013-08-31 14:31:07 UTC
Created attachment 792432
File: proc_pid_status

Comment 11 Met Merilius 2013-08-31 14:31:10 UTC
Created attachment 792433
File: var_log_messages

Comment 12 Caolan McNamara 2013-09-04 08:33:30 UTC
caolanm->mstahl: I can't reproduce this with a new simple document, but according to the bt at sw/source/core/undo/rolbck.cxx:246 pAttr is NULL and there is an assert(pAttr). A quick bodge to not crash with pAttr of NULL is possible of course, but any idea how that NULL could arise?

Comment 13 Michael Stahl 2013-09-05 22:25:10 UTC
SETATTR_NOTXTATRCHR and SETATTR_NOHINTADJUST there (and the fact
that this is Undo so the same hint was inserted previously)
ought to skip pretty much every failure mode that could happen in
InsertItem.

Met, can you perhaps reproduce the problem?

it must be caused by some particular text attributes in the document
and happens when undoing a deletion of text.

Comment 14 Andy Blight 2013-09-24 10:51:35 UTC
Edited document that had not been saved.
1. Auto formatting had been applied (hanging indent that I didn't want).
2. Undid changes using Ctrl Z perhaps too many times as it was responding slowly.
3. Pasted additional text. 
4. Auto format reapplied.
Did this two or three times before it crashed. 

reporter:       libreport-2.1.7
backtrace_rating: 4
cmdline:        /usr/lib64/libreoffice/program/soffice.bin --writer '/home/andy/Documents/Job Hunt/CV/CV2013Full_v4.doc' --splash-pipe=5
crash_function: SetFormatIgnoreStart
executable:     /usr/lib64/libreoffice/program/soffice.bin
kernel:         3.11.1-200.fc19.x86_64
package:        libreoffice-core-4.1.1.2-5.fc19
reason:         Process /usr/lib64/libreoffice/program/soffice.bin was killed by signal 11 (SIGSEGV)
runlevel:       N 5
type:           CCpp
uid:            1000

Comment 15 Michael Stahl 2013-10-08 20:47:40 UTC
fortunately Arnaud found an easily reproducible scenario where
no-extent RSID-only AUTOFMT hints would survive some editing
operations and then cause this crash on Undo.

my hope is that the fix is sufficiently generic to handle
various different operations.

Comment 16 Michael Stahl 2013-11-08 12:20:18 UTC
*** Bug 1028415 has been marked as a duplicate of this bug. ***