Bug 1006850

Summary: writer crash at SwPostItMgr::GetSidebarWidth (this=this@entry=0x0, bPx=bPx@entry=true)
Product: [Fedora] Fedora
Reporter: matti aarnio <matti.aarnio>
Component: libreoffice
Assignee: Caolan McNamara <caolanm>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 19
CC: caolanm, dtardon, erack, ltinkl, matti.aarnio, mstahl, sbergman
Hardware: x86_64
OS: Linux
Fixed In Version: libreoffice-4.1.1.2-4.fc19
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-09-14 02:30:13 UTC

Description matti aarnio 2013-09-11 11:41:46 UTC
Description of problem:

   Request to open second window on a large (200+ pages) ODT document.

   Opening a much smaller document, and trying this same operation does
   not crash.


Version-Release number of selected component (if applicable):

libreoffice-writer-4.1.1.2-3.fc19.x86_64

How reproducible:
  Way too easily

Steps to Reproduce:
1. Open a large (200+ pages) odt document in libreoffice writer
2. Select "Window" -> "New Window"
3. Crash happens

Actual results:

Program received signal SIGSEGV, Segmentation fault.
SwPostItMgr::GetSidebarWidth (this=this@entry=0x0, bPx=bPx@entry=true)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/docvw/PostItMgr.cxx:1570
1570        unsigned long aWidth = (unsigned long)(mpWrtShell->GetViewOptions()->GetZoom() * 1.8);
Cannot access memory at address 0x60
(gdb) up
#1  0x00007fffd79c5597 in SwCommentRuler::GetCommentControlRegion (this=this@entry=0x1567db0)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/misc/swruler.cxx:254
254         long nRight  = nLeft+ pPostItMgr->GetSidebarWidth(true) + pPostItMgr->GetSidebarBorderWidth(true);

Comment 1 Caolan McNamara 2013-09-11 13:18:28 UTC
I wish we had a bit more of the backtrace; is it possible to get more lines of it? I can't reproduce the crash here with the same tactics on e.g. the 800+ page ODF specification, so there might be a bit of a timing issue preventing me from getting the same result.

Clearly pPostItMgr is NULL so I can bodge it to not crash by detecting that, but I'd prefer to know the exact code route to get a full fix.

Comment 2 matti aarnio 2013-09-11 14:05:50 UTC
I will try.  gdb spins like mad and grows its memory footprint to about 5 GB...
Back trace printout takes a lot of time too, with the CPU running at 99.6% load and malloc() being called all the time to expand some more space (I have 16 GB, but still I find that rather seriously broken behavior.)


(gdb) where
#0  SwPostItMgr::GetSidebarWidth (this=this@entry=0x0, bPx=bPx@entry=true)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/docvw/PostItMgr.cxx:1570
#1  0x00007ffdb658e597 in SwCommentRuler::GetCommentControlRegion (this=this@entry=0x3398b70)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/misc/swruler.cxx:254
#2  0x00007ffdb658ef53 in SwCommentRuler::Update (this=0x3398b70)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/misc/swruler.cxx:228
#3  0x00007ffdb661c88e in ForceUpdate (this=<optimized out>) at /usr/src/debug/libreoffice-4.1.1.2/include/svx/ruler.hxx:251
#4  SwView::InvalidateRulerPos (this=this@entry=0x33d9850)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/uiview/viewport.cxx:125
#5  0x00007ffdb661f961 in SwView::SetVisArea (this=0x33d9850, rRect=..., bUpdateScrollbar=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/uiview/viewport.cxx:290
#6  0x00007ffdb661eee0 in SwView::DocSzChgd (this=0x33d9850, rSz=...)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/uiview/viewport.cxx:198
#7  0x00007ffdb63ee064 in ViewShell::UISizeNotify (this=0x3262670)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/view/viewsh.cxx:2116
#8  0x00007ffdb63efe16 in ViewShell::ImplEndAction (this=this@entry=0x3262670, bIdleEnd=bIdleEnd@entry=0 '\000')
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/view/viewsh.cxx:402
#9  0x00007ffdb5f6c819 in EndAction (bIdleEnd=0 '\000', this=0x3262670)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/inc/viewsh.hxx:594
#10 SwCrsrShell::EndAction (this=this@entry=0x3262670, bIdleEnd=bIdleEnd@entry=0 '\000')
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/crsr/crsrsh.cxx:257
#11 0x00007ffdb60ca362 in SwEditShell::EndAllAction (this=0x49087f0)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/edit/edws.cxx:119
#12 0x00007ffdb6535d95 in SwPostItMgr::AddPostIts (this=this@entry=0x490be10, bCheckExistance=bCheckExistance@entry=false, 
    bFocus=bFocus@entry=false) at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/docvw/PostItMgr.cxx:1131
#13 0x00007ffdb6535fa9 in SwPostItMgr::SwPostItMgr (this=0x490be10, pView=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/docvw/PostItMgr.cxx:149
#14 0x00007ffdb6605af5 in SwView::SwView (this=0x48d9c70, _pFrame=<optimized out>, pOldSh=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/uiview/view.cxx:932
#15 0x00007ffdb66073a5 in SwView::CreateInstance (pFrame=0x48e0550, pOldView=0x0)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/uiview/view0.cxx:81
#16 0x00000034641485cc in SfxBaseModel::createViewController (this=0x7ffdd03ee538, i_rViewName=..., i_rArguments=..., 
    i_rFrame=...) at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/doc/sfxbasemodel.cxx:4273
#17 0x00000034641c9afe in SfxFrameLoader_Impl::impl_createDocumentView (this=this@entry=0x7ffda8993790, i_rModel=..., 
    i_rFrame=..., i_rViewFactoryArgs=..., i_rViewName=...)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/view/frmload.cxx:497
#18 0x00000034641cb230 in SfxFrameLoader_Impl::load (this=0x7ffda8993790, rArgs=..., _rTargetFrame=...)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/view/frmload.cxx:620
#19 0x00007ffdca0f33ed in framework::LoadEnv::impl_loadContent (this=this@entry=0x7fff950d8950)
    at /usr/src/debug/libreoffice-4.1.1.2/framework/source/loadenv/loadenv.cxx:1168
#20 0x00007ffdca0f3cd8 in framework::LoadEnv::startLoading (this=this@entry=0x7fff950d8950)
    at /usr/src/debug/libreoffice-4.1.1.2/framework/source/loadenv/loadenv.cxx:397
#21 0x00007ffdca0f4037 in framework::LoadEnv::loadComponentFromURL (xLoader=..., xSMGR=..., sURL=..., sTarget=..., 
    nFlags=nFlags@entry=0, lArgs=...) at /usr/src/debug/libreoffice-4.1.1.2/framework/source/loadenv/loadenv.cxx:168
#22 0x00007ffdca135623 in framework::Frame::loadComponentFromURL (this=0x7ffda89cf380, sURL=..., sTargetFrameName=..., 
    nSearchFlags=0, lArguments=...) at /usr/src/debug/libreoffice-4.1.1.2/framework/source/services/frame.cxx:328
#23 0x00000034641e25e6 in SfxViewFrame::LoadViewIntoFrame_Impl (i_rDoc=..., i_rFrame=..., i_rLoadArgs=..., 
    i_nViewId=i_nViewId@entry=2, i_bHidden=i_bHidden@entry=false)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/view/viewfrm.cxx:1967
#24 0x00000034641e4108 in SfxViewFrame::LoadViewIntoFrame_Impl_NoThrow (i_rDoc=..., i_rFrame=..., i_nViewId=i_nViewId@entry=2, 
    i_bHidden=i_bHidden@entry=false) at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/view/viewfrm.cxx:1913
#25 0x00000034641e5755 in SfxViewFrame::ExecView_Impl (this=0x36a73d0, rReq=...)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/view/viewfrm.cxx:2304
#26 0x0000003464208bf8 in SfxShell::CallExec (this=0x36a73d0, 
    pFunc=0x34641e57d0 <SfxStubSfxViewFrameExecView_Impl(SfxShell*, SfxRequest&)>, rReq=...)
    at /usr/src/debug/libreoffice-4.1.1.2/include/sfx2/shell.hxx:185
#27 0x000000346420259e in SfxDispatcher::Call_Impl (this=0x2f30c50, rShell=..., rSlot=..., rReq=..., bRecord=1 '\001')
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/control/dispatch.cxx:243
#28 0x0000003464204170 in SfxDispatcher::_Execute (this=0x2f30c50, rShell=..., rSlot=..., rReq=..., eCallMode=4)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/control/dispatch.cxx:924
#29 0x0000003463fc13ed in SfxBindings::Execute_Impl (this=0x3377b40, aReq=..., 
    pSlot=pSlot@entry=0x3464503b88 <aSfxViewFrameSlots_Impl+840>, pShell=pShell@entry=0x36a73d0)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/control/bindings.cxx:1293
#30 0x0000003463ff542a in SfxDispatchController_Impl::dispatch (this=0x428c2f0, aURL=..., aArgs=..., rListener=...)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/control/unoctitm.cxx:736
#31 0x0000003463ff6932 in SfxOfficeDispatch::dispatch (this=0x7ffda89926d8, aURL=..., aArgs=...)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/control/unoctitm.cxx:369
#32 0x00007ffdca1d5ead in framework::MenuBarManager::Select (this=0x7ffda95e70b0, pMenu=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/framework/source/uielement/menubarmanager.cxx:1121
#33 0x000000346097ed1b in Call (pCaller=0x33e2a70, this=0x33e2ad8)
    at /usr/src/debug/libreoffice-4.1.1.2/include/tools/link.hxx:123
#34 Menu::Select (this=0x33e2a70) at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/window/menu.cxx:1131
#35 0x0000003460978cb5 in ImplCallSelect (this=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/window/menu.cxx:3003
#36 Menu::LinkStubImplCallSelect (pThis=<optimized out>, pCaller=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/window/menu.cxx:3000
#37 0x00000034609e985a in Call (pCaller=<optimized out>, this=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/include/tools/link.hxx:123
#38 ImplHandleUserEvent (pSVEvent=0x4768ed0) at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/window/winproc.cxx:1986
#39 ImplWindowFrameProc (pWindow=<optimized out>, nEvent=<optimized out>, pEvent=0x4768ed0)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/window/winproc.cxx:2601
#40 0x00000034609eff08 in CallCallback (pEvent=0x4768ed0, nEvent=22, this=0x2d0f9b0)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/inc/salframe.hxx:243
#41 SalGenericDisplay::DispatchInternalEvent (this=0x256b480)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/generic/app/gendisp.cxx:91
#42 0x0000003a8938d31f in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /lib64/libQtCore.so.4
#43 0x0000003a8938c62c in QObject::event(QEvent*) () from /lib64/libQtCore.so.4
#44 0x00007ffdd215e68c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /lib64/libQtGui.so.4
#45 0x00007ffdd2162b0a in QApplication::notify(QObject*, QEvent*) () from /lib64/libQtGui.so.4
#46 0x0000003a8d2415ba in KApplication::notify (this=0x239bba0, receiver=0x237c870, event=0x7fff950d9f20)
    at /usr/src/debug/kdelibs-4.10.5/kdeui/kernel/kapplication.cpp:311
#47 0x0000003a89377d4e in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /lib64/libQtCore.so.4
#48 0x0000003a893a8ee2 in QTimerInfoList::activateTimers() () from /lib64/libQtCore.so.4
#49 0x0000003a893a5ee4 in timerSourceDispatch(_GSource*, int (*)(void*), void*) () from /lib64/libQtCore.so.4
#50 0x0000003a7de47e06 in g_main_dispatch (context=0x23a5bf0) at gmain.c:3054
#51 g_main_context_dispatch (context=context@entry=0x23a5bf0) at gmain.c:3630
#52 0x0000003a7de48158 in g_main_context_iterate (context=context@entry=0x23a5bf0, block=block@entry=0, 
    dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3701
#53 0x0000003a7de481fc in g_main_context_iteration (context=0x23a5bf0, may_block=0) at gmain.c:3762
#54 0x0000003a893a6676 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /lib64/libQtCore.so.4
#55 0x00007ffdd21fe92e in QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /lib64/libQtGui.so.4
#56 0x00007ffdd33af1b7 in KDEXLib::processYield (this=<optimized out>, bWait=<optimized out>, 
    bHandleAllCurrentEvents=<optimized out>) at /usr/src/debug/libreoffice-4.1.1.2/vcl/unx/kde4/KDEXLib.cxx:319
#57 0x000000346071bf14 in ImplYield (i_bAllEvents=false, i_bWait=true)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/app/svapp.cxx:422
#58 Application::Yield (i_bAllEvents=i_bAllEvents@entry=false)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/app/svapp.cxx:456
#59 0x000000346071bfb7 in Application::Execute () at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/app/svapp.cxx:401
#62 0x0000003460723d52 in SVMain () at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/app/svmain.cxx:198
#63 0x000000346564bb15 in soffice_main () at /usr/src/debug/libreoffice-4.1.1.2/desktop/source/app/sofficemain.cxx:82
#64 0x000000000040071b in sal_main () at /usr/src/debug/libreoffice-4.1.1.2/desktop/source/app/main.c:48
#65 main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/libreoffice-4.1.1.2/desktop/source/app/main.c:47

(Back-trace run took 26 CPU minutes on 3300 MHz AMD Phenom-II)
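
The code route this backtrace shows (SwView::SwView in frame #14 constructs the SwPostItMgr in frame #13, whose AddPostIts in frame #12 ends up in the ruler update of frames #2 to #0) and the null pPostItMgr that Comment 1 points out, as an added C++ illustration. This is not LibreOffice's code: the class names are simplified stand-ins, the member layout that places mpWrtShell at offset 0x60 is constructed to reproduce the address gdb reported, and the assumption that the view's manager pointer is stored only after the manager's constructor returns is a reading of the frames above, not something taken from the sw/ sources.

```cpp
// Added illustration, not LibreOffice's code: simplified stand-ins for the
// classes in the backtrace. Names, member layout and construction order are
// assumptions modelled on the frames, not taken from the sw/ sources.
#include <cstddef>
#include <cstdio>

struct ViewOptions { unsigned short GetZoom() const { return 100; } };  // constructed: 100% zoom
struct WrtShell {
    ViewOptions aOpts;
    const ViewOptions* GetViewOptions() const { return &aOpts; }
};
struct Rect { long nLeft; long nRight; };
struct PostItMgr;

// Stand-in for SwCommentRuler::GetCommentControlRegion (frame #1, swruler.cxx:254).
Rect GetCommentControlRegion(const PostItMgr* pPostItMgr, long nLeft);

// Stand-in for SwView (frames #14 and #4). mpPostItMgr stays null until the
// manager's constructor has returned; that window is where the crash lives.
struct View {
    WrtShell* mpWrtShell;
    PostItMgr* mpPostItMgr = nullptr;
    Rect aLastRegion{0, 0};
    int nNullHits = 0;          // how often the ruler update ran with no manager
    explicit View(WrtShell* pSh);
    ~View();
    void InvalidateRulerPos();  // frame #4 -> ruler Update -> GetCommentControlRegion
};

// Stand-in for SwPostItMgr (frames #13, #12 and #0).
struct PostItMgr {
    char aOtherMembers[0x60];   // constructed padding so that mpWrtShell sits at offset 0x60
    WrtShell* mpWrtShell;
    View* mpView;
    explicit PostItMgr(View* pView);
    // Frame #12: AddPostIts ends an action, which re-enters the view's ruler update.
    void AddPostIts() { mpView->InvalidateRulerPos(); }
    // Frame #0: with this == nullptr the load of mpWrtShell reads address 0x60.
    unsigned long GetSidebarWidth(bool) const {
        return (unsigned long)(mpWrtShell->GetViewOptions()->GetZoom() * 1.8);
    }
    unsigned long GetSidebarBorderWidth(bool) const { return 2; }
};

PostItMgr::PostItMgr(View* pView)
    : aOtherMembers{}, mpWrtShell(pView->mpWrtShell), mpView(pView) {
    AddPostIts();
}

View::View(WrtShell* pSh) : mpWrtShell(pSh) {
    // The assignment completes only after the constructor returns, so every
    // ruler update triggered from inside it sees mpPostItMgr == nullptr.
    mpPostItMgr = new PostItMgr(this);
}
View::~View() { delete mpPostItMgr; }
void View::InvalidateRulerPos() {
    if (!mpPostItMgr) ++nNullHits;
    aLastRegion = GetCommentControlRegion(mpPostItMgr, 10);
}

Rect GetCommentControlRegion(const PostItMgr* pPostItMgr, long nLeft) {
    // The "detect that it is NULL" guard from Comment 1. Without it this is
    // the null-this call of frame #1 into frame #0.
    if (!pPostItMgr) return {nLeft, nLeft};
    long nRight = nLeft + pPostItMgr->GetSidebarWidth(true)
                        + pPostItMgr->GetSidebarBorderWidth(true);
    return {nLeft, nRight};
}

// The address gdb reported ("Cannot access memory at address 0x60") is the
// offset of the first member read through the null this pointer.
std::size_t FaultAddressForNullThis() { return offsetof(PostItMgr, mpWrtShell); }

struct Outcome { int nNullHitsDuringCtor; long nRightAfter; };

// Drives the scenario: construction re-enters the ruler update once with no
// manager; a later update, after the pointer is stored, computes the real region.
Outcome RunScenario() {
    WrtShell aShell;
    View aView(&aShell);
    int nDuringCtor = aView.nNullHits;
    aView.InvalidateRulerPos();
    return Outcome{nDuringCtor, aView.aLastRegion.nRight};
}

int main() {
    Outcome o = RunScenario();
    std::printf("fault address for null this: 0x%zx\n", FaultAddressForNullThis());
    std::printf("ruler updates with null manager during construction: %d\n", o.nNullHitsDuringCtor);
    std::printf("right edge once the manager exists: %ld\n", o.nRightAfter);
    return 0;
}
```

The guard in GetCommentControlRegion is the bodge Comment 1 describes; the model also makes visible why a guard alone only hides the symptom, since the ruler update that runs during construction still computes its region without the sidebar width. Which of the two the committed fix changed is not shown on this page.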

Comment 3 Caolan McNamara 2013-09-12 10:08:22 UTC
thanks, that's exactly what I wanted to know. Fix committed, will be in next build.

Comment 4 Fedora Update System 2013-09-12 15:28:24 UTC
libreoffice-4.1.1.2-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/libreoffice-4.1.1.2-4.fc19

Comment 5 Fedora Update System 2013-09-13 01:10:15 UTC
Package libreoffice-4.1.1.2-4.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libreoffice-4.1.1.2-4.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16606/libreoffice-4.1.1.2-4.fc19
then log in and leave karma (feedback).

Comment 6 matti aarnio 2013-09-13 12:23:26 UTC
works for me.  (and done bodhi +1)

Comment 7 Fedora Update System 2013-09-14 02:30:13 UTC
libreoffice-4.1.1.2-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.