Bug 1117853

Summary: [fix available] impress killed by SIGABRT on paste into outline view at a position where the slide has no title object
Product: Red Hat Enterprise Linux 7
Reporter: David Jaša <djasa>
Component: libreoffice
Assignee: Caolan McNamara <caolanm>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: djasa, dtardon, lkolacek, tpelka, vbenes
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:06e8c5a783441c35e9b2fe9fa171f77e1596c874
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 08:50:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1119709
Bug Blocks:
Attachments (Description, Flags):
File: backtrace, none
File: cgroup, none
File: core_backtrace, none
File: dso_list, none
File: environ, none
File: limits, none
File: maps, none
File: open_fds, none
File: proc_pid_status, none
File: var_log_messages, none
File: binary, none
File: sosreport.tar.xz, none

Description David Jaša 2014-07-09 13:58:28 UTC
Description of problem:
1. I opened a template, made it editable (pencil icon)
2. I opened a longish presentation (~40 slides but no slides nor formatting beyond bold text), copied its outline
3. I pasted the outline to now-editable template from point 1

Actual result:
LO crashed (even after a fresh start)

Expected result:
LO keeps running

Version-Release number of selected component:
libreoffice-core-4.1.4.2-3.el7

Additional info:
reporter:       libreport-2.1.11
backtrace_rating: 4
cmdline:        /usr/lib64/libreoffice/program/soffice.bin --impress --splash-pipe=6
crash_function: std::__throw_bad_alloc
executable:     /usr/lib64/libreoffice/program/soffice.bin
kernel:         3.10.0-123.1.2.el7.x86_64
runlevel:       N 5
type:           CCpp
uid:            16189

Truncated backtrace:
Thread no. 1 (10 frames)
 #6 std::__throw_bad_alloc at ../../../../../libstdc++-v3/src/c++11/functexcept.cc:52
 #7 allocate at /usr/include/c++/4.8.2/ext/new_allocator.h:102
 #8 _M_allocate at /usr/include/c++/4.8.2/bits/stl_vector.h:168
 #9 _M_create_storage at /usr/include/c++/4.8.2/bits/stl_vector.h:181
 #10 _Vector_base at /usr/include/c++/4.8.2/bits/stl_vector.h:136
 #11 vector at /usr/include/c++/4.8.2/bits/stl_vector.h:270
 #12 Outliner::CreateParaObject at /usr/src/debug/libreoffice-4.1.4.2/editeng/source/outliner/outliner.cxx:411
 #13 sd::OutlineViewShell::UpdateTitleObject at /usr/src/debug/libreoffice-4.1.4.2/sd/source/ui/view/outlnvsh.cxx:1696
 #14 sd::OutlineView::UpdateDocument at /usr/src/debug/libreoffice-4.1.4.2/sd/source/ui/view/outlview.cxx:1583
 #15 sd::OutlineView::EndModelChange at /usr/src/debug/libreoffice-4.1.4.2/sd/source/ui/view/outlview.cxx:1553

Comment 1 David Jaša 2014-07-09 13:58:31 UTC
Created attachment 916776 [details]
File: backtrace

Comment 2 David Jaša 2014-07-09 13:58:32 UTC
Created attachment 916777 [details]
File: cgroup

Comment 3 David Jaša 2014-07-09 13:58:33 UTC
Created attachment 916778 [details]
File: core_backtrace

Comment 4 David Jaša 2014-07-09 13:58:35 UTC
Created attachment 916779 [details]
File: dso_list

Comment 5 David Jaša 2014-07-09 13:58:36 UTC
Created attachment 916780 [details]
File: environ

Comment 6 David Jaša 2014-07-09 13:58:37 UTC
Created attachment 916781 [details]
File: limits

Comment 7 David Jaša 2014-07-09 13:58:42 UTC
Created attachment 916782 [details]
File: maps

Comment 8 David Jaša 2014-07-09 13:58:43 UTC
Created attachment 916783 [details]
File: open_fds

Comment 9 David Jaša 2014-07-09 13:58:45 UTC
Created attachment 916784 [details]
File: proc_pid_status

Comment 10 David Jaša 2014-07-09 13:58:46 UTC
Created attachment 916785 [details]
File: var_log_messages

Comment 11 David Jaša 2014-07-09 13:58:47 UTC
Created attachment 916786 [details]
File: binary

Comment 12 David Jaša 2014-07-09 13:59:53 UTC
Created attachment 916787 [details]
File: sosreport.tar.xz

Comment 14 David Jaša 2014-07-09 14:03:09 UTC
A minor clarification: I selected slides 2-47 to copy.

Comment 17 David Tardon 2014-07-10 08:39:11 UTC
(In reply to David Jaša from comment #0)
> Description of problem:
> 1. I opened a template, made it editable (pencil icon)
> 2. I opened a longish presentation (~40 slides but no slides nor formatting
> beyond bold text), copied its outline
> 3. I pasted the outline to now-editable template from point 1

Did you paste it into the outline view too? Or into a text block in a slide?

Comment 18 David Jaša 2014-07-10 08:51:43 UTC
(In reply to David Tardon from comment #17)
> (In reply to David Jaša from comment #0)
> > Description of problem:
> > 1. I opened a template, made it editable (pencil icon)
> > 2. I opened a longish presentation (~40 slides but no slides nor formatting
> > beyond bold text), copied its outline
> > 3. I pasted the outline to now-editable template from point 1
> 
> Did you paste it into the outline view too? Or into a text block in a slide?

Yes, to Outline as well

Comment 19 Caolan McNamara 2014-07-17 10:13:41 UTC
blast thing refuses to throw bad alloc for me, and valgrind doesn't show any particularly huge leaks or other problems. Perhaps we have some insane temporary peak memory use here.

caolanm->djasa: What's the output of

ulimit -a && free && uname -a

Comment 20 David Jaša 2014-07-17 11:03:00 UTC
$ ulimit -a && free && uname -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 92215
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 92215
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
             total       used       free     shared    buffers     cached
Mem:      11825196   10784312    1040884    1259400     132340    3237352
-/+ buffers/cache:    7414620    4410576
Swap:            0          0          0
Linux cihla.spice.brq.redhat.com 3.10.0-123.1.2.el7.x86_64 #1 SMP Wed Jun 4 15:22:01 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux


I could possibly run LO in valgrind if you give me a suitable invocation.

Comment 21 Caolan McNamara 2014-07-17 12:20:30 UTC
nah, on second examination it's not a memory thing, it's a negative number used in new.

Somehow ParagraphList::GetAbsPos( pPara ) didn't find the paragraph, returns -1 for not found and that goes on to get used elsewhere in a disastrous manner. We know that pPara is not NULL so it's hard to see how that happened.

I can probably bodge things based on the bt to not crash, but the real mystery is why I cannot reproduce this. Here's my exact step-by-step. 

a) Open both attached documents, 
b) In spice-debugging switch to outline tab, put mouse at the start of "Components", ctrl + shift + end, ctrl + c
c) switch to InternalPresoTemplate, click on outline, ctrl + v
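
The failure mode diagnosed in comment 21, as an added example that is not LibreOffice code and not part of the original comment: a lookup's -1 "not found" result reaches a std::vector size, becomes a huge unsigned count, and the constructor throws. `ParagraphListModel`, `absPos`, `copyRangeUnchecked` and `copyRangeChecked` are hypothetical names in a simplified model; only the -1-for-not-found convention and the bad_alloc from the vector constructor come from this report.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <new>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for a paragraph list; not the LibreOffice class.
struct ParagraphListModel {
    std::vector<std::string> paras;
    // Convention taken from the thread: -1 means "not found".
    std::int32_t absPos(const std::string* p) const {
        for (std::size_t i = 0; i < paras.size(); ++i)
            if (&paras[i] == p) return static_cast<std::int32_t>(i);
        return -1;
    }
};

enum class Outcome { Copied, AllocFailure, NotInList };

// Unchecked: both positions are trusted, so a -1 can make the count negative,
// and converting it to size_t turns it into a request for ~2^64 elements.
Outcome copyRangeUnchecked(const ParagraphListModel& l, const std::string* first,
                           const std::string* last) {
    std::int32_t count = l.absPos(last) - l.absPos(first) + 1;
    try {
        std::vector<std::string> out(static_cast<std::size_t>(count));
        return Outcome::Copied;
    } catch (const std::bad_alloc&) {     // what the 4.8.2 backtrace shows
        return Outcome::AllocFailure;
    } catch (const std::length_error&) {  // newer standard libraries
        return Outcome::AllocFailure;
    }
}

// Checked: the sentinel is rejected before any arithmetic or allocation.
Outcome copyRangeChecked(const ParagraphListModel& l, const std::string* first,
                         const std::string* last) {
    const std::int32_t a = l.absPos(first), b = l.absPos(last);
    if (a < 0 || b < a) return Outcome::NotInList;
    std::vector<std::string> out(l.paras.begin() + a, l.paras.begin() + b + 1);
    return Outcome::Copied;
}

int main() {
    ParagraphListModel l{{"Title", "Components", "Protocol"}};  // constructed sample
    const std::string stray = "pasted";  // never inserted into the list
    std::cout << (copyRangeUnchecked(l, &l.paras[1], &stray) == Outcome::AllocFailure)
              << (copyRangeChecked(l, &l.paras[1], &stray) == Outcome::NotInList) << '\n';
}
```

Without the try/catch, the exception propagates uncaught and the process ends in std::terminate, which is the SIGABRT recorded in the summary.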

Comment 22 David Jaša 2014-07-17 14:23:26 UTC
(In reply to Caolan McNamara from comment #21)
...
> Here's my exact step-by-step. 
> 
> a) Open both attached documents, 
> b) In spice-debugging switch to outline tab, put mouse at the start of
> "Components", ctrl + shift + end, ctrl + c
> c) switch to InternalPresoTemplate, click on outline,

go to second slide, you'll get the crash

> ctrl + v

(in the 4.1, any slide would do. I pasted to 2. to keep first slide empty for headers...)

Comment 23 Caolan McNamara 2014-07-17 15:49:39 UTC
reproducible now

Comment 25 Caolan McNamara 2014-08-19 08:49:18 UTC
*** Bug 1115472 has been marked as a duplicate of this bug. ***

Comment 29 errata-xmlrpc 2015-03-05 08:50:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0377.html