Bug 1351369

Summary: Reproducible crash in LibreOffice GTK3 VCL plug-in
Product: [Fedora] Fedora Reporter: David H. Gutteridge <dhgutteridge>
Component: libreofficeAssignee: Caolan McNamara <caolanm>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 24CC: caolanm, dtardon, erack, mstahl, sbergman
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libreoffice-5.1.4.2-6.fc24 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-19 15:52:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
GDB backtrace of the crash
none
GDB backtrace for 5.1.4.2-4.
none
Sample large document I can reproduce this with none

Description David H. Gutteridge 2016-06-29 22:09:31 UTC 
Description of problem:

When using the GTK3 VCL plug-in, basic interactions with the GUI cause immediate crashes. Note this is reproducible (for me anyway) only on i686, not on x86_64. I don't know if it's an issue with 64-bit assumptions (which would then potentially impact ARMv7 as well), or just something architecture-specific, or I just happen to be unlucky with one laptop and not the other.

Version-Release number of selected component (if applicable):
5.1.4.2-3.fc24

How reproducible:
Always

Steps to Reproduce:
1. Open a document in Writer.
2. Resize the document view to something different.
3. Open the find bar.
4. Type in a search string that is known to exist in the document and press the down arrow to search forward.
5. Immediate segfault.

(I'm not sure why this particular series of steps works, but I can reproduce it every time doing exactly that.)

Actual results:
Immediate crash, which invokes the document recovery process.

Expected results:
UI should work normally.

Additional info:
(An additional weirdness is that after document recovery is completed, when the application reopens, it gets stuck in a small window that will not resize, and the menu entries in the Gnome activity bar at the top are greyed out. Totally unrelated, but also annoying.)
Comment 1 David H. Gutteridge 2016-06-29 22:11:41 UTC 
I forgot to add, I cannot reproduce this crash if I do not use the GTK3 VCL plug-in. If I use the GTK2 or X11 plug-ins, things work fine. So the workaround is to use one of those others.
Comment 2 David H. Gutteridge 2016-06-29 22:13:39 UTC 
Created attachment 1174222 [details]
GDB backtrace of the crash

GDB "bt full" backtrace results from the crash.
Comment 3 Caolan McNamara 2016-06-30 09:31:10 UTC 
doesn't happen for me under wayland or X yet.

cause the ClipboardClear is called on an apparently broken VclGtkClipboard I assume this is a use after free and its apparently triggered by the gtk_clipboard_clear call in ::setContents

Due to bug 1350478 I had to rework the c-n-p again, and it so happens that there isn't that explicit gtk_clipboard_clear call in the rework, which may fix this, or move the problem around to somewhere else

lets check in the next update once it gets out of the arm build
Comment 4 David H. Gutteridge 2016-06-30 21:05:25 UTC 
I can still reproduce the crash with 5.1.4.2-4. (I can also trigger crashes at random by doing other things, e.g. once it crashed while the file selection window was opening after I clicked on "save as", but my original method reproduces consistently.) I'll attach a revised backtrace.
Comment 5 David H. Gutteridge 2016-06-30 21:07:43 UTC 
Created attachment 1174735 [details]
GDB backtrace for 5.1.4.2-4.
Comment 6 David H. Gutteridge 2016-06-30 21:33:12 UTC 
I just reproduced this on x86_64, so it's not an architecture-specific issue after all. (I didn't hit this before following the same steps, but now I do.)
Comment 7 David H. Gutteridge 2016-07-09 22:10:17 UTC 
I saw a fix went in for another clipboard-related issue (bug 1352965), so I re-tested with 5.1.4.2-5. It still segfaults, and the backtrace is basically identical.

(Separately, I'm also seeing random crashes in Calc that occur after it's been left idle for some time, also occurring only with the GTK3 VCL. I don't have a usable backtrace for these yet, they only occur intermittently.)
Comment 8 Caolan McNamara 2016-07-11 15:50:25 UTC 
Is this under wayland or X. I can't get this to happen for me under either, but I know there's a bug with the primary selection under wayland in gtk3 itself
Comment 9 David H. Gutteridge 2016-07-11 20:18:07 UTC 
It's under X.

Where I said "resize the document view to something different" in the reproduction steps, I can only reproduce this when I click on the view percentage in the bottom right corner of the screen and then interact with the resulting menu that way. If I use View->Zoom, it doesn't happen, or so it seems. It also seems to require a large document to trigger the problem. And while I've encountered it on x86_64, it's really only consistently reproducible on i686 as far as I've found. I'll attach a sample document I can reproduce this with.
Comment 10 David H. Gutteridge 2016-07-11 20:18:47 UTC 
Created attachment 1178531 [details]
Sample large document I can reproduce this with
Comment 11 Caolan McNamara 2016-07-12 18:57:10 UTC 
hmm, while I can't reproduce this I have a feeling that we might be deleting our clipboard implementation through reference counting hitting 0 under some circumstances.
Comment 12 Caolan McNamara 2016-07-12 19:36:40 UTC 
I'll generate some builds to test the theory
Comment 13 David H. Gutteridge 2016-07-17 20:54:14 UTC 
That seems to have fixed it. I can't duplicate the crash anymore with any of the actions and documents in question. Thanks!
Comment 14 Fedora Update System 2016-07-18 15:21:42 UTC 
libreoffice-5.1.4.2-6.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-cb25df449f