Bug 1719378

Summary: crash in Draw after starting a drag
Product: [Fedora] Fedora Reporter: Dan Horák <dan>
Component: libreofficeAssignee: Caolan McNamara <caolanm>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 30CC: caolanm, dtardon, erack, hannsj_uhl, sbergman, spectre
Target Milestone: ---   
Target Release: ---   
Hardware: ppc64le   
OS: Unspecified   
Whiteboard:
Fixed In Version: libreoffice-6.2.4.2-2.fc30 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-14 00:54:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1071880    
Attachments:
Description Flags
workaround we used in the past none

Description Dan Horák 2019-06-11 15:53:16 UTC 
Description of problem:
A crash happens in Draw after starting a drag action.

Version-Release number of selected component (if applicable):
libreoffice-core-6.2.4.2-1.fc30.ppc64le

How reproducible:
100%

Steps to Reproduce:
1. start LO Draw
2. put a rectangle to a new doc
3. click and hold on a corner, like when starting a drag action

Actual results:
crash

Expected results:
no crash

Additional info:
(gdb) where
#0  0x00007fffa80d2628 in raise () at /lib64/libc.so.6
#1  0x00007fffa80b470c in abort () at /lib64/libc.so.6
#2  0x00007fffa843e738 in  () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#3  0x00007fffa84804e8 in <signal handler called> () at arch/powerpc/kernel/vdso64/sigtramp.S
#4  0x918a0639ec1b3700 in  ()
#5  0x00007fff9c95ccac in SalFrame::CallCallback(SalEvent, void const*) const (pEvent=0x7fffea948e78, nEvent=SalEvent::LongPress, this=0x7fffea949150)
    at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/include/vcl/vclptr.hxx:186
#6  0x00007fff9c95ccac in GtkSalFrame::CallCallbackExc(SalEvent, void const*) const
    (this=this@entry=0x7fffea949150, nEvent=nEvent@entry=SalEvent::LongPress, pEvent=pEvent@entry=0x7fffea948e78)
    at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/vcl/unx/gtk3/gtk3gtkframe.cxx:4506
#7  0x00007fff9c95cf8c in GtkSalFrame::gestureLongPress(_GtkGestureLongPress*, void*) (frame=0x7fffea949150, gesture=0x1466010d0 [GtkGestureLongPress])
    at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/vcl/unx/gtk3/gtk3gtkframe.cxx:2883
#8  0x00007fff9c95cf8c in GtkSalFrame::gestureLongPress(_GtkGestureLongPress*, void*) (gesture=0x1466010d0 [GtkGestureLongPress], frame=0x7fffea949150)
    at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/vcl/unx/gtk3/gtk3gtkframe.cxx:2869
#9  0x00007fff9e0374e0 in ffi_call_LINUX64 () at ../src/powerpc/linux64.S:133
#10 0x00007fff9e036084 in ffi_call (cif=0x7fffea949150, fn=<optimized out>, rvalue=0x7fffea9490f0, avalue=0x7fffa08a25e8 <typeinfo for com::sun::star::graphic::XPrimitive2D>)
    at ../src/powerpc/ffi.c:100
#11 0x00007fff9fc28970 in g_cclosure_marshal_generic_va
    (closure=<optimized out>, return_value=0x0, instance=<optimized out>, args_list=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x1466f8bd0)
    at ../gobject/gclosure.c:1614
#12 0x00007fff9fc279f0 in _g_closure_invoke_va (closure=0x146b4d990, return_value=0x0, instance=0x1466010d0, args=0x7fffea9494d8 "", n_params=<optimized out>, param_types=0x1466f8bd0)
    at ../gobject/gclosure.c:873
#13 0x00007fff9fc4fd28 in g_signal_emit_valist (instance=0x1466010d0, signal_id=<optimized out>, detail=<optimized out>, var_args=0x7fffea9494d8 "") at ../gobject/gsignal.c:3300
#14 0x00007fff9fc50120 in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at ../gobject/gsignal.c:3447
#15 0x00007fff9c1e4e70 in _gtk_gesture_long_press_timeout (user_data=0x1466010d0) at gtkgesturelongpress.c:108
#16 0x00007fff9bde1820 in gdk_threads_dispatch (data=0x146725100) at gdk.c:772
#17 0x00007fff9faebb98 in g_timeout_dispatch (source=0x147aa65d0, callback=<optimized out>, user_data=<optimized out>) at ../glib/gmain.c:4678
#18 0x00007fff9faea9ac in g_main_dispatch (context=0x1456c39a0) at ../glib/gmain.c:3189
#19 0x00007fff9faea9ac in g_main_context_dispatch (context=0x1456c39a0) at ../glib/gmain.c:3854
#20 0x00007fff9faeaec8 in g_main_context_iterate (context=context@entry=0x1456c39a0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3927
#21 0x00007fff9faeafc8 in g_main_context_iteration (context=0x1456c39a0, may_block=<optimized out>) at ../glib/gmain.c:3988
#22 0x00007fff9c8cfba0 in GtkSalData::Yield(bool, bool) (this=0x14555e5a0, bWait=<optimized out>, bHandleAllCurrentEvents=<optimized out>)
    at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/vcl/unx/gtk3/gtk3gtkdata.cxx:464
#23 0x00007fff9c8d2814 in GtkInstance::DoYield(bool, bool) (this=<optimized out>, bWait=<optimized out>, bHandleAllCurrentEvents=<optimized out>)
    at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/vcl/inc/unx/gtk/gtkdata.hxx:197
#24 0x00007fffa416347c in ImplYield(bool, bool) (i_bWait=<optimized out>, i_bAllEvents=<optimized out>) at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/vcl/source/app/svapp.cxx:439
#25 0x00007fffa4166b14 in Application::Execute() () at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/vcl/source/app/svapp.cxx:420
#26 0x00007fffa82ffbd8 in desktop::Desktop::Main() (this=0x7fffea949b50) at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/desktop/source/app/app.cxx:1635
#27 0x00007fffa4170c9c in ImplSVMain() () at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/vcl/source/app/svmain.cxx:203
#28 0x00007fffa4170ea8 in SVMain() () at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/vcl/source/app/svmain.cxx:237
#29 0x00007fffa8335928 in soffice_main() () at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/desktop/source/app/sofficemain.cxx:169
#30 0x00000001258108c0 in sal_main () at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/desktop/source/app/main.c:48
#31 0x00000001258108c0 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/desktop/source/app/main.c:47
Comment 1 Dan Horák 2019-06-11 15:58:36 UTC 
a bit more info from gdb

this->mProc is the faulty address

(gdb) up 5
#5  0x00007fff9c95ccac in SalFrame::CallCallback (pEvent=0x7fffea948e78, nEvent=SalEvent::LongPress, this=0x7fffea949150)
    at /usr/src/debug/libreoffice-6.2.4.2-1.fc30.ppc64le/include/vcl/vclptr.hxx:186
186	    operator reference_type * () const
(gdb) l
181	    {
182	        m_rInnerRef.set(pBody);
183	        return *this;
184	    }
185	
186	    operator reference_type * () const
187	    {
188	        return m_rInnerRef.get();
189	    }
(gdb) p this
$1 = (const SalFrame * const) 0x7fffea949150
(gdb) p *this
$2 = {<vcl::DeletionNotifier> = {m_aListeners = std::__cxx11::list = {[0] = 0x7fff9e0378d8 <ffi_type_double>, 
      [1] = 0x0<error reading variable: Cannot access memory at address 0x8>...}}, <SalGeometryProvider> = {_vptr.SalGeometryProvider = 0x40000000b}, m_pWindow = {
    m_rInnerRef = rtl::Reference to 0x4}, m_pProc = 0x918a0639ec1b3700, m_xFrameWeld = std::unique_ptr<weld::Window> = {get() = 0x0}, maGeometry = {nX = 140737128995055, 
    nY = 140737128995104, nWidth = 140737128994008, nHeight = 0, nLeftDecoration = 0, nTopDecoration = 4, nRightDecoration = 5481224592, nBottomDecoration = 140735874205912, 
    nDisplayScreenNumber = 0}}
Comment 2 Caolan McNamara 2019-06-11 15:59:43 UTC 
Created attachment 1579464 [details]
workaround we used in the past
Comment 3 Caolan McNamara 2019-06-11 16:02:55 UTC 
hmph, have we that signal signature wrong all this time, or did it change at some point
Comment 4 Caolan McNamara 2019-06-11 16:13:39 UTC 
https://gerrit.libreoffice.org/#/c/73829/
Comment 5 Dan Horák 2019-06-11 16:20:16 UTC 
I've had a case where a wrong signature for a callback let to a crash on ppc64le, but worked fine everywhere else. Thanks, this was fast.
Comment 6 Fedora Update System 2019-06-12 08:00:10 UTC 
FEDORA-2019-a8343bd43b has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-a8343bd43b
Comment 7 Fedora Update System 2019-06-13 00:55:53 UTC 
libreoffice-6.2.4.2-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-a8343bd43b
Comment 8 Fedora Update System 2019-06-14 00:54:40 UTC 
libreoffice-6.2.4.2-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.