Bug 245738
Summary: | Crash when loading Word document (pow?) | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> | ||||||||
Component: | openoffice.org | Assignee: | Caolan McNamara <caolanm> | ||||||||
Status: | CLOSED CANTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
Severity: | low | Docs Contact: | |||||||||
Priority: | low | ||||||||||
Version: | 7 | CC: | jakub, mcepl | ||||||||
Target Milestone: | --- | Keywords: | Reopened | ||||||||
Target Release: | --- | ||||||||||
Hardware: | x86_64 | ||||||||||
OS: | Linux | ||||||||||
Whiteboard: | |||||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||||
Doc Text: | Story Points: | --- | |||||||||
Clone Of: | Environment: | ||||||||||
Last Closed: | 2007-07-20 08:50:21 UTC | Type: | --- | ||||||||
Regression: | --- | Mount Type: | --- | ||||||||
Documentation: | --- | CRM: | |||||||||
Verified Versions: | Category: | --- | |||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||
Embargoed: | |||||||||||
Attachments: |
|
Description
Matěj Cepl
2007-06-26 12:42:02 UTC
Created attachment 157901 [details] mapped backtrace Because the debuginfo is so insanely huge, see http://fedoraproject.org/wiki/OpenOffice.org for ooomapstack which maps this back to source lines. Though I've done this for this example. But apparently this crashed in "pow", which strikes me as totally insane beyond words. mpColorTable = new sal_uInt8[ 256 ]; for ( sal_Int32 i = 0; i < 256; i++ ) mpColorTable[ i ] = (sal_uInt8)(pow((double)i/255.0, fInvGamma) * 255.0 + 0.5); Is this reproducible ? Just curious -- how bis is "insanely huge"? (no, I don't want to install it, just curious). To your question: no, I hope it is not reproducible -- when I opened the same document from the Evolution again (well, after two crashes of Evolution -- but instability of Evo in F7 is another story, I suppose) it opened without a problem and I have never encountered this bug before (crash in pow()??? -- that's really weird). 450 Megs. rats, I hate the irreproducible ones. Indeed a pow crash is a new one on me. The source is from loading the png file for use as the icon for the toplevel window. I guess I can try and run in valgrind a few times to see if there's anything suspicious going on. Is this default setting for OOo ? i.e. no customization of the openoffice.org theme ? Created attachment 157996 [details]
mapped backtrace, including glibc
If you mean extensions, only your ooblogger (which doesn't work anyway). I can't see any reason why this would fail, especially once and not everytime. I can't imagine that "pow" was busted on x86_64! :-), unless jakub knows different. So it must be some other problem that I can't recapture, going to have to give up on this one unless anyone has any other insight. Do you know the exact value of fInvGamma in this case, even if you can't reproduce the crash? no way to know without a reproducer with fInvGamma might have been. #define VIEWING_GAMMA 2.35 #define DISPLAY_GAMMA 1.0 sal_uInt32 nGammaValue = /*, where foo is read from the png file...*/ double fGamma = ( ( VIEWING_GAMMA / DISPLAY_GAMMA ) * ( (double)nGammaValue / 100000 ) ); double fInvGamma = ( fGamma <= 0.0 || fGamma > 10.0 ) ? 1.0 : ( 1.0 / fGamma ); Matej, do you have the document which caused this crash? Can you find out that value from the embedded png file in it (or multiple if there is more than one)? j = v.i[LOW_HALF]&0x0007ffff; j = j+j+j; eps = u.x - uu*vv; ov = vj.x[j]; lv1 = vj.x[j+1]; lv2 = vj.x[j+2]; is where it crashed. The vj array is actually shorter than 0x80000*3 entries, so it doesn't surprise me, but the code is quite convoluted and this can be reached only in very rare circumstances, therefore a testcase would be extremely helpful for fixing this issue. Created attachment 158884 [details]
x86_64 pngcrush binary
FWIW, with this attachment "pngcrush", then
pngcrush -v -n file.png | grep gamma
will output the gamma in number/10000 where number is the fGamma value used in
the above code.
FWIW the OOo icon theme and so on are of course .pngs, here're the gammas for
the default theme on F-7
i.e.
unzip /usr/lib64/openoffice.org/share/config/images.zip
unzip -o /usr/lib64/openoffice.org/share/config/images_tango.zip
find . -name "*.png" -exec /tmp/pngcrush {} -n -v {} \; | grep gamma|sort|uniq
gamma=(22727/100000)
gamma=(37096/100000)
gamma=(45454/100000)
gamma=(45455/100000)
gamma=(45470/100000)
gamma=(55000/100000)
The code in question is the SetIcon code, which I *think* should be loading a
png from the above collection.
number = nGammaValue I mean of course, not fGamma, i.e. nGammaValue should in theory be one of those 7 values from 22727 to 55000 Can't reproduce. I ran #include <math.h> unsigned int arr[] = { 22727, 37096, 45454, 45455, 45470, 55000 }; volatile unsigned int v; int main (void) { #define VIEWING_GAMMA 2.35 #define DISPLAY_GAMMA 1.0 for (int j = 0; j < 1000000; j++) { double fGamma = ((VIEWING_GAMMA / DISPLAY_GAMMA) * ((double) j / 100000)); double fInvGamma = (fGamma <= 0.0 || fGamma > 10.0) ? 1.0 : (1.0 / fGamma); for (int i = 0; i < 256; i++) v = (unsigned int) pow((double) i / 255.0, fInvGamma) * 255.0 + 0.5; } return 0; } against a modified libm which would abort if j=j+j+j was bigger or equal than 2175 (size of vj.x array) - right before the exact instruction where you saw the crash. It succeeded, so if the above is what OOo really does, then the crash is not possible. Starting OOo under GNOME with default installed theme does use a subset of the above pngcrush reported values for nGammaValue. I can't see where any strange value could have come from, except from some other corruption, so we're back to can't reproduce. Can't reproduce, or identify a plausible reason for a bizarre gamma value |