Bug 864281

Summary: [abrt] libreoffice-core-3.5.6.2-5.fc17: GetSwAttrSet: Process /usr/lib64/libreoffice/program/soffice.bin was killed by signal 11 (SIGSEGV)
Product: [Fedora] Fedora Reporter: nicolae <nicolae.b3>
Component: libreofficeAssignee: Caolan McNamara <caolanm>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: caolanm, dtardon, erack, ltinkl, mstahl, sbergman
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:94ccb5b381bfad724ec6eefb4eae75d1a3686eff
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-19 08:26:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
File: core_backtrace
none
File: environ
none
File: backtrace
none
File: limits
none
File: cgroup
none
File: maps
none
File: dso_list
none
File: var_log_messages
none
File: open_fds none

Description nicolae 2012-10-09 03:37:46 UTC
Description of problem:
do not know

Version-Release number of selected component:
libreoffice-core-3.5.6.2-5.fc17

Additional info:
libreport version: 2.0.14
abrt_version:   2.0.13
backtrace_rating: 4
cmdline:        /usr/lib64/libreoffice/program/soffice.bin --writer file:///home/nicolae/Documents/seral13.odt --splash-pipe=6
crash_function: GetSwAttrSet
kernel:         3.5.5-2.fc17.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #0 GetSwAttrSet at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/layout/findfrm.cxx:1784
: #1 SwFrm::GetAttrSet at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/layout/findfrm.cxx:643
: #2 SwAccessibleFrame::IsOpaque at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/accframe.cxx:392
: #3 SwAccessibleContext::InitStates at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/acccontext.cxx:69
: #4 SwAccessibleContext::SwAccessibleContext at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/acccontext.cxx:535
: #5 SwAccessibleParagraph::SwAccessibleParagraph at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/accpara.cxx:491
: #6 SwAccessibleMap::GetContext at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/accmap.cxx:1364
: #7 SwAccessibleMap::GetContextImpl at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/accmap.cxx:1473
: #8 SwAccessibleContext::getAccessibleChild at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/acccontext.cxx:584
: #9 AtkListener::updateChildList at /usr/src/debug/libreoffice-3.5.6.2/vcl/unx/gtk/a11y/atklistener.cxx:128

Comment 1 nicolae 2012-10-09 03:37:53 UTC
Created attachment 623869 [details]
File: core_backtrace

Comment 2 nicolae 2012-10-09 03:37:55 UTC
Created attachment 623870 [details]
File: environ

Comment 3 nicolae 2012-10-09 03:38:02 UTC
Created attachment 623871 [details]
File: backtrace

Comment 4 nicolae 2012-10-09 03:38:06 UTC
Created attachment 623872 [details]
File: limits

Comment 5 nicolae 2012-10-09 03:38:11 UTC
Created attachment 623873 [details]
File: cgroup

Comment 6 nicolae 2012-10-09 03:38:21 UTC
Created attachment 623874 [details]
File: maps

Comment 7 nicolae 2012-10-09 03:38:25 UTC
Created attachment 623875 [details]
File: dso_list

Comment 8 nicolae 2012-10-09 03:38:28 UTC
Created attachment 623876 [details]
File: var_log_messages

Comment 9 nicolae 2012-10-09 03:38:33 UTC
Created attachment 623877 [details]
File: open_fds

Comment 10 Michael Stahl 2012-10-10 20:17:14 UTC
so evidently in Writer table cells are being merged,
with A11y support enabled.

crash in SwFrm::GetAttrSet on a paragraph likely means that the
SwFrm doesn't point to a node.(since SwTxtNode appears to always
have attrset); perhaps the SwFrm is in some unhealthy state...
but the dtor of SwTxtFrm/SwCntntFrm don't seem to clear its node.

but the weird thing is that SwAccessibleContext::getAccessibleChild
is actually called in this situation, because:

#23 0x00007f16de115cc9 in SwCellFrm::~SwCellFrm (this=0x7f16dc0703f8, __in_chrg=<optimized out>) at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/layout/tabfrm.cxx:4712

should have deleted all accessible objects in the cell and its children
(paragraphs) recursively:

        pRootFrm->GetCurrShell()->Imp()->DisposeAccessibleFrm( this, sal_True );

which would mean that at the time the SwTxtFrm inside the SwCellFrm
is deleted it shouldn't have an SwAccessible object to notify any more.

Comment 11 Michael Stahl 2012-10-10 20:17:41 UTC
so ... no idea what to do about this. is the problem reproducible?