Bug 864281

Summary: [abrt] libreoffice-core-3.5.6.2-5.fc17: GetSwAttrSet: Process /usr/lib64/libreoffice/program/soffice.bin was killed by signal 11 (SIGSEGV)
Product: [Fedora] Fedora Reporter: nicolae <nicolae.b3>
Component: libreofficeAssignee: Caolan McNamara <caolanm>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: caolanm, dtardon, erack, ltinkl, mstahl, sbergman
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:94ccb5b381bfad724ec6eefb4eae75d1a3686eff
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-19 03:26:18 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
File: core_backtrace
none
File: environ
none
File: backtrace
none
File: limits
none
File: cgroup
none
File: maps
none
File: dso_list
none
File: var_log_messages
none
File: open_fds none

Description nicolae 2012-10-08 23:37:46 EDT
Description of problem:
do not know

Version-Release number of selected component:
libreoffice-core-3.5.6.2-5.fc17

Additional info:
libreport version: 2.0.14
abrt_version:   2.0.13
backtrace_rating: 4
cmdline:        /usr/lib64/libreoffice/program/soffice.bin --writer file:///home/nicolae/Documents/seral13.odt --splash-pipe=6
crash_function: GetSwAttrSet
kernel:         3.5.5-2.fc17.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #0 GetSwAttrSet at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/layout/findfrm.cxx:1784
: #1 SwFrm::GetAttrSet at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/layout/findfrm.cxx:643
: #2 SwAccessibleFrame::IsOpaque at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/accframe.cxx:392
: #3 SwAccessibleContext::InitStates at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/acccontext.cxx:69
: #4 SwAccessibleContext::SwAccessibleContext at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/acccontext.cxx:535
: #5 SwAccessibleParagraph::SwAccessibleParagraph at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/accpara.cxx:491
: #6 SwAccessibleMap::GetContext at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/accmap.cxx:1364
: #7 SwAccessibleMap::GetContextImpl at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/accmap.cxx:1473
: #8 SwAccessibleContext::getAccessibleChild at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/access/acccontext.cxx:584
: #9 AtkListener::updateChildList at /usr/src/debug/libreoffice-3.5.6.2/vcl/unx/gtk/a11y/atklistener.cxx:128
Comment 1 nicolae 2012-10-08 23:37:53 EDT
Created attachment 623869 [details]
File: core_backtrace
Comment 2 nicolae 2012-10-08 23:37:55 EDT
Created attachment 623870 [details]
File: environ
Comment 3 nicolae 2012-10-08 23:38:02 EDT
Created attachment 623871 [details]
File: backtrace
Comment 4 nicolae 2012-10-08 23:38:06 EDT
Created attachment 623872 [details]
File: limits
Comment 5 nicolae 2012-10-08 23:38:11 EDT
Created attachment 623873 [details]
File: cgroup
Comment 6 nicolae 2012-10-08 23:38:21 EDT
Created attachment 623874 [details]
File: maps
Comment 7 nicolae 2012-10-08 23:38:25 EDT
Created attachment 623875 [details]
File: dso_list
Comment 8 nicolae 2012-10-08 23:38:28 EDT
Created attachment 623876 [details]
File: var_log_messages
Comment 9 nicolae 2012-10-08 23:38:33 EDT
Created attachment 623877 [details]
File: open_fds
Comment 10 Michael Stahl 2012-10-10 16:17:14 EDT
so evidently in Writer table cells are being merged,
with A11y support enabled.

crash in SwFrm::GetAttrSet on a paragraph likely means that the
SwFrm doesn't point to a node.(since SwTxtNode appears to always
have attrset); perhaps the SwFrm is in some unhealthy state...
but the dtor of SwTxtFrm/SwCntntFrm don't seem to clear its node.

but the weird thing is that SwAccessibleContext::getAccessibleChild
is actually called in this situation, because:

#23 0x00007f16de115cc9 in SwCellFrm::~SwCellFrm (this=0x7f16dc0703f8, __in_chrg=<optimized out>) at /usr/src/debug/libreoffice-3.5.6.2/sw/source/core/layout/tabfrm.cxx:4712

should have deleted all accessible objects in the cell and its children
(paragraphs) recursively:

        pRootFrm->GetCurrShell()->Imp()->DisposeAccessibleFrm( this, sal_True );

which would mean that at the time the SwTxtFrm inside the SwCellFrm
is deleted it shouldn't have an SwAccessible object to notify any more.
Comment 11 Michael Stahl 2012-10-10 16:17:41 EDT
so ... no idea what to do about this. is the problem reproducible?