Bug 1006850 - writer crash at SwPostItMgr::GetSidebarWidth (this=this@entry=0x0, bPx=bPx@entry=true)
Summary: writer crash at SwPostItMgr::GetSidebarWidth (this=this@entry=0x0, bPx=bPx@en...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libreoffice
Version: 19
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Caolan McNamara
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-09-11 11:41 UTC by matti aarnio
Modified: 2013-09-14 02:30 UTC (History)
7 users (show)

Fixed In Version: libreoffice-4.1.1.2-4.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-14 02:30:13 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description matti aarnio 2013-09-11 11:41:46 UTC 
Description of problem:

   Request to open second window on a large (200+ pages) ODT document.

   Opening a much smaller document, and trying this same operation does
   not crash.


Version-Release number of selected component (if applicable):

libreoffice-writer-4.1.1.2-3.fc19.x86_64

How reproducible:
  Way too easily

Steps to Reproduce:
1. Open a large (200+ pages) odt document at libreoffice writer
2. Select "Window" -> "New Window"
3. Crash happens

Actual results:

Program received signal SIGSEGV, Segmentation fault.
SwPostItMgr::GetSidebarWidth (this=this@entry=0x0, bPx=bPx@entry=true)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/docvw/PostItMgr.cxx:1570
1570        unsigned long aWidth = (unsigned long)(mpWrtShell->GetViewOptions()->GetZoom() * 1.8);
Cannot access memory at address 0x60
(gdb) up
#1  0x00007fffd79c5597 in SwCommentRuler::GetCommentControlRegion (this=this@entry=0x1567db0)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/misc/swruler.cxx:254
254         long nRight  = nLeft+ pPostItMgr->GetSidebarWidth(true) + pPostItMgr->GetSidebarBorderWidth(true);
Comment 1 Caolan McNamara 2013-09-11 13:18:28 UTC 
I wish we had a bit more of the backtrace, is it possible to get more lines of it. I can't reproduce the crash here with the same tactics on e.g. the 800+ page ODF specification so there might be a bit of a timing issue preventing me getting the same result.

Clearly pPostItMgr is NULL so I can bodge it to not crash by detecting that, but I'd prefer to know the exact code route to get a full fix.
Comment 2 matti aarnio 2013-09-11 14:05:50 UTC 
I will try.  gdb spins like mad and grows memory footprint to about 5 GB...
Back trace printout takes a lot of time too with CPU running at 99.6% load and malloc() being called all the time to expand some more space  (I have 16 GB, but still I find that rather seriously broken behavior..)


(gdb) where
#0  SwPostItMgr::GetSidebarWidth (this=this@entry=0x0, bPx=bPx@entry=true)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/docvw/PostItMgr.cxx:1570
#1  0x00007ffdb658e597 in SwCommentRuler::GetCommentControlRegion (this=this@entry=0x3398b70)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/misc/swruler.cxx:254
#2  0x00007ffdb658ef53 in SwCommentRuler::Update (this=0x3398b70)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/misc/swruler.cxx:228
#3  0x00007ffdb661c88e in ForceUpdate (this=<optimized out>) at /usr/src/debug/libreoffice-4.1.1.2/include/svx/ruler.hxx:251
#4  SwView::InvalidateRulerPos (this=this@entry=0x33d9850)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/uiview/viewport.cxx:125
#5  0x00007ffdb661f961 in SwView::SetVisArea (this=0x33d9850, rRect=..., bUpdateScrollbar=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/uiview/viewport.cxx:290
#6  0x00007ffdb661eee0 in SwView::DocSzChgd (this=0x33d9850, rSz=...)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/uiview/viewport.cxx:198
#7  0x00007ffdb63ee064 in ViewShell::UISizeNotify (this=0x3262670)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/view/viewsh.cxx:2116
#8  0x00007ffdb63efe16 in ViewShell::ImplEndAction (this=this@entry=0x3262670, bIdleEnd=bIdleEnd@entry=0 '\000')
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/view/viewsh.cxx:402
#9  0x00007ffdb5f6c819 in EndAction (bIdleEnd=0 '\000', this=0x3262670)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/inc/viewsh.hxx:594
#10 SwCrsrShell::EndAction (this=this@entry=0x3262670, bIdleEnd=bIdleEnd@entry=0 '\000')
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/crsr/crsrsh.cxx:257
#11 0x00007ffdb60ca362 in SwEditShell::EndAllAction (this=0x49087f0)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/core/edit/edws.cxx:119
#12 0x00007ffdb6535d95 in SwPostItMgr::AddPostIts (this=this@entry=0x490be10, bCheckExistance=bCheckExistance@entry=false, 
    bFocus=bFocus@entry=false) at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/docvw/PostItMgr.cxx:1131
#13 0x00007ffdb6535fa9 in SwPostItMgr::SwPostItMgr (this=0x490be10, pView=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/docvw/PostItMgr.cxx:149
#14 0x00007ffdb6605af5 in SwView::SwView (this=0x48d9c70, _pFrame=<optimized out>, pOldSh=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/uiview/view.cxx:932
#15 0x00007ffdb66073a5 in SwView::CreateInstance (pFrame=0x48e0550, pOldView=0x0)
    at /usr/src/debug/libreoffice-4.1.1.2/sw/source/ui/uiview/view0.cxx:81
#16 0x00000034641485cc in SfxBaseModel::createViewController (this=0x7ffdd03ee538, i_rViewName=..., i_rArguments=..., 
    i_rFrame=...) at /usr/src/debug/libreoffice4.1.1.2/sfx2/source/doc/sfxbasemodel.cxx:4273

  #17 0x00000034641c9afe in SfxFrameLoader_Impl::impl_createDocumentView (this=this@entry=0x7ffda8993790, i_rModel=..., 
    i_rFrame=..., i_rViewFactoryArgs=..., i_rViewName=...)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/view/frmload.cxx:497
#18 0x00000034641cb230 in SfxFrameLoader_Impl::load (this=0x7ffda8993790, rArgs=..., _rTargetFrame=...)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/view/frmload.cxx:620
#19 0x00007ffdca0f33ed in framework::LoadEnv::impl_loadContent (this=this@entry=0x7fff950d8950)
    at /usr/src/debug/libreoffice-4.1.1.2/framework/source/loadenv/loadenv.cxx:1168
#20 0x00007ffdca0f3cd8 in framework::LoadEnv::startLoading (this=this@entry=0x7fff950d8950)
    at /usr/src/debug/libreoffice-4.1.1.2/framework/source/loadenv/loadenv.cxx:397
#21 0x00007ffdca0f4037 in framework::LoadEnv::loadComponentFromURL (xLoader=..., xSMGR=..., sURL=..., sTarget=..., 
    nFlags=nFlags@entry=0, lArgs=...) at /usr/src/debug/libreoffice-4.1.1.2/framework/source/loadenv/loadenv.cxx:168
#22 0x00007ffdca135623 in framework::Frame::loadComponentFromURL (this=0x7ffda89cf380, sURL=..., sTargetFrameName=..., 
    nSearchFlags=0, lArguments=...) at /usr/src/debug/libreoffice-4.1.1.2/framework/source/services/frame.cxx:328
#23 0x00000034641e25e6 in SfxViewFrame::LoadViewIntoFrame_Impl (i_rDoc=..., i_rFrame=..., i_rLoadArgs=..., 
    i_nViewId=i_nViewId@entry=2, i_bHidden=i_bHidden@entry=false)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/view/viewfrm.cxx:1967
#24 0x00000034641e4108 in SfxViewFrame::LoadViewIntoFrame_Impl_NoThrow (i_rDoc=..., i_rFrame=..., i_nViewId=i_nViewId@entry=2, 
    i_bHidden=i_bHidden@entry=false) at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/view/viewfrm.cxx:1913
#25 0x00000034641e5755 in SfxViewFrame::ExecView_Impl (this=0x36a73d0, rReq=...)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/view/viewfrm.cxx:2304
#26 0x0000003464208bf8 in SfxShell::CallExec (this=0x36a73d0, 
    pFunc=0x34641e57d0 <SfxStubSfxViewFrameExecView_Impl(SfxShell*, SfxRequest&)>, rReq=...)
    at /usr/src/debug/libreoffice-4.1.1.2/include/sfx2/shell.hxx:185
#27 0x000000346420259e in SfxDispatcher::Call_Impl (this=0x2f30c50, rShell=..., rSlot=..., rReq=..., bRecord=1 '\001')
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/control/dispatch.cxx:243
#28 0x0000003464204170 in SfxDispatcher::_Execute (this=0x2f30c50, rShell=..., rSlot=..., rReq=..., eCallMode=4)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/control/dispatch.cxx:924
#29 0x0000003463fc13ed in SfxBindings::Execute_Impl (this=0x3377b40, aReq=..., 
    pSlot=pSlot@entry=0x3464503b88 <aSfxViewFrameSlots_Impl+840>, pShell=pShell@entry=0x36a73d0)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/control/bindings.cxx:1293
#30 0x0000003463ff542a in SfxDispatchController_Impl::dispatch (this=0x428c2f0, aURL=..., aArgs=..., rListener=...)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/control/unoctitm.cxx:736
#31 0x0000003463ff6932 in SfxOfficeDispatch::dispatch (this=0x7ffda89926d8, aURL=..., aArgs=...)
    at /usr/src/debug/libreoffice-4.1.1.2/sfx2/source/control/unoctitm.cxx:369
#32 0x00007ffdca1d5ead in framework::MenuBarManager::Select (this=0x7ffda95e70b0, pMenu=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/framework/source/uielement/menubarmanager.cxx:1121
#33 0x000000346097ed1b in Call (pCaller=0x33e2a70, this=0x33e2ad8)
    at /usr/src/debug/libreoffice-4.1.1.2/include/tools/link.hxx:123
#34 Menu::Select (this=0x33e2a70) at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/window/menu.cxx:1131
#35 0x0000003460978cb5 in ImplCallSelect (this=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/window/menu.cxx:3003
#36 Menu::LinkStubImplCallSelect (pThis=<optimized out>, pCaller=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/window/menu.cxx:3000
#37 0x00000034609e985a in Call (pCaller=<optimized out>, this=<optimized out>)
    at /usr/src/debug/libreoffice-4.1.1.2/include/tools/link.hxx:123
#38 ImplHandleUserEvent (pSVEvent=0x4768ed0) at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/window/winproc.cxx:1986
#39 ImplWindowFrameProc (pWindow=<optimized out>, nEvent=<optimized out>, pEvent=0x4768ed0)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/window/winproc.cxx:2601
#40 0x00000034609eff08 in CallCallback (pEvent=0x4768ed0, nEvent=22, this=0x2d0f9b0)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/inc/salframe.hxx:243
#41 SalGenericDisplay::DispatchInternalEvent (this=0x256b480)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/generic/app/gendisp.cxx:91
#42 0x0000003a8938d31f in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /lib64/libQtCore.so.4
#43 0x0000003a8938c62c in QObject::event(QEvent*) () from /lib64/libQtCore.so.4
#44 0x00007ffdd215e68c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /lib64/libQtGui.so.4
#45 0x00007ffdd2162b0a in QApplication::notify(QObject*, QEvent*) () from /lib64/libQtGui.so.4
#46 0x0000003a8d2415ba in KApplication::notify (this=0x239bba0, receiver=0x237c870, event=0x7fff950d9f20)
    at /usr/src/debug/kdelibs-4.10.5/kdeui/kernel/kapplication.cpp:311
#47 0x0000003a89377d4e in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /lib64/libQtCore.so.4
#48 0x0000003a893a8ee2 in QTimerInfoList::activateTimers() () from /lib64/libQtCore.so.4
#49 0x0000003a893a5ee4 in timerSourceDispatch(_GSource*, int (*)(void*), void*) () from /lib64/libQtCore.so.4
#50 0x0000003a7de47e06 in g_main_dispatch (context=0x23a5bf0) at gmain.c:3054
#51 g_main_context_dispatch (context=context@entry=0x23a5bf0) at gmain.c:3630
#52 0x0000003a7de48158 in g_main_context_iterate (context=context@entry=0x23a5bf0, block=block@entry=0, 
    dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3701
#53 0x0000003a7de481fc in g_main_context_iteration (context=0x23a5bf0, may_block=0) at gmain.c:3762
#54 0x0000003a893a6676 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /lib64/libQtCore.so.4
#55 0x00007ffdd21fe92e in QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /lib64/libQtGui.so.4
#56 0x00007ffdd33af1b7 in KDEXLib::processYield (this=<optimized out>, bWait=<optimized out>, 
    bHandleAllCurrentEvents=<optimized out>) at /usr/src/debug/libreoffice-4.1.1.2/vcl/unx/kde4/KDEXLib.cxx:319
#57 0x000000346071bf14 in ImplYield (i_bAllEvents=false, i_bWait=true)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/app/svapp.cxx:422
#58 Application::Yield (i_bAllEvents=i_bAllEvents@entry=false)
    at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/app/svapp.cxx:456
#59 0x000000346071bfb7 in Application::Execute () at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/app/svapp.cxx:401
#62 0x0000003460723d52 in SVMain () at /usr/src/debug/libreoffice-4.1.1.2/vcl/source/app/svmain.cxx:198
#63 0x000000346564bb15 in soffice_main () at /usr/src/debug/libreoffice-4.1.1.2/desktop/source/app/sofficemain.cxx:82
#64 0x000000000040071b in sal_main () at /usr/src/debug/libreoffice-4.1.1.2/desktop/source/app/main.c:48
#65 main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/libreoffice-4.1.1.2/desktop/source/app/main.c:47

(Back-trace run took 26 CPU minutes on 3300 MHz AMD Phenom-II)
Comment 3 Caolan McNamara 2013-09-12 10:08:22 UTC 
thanks, that exactly what I wanted to know. Fix committed, will be in next build
Comment 4 Fedora Update System 2013-09-12 15:28:24 UTC 
libreoffice-4.1.1.2-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/libreoffice-4.1.1.2-4.fc19
Comment 5 Fedora Update System 2013-09-13 01:10:15 UTC 
Package libreoffice-4.1.1.2-4.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libreoffice-4.1.1.2-4.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16606/libreoffice-4.1.1.2-4.fc19
then log in and leave karma (feedback).
Comment 6 matti aarnio 2013-09-13 12:23:26 UTC 
works for me.  (and done bodhi +1)
Comment 7 Fedora Update System 2013-09-14 02:30:13 UTC 
libreoffice-4.1.1.2-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.