Created attachment 1441246 [details] Sample document with crashing tables Description of problem: LibreOffice writer 6.0.x reliably crash every time I try to merge cells in a table in a specific document. Version-Release number of selected component (if applicable): libreoffice-writer-6.0.3.2-10.fc28.x86_64 Flatpak (from Flathub): 6.0.4.2 How reproducible: Always Steps to Reproduce: 1. Open the attached document with LibreOffice. 2. Select 2 adjacent cells. 3. Click "Merge Cells" from table toolbar in the bottom. Actual results: LibreOffice crashes. Expected results: LibreOffice merges the selected cells into one. Additional info: ABRT can't catch the crash (SIGSEV) but coredumpctl could.
Created attachment 1441247 [details] Coredump of LibreOffice Writer PID: 23898 (soffice.bin) UID: 1000 (anass) GID: 1000 (anass) Signal: 11 (SEGV) Timestamp: Thu 2018-05-24 23:04:26 EET (11min ago) Command Line: /usr/lib64/libreoffice/program/soffice.bin --splash-pipe=5 Executable: /usr/lib64/libreoffice/program/soffice.bin Control Group: /user.slice/user-1000.slice/user/dbus.service Unit: user User Unit: dbus.service Slice: user-1000.slice Owner UID: 1000 (anass) Boot ID: b8a75767047b4756b0872cff1c0e0081 Machine ID: fe5660cf957c4ac6bd8d3ab170ec772b Hostname: anass-galago Storage: /var/lib/systemd/coredump/core.soffice\x2ebin.1000.b8a75767047b4756b0872cff1c0e0081.23898.1527195866000000.lz4 Message: Process 23898 (soffice.bin) of user 1000 dumped core. Stack trace of thread 23898: #0 0x00007f2b4bc3aa0d _ZNK10SfxItemSet3GetEtb (libsvllo.so) #1 0x00007f2b08e9e63d n/a (libswlo.so) #2 0x00007f2b08e73c82 _ZNK13SwCursorShell14HasReadonlySelEv (libswlo.so) #3 0x00007f2b096992c8 _ZN11SwTextShell10StateFieldER10SfxItemSet (libswlo.so) #4 0x00007f2b4c244530 _ZN8SfxShell12GetSlotStateEtPK12SfxInterfaceP10SfxItemSet (libsfxlo.so) #5 0x00007f2b4c225d9f _ZN13SfxDispatcher10QueryStateEtRN3com3sun4star3uno3AnyE (libsfxlo.so) #6 0x00007f2b4c26d61c n/a (libsfxlo.so) #7 0x00007f2b4c271a56 n/a (libsfxlo.so) #8 0x00007f2b4a4c36ac _ZN3svt17ToolboxController12bindListenerEv (libsvtlo.so) #9 0x00007f2b1e2c0938 n/a (libfwklo.so) #10 0x00007f2b1e2c0d2c n/a (libfwklo.so) #11 0x00007f2b48e497d1 _ZN9Scheduler21ProcessTaskSchedulingEv (libvcllo.so) #12 0x00007f2b29ec910b n/a (libvclplug_gtk3lo.so) #13 0x00007f2b4f2147cd g_main_context_dispatch (libglib-2.0.so.0) #14 0x00007f2b4f214b98 g_main_context_iterate.isra.21 (libglib-2.0.so.0) #15 0x00007f2b4f214c30 g_main_context_iteration (libglib-2.0.so.0) #16 0x00007f2b29eca663 n/a (libvclplug_gtk3lo.so) #17 0x00007f2b48e58fd2 _ZN11Application5YieldEv (libvcllo.so) #18 0x00007f2b48bb5a8e _ZN6Dialog7ExecuteEv (libvcllo.so) #19 0x00007f2b4b852067 n/a (libsvxlo.so) #20 0x00007f2b50f00f4d n/a (libsofficeapp.so) #21 0x00007f2b50f01289 n/a (libsofficeapp.so) #22 0x00007f2b48e5e138 n/a (libvcllo.so) #23 0x00007f2b511a4c62 n/a (libuno_sal.so.3) #24 0x00007f2b511cb3e2 n/a (libuno_sal.so.3) #25 0x00007f2b50b50fd0 __restore_rt (libc.so.6) #26 0x00007f2b091abdff _ZNK10SwTableBox9GetSttIdxEv (libswlo.so) #27 0x00007f2b08e0878e n/a (libswlo.so) #28 0x00007f2b08e08b31 n/a (libswlo.so) #29 0x00007f2b08e0daf3 n/a (libswlo.so) #30 0x00007f2b29ec4981 n/a (libvclplug_gtk3lo.so) #31 0x00007f2b29ec4a0e n/a (libvclplug_gtk3lo.so) #32 0x00007f2b29ec4aea n/a (libvclplug_gtk3lo.so) #33 0x00007f2b4de797bc _ZN10comphelper23AccessibleEventNotifier8addEventEjRKN3com3sun4star13accessibility21AccessibleEventObjectE (libcomphelper.so) #34 0x00007f2b08e0e987 n/a (libswlo.so) #35 0x00007f2b08e09657 n/a (libswlo.so) #36 0x00007f2b08e2770b n/a (libswlo.so) #37 0x00007f2b0945a3b0 n/a (libswlo.so) #38 0x00007f2b09169c09 n/a (libswlo.so) #39 0x00007f2b0915a8da _ZN7SwFrame12DestroyFrameEPS_ (libswlo.so) #40 0x00007f2b0915ac37 n/a (libswlo.so) #41 0x00007f2b0915a8da _ZN7SwFrame12DestroyFrameEPS_ (libswlo.so) #42 0x00007f2b090c4424 n/a (libswlo.so) #43 0x00007f2b090c60e9 n/a (libswlo.so) #44 0x00007f2b08fab600 _ZN7SwTable9DeleteSelEP5SwDocRK10SwSelBoxesPS3_P6SwUndobb (libswlo.so) #45 0x00007f2b0919ed9a _ZN7SwTable8NewMergeEP5SwDocRK10SwSelBoxesS4_P16SwUndoTableMerge (libswlo.so) #46 0x00007f2b08fc7a7b _ZN5SwDoc10MergeTableER5SwPaM (libswlo.so) #47 0x00007f2b090aea0c _ZN9SwFEShell8MergeTabEv (libswlo.so) #48 0x00007f2b096968a6 n/a (libswlo.so) #49 0x00007f2b4c2220b2 n/a (libsfxlo.so) #50 0x00007f2b4c21eeb7 n/a (libsfxlo.so) #51 0x00007f2b4c27332d n/a (libsfxlo.so) #52 0x00007f2b4c2736b3 n/a (libsfxlo.so) #53 0x00007f2b1e26e60d n/a (libfwklo.so) #54 0x00007f2b48c53038 n/a (libvcllo.so) #55 0x00007f2b48e486fb _ZN16SalUserEventList18DispatchUserEventsEb (libvcllo.so) #56 0x00007f2b29ec935d n/a (libvclplug_gtk3lo.so) #57 0x00007f2b4f2110eb g_idle_dispatch (libglib-2.0.so.0) #58 0x00007f2b4f2147cd g_main_context_dispatch (libglib-2.0.so.0) #59 0x00007f2b4f214b98 g_main_context_iterate.isra.21 (libglib-2.0.so.0) #60 0x00007f2b4f214c30 g_main_context_iteration (libglib-2.0.so.0) #61 0x00007f2b29eca663 n/a (libvclplug_gtk3lo.so) #62 0x00007f2b48e58fd2 _ZN11Application5YieldEv (libvcllo.so) #63 0x00007f2b48e5a855 _ZN11Application7ExecuteEv (libvcllo.so) Stack trace of thread 23906: #0 0x00007f2b50c09929 __poll (libc.so.6) #1 0x00007f2b4f214b06 g_main_context_iterate.isra.21 (libglib-2.0.so.0) #2 0x00007f2b4f214ec2 g_main_loop_run (libglib-2.0.so.0) #3 0x00007f2b4864f60a gdbus_shared_thread_func (libgio-2.0.so.0) #4 0x00007f2b4f23ccea g_thread_proxy (libglib-2.0.so.0) #5 0x00007f2b50902564 start_thread (libpthread.so.0) #6 0x00007f2b50c1431f __clone (libc.so.6) Stack trace of thread 23904: #0 0x00007f2b50c09929 __poll (libc.so.6) #1 0x00007f2b4f214b06 g_main_context_iterate.isra.21 (libglib-2.0.so.0) #2 0x00007f2b4f214c30 g_main_context_iteration (libglib-2.0.so.0) #3 0x00007f2b24361e4d dconf_gdbus_worker_thread (libdconfsettings.so) #4 0x00007f2b4f23ccea g_thread_proxy (libglib-2.0.so.0) #5 0x00007f2b50902564 start_thread (libpthread.so.0) #6 0x00007f2b50c1431f __clone (libc.so.6) Stack trace of thread 23901: #0 0x00007f2b5090884a pthread_cond_timedwait@@GLIBC_2.3.2 (libpthread.so.0) #1 0x00007f2b511a8172 n/a (libuno_sal.so.3) #2 0x00007f2b50902564 start_thread (libpthread.so.0) #3 0x00007f2b50c1431f __clone (libc.so.6) Stack trace of thread 25049: #0 0x00007f2b50c0edf9 syscall (libc.so.6) #1 0x00007f2b4f25b44e g_cond_wait_until (libglib-2.0.so.0) #2 0x00007f2b4f1e70e1 g_async_queue_pop_intern_unlocked (libglib-2.0.so.0) #3 0x00007f2b4f1e76d0 g_async_queue_timeout_pop (libglib-2.0.so.0) #4 0x00007f2b4f23d791 g_thread_pool_thread_proxy (libglib-2.0.so.0) #5 0x00007f2b4f23ccea g_thread_proxy (libglib-2.0.so.0) #6 0x00007f2b50902564 start_thread (libpthread.so.0) #7 0x00007f2b50c1431f __clone (libc.so.6) Stack trace of thread 23903: #0 0x00007f2b50c15287 accept (libc.so.6) #1 0x00007f2b511c86e8 osl_acceptPipe (libuno_sal.so.3) #2 0x00007f2b50f2a152 n/a (libsofficeapp.so) #3 0x00007f2b4cbe4cda _ZN9salhelper6Thread3runEv (libuno_salhelpergcc3.so.3) #4 0x00007f2b4cbe4e9e n/a (libuno_salhelpergcc3.so.3) #5 0x00007f2b511ce1c8 n/a (libuno_sal.so.3) #6 0x00007f2b50902564 start_thread (libpthread.so.0) #7 0x00007f2b50c1431f __clone (libc.so.6) Stack trace of thread 25810: #0 0x00007f2b5090884a pthread_cond_timedwait@@GLIBC_2.3.2 (libpthread.so.0) #1 0x00007f2b511c1b38 osl_waitCondition (libuno_sal.so.3) #2 0x00007f2b259fb8e1 n/a (libconfigmgrlo.so) #3 0x00007f2b4cbe4cda _ZN9salhelper6Thread3runEv (libuno_salhelpergcc3.so.3) #4 0x00007f2b4cbe4e9e n/a (libuno_salhelpergcc3.so.3) #5 0x00007f2b511ce1c8 n/a (libuno_sal.so.3) #6 0x00007f2b50902564 start_thread (libpthread.so.0) #7 0x00007f2b50c1431f __clone (libc.so.6) Stack trace of thread 23905: #0 0x00007f2b50c09929 __poll (libc.so.6) #1 0x00007f2b4f214b06 g_main_context_iterate.isra.21 (libglib-2.0.so.0) #2 0x00007f2b4f214c30 g_main_context_iteration (libglib-2.0.so.0) #3 0x00007f2b4f214c81 glib_worker_main (libglib-2.0.so.0) #4 0x00007f2b4f23ccea g_thread_proxy (libglib-2.0.so.0) #5 0x00007f2b50902564 start_thread (libpthread.so.0) #6 0x00007f2b50c1431f __clone (libc.so.6)
Can't reproduce this, upstream backtrace suggests an a11y issue, but toggling a11y on and off in the desktop doesn't help to reproduce.
oh wait, vertically merge and I get a crash, just one time. So there's definitely a problem here somewhere.
(In reply to Caolan McNamara from comment #3) > oh wait, vertically merge and I get a crash, just one time. So there's > definitely a problem here somewhere. To be precise, at the end of each table in the sample document, there's a total cell that I'm trying to merge with the vertical-neighbouring cells. It always (reliably) crash every time on both system package and flatpak package.
(In reply to Anass Ahmed from comment #4) > To be precise, at the end of each table in the sample document, there's a > total cell that I'm trying to merge with the vertical-neighbouring cells. It > always (reliably) crash every time on both system package and flatpak > package. Correction: it's not vertical, it's horizontal.
Created attachment 1441452 [details] Bug Reproduction Video This is a screencast reproducing the issue on the sample document using the system package of libreoffice writer.
Downloaded LibreOfficeDev6.1 to test the issue there; but it doesn't provide a GTK3 VCLPlugin. So it worked with GTK2 instead, and there were no problems in merging cells. Tried again the system package with SAL_USE_VCLPLUGIN=gtk to run the GTK2 interface, and I successfully merged the horizontal cells without any problem. Guess it has something to do with GTK3, then?
I have captured a backtrace under valgrind in the upstream bug which points to an a11y issue, which more suggests its just that the gtk3 a11y works sufficiently well to trigger the writer a11y bug
(In reply to Caolan McNamara from comment #8) > I have captured a backtrace under valgrind in the upstream bug which points > to an a11y issue, which more suggests its just that the gtk3 a11y works > sufficiently well to trigger the writer a11y bug I don't use any accessibility settings at all, though.
libreoffice-6.0.4.2-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0460955f7a
libreoffice-6.0.4.2-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0460955f7a
The update has been successful in solving the issue, I've added to the karma on bodhi to be pushed to stable. Thanks, Caolan McNamara, for the prompt response and fix.
libreoffice-6.0.4.2-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.