Bug 949238 - libreoffice-impress crashes (divide by 0 in valueset.cxx pageup/down handler)
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libreoffice
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Caolan McNamara
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2013-04-07 07:32 UTC by Joachim Backes
Modified: 2013-04-20 01:09 UTC (History)

Fixed In Version: libreoffice-3.6.6.2-2.fc18
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-20 01:09:36 UTC
Type: Bug
Regression: ---


Attachments:
Such an impress document (805.98 KB, application/vnd.oasis.opendocument.presentation), 2013-04-07 07:32 UTC, Joachim Backes
window of LO if pressing PageDown (364.79 KB, image/png), 2013-04-08 13:25 UTC, Joachim Backes

Description Joachim Backes 2013-04-07 07:32:16 UTC
Created attachment 732294 [details]
Such an impress document

Description of problem:

Open some LibreOffice Impress document, click with the mouse on the first slide (middle of the LO window) and then press the page down key.

Result: libreoffice crashes.

This does not happen if you first go to page #2 or higher (by clicking with the mouse on some slide in the slide column on the left side).

Version-Release number of selected component (if applicable):
libreoffice-3.6.6.2-1.fc18.x86_64

How reproducible:
each time

Steps to Reproduce:
1. See description
Actual results:
LO crashes

Expected results:
Page down done

Additional info:

Comment 1 Joachim Backes 2013-04-07 07:38:35 UTC
Very strange: If I download the attached odp doc and then open it with LO, the described effect does not appear. But I swear that the original attached doc shows the described effect.

Comment 2 Joachim Backes 2013-04-07 08:12:41 UTC
I found out when the crash happens: Only open the odp doc, but do not click in the LO window. Go with the mouse somewhere over the doc (activate the window!), and then click the page down key! Then LO will crash!

Comment 3 Joachim Backes 2013-04-07 08:20:29 UTC
You do not need to use the attached doc! Even if creating a new impress doc (can remain empty), the very first use of the page down key makes LO crash.

Comment 4 Joachim Backes 2013-04-07 08:44:08 UTC
usage of gdb:
===================================================================

gdb /usr/lib64/libreoffice/program/soffice.bin
GNU gdb (GDB) Fedora (7.5.1-37.fc18)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/lib64/libreoffice/program/soffice.bin...Reading symbols from /usr/lib64/libreoffice/program/soffice.bin...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install libreoffice-core-3.6.6.2-1.fc18.x86_64
(gdb) run
Starting program: /usr/lib64/libreoffice/program/soffice.bin 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7fffea117700 (LWP 23489)]
warning: cannot close "/usr/lib64/libreoffice/program/libdesktop_detectorlo.so": Invalid operation
warning: cannot close "/lib64/libSM.so.6": Invalid operation
warning: cannot close "/lib64/libICE.so.6": Invalid operation
warning: cannot close "/lib64/libuuid.so.1": Invalid operation
warning: cannot close "/usr/lib64/libreoffice/program/libdesktop_detectorlo.so": Invalid operation
[New Thread 0x7fffdd5dc700 (LWP 23490)]
[New Thread 0x7fffdcddb700 (LWP 23491)]
Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 9: reading configurations from ~/.fonts.conf is deprecated.
[New Thread 0x7fffd52c3700 (LWP 23492)]
warning: cannot close "/usr/lib64/gio/modules/libgiofam.so": Invalid operation
warning: cannot close "/lib64/libfam.so.0": Invalid operation
[New Thread 0x7fffd4ac2700 (LWP 23493)]
[New Thread 0x7fffcbfff700 (LWP 23494)]
warning: cannot close "/usr/lib64/libreoffice/program/libqstart_gtklo.so": Invalid operation
[New Thread 0x7fffcb18e700 (LWP 23495)]
[New Thread 0x7fffbe0c1700 (LWP 23497)]
[Thread 0x7fffbe0c1700 (LWP 23497) exited]
[Thread 0x7fffdd5dc700 (LWP 23490) exited]
[New Thread 0x7fffdd5dc700 (LWP 23499)]
[New Thread 0x7fffbe0c1700 (LWP 23500)]
[Thread 0x7fffbe0c1700 (LWP 23500) exited]
[Thread 0x7fffdd5dc700 (LWP 23499) exited]

Program received signal SIGFPE, Arithmetic exception.

Backtrace:
=============================================================================

0x00007ffff4c52e3f in ValueSet::KeyInput(KeyEvent const&) ()
   from /usr/lib64/libreoffice/program/libsvtlo.so
(gdb) bt
#0  0x00007ffff4c52e3f in ValueSet::KeyInput(KeyEvent const&) ()
   from /usr/lib64/libreoffice/program/libsvtlo.so
#1  0x00007ffff38ccc6d in ImplHandleKey(Window*, unsigned short, unsigned short, unsigned short, unsigned short, unsigned char) ()
   from /usr/lib64/libreoffice/program/libvcllo.so
#2  0x00007ffff38cf6db in ImplWindowFrameProc(Window*, SalFrame*, unsigned short, void const*) () from /usr/lib64/libreoffice/program/libvcllo.so
#3  0x00007fffe32f17d9 in GtkSalFrame::doKeyCallback(unsigned int, unsigned int, unsigned short, unsigned char, unsigned int, unsigned short, bool, bool) ()
   from /usr/lib64/libreoffice/program/libvclplug_gtklo.so
#4  0x00007fffe32f1e39 in GtkSalFrame::signalKey(_GtkWidget*, _GdkEventKey*, void*) () from /usr/lib64/libreoffice/program/libvclplug_gtklo.so
#5  0x00007fffe2399fac in _gtk_marshal_BOOLEAN__BOXED ()
   from /lib64/libgtk-x11-2.0.so.0
#6  0x00007fffe2bf4910 in g_closure_invoke () from /lib64/libgobject-2.0.so.0
#7  0x00007fffe2c05d08 in signal_emit_unlocked_R ()
   from /lib64/libgobject-2.0.so.0
#8  0x00007fffe2c0d8c7 in g_signal_emit_valist ()
   from /lib64/libgobject-2.0.so.0
#9  0x00007fffe2c0dde2 in g_signal_emit () from /lib64/libgobject-2.0.so.0
#10 0x00007fffe24cdb5e in gtk_widget_event_internal ()
   from /lib64/libgtk-x11-2.0.so.0
#11 0x00007fffe2397e07 in gtk_propagate_event ()
   from /lib64/libgtk-x11-2.0.so.0
#12 0x00007fffe23980b3 in gtk_main_do_event () from /lib64/libgtk-x11-2.0.so.0
#13 0x00007fffe1feef0c in gdk_event_dispatch () from /lib64/libgdk-x11-2.0.so.0
#14 0x00007fffe290aa55 in g_main_context_dispatch ()
   from /lib64/libglib-2.0.so.0
#15 0x00007fffe290ad88 in g_main_context_iterate.isra.24 ()
   from /lib64/libglib-2.0.so.0
#16 0x00007fffe290ae44 in g_main_context_iteration ()
   from /lib64/libglib-2.0.so.0
#17 0x00007fffe32d65f1 in GtkData::Yield(bool, bool) ()
   from /usr/lib64/libreoffice/program/libvclplug_gtklo.so
#18 0x00007ffff365e7e4 in Application::Yield(bool) ()
   from /usr/lib64/libreoffice/program/libvcllo.so
#19 0x00007ffff365e887 in Application::Execute() ()
   from /usr/lib64/libreoffice/program/libvcllo.so
#20 0x00007ffff7928450 in desktop::Desktop::Main() ()
   from /usr/lib64/libreoffice/program/libsofficeapp.so
#21 0x00007ffff3666c99 in ImplSVMain() ()
   from /usr/lib64/libreoffice/program/libvcllo.so
#22 0x00007ffff3666d25 in SVMain() ()
   from /usr/lib64/libreoffice/program/libvcllo.so
#23 0x00007ffff7954d05 in soffice_main ()
   from /usr/lib64/libreoffice/program/libsofficeapp.so
#24 0x00000000004006fb in main ()

Comment 5 Caolan McNamara 2013-04-08 11:58:57 UTC
hmm, I can't reproduce this. What (if any) control is visible in the task panel on the right when you open the .odp? Is it "Table Design" or a different one?

caolanm->dtardon: commit 3acbdb2dee458cba6904a636733f1777b47e9fc1 sounds plausibly related to this in that it adds page down/up support to ValueSet, which is what's crashing here apparently. Given that it's an Arithmetic exception, I assume it's a divide by 0, so some valueset seems to have 0 columns or rows or something like that, e.g. lcl_gotoLastLine with a 0 nCols.

Without line numbers I can't see which one is the div-by-zero.

caolanm->joachim.backes@rhrk: can you tell me what panel of the task pane is visible when you press page down, and if you could additionally debuginfo-install libreoffice and get the backtrace again, that'd help massively.

Comment 6 Joachim Backes 2013-04-08 13:25:55 UTC
Created attachment 732673 [details]
window of LO if pressing PageDown

Comment 7 Joachim Backes 2013-04-08 13:27:15 UTC
(In reply to comment #6)
> Created attachment 732673 [details]
> window of LO if pressing PageDown

Backtrace with debuginfo:
==================================

Program received signal SIGFPE, Arithmetic exception.
0x00007ffff4c52e3f in ValueSet::KeyInput (this=0x1774610, rKEvt=...)
    at /usr/src/debug/libreoffice-3.6.6.2/svtools/source/control/valueset.cxx:1441
1441	            mnCurCol = nItemPos % mnCols;
(gdb) bt
#0  0x00007ffff4c52e3f in ValueSet::KeyInput (this=0x1774610, rKEvt=...)
    at /usr/src/debug/libreoffice-3.6.6.2/svtools/source/control/valueset.cxx:1441
#1  0x00007ffff38ccc6d in ImplHandleKey (pWindow=0x12f6580, nSVEvent=nSVEvent@entry=4, nKeyCode=<optimized out>, nCharCode=0, 
    nRepeat=0, bForward=bForward@entry=1 '\001') at /usr/src/debug/libreoffice-3.6.6.2/vcl/source/window/winproc.cxx:1113
#2  0x00007ffff38cf6db in ImplWindowFrameProc (pWindow=0x12f6580, nEvent=5, pEvent=0x7fffffffd060)
    at /usr/src/debug/libreoffice-3.6.6.2/vcl/source/window/winproc.cxx:2445
#3  0x00007fffe32f17d9 in CallCallback (pEvent=0x7fffffffd060, nEvent=5, this=0x1380000)
    at /usr/src/debug/libreoffice-3.6.6.2/vcl/inc/salframe.hxx:281
#4  GtkSalFrame::doKeyCallback (this=this@entry=0x1380000, state=0, keyval=keyval@entry=65366, hardware_keycode=117, 
    time=<optimized out>, aOrigCode=0, bDown=bDown@entry=true, bSendRelease=bSendRelease@entry=false)
    at /usr/src/debug/libreoffice-3.6.6.2/vcl/unx/gtk/window/gtkframe.cxx:436
#5  0x00007fffe32f1e39 in GtkSalFrame::signalKey (pEvent=0x7fffcc003720, frame=0x1380000)
    at /usr/src/debug/libreoffice-3.6.6.2/vcl/unx/gtk/window/gtkframe.cxx:3433
#6  0x00007fffe2399fac in _gtk_marshal_BOOLEAN__BOXED () from /lib64/libgtk-x11-2.0.so.0
#7  0x00007fffe2bf4910 in g_closure_invoke () from /lib64/libgobject-2.0.so.0
#8  0x00007fffe2c05d08 in signal_emit_unlocked_R () from /lib64/libgobject-2.0.so.0
#9  0x00007fffe2c0d8c7 in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
#10 0x00007fffe2c0dde2 in g_signal_emit () from /lib64/libgobject-2.0.so.0
#11 0x00007fffe24cdb5e in gtk_widget_event_internal () from /lib64/libgtk-x11-2.0.so.0
#12 0x00007fffe2397e07 in gtk_propagate_event () from /lib64/libgtk-x11-2.0.so.0
#13 0x00007fffe23980b3 in gtk_main_do_event () from /lib64/libgtk-x11-2.0.so.0
#14 0x00007fffe1feef0c in gdk_event_dispatch () from /lib64/libgdk-x11-2.0.so.0
#15 0x00007fffe290aa55 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#16 0x00007fffe290ad88 in g_main_context_iterate.isra.24 () from /lib64/libglib-2.0.so.0
#17 0x00007fffe290ae44 in g_main_context_iteration () from /lib64/libglib-2.0.so.0
#18 0x00007fffe32d65f1 in GtkData::Yield (this=0x60d790, bWait=true, bHandleAllCurrentEvents=<optimized out>)
    at /usr/src/debug/libreoffice-3.6.6.2/vcl/unx/gtk/app/gtkdata.cxx:601
#19 0x00007ffff365e7e4 in ImplYield (i_bAllEvents=false, i_bWait=true)
    at /usr/src/debug/libreoffice-3.6.6.2/vcl/source/app/svapp.cxx:451
#20 Application::Yield (i_bAllEvents=false) at /usr/src/debug/libreoffice-3.6.6.2/vcl/source/app/svapp.cxx:485
#21 0x00007ffff365e887 in Application::Execute () at /usr/src/debug/libreoffice-3.6.6.2/vcl/source/app/svapp.cxx:430
#22 0x00007ffff7928450 in desktop::Desktop::Main (this=0x7fffffffdd60)
    at /usr/src/debug/libreoffice-3.6.6.2/desktop/source/app/app.cxx:1718
#23 0x00007ffff3666c99 in ImplSVMain () at /usr/src/debug/libreoffice-3.6.6.2/vcl/source/app/svmain.cxx:183
#24 0x00007ffff3666d25 in SVMain () at /usr/src/debug/libreoffice-3.6.6.2/vcl/source/app/svmain.cxx:220
#25 0x00007ffff7954d05 in soffice_main () at /usr/src/debug/libreoffice-3.6.6.2/desktop/source/app/sofficemain.cxx:83
#26 0x00000000004006fb in sal_main () at /usr/src/debug/libreoffice-3.6.6.2/desktop/source/app/main.c:34
#27 main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/libreoffice-3.6.6.2/desktop/source/ap

Comment 8 Joachim Backes 2013-04-08 13:27:58 UTC
Last line was incorrect: Should be:

main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/libreoffice-3.6.6.2/desktop/source/app/main.c:33

Comment 9 Caolan McNamara 2013-04-08 14:35:08 UTC
reproducible. Trick is to shrink the size of the task panel to make it invisible, then restart office and then press page down

Comment 10 Caolan McNamara 2013-04-08 14:50:11 UTC
fixed it upstream as http://cgit.freedesktop.org/libreoffice/core/commit/?id=626bac2f5ccec91eb9962c700564381158f826bc

pending 4-0 approval will add to own packages
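
The failure mode diagnosed in comment 5 and pinned down in comment 7 (a ValueSet laid out with zero columns, so the `nItemPos % mnCols` in the page-down handler faults), as an added illustration that is neither LibreOffice's valueset.cxx nor the upstream fix: a hypothetical MiniValueSet with the unguarded handler beside a guarded one that ignores the key when the layout has no columns or visible rows.

```cpp
// Added illustration (hypothetical MiniValueSet, not LibreOffice's ValueSet).
// Items are laid out in mnCols columns; page down moves the cursor one page of
// mnVisLines rows and maps the item index back to (row, col) with / and %.
// A control shrunk to zero size is laid out with mnCols == 0 and mnVisLines == 0.
#include <cstddef>

struct MiniValueSet {
    std::size_t nItemCount;    // items in the grid
    std::size_t mnCols;        // laid-out columns; 0 when the control has no space
    std::size_t mnVisLines;    // visible rows;     0 when the control has no space
    std::size_t mnCurRow = 0;
    std::size_t mnCurCol = 0;

    std::size_t curItemPos() const { return mnCurRow * mnCols + mnCurCol; }

    // Unguarded handler in the shape of the crashing path: the modulo by mnCols
    // is reached unconditionally, so a zero-column layout raises SIGFPE.
    // Deliberately not called below.
    void pageDownUnguarded() {
        std::size_t nItemPos = curItemPos() + mnCols * mnVisLines;
        if (nItemPos >= nItemCount) nItemPos = nItemCount - 1;
        mnCurRow = nItemPos / mnCols;
        mnCurCol = nItemPos % mnCols;   // divide by zero when mnCols == 0
    }

    // Guarded handler: an empty layout has nowhere to page to, so the key is
    // ignored (returns false) and no division takes place.
    bool pageDownGuarded() {
        if (mnCols == 0 || mnVisLines == 0 || nItemCount == 0) return false;
        std::size_t nItemPos = curItemPos() + mnCols * mnVisLines;
        if (nItemPos >= nItemCount) nItemPos = nItemCount - 1;
        mnCurRow = nItemPos / mnCols;
        mnCurCol = nItemPos % mnCols;
        return true;
    }
};

// Returns the item index reached after one page down, or -1 if the key was
// ignored, so the behaviour can be checked without a display.
long pageDownFrom(std::size_t items, std::size_t cols, std::size_t visLines,
                  std::size_t startPos) {
    MiniValueSet vs{items, cols, visLines};
    if (cols != 0) { vs.mnCurRow = startPos / cols; vs.mnCurCol = startPos % cols; }
    return vs.pageDownGuarded() ? static_cast<long>(vs.curItemPos()) : -1;
}

int main() {
    // Constructed layouts: a 10-item grid with 3 columns and 2 visible rows
    // (task panel visible) versus the same items in a zero-size layout.
    bool ok = pageDownFrom(10, 3, 2, 0) == 6 && pageDownFrom(10, 0, 0, 0) == -1;
    return ok ? 0 : 1;
}
```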

Comment 11 Joachim Backes 2013-04-08 15:28:33 UTC
(In reply to comment #9)
> reproducible. Trick is to shrink the size of the task panel to make it
> invisible, then restart office and then press page down

Thank you! By making the task panel visible, I could get rid of the bug too.

Comment 12 Fedora Update System 2013-04-09 08:20:02 UTC
libreoffice-3.6.6.2-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/libreoffice-3.6.6.2-2.fc18

Comment 13 Fedora Update System 2013-04-10 01:37:01 UTC
Package libreoffice-3.6.6.2-2.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libreoffice-3.6.6.2-2.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5289/libreoffice-3.6.6.2-2.fc18
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2013-04-16 19:08:59 UTC
libreoffice-3.6.6.2-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/libreoffice-3.6.6.2-3.fc18

Comment 15 Fedora Update System 2013-04-20 01:09:38 UTC
libreoffice-3.6.6.2-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
