Bug 118416 - SEGV when Calc exits when it tries to export an image of a whole column on the system clipboard
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc
Version: unspecified (earliest affected)
Hardware: All Linux (All)
Importance: medium normal
Assignee: Tor Lillqvist
Whiteboard: target:6.2.0 target:6.1.3
Duplicates: 120616 121093

Reported: 2018-06-27 15:11 UTC by Tor Lillqvist
Modified: 2018-11-02 18:03 UTC

Description Tor Lillqvist 2018-06-27 15:11:07 UTC
Description:
In a developer build, with --enable-debug:

make debugrun
r --calc
add some numbers into A1 and A2
click the column header, Control-C
Control-Q, click "Don't Save"
Boom. Thread 1 "soffice.bin" received signal SIGSEGV, Segmentation fault.

Stack trace:

> #0  0x00007ffff73e6530 in __memset_sse2_unaligned_erms () at /lib64/libc.so.6
> #1  0x00007fffe0095475 in _cairo_xlib_surface_create_similar_shm () at /lib64/libcairo.so.2
> #2  0x00007fffe0068b17 in cairo_surface_create_similar_image () at /lib64/libcairo.so.2
> #3  0x00007fffe0068d08 in cairo_surface_create_similar () at /lib64/libcairo.so.2
> #4  0x00007fffec574d4d in SvpSalVirtualDevice::SetSizeUsingBuffer(long, long, unsigned char*) (
>     this=0x2f55e10, nNewDX=85, nNewDY=17895697, pBuffer=0x0) at /ssd1/lo/fedora/vcl/headless/svpvd.cxx:107
> #5  0x00007fffec574ae7 in SvpSalVirtualDevice::SetSize(long, long) (this=0x2f55e10, nNewDX=85, nNewDY=17895697)
>     at /ssd1/lo/fedora/vcl/headless/svpvd.cxx:63
> #6  0x00007fffec262de2 in VirtualDevice::InnerImplSetOutputSizePixel(Size const&, bool, unsigned char*) (
>     this=0x26eeb10, rNewSize=Size = {...}, bErase=true, pBuffer=0x0) at /ssd1/lo/fedora/vcl/source/gdi/virdev.cxx:304
> #7  0x00007fffec263376 in VirtualDevice::ImplSetOutputSizePixel(Size const&, bool, unsigned char*) (this=0x26eeb10, rNewSize=Size = {...}, bErase=true, pBuffer=0x0) at /ssd1/lo/fedora/vcl/source/gdi/virdev.cxx:379
> #8  0x00007fffec263690 in VirtualDevice::SetOutputSizePixel(Size const&, bool) (this=0x26eeb10, rNewSize=Size = {...}, bErase=true)
>     at /ssd1/lo/fedora/vcl/source/gdi/virdev.cxx:425
> #9  0x00007fffc320cfe6 in ScTransferObj::GetData(com::sun::star::datatransfer::DataFlavor const&, rtl::OUString const&) (
>     this=0x686c640, rFlavor=...) at /ssd1/lo/fedora/sc/source/ui/app/transobj.cxx:378
> #10 0x00007fffee789e8c in TransferableHelper::getTransferData2(com::sun::star::datatransfer::DataFlavor const&, rtl::OUString const&) (this=0x686c640, rFlavor=..., rDestDoc="") at /ssd1/lo/fedora/svtools/source/misc/transfer.cxx:377
> #11 0x00007fffee789009 in TransferableHelper::getTransferData(com::sun::star::datatransfer::DataFlavor const&) (this=0x686c640, rFlavor=...) at /ssd1/lo/fedora/svtools/source/misc/transfer.cxx:275
> #12 0x00007fffee789093 in non-virtual thunk to TransferableHelper::getTransferData(com::sun::star::datatransfer::DataFlavor const&) ()
>     at /usr/bin/../lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/stl_iterator.h:794
> #13 0x00007fffd1267f3a in VclToGtkHelper::setSelectionData(com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable> const&, _GtkSelectionData*, unsigned int) (this=0x22fb0b0, rTrans=uno::Reference to (ScTransferObj *) 0x686c668, selection_data=0x7ffffffedb50, info=5) at /ssd1/lo/fedora/vcl/unx/gtk3/gtk3gtkinst.cxx:488
> #14 0x00007fffd1267d44 in VclGtkClipboard::ClipboardGet(_GtkSelectionData*, unsigned int) (
>     this=0x22fafa0, selection_data=0x7ffffffedb50, info=5) at /ssd1/lo/fedora/vcl/unx/gtk3/gtk3gtkinst.cxx:357
> #15 0x00007fffd126a2ef in (anonymous namespace)::ClipboardGetFunc(_GtkClipboard*, _GtkSelectionData*, unsigned int, void*) (selection_data=0x7ffffffedb50, info=5, user_data_or_owner=0x22fafa0) at /ssd1/lo/fedora/vcl/unx/gtk3/gtk3gtkinst.cxx:385
> #16 0x00007ffff5d18add in g_closure_invoke () at /lib64/libgobject-2.0.so.0
> #17 0x00007ffff5d2bf43 in signal_emit_unlocked_R () at /lib64/libgobject-2.0.so.0
> #18 0x00007ffff5d3506a in g_signal_emit_valist () at /lib64/libgobject-2.0.so.0
> #19 0x00007ffff5d35b44 in g_signal_emit_by_name () at /lib64/libgobject-2.0.so.0
> #20 0x00007fffd0b570db in gtk_selection_invoke_handler () at /lib64/libgtk-3.so.0
> #21 0x00007fffd0b58c8e in _gtk_selection_request () at /lib64/libgtk-3.so.0
> #22 0x00007fffd0ac67a8 in _gtk_marshal_BOOLEAN__BOXEDv () at /lib64/libgtk-3.so.0
> #23 0x00007ffff5d18d36 in _g_closure_invoke_va () at /lib64/libgobject-2.0.so.0
> #24 0x00007ffff5d34ae4 in g_signal_emit_valist () at /lib64/libgobject-2.0.so.0
> #25 0x00007ffff5d35663 in g_signal_emit () at /lib64/libgobject-2.0.so.0
> #26 0x00007fffd0c14134 in gtk_widget_event_internal () at /lib64/libgtk-3.so.0
> #27 0x00007fffd0ac5716 in gtk_main_do_event () at /lib64/libgtk-3.so.0
> #28 0x00007fffd05ce639 in _gdk_event_emit () at /lib64/libgdk-3.so.0
> #29 0x00007fffd05ffe76 in gdk_event_source_dispatch () at /lib64/libgdk-3.so.0
> #30 0x00007ffff5a3d8ad in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
> #31 0x00007ffff5a3dc78 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
> #32 0x00007ffff5a3dfa2 in g_main_loop_run () at /lib64/libglib-2.0.so.0
> #33 0x00007fffd0c3ddee in gtk_clipboard_wait_for_contents () at /lib64/libgtk-3.so.0
> #34 0x00007fffd0c3e5bc in gtk_clipboard_wait_for_targets () at /lib64/libgtk-3.so.0
> #35 0x00007fffd1268559 in VclGtkClipboard::OwnerPossiblyChanged(_GtkClipboard*) (this=0x67d4d30, clipboard=0x1cb85e0)
>     at /ssd1/lo/fedora/vcl/unx/gtk3/gtk3gtkinst.cxx:420
> #36 0x00007fffd1268909 in (anonymous namespace)::handle_owner_change(_GtkClipboard*, _GdkEvent*, void*) (clipboard=0x1cb85e0, user_data=0x67d4d30) at /ssd1/lo/fedora/vcl/unx/gtk3/gtk3gtkinst.cxx:397
> #37 0x00007ffff5d18add in g_closure_invoke () at /lib64/libgobject-2.0.so.0
> #38 0x00007ffff5d2bf43 in signal_emit_unlocked_R () at /lib64/libgobject-2.0.so.0
> #39 0x00007ffff5d3506a in g_signal_emit_valist () at /lib64/libgobject-2.0.so.0
> #40 0x00007ffff5d35663 in g_signal_emit () at /lib64/libgobject-2.0.so.0
> #41 0x00007fffd0ac53dd in gtk_main_do_event () at /lib64/libgtk-3.so.0
> #42 0x00007fffd05ce639 in _gdk_event_emit () at /lib64/libgdk-3.so.0
> #43 0x00007fffd05ffe76 in gdk_event_source_dispatch () at /lib64/libgdk-3.so.0
> #44 0x00007ffff5a3d8ad in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
> #45 0x00007ffff5a3dc78 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
> #46 0x00007ffff5a3dfa2 in g_main_loop_run () at /lib64/libglib-2.0.so.0
> #47 0x00007fffd0c3cdd6 in gtk_clipboard_real_store () at /lib64/libgtk-3.so.0
> #48 0x00007fffd12692c4 in VclGtkClipboard::flushClipboard() (this=0x22fafa0) at /ssd1/lo/fedora/vcl/unx/gtk3/gtk3gtkinst.cxx:551
> #49 0x00007fffee788d41 in TransferableHelper::ImplFlush() (this=0x686c640) at /ssd1/lo/fedora/svtools/source/misc/transfer.cxx:522
> #50 0x00007fffee788c8d in TransferableHelper::TerminateListener::notifyTermination(com::sun::star::lang::EventObject const&) (this=0x686c3b0) at /ssd1/lo/fedora/svtools/source/misc/transfer.cxx:254
> #51 0x00007fffc5617504 in framework::Desktop::impl_sendTerminateToClipboard() (this=0x1e71640)
>     at /ssd1/lo/fedora/framework/source/services/desktop.cxx:1655
> #52 0x00007fffc5616096 in framework::Desktop::terminate() (this=0x1e71640) at /ssd1/lo/fedora/framework/source/services/desktop.cxx:327
> #53 0x00007ffff1962b6c in SfxApplication::MiscExec_Impl(SfxRequest&) (this=0x1e841d0, rReq=...)
>     at /ssd1/lo/fedora/sfx2/source/appl/appserv.cxx:428
> #54 0x00007ffff1942eb5 in SfxStubSfxApplicationMiscExec_Impl(SfxShell*, SfxRequest&) (pShell=0x1e841d0, rReq=...)
>     at /ssd1/lo/fedora/workdir/SdiTarget/sfx2/sdi/sfxslots.hxx:1228
> #55 0x00007ffff1aaed62 in SfxShell::CallExec(void (*)(SfxShell*, SfxRequest&), SfxRequest&) (this=0x1e841d0, pFunc=0x7ffff1942e90 <SfxStubSfxApplicationMiscExec_Impl(SfxShell*, SfxRequest&)>, rReq=...) at /ssd1/lo/fedora/include/sfx2/shell.hxx:211
> #56 0x00007ffff1aa4790 in SfxDispatcher::Call_Impl(SfxShell&, SfxSlot const&, SfxRequest&, bool) (this=0x2014710, rShell=..., rSlot=..., rReq=..., bRecord=true) at /ssd1/lo/fedora/sfx2/source/control/dispatch.cxx:355
> #57 0x00007ffff1aa9d47 in SfxDispatcher::PostMsgHandler(SfxRequest*) (this=0x2014710, pReq=0x67ac060)
>     at /ssd1/lo/fedora/sfx2/source/control/dispatch.cxx:1126
> #58 0x00007ffff1aa4d78 in SfxDispatcher::LinkStubPostMsgHandler(void*, SfxRequest*) (instance=0x2014710, data=0x67ac060)
>     at /ssd1/lo/fedora/sfx2/source/control/dispatch.cxx:1106
> #59 0x00007ffff1eec468 in Link<SfxRequest*, void>::Call(SfxRequest*) const (this=0x2066760, data=0x67ac060)
>     at /ssd1/lo/fedora/include/tools/link.hxx:84
> #60 0x00007ffff1eec3db in SfxHintPoster::DoEvent_Impl(void*) (this=0x2066750, pPostedHint=0x67ac060)
>     at /ssd1/lo/fedora/sfx2/source/notify/hintpost.cxx:44
> #61 0x00007ffff1eec3a8 in SfxHintPoster::LinkStubDoEvent_Impl(void*, void*) (instance=0x2066750, data=0x67ac060)
>     at /ssd1/lo/fedora/sfx2/source/notify/hintpost.cxx:42
> #62 0x00007fffebdd27d8 in Link<void*, void>::Call(void*) const (this=0x688c1b8, data=0x67ac060)
>     at /ssd1/lo/fedora/include/tools/link.hxx:84
> #63 0x00007fffebdcfa5c in ImplHandleUserEvent(ImplSVEvent*) (pSVEvent=0x688c1b0) at /ssd1/lo/fedora/vcl/source/window/winproc.cxx:1928
> #64 0x00007fffebdcd02d in ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) (
>     _pWindow=0x1ea61d0, nEvent=SalEvent::UserEvent, pEvent=0x688c1b0) at /ssd1/lo/fedora/vcl/source/window/winproc.cxx:2479
> #65 0x00007fffec55d6e5 in SalFrame::CallCallback(SalEvent, void const*) const (this=0x1ea6910, nEvent=SalEvent::UserEvent, pEvent=0x688c1b0) at /ssd1/lo/fedora/vcl/inc/salframe.hxx:280
> #66 0x00007fffec5751df in SalGenericDisplay::ProcessEvent(SalUserEventList::SalUserEvent) (this=0x1c1cfa0, aEvent=...)
>     at /ssd1/lo/fedora/vcl/unx/generic/app/gendisp.cxx:67
> #67 0x00007fffec32ec24 in SalUserEventList::DispatchUserEvents(bool) (this=0x1c1cfa0, bHandleAllCurrentEvents=false)
>     at /ssd1/lo/fedora/vcl/source/app/salusereventlist.cxx:109
> #68 0x00007fffec575135 in SalGenericDisplay::DispatchInternalEvent(bool) (this=0x1c1cfa0, bHandleAllCurrentEvent=false)
>     at /ssd1/lo/fedora/vcl/unx/generic/app/gendisp.cxx:52
> #69 0x00007fffd1263643 in call_userEventFn(void*) (data=0x6fc9f0) at /ssd1/lo/fedora/vcl/unx/gtk3/gtk3gtkdata.cxx:784
> #70 0x00007ffff5a3a1cb in g_idle_dispatch () at /lib64/libglib-2.0.so.0
> #71 0x00007ffff5a3d8ad in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
> #72 0x00007ffff5a3dc78 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
> #73 0x00007ffff5a3dd10 in g_main_context_iteration () at /lib64/libglib-2.0.so.0
> #74 0x00007fffd1262272 in GtkSalData::Yield(bool, bool) (this=0x6fc9f0, bWait=true, bHandleAllCurrentEvents=false)
>     at /ssd1/lo/fedora/vcl/unx/gtk3/gtk3gtkdata.cxx:459
> #75 0x00007fffd12668e7 in GtkInstance::DoYield(bool, bool) (this=0x6fc7f0, bWait=true, bHandleAllCurrentEvents=false)
>     at /ssd1/lo/fedora/vcl/unx/gtk3/../gtk/gtkinst.cxx:399
> #76 0x00007fffec392e01 in ImplYield(bool, bool) (i_bWait=true, i_bAllEvents=false) at /ssd1/lo/fedora/vcl/source/app/svapp.cxx:470
> #77 0x00007fffec38da44 in Application::Yield() () at /ssd1/lo/fedora/vcl/source/app/svapp.cxx:535
> #78 0x00007fffec38d9d0 in Application::Execute() () at /ssd1/lo/fedora/vcl/source/app/svapp.cxx:450
> #79 0x00007ffff7744f79 in desktop::Desktop::Main() (this=0x7fffffff2340) at /ssd1/lo/fedora/desktop/source/app/app.cxx:1634
> #80 0x00007fffec3a2605 in ImplSVMain() () at /ssd1/lo/fedora/vcl/source/app/svmain.cxx:200
> #81 0x00007fffec3a41e8 in SVMain() () at /ssd1/lo/fedora/vcl/source/app/svmain.cxx:238
> #82 0x00007ffff77b1dc5 in soffice_main() () at /ssd1/lo/fedora/desktop/source/app/sofficemain.cxx:169
> #83 0x000000000040089d in sal_main () at /ssd1/lo/fedora/desktop/source/app/main.c:48
> #84 0x0000000000400877 in main (argc=2, argv=0x7fffffff24f8) at /ssd1/lo/fedora/desktop/source/app/main.c:47

Note the nNewDX=85, nNewDY=17895697 at #5.

Reproducible: Always


User Profile Reset: No



Comment 1 Tor Lillqvist 2018-06-27 15:13:00 UTC
Related to bug #69460. No idea why this issue hasn't come up more often?
Comment 2 Tor Lillqvist 2018-06-27 15:45:45 UTC
Not sure why I don't get any message from the shell when running soffice and doing the same thing that the process would have been killed by that SEGV. Does cairo actually catch it? Anyway, even if it does, surely what the code tries to do is insane?

The code in ScTransferObj::GetData() already shrinks the range handled in the case of RTF or RICHTEXT. Most likely it should do that for *all* cases. But Eike points out on IRC that it should not use the ShrinkToUsedDataArea() function to do it, as that will apparently drop empty cells that still have some visible formatting applied to them. Probably it should use ScTable::GetPrintArea().
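
Added example, not part of the bug report and not LibreOffice code: a sketch of the two defences discussed above, clamping the copied row range to the used rows and rejecting an off-screen bitmap whose byte size is unreasonable before any surface is created. The row count, the 256-twip row height, the 15 twips per pixel, the 256 MiB cap and all function names are assumptions; the first three were chosen because they reproduce the nNewDY=17895697 seen in frame #5.

```cpp
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <limits>

// Assumed values, not taken from the bug page: rows per sheet, default row
// height in twips, and twips per pixel (1440 twips per inch at 96 dpi).
constexpr long kSheetRows = 1048576;
constexpr long kRowHeightTwips = 256;
constexpr long kTwipsPerPixel = 15;
// Hypothetical policy cap for one off-screen bitmap; not a LibreOffice constant.
constexpr std::uint64_t kMaxSurfaceBytes = 256ull << 20;

// Pixel height needed to render rows [first, last] at the assumed row height.
long rowsToPixels(long first, long last)
{
    return (last - first + 1) * kRowHeightTwips / kTwipsPerPixel;
}

// Clamp the selected last row to the last row in use. lastUsedRow stands in
// for whatever "used area" query the caller has available.
long clampLastRow(long selectedLast, long lastUsedRow)
{
    return std::min(selectedLast, lastUsedRow);
}

// Stores the byte size of a width x height bitmap in out and returns true.
// Returns false when a dimension is not positive, the product overflows
// 64 bits, or the size exceeds maxBytes.
bool surfaceBytes(long width, long height, unsigned bytesPerPixel,
                  std::uint64_t& out, std::uint64_t maxBytes = kMaxSurfaceBytes)
{
    if (width <= 0 || height <= 0 || bytesPerPixel == 0)
        return false;
    const auto w = static_cast<std::uint64_t>(width);
    const auto h = static_cast<std::uint64_t>(height);
    const auto limit = std::numeric_limits<std::uint64_t>::max();
    if (w > limit / bytesPerPixel || h > limit / (w * bytesPerPixel))
        return false;
    const std::uint64_t total = w * bytesPerPixel * h;
    if (total > maxBytes)
        return false;
    out = total;
    return true;
}

int main()
{
    std::uint64_t bytes = 0;
    const long whole = rowsToPixels(0, kSheetRows - 1);  // whole column
    const long used = rowsToPixels(0, clampLastRow(kSheetRows - 1, 1));  // A1:A2
    std::cout << "whole column: " << whole << " px, accepted="
              << surfaceBytes(85, whole, 4, bytes) << '\n';  // 85 = nNewDX
    std::cout << "used rows: " << used << " px, accepted="
              << surfaceBytes(85, used, 4, bytes) << ", bytes=" << bytes << '\n';
}
```

At 4 bytes per pixel the whole-column request is 85 x 17895697 x 4 = 6,084,536,980 bytes, which does not fit in a 32-bit size; the clamped two-row request is 11,560 bytes.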
Comment 3 Xisco Faulí 2018-06-27 22:10:23 UTC
No problem with

Version: 6.2.0.0.alpha0+
Build ID: 6ebc026e34d0c119067e7dfbad8d932f92844760
CPU threads: 4; OS: Linux 4.13; UI render: default; VCL: gtk3; 
Locale: ca-ES (ca_ES.UTF-8); Calc: group threaded

I guess it's only in debug mode?
Comment 4 Tor Lillqvist 2018-06-28 06:32:39 UTC
When you say "no problem", you mean that you did not get the SEGV when running LO under gdb, after first selecting an entire column and then attempting to quit LO?

I know that there is no *apparent* problem (no visible indication something went wrong) when running LO otherwise. But my theory is that not all of the kinds of formats that LO tries to put on the clipboard actually end up there.
Comment 5 Tor Lillqvist 2018-06-28 06:44:07 UTC
Using the xclip command to list what "targets" (formats?) are available on the X11 clipboard after quitting LO (this time running it "normally", not under gdb):

When I copy just two cells:

> TARGETS
> MULTIPLE
> application/x-libreoffice-internal-id-9270
> STRING
> UTF8_STRING
> text/plain;charset=utf-8
> text/richtext
> text/rtf
> application/x-libreoffice-tsvc
> text/plain;charset=utf-16
> application/x-openoffice-dif;windows_formatname="DIF"
> application/x-openoffice-link;windows_formatname="Link"
> application/x-openoffice-sylk;windows_formatname="Sylk"
> text/html
> image/bmp
> application/x-openoffice-bitmap;windows_formatname="Bitmap"
> image/png
> application/x-openoffice-wmf;windows_formatname="Image WMF"
> application/x-openoffice-emf;windows_formatname="Image EMF"
> application/x-openoffice-gdimetafile;windows_formatname="GDIMetaFile"
> application/x-openoffice-objectdescriptor-xml;windows_formatname="Star Object Descriptor (XML)";classname="47BBB4CB-CE4C-4E80-a591-42d9ae74950f";typename="LibreOfficeDev 6.2 Spreadsheet";displayname="file:///tmp/testcalccopypastecolumn.ods";viewaspect="1";width="2259";height="904";posx="0";posy="0"
> application/x-openoffice-embed-source-xml;windows_formatname="Star Embed Source (XML)"

When I copy a whole column (by clicking on the column header, for instance "B"):

*nothing*

So clearly something does go wrong. xclip complains "Error: target TARGETS not available"
Comment 6 Tor Lillqvist 2018-06-28 06:47:43 UTC
And if I copy just a few cells and quit LO, and then run:

> xclip -o -target image/png -selection clipboard >afewcells.png

the afewcells.png indeed contains an image of those cells "printed".
Comment 7 Commit Notification 2018-07-16 19:36:31 UTC
Tor Lillqvist committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=48c977dd945130051a7e37d7fcb7eb11b767ead3

tdf#69460, tdf#118416: Don't copy whole columns to the clipboard

It will be available in 6.2.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 8 Xisco Faulí 2018-08-16 08:22:44 UTC
A polite ping to Tor Lillqvist:
Is this bug fixed? If so, could you please close it as RESOLVED FIXED? Otherwise, could you please explain what's missing?
Thanks
Comment 9 Xisco Faulí 2018-10-15 14:14:56 UTC
*** Bug 120616 has been marked as a duplicate of this bug. ***
Comment 10 Xisco Faulí 2018-10-15 14:19:15 UTC
Hi Tor, Eike,
the fix for this issue also fixes bug 120616, which is a crash.
Any chance the commit could be backported to 6.1? Gerrit's cherry-pick prompts a merge conflict.
Comment 11 Timur 2018-10-17 10:07:30 UTC
*** Bug 120616 has been marked as a duplicate of this bug. ***
Comment 12 Commit Notification 2018-10-17 19:46:43 UTC
Tor Lillqvist committed a patch related to this issue.
It has been pushed to "libreoffice-6-1":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=7139b259394f0b2075794bc6c42dd9c64005096b&h=libreoffice-6-1

tdf#69460, tdf#118416: Don't copy whole columns to the clipboard

It will be available in 6.1.4.

Comment 13 ayca.yassi 2018-10-18 13:03:44 UTC
We are using LibreOffice Calc 6.0.6 in Manjaro. If we close the clipman, we don't get the error.
Comment 14 Commit Notification 2018-10-21 22:27:39 UTC
Tor Lillqvist committed a patch related to this issue.
It has been pushed to "libreoffice-6-1-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=037f9f91c1cb6ddb8077e59d01d62a5be5602d76&h=libreoffice-6-1-3

tdf#69460, tdf#118416: Don't copy whole columns to the clipboard

It will be available in 6.1.3.

Comment 15 Xisco Faulí 2018-11-02 18:03:17 UTC
*** Bug 121093 has been marked as a duplicate of this bug. ***