Bug 155262 - LibreOffice crashes in server mode with "free(): corrupted unsorted chunks"
Status: UNCONFIRMED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version (earliest affected): 7.4.5.1 release
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords: haveBacktrace
Depends on:
Blocks: Crash
Reported: 2023-05-12 10:56 UTC by Dmitry Shachnev
Modified: 2023-05-30 03:16 UTC (History)

See Also:
Crash report or crash signature:


Attachments
gdb trace (123.24 KB, text/x-log)
2023-05-12 10:56 UTC, Dmitry Shachnev
first gdb trace with 7.5.4 rc1 (52.62 KB, text/plain)
2023-05-29 15:11 UTC, Dmitry Shachnev
second gdb trace with 7.5.4 rc1 (58.55 KB, text/plain)
2023-05-29 15:13 UTC, Dmitry Shachnev

Description Dmitry Shachnev 2023-05-12 10:56:40 UTC
Created attachment 187223
gdb trace

We are using libreoffice to convert docx files to PDF in server mode. It is started with the following flags:

libreoffice --headless --invisible --nocrashreport --nodefault --nologo --nofirststartwizard --norestore --accept='socket,host=127.0.0.1,port=44970,tcpNoDelay=1;urp;StarOffice.ComponentContext'

As the client code, we are using unoconvert (the client part of unoserver):

https://github.com/unoconv/unoserver/blob/master/src/unoserver/converter.py

After a few hours of running, libreoffice crashes with "free(): corrupted unsorted chunks" error (SIGABRT). Usually it happens when it receives two requests within the same second. Sometimes, the error message is printed, but the process keeps running and does not respond to requests.

You can make it crash much faster (after a few seconds) if you increase load and send multiple requests every second.

Stack trace:

#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
#1  0x00007fb6898a9d2f in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2  0x00007fb68985aef2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007fb689845472 in __GI_abort () at ./stdlib/abort.c:79
#4  0x00007fb68989e2d0 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fb6899b8459 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#5  0x00007fb6898b364a in malloc_printerr (str=str@entry=0x7fb6899bb1c0 "free(): corrupted unsorted chunks") at ./malloc/malloc.c:5660
#6  0x00007fb6898b573c in _int_free (av=0x7fb664000030, p=0x7fb664652210, have_lock=<optimized out>, have_lock@entry=0) at ./malloc/malloc.c:4626
#7  0x00007fb6898b7d2f in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3385
#8  0x00007fb68de34413 in rtl::OUString::~OUString() (this=0x7fb61c8fef78, __in_chrg=<optimized out>) at ./include/rtl/ustring.hxx:526
#9  bridges::cpp_uno::shared::UnoInterfaceProxy::~UnoInterfaceProxy() (this=0x7fb61c8fef40, __in_chrg=<optimized out>) at ./bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:122
#10 bridges::cpp_uno::shared::freeUnoInterfaceProxy(uno_ExtEnvironment*, void*) (pEnv=<optimized out>, pProxy=0x7fb61c8fef40) at ./bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:49
#11 0x00007fb6877a3b32 in (anonymous namespace)::s_stub_defenv_revokeInterface(va_list*) (pParam=<optimized out>) at ./cppu/source/uno/lbenv.cxx:372
#12 0x00007fb68779ead6 in s_environment_invoke_v(uno_Environment*, uno_Environment*, uno_EnvCallee*, va_list*) (pCurrEnv=0x0, pTargetEnv=<optimized out>, pCallee=0x7fb6877a38a0 <(anonymous namespace)::s_stub_defenv_revokeInterface(va_list*)>, pParam=pParam@entry=0x7fb670ff7120) at ./cppu/source/uno/EnvStack.cxx:293
#13 0x00007fb68779ec27 in uno_Environment_invoke_v(uno_Environment*, uno_EnvCallee*, va_list*) (pTargetEnv=<optimized out>, pCallee=<optimized out>, pParam=pParam@entry=0x7fb670ff7120) at ./cppu/source/uno/EnvStack.cxx:312
#14 0x00007fb68779ecc4 in uno_Environment_invoke(uno_Environment*, uno_EnvCallee*, ...) (pEnv=<optimized out>, pCallee=<optimized out>) at ./cppu/source/uno/EnvStack.cxx:321
#15 0x00007fb683239caa in com::sun::star::uno::UnoInterfaceReference::~UnoInterfaceReference() (this=<optimized out>, this=<optimized out>) at ./include/uno/dispatcher.hxx:107
#16 binaryurp::Bridge::releaseStub(rtl::OUString const&, com::sun::star::uno::TypeDescription const&) (type=..., oid="560086a7ac30;gcc3[0];99a260952b14ad884c4eb10855e962", this=0x7fb678001540) at ./binaryurp/source/bridge.cxx:514
#17 binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*, std::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny> >*) const (outArguments=<optimized out>, returnValue=<optimized out>, this=0x7fb650249ab0) at ./binaryurp/source/incomingrequest.cxx:138
#18 binaryurp::IncomingRequest::execute() const (this=0x7fb650249ab0) at ./binaryurp/source/incomingrequest.cxx:79
#19 binaryurp::(anonymous namespace)::request(void*) (pThreadSpecificData=0x7fb650249ab0) at ./binaryurp/source/reader.cxx:86
#20 0x00007fb68778ee17 in cppu_threadpool::JobQueue::enter(void const*, bool) (this=0x7fb6503926f0, nDisposeId=nDisposeId@entry=0x7fb6182fd3a0, bReturnWhenNoJob=bReturnWhenNoJob@entry=true) at ./cppu/source/threadpool/jobqueue.cxx:100
#21 0x00007fb68778f4d1 in cppu_threadpool::ORequestThread::run() (this=0x7fb6182fd3a0) at ./cppu/source/threadpool/thread.cxx:165
#22 0x00007fb68778f720 in osl::threadFunc(void*) (param=0x7fb6182fd3b0) at ./include/osl/thread.hxx:189
#23 0x00007fb68de73c3b in osl_thread_start_Impl(void*) (pData=0x7fb61876fa60) at ./sal/osl/unx/thread.cxx:265
#24 0x00007fb6898a7fd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#25 0x00007fb6899285bc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Full gdb log with stack traces of all threads is attached.

This stack trace was obtained with LibreOffice version from Debian testing (4:7.4.5-2).
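
Added example (not part of the original report and not LibreOffice or unoserver code): a small Python triage helper for a gdb backtrace like the one in the description. It rejoins frames that a terminal has wrapped across lines, extracts the glibc abort message, and reports the first frame outside glibc's abort/allocator path; the source-path prefixes used to recognise glibc frames and the function names are assumptions made for this example.

```python
import re

# Abridged excerpt of the trace in the description; frame #16 is wrapped as a terminal would wrap it.
SAMPLE = """\
#5  0x00007fb6898b364a in malloc_printerr (str=str@entry=0x7fb6899bb1c0 "free(): corrupted unsorted chunks") at ./malloc/malloc.c:5660
#7  0x00007fb6898b7d2f in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3385
#8  0x00007fb68de34413 in rtl::OUString::~OUString() (this=0x7fb61c8fef78, __in_chrg=<optimized out>) at ./include/rtl/ustring.hxx:526
#9  bridges::cpp_uno::shared::UnoInterfaceProxy::~UnoInterfaceProxy() (this=0x7fb61c8fef40, __in_chrg=<optimized out>) at ./bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:122
#16 binaryurp::Bridge::releaseStub(rtl::OUString const&, com::sun::star::uno::TypeDescription const&) (type=..., oid="560086a7ac30;gcc3[0];99a260952b14ad884c4eb10855e962", this=0x7fb67800154
0) at ./binaryurp/source/bridge.cxx:514
"""

# Assumption: source prefixes of glibc's abort/allocator path as they appear in this Debian build.
LIBC_PREFIXES = ("./nptl/", "../sysdeps/", "./stdlib/", "./malloc/")
FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.*) at (\S+):(\d+)$")

def parse_frames(text):
    """Join wrapped lines, then return (index, function, file, line) per frame."""
    joined = []
    for raw in text.splitlines():
        if re.match(r"#\d+\s", raw) or not joined:
            joined.append(raw)
        else:
            joined[-1] += raw  # continuation of a wrapped frame
    frames = []
    for line in joined:
        m = FRAME.match(line)
        if m:
            func = m.group(2).split(" (", 1)[0]  # heuristic: arguments start at the first " ("
            frames.append((int(m.group(1)), func, m.group(3), int(m.group(4))))
    return frames

def triage(text):
    """Return (glibc abort message, first frame outside glibc, all frames)."""
    msg = re.search(r'malloc_printerr \(str=\S+ "([^"]*)"', text)
    frames = parse_frames(text)
    first = next((f for f in frames if not f[2].startswith(LIBC_PREFIXES)), None)
    return (msg.group(1) if msg else None), first, frames

if __name__ == "__main__":
    message, detected_in, _ = triage(SAMPLE)
    print(message)
    print("detected while freeing in frame #%d %s (%s:%d)" % detected_in)
```

The frame reported is where glibc's free() integrity check fired, which need not be where the heap was corrupted.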
Comment 1 Stéphane Guillou (stragu) 2023-05-28 23:01:38 UTC
7.4 shouldn't see further bugfix versions. Can you please test again with version 7.5?
Comment 2 Dmitry Shachnev 2023-05-29 15:11:44 UTC
Created attachment 187582
first gdb trace with 7.5.4 rc1
Comment 3 Dmitry Shachnev 2023-05-29 15:13:22 UTC
Created attachment 187583
second gdb trace with 7.5.4 rc1

Tested with 7.5.4 release candidate 1 (from Debian experimental).

The bug is still there. The error message is the same (free(): corrupted unsorted chunks). I ran it two times and saw two different stack traces. Attaching both.
Comment 4 QA Administrators 2023-05-30 03:16:11 UTC Comment hidden (obsolete)