Bug 75657 - if <page-down> past a certain point, SIGABRT or SEGFAULT upon exit
Summary: if <page-down> past a certain point, SIGABRT or SEGFAULT upon exit
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer (show other bugs)
(earliest affected) Master
Hardware: x86-64 (AMD64) Linux (All)
: medium normal
Assignee: Not Assigned
Keywords: haveBacktrace
Depends on:
Reported: 2014-03-02 02:12 UTC by Terrence Enger
Modified: 2016-12-11 00:05 UTC (History)
1 user (show)

See Also:
Crash report or crash signature:
Regression By:

screenshot, document as first displayed (168.26 KB, image/png)
2014-03-02 02:14 UTC, Terrence Enger
screenshot, document window after 38 times <page-down> (120.25 KB, image/png)
2014-03-02 02:15 UTC, Terrence Enger
screenshot, document window after 39th <page-down> (133.75 KB, image/png)
2014-03-02 02:16 UTC, Terrence Enger
typescript with backtrace with symbols (42.06 KB, text/plain)
2014-03-02 02:17 UTC, Terrence Enger
typescript with segfault; backtrace is at line 400 (47.66 KB, text/plain)
2015-04-22 16:47 UTC, Terrence Enger

Note You need to log in before you can comment on or make changes to this bug.
Description Terrence Enger 2014-03-02 02:12:30 UTC
Steps to reproduce

(1) Download file "DOC-export footnote Error.odt" attached to bug
    73095 "Writer's UI crashes when scrolling pages if formatting
    marks are visible".

(2) Open the file from the command line.  The program presents the
    document window un-maximized as per first screenshot.  Make sure
    that your screen shows the same amount of the document as mine

(3) Type <page-down> 38 times.  But when I was running under gdb, the
    behaviour was a bit different:
        (a) The window opened initially showing more of the document;
            I made the window less high accordingly.
        (b) It took 41 times <page-down> to reach the particular point
            in the document.
    Anyway, the document is now positioned as in the second

(4) Type <page-down>.  The document is positioned as in the third

(5) Take menu options File > Close.  SIGABRT.

I do not observe the crash after a mere 38 <page-down>'s, but any
larger number gives me a crash when I close the program.

My LibreOffice is master commit 295bc87, fetched 2014-02-24 UTC,
configured as:


For comparison, I do not see the crash with LO version, but
the "canary" pointer (all nines) evident in the backtrace makes me
suspect that my debug build is a factor in causing the crash.
Comment 1 Terrence Enger 2014-03-02 02:14:28 UTC
Created attachment 94947 [details]
screenshot, document as first displayed
Comment 2 Terrence Enger 2014-03-02 02:15:42 UTC
Created attachment 94948 [details]
screenshot,  document window after 38 times <page-down>
Comment 3 Terrence Enger 2014-03-02 02:16:36 UTC
Created attachment 94949 [details]
screenshot, document window after 39th <page-down>
Comment 4 Terrence Enger 2014-03-02 02:17:42 UTC
Created attachment 94950 [details]
typescript with backtrace with symbols
Comment 5 Terrence Enger 2014-03-02 02:19:37 UTC
Setting status NEW.
Comment 6 Terrence Enger 2014-03-02 02:25:47 UTC
Bugzilla search does not go into attachments, so let me note here that
the backtrace shows STL debug objects near the top of the stack.
Comment 7 Julien Nabet 2015-04-19 10:45:08 UTC
On pc Debian x86-64 with master sources updated today, I don't reproduce this.

Could you give a try with a recent LO version?
Comment 8 Terrence Enger 2015-04-22 16:47:28 UTC
Created attachment 115010 [details]
typescript with segfault; backtrace is at line 400

The problem is now a segfault in master commit 69262e4, fetched
2014-04-15 21:42 UTC, configured
    --enable-option-checking=fatal --enable-dbgutil --enable-crashdump
    --without-system-postgresql --without-myspell-dicts
    --with-extra-buildid --without-doxygen
    --enable-online-update --disable-gstreamer-1-0
built and running on debian-wheezy.

I have a different (smaller) display now, so needed more <page-down>'s
and may not have gone exactly as far down the document as I did
in 2014.  I do not know whether this can account for different
behaviour now.

As before, "canary" pointer value all-nines in the frame at the top of
the call stack suggests that only a debug build will show the problem
in this particular way.

The function names in frames 2 through 47 on the current backtrace are
same as in frames 9 through 54 of the backtrace from 2014-03-02.
Comment 9 Terrence Enger 2015-04-22 16:48:57 UTC
setting status NEW and changing "sigabrt" to "segfault" in summary.
Comment 10 Julien Nabet 2015-09-08 21:00:51 UTC
Taking a look at some not recent bugs, I just noticed this:
#6  0x00007f85a9697d86 in accessibility::AccessibleProxyEditSource_Impl::AccessibleProxyEditSource_Impl (this=0x3506920, rObj=..., rView=..., rViewWindow=...)
    at /home/terry/lo_hacking/git/libo2/svx/source/accessibility/AccessibleEmptyEditSource.cxx:179

Do you have accessibility options enabled? If yes, could you give a try after having disabled them?
Comment 11 Terrence Enger 2015-09-16 14:54:59 UTC
I have reproduced a SIGABRT with two set of settings in "Tools >
    Options... > LibreOfficeDev > Accessibility" ...

    Miscellaneous Options
        Use text selection cursor in read-only text documents       ( )  ( )
        Allow animated graphics                                     (x)  ( )
        Allow animaged text                                         (x)  ( )
    Options for High Contrase Appearance
        Automatically detect high contrast mode of operating system ( )  ( )
        Use automatic font color for screen display                 ( )  ( )
        Use system colors for page previews                         (x)  ( )
                                                                     |    |
                                                as found (SIGABRT) --+    |
                                               next test (SIGABRT) -------+

Most recently, with daily dbgutil bibisect version 2015-09-16, when I
close the document the terminal output includes ...

    warn:legacy.osl:5015:1:editeng/source/items/frmitems.cxx:476: unknown MemberId
    warn:legacy.osl:5015:1:sw/source/core/access/accmap.cxx:1707: Frame map should be empty after disposing the root frame
    warn:legacy.osl:5015:1:sw/source/core/access/accmap.cxx:1724: Object map should be empty after disposing the root frame
    warn:legacy.osl:5015:1:sw/source/core/access/accmap.cxx:175: draw model listener is disposed
    /usr/include/c++/4.8/debug/vector:346:error: attempt to subscript container 
        with out-of-bounds index 139898641233528, but container only holds 6 

    Objects involved in the operation:
    sequence "this" @ 0x0x34aa288 {
      type = NSt7__debug6vectorIP11SfxListenerSaIS2_EEE;
    Application Error

    Fatal exception: Signal 6

Just to confuse the issue (sigh!) ...

(a) My screen only lets me enlarge the document window to almost one
    (footnote) line shorter that it was when I first reported the bug.

(b) In an earlier test, I paused occasionally among the <page-down>
    keystrokes until the program repainted the document window.  The
    program quit abruptly, i.e. before I had a chance to close the

(c) Now, I have done <page-down> 40 times in quick tempo.  The
    document window still shows the top of the document; soffice.bin
    has pegged the CPU and has accumulated 8 minutes of CPU time.  The
    tail of the terminal output is ...

        warn:legacy.osl:5127:1:sw/source/core/access/acccontext.cxx:1154: child context should have a size
        warn:legacy.osl:5127:1:vcl/source/gdi/image.cxx:392: ImageAryData::Load: failed to load image 'cmd/lc_changecasetolower.png'
        warn:legacy.osl:5127:1:vcl/source/gdi/image.cxx:392: ImageAryData::Load: failed to load image 'cmd/lc_changecasetoupper.png'
        W: Unknown node under /registry/extlang: deprecated
        W: Unknown node under /registry/grandfathered: comments
        W: Unknown node under /registry/grandfathered: comments
        warn:legacy.osl:5127:1:editeng/source/items/frmitems.cxx:476: unknown MemberId
        warn:legacy.osl:5127:1:editeng/source/items/frmitems.cxx:476: unknown MemberId
        warn:legacy.osl:5127:1:sw/source/core/access/acccontext.cxx:305: Vis area of child is wrong. Did it exist already?
Comment 12 QA Administrators 2016-09-20 10:32:18 UTC Comment hidden (obsolete)
Comment 13 Terrence Enger 2016-12-11 00:05:03 UTC
I no longer see the bug in commit b157b82a, pulled around 2016-12-10
02:45 UTC, configured ...
    CC=ccache /usr/bin/gcc
    CXX=ccache /usr/bin/g++
built and running on debian-stretch.

I am setting status RESOLVED WORKSFORME.