Bug 93778 - gestureLongPress cores being passed a NULL frame
Summary: gestureLongPress cores being passed a NULL frame
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version (earliest affected): 5.0.1.2 release
Hardware: Other All
Importance: high major
Assignee: Not Assigned
URL:
Whiteboard: backtrace target:5.0.2
Keywords:
Duplicates: 94385
Depends on:
Blocks:
Reported: 2015-08-30 06:57 UTC by Richard PALO
Modified: 2015-09-23 21:36 UTC
CC: 4 users

See Also:
Crash report or crash signature:
Description Richard PALO 2015-08-30 06:57:34 UTC
With 5.0.1.2 I happened to come across an action causing a core.

gestureLongPress seems to be called with a NULL frame
(this is a pstack core piped through gc++flt)
>-----------------  lwp# 1 / thread# 1  --------------------
> fa8f8b58 GtkSalFrame::gestureLongPress(_GtkGestureLongPress*, void*) (d561750, 0, 409c1c00, 0, 40809000, e5ceb48) + 78
> f9eb26ca ffi_call_SYSV (f9eb1f70, 8047254, 20, 0, 80472e0, fa8f8ae0) + 1a
> f9eb239e ffi_call (8047358, fa8f8ae0, 80472e0, 80472a0, 0, 409c1c00) + 7e
> f9f04d2e g_cclosure_marshal_generic_va (e16d378, 0, d561750, 804753c, 0, 2) + 1de
> f9f04453 _g_closure_invoke_va (e16d378, 0, d561750, 804752c, 2, d55e5f0) + 143
> f9f1d3cd g_signal_emit_valist (d561750, c4, 0, 804752c) + 81d
> f9f1dbd4 g_signal_emit (d561750, c4, 0, 0, 409c1c00, 0) + 24
> f964660c _gtk_gesture_long_press_timeout (d561750, fa85d0d0, 8047588, fa7e4b7c) + 5c
> fa7e4b97 gdk_threads_dispatch (d298300, 7fffffff, f9e39c2b, f9df493d, f9ea8a80, 10994a68) + 37
> f9df494f g_timeout_dispatch (12bdbf58, fa7e4b60, d298300, 80475e8, e3e025e8, 80475e8) + 1f
> f9df3d39 g_main_context_dispatch (d250b18, 7fffffff, 1077faf8, 5) + 129
> f9df4139 g_main_context_iterate.isra.29 (1, 0, 8047688, f9df422d, 80733a0, 0) + 209
> f9df420a g_main_context_iteration (0, 1, 80476d8, fa8d0411) + 3a
> fa8d04ca GtkData::Yield(bool, bool) (806c830, 1, 0, fa8d167d) + fa
> fa8d1693 GtkInstance::Yield(bool, bool) (806af38, 1, 0, fd4b9085, fd5d90b8, fd694c80) + 43
> fd4b90c5 Application::Yield() (feae54cc, 8047700, 80478d8, fea852cf, 8047760, feffb0a8) + 55
> fd4b9165 Application::Execute() (8047760, feffb0a8, feffc500, 80477bc, fea86230, 80477e8) + 35
> fea852cf desktop::Desktop::Main() (8047958, 1, 8047918, fd4bf075, 8047910, fefc2320) + 10df
> fd4bf13b ImplSVMain() (feaac51f, 0, 0, 67abfd50, feae54cc, 8047954) + eb
> fd4bf1ae SVMain() (805126e, feb30018, fea577bc, feaf19c0, fedd7e00, 80699d0) + 2e
> feaac51f soffice_main (2, 8047a1c, 80479d8, 805720a, 80678c4, 80479d8) + 9f
> 080572bd main     (fef00a37, fef796e8, 8047a10, 8051af3, 2, 8047a1c) + 2d
> 08051af3 _start   (2, 8047b20, 8047b53, 0, 8047b63, 8047b9d) + 83


Steps to repeat (in default French locale):
1. launch LO
2. create new document
3. double click the "show" slider on the extreme right side of window

Effect is immediate.

What is weird: I tried launching LO with LANG=C to do the same thing.

In default English the action seems to work by showing the docked right toolbar.
If I now go back to the default, fr_FR locale, things seem alright and I can no longer repeat the core dumps.

Perhaps this is somehow an issue with defaults in non default en_US locales?
I'm perplexed.
Comment 1 Richard PALO 2015-09-07 16:05:15 UTC
Now I can reproduce easily in, for example, localc.
As the name of the routine indicates, click anywhere holding it for a long moment.
Comment 2 Chris Halls 2015-09-12 15:07:40 UTC
Also seen in Debian bug 798591 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798591) by 2 separate users on 5.0.1

> Version: 1:5.0.1-1

> I updated some machines with the version 5 of Libre Office and now when user
> holds the left button of mouse to select some text or cells, the program
> closes, losing user data.

> I noticed that this happened when the user holds and doesn't move the mouse,
> like a long click. Whatever, if he clicks, holds and moves the mouse, this
> doesn't happen.

and

> I can reproduce this here. Backtrace is identical to Junior Polegato's (except
> different hex addresses.)
> All packages freshly updated from stretch.
Comment 3 Chris Halls 2015-09-12 15:12:08 UTC
Backtrace from Debian bug report:

Thread 1 (Thread 0xb007f900 (LWP 26877)):
#0  GtkSalFrame::gestureLongPress (gesture=0x8a153c0, frame=0x0) at /build/libreoffice-U8a4ZQ/libreoffice-5.0.1/vcl/unx/gtk3/window/../../gtk/window/gtksalframe.cxx:3552
#1  0xb04f8d72 in ffi_call_SYSV () from /usr/lib/i386-linux-gnu/libffi.so.6
#2  0xb04f89ec in ffi_call () from /usr/lib/i386-linux-gnu/libffi.so.6
#3  0xb2db341d in g_cclosure_marshal_generic_va () from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#4  0xb2db2abf in ?? () from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#5  0xb2dcc8d9 in g_signal_emit_valist () from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#6  0xb2dcd1b5 in g_signal_emit () from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#7  0xaefbf7ac in ?? () from /usr/lib/i386-linux-gnu/libgtk-3.so.0
#8  0xaed49dfc in ?? () from /usr/lib/i386-linux-gnu/libgdk-3.so.0
#9  0xb2cc4a21 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#10 0xb2cc3e03 in g_main_context_dispatch () from /lib/i386-linux-gnu/libglib-2.0.so.0
#11 0xb2cc4219 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#12 0xb2cc42e6 in g_main_context_iteration () from /lib/i386-linux-gnu/libglib-2.0.so.0
#13 0xaf61b8fa in GtkData::Yield (this=0x80b7e00, bWait=true, bHandleAllCurrentEvents=false) at /build/libreoffice-U8a4ZQ/libreoffice-5.0.1/vcl/unx/gtk3/app/../../gtk/app/gtkdata.cxx:596
#14 0xaf61cbf0 in GtkInstance::Yield (this=0x80b9618, bWait=true, bHandleAllCurrentEvents=false) at /build/libreoffice-U8a4ZQ/libreoffice-5.0.1/vcl/unx/gtk3/app/../../gtk/app/gtkinst.cxx:407
#15 0xb696fdb5 in ImplYield (i_bAllEvents=false, i_bWait=true) at /build/libreoffice-U8a4ZQ/libreoffice-5.0.1/vcl/source/app/svapp.cxx:353
#16 Application::Yield () at /build/libreoffice-U8a4ZQ/libreoffice-5.0.1/vcl/source/app/svapp.cxx:382
#17 0xb696fe55 in Application::Execute () at /build/libreoffice-U8a4ZQ/libreoffice-5.0.1/vcl/source/app/svapp.cxx:336
#18 0xb59876af in desktop::Desktop::Main (this=0xbffff098) at /build/libreoffice-U8a4ZQ/libreoffice-5.0.1/desktop/source/app/app.cxx:1605
#19 0xb69759bb in ImplSVMain () at /build/libreoffice-U8a4ZQ/libreoffice-5.0.1/vcl/source/app/svmain.cxx:162
#20 0xb6975a29 in SVMain () at /build/libreoffice-U8a4ZQ/libreoffice-5.0.1/vcl/source/app/svmain.cxx:196
#21 0xb59a7730 in soffice_main () at /build/libreoffice-U8a4ZQ/libreoffice-5.0.1/desktop/source/app/sofficemain.cxx:96
#22 0x0804857d in sal_main () at /build/libreoffice-U8a4ZQ/libreoffice-5.0.1/desktop/source/app/main.c:48
#23 main (argc=2, argv=0xbffff1d4) at /build/libreoffice-U8a4ZQ/libreoffice-5.0.1/desktop/source/app/main.c:47
Comment 4 Chris Halls 2015-09-14 15:37:35 UTC
I'm still not able to reproduce the problem here but I have enough
information to see where it is crashing. This is the frame here:

#0  GtkSalFrame::gestureLongPress (gesture=0x8997ad0, frame=0x0) at
/build/libreoffice-U8a4ZQ/libreoffice-5.0.1/vcl/unx/gtk3/window/../../gtk/window/gtksalframe.cxx:3552

gtksalframe.cxx line 3552 is here:
http://sources.debian.net/src/libreoffice/1:5.0.1-1/vcl/unx/gtk/window/gtksalframe.cxx/?hl=3552#L3552

3552    pThis->CallCallback(SALEVENT_LONGPRESS, &aEvent);

That looks like a null pointer was passed in as the frame parameter, and
it is causing the crash.

The code was committed here:

commit 873141fb5be5fa49b56ea413bc912af33f758a0b
Author: Caolán McNamara <caolanm@redhat.com>
Date:   Thu Mar 26 10:20:34 2015 +0000

    add GtkLongPressGesture support and implement long-press in slideshow

    so a long press shows the context menu to e.g. allow switching on/off
    draw-on-slide mode

    Change-Id: Icd6ea52d2172217794f4fc802246ccf13020e134
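The crash shape above, as an added C example that is not LibreOffice's code: GTK3 documents the "pressed" signal of GtkGestureLongPress as handler(gesture, x, y, user_data), while the handler in the pstack trace takes only (gesture, user_data), and connecting such a handler through the untyped G_CALLBACK() cast lets the generic marshaller fill the frame slot from the wrong argument, which is one way a null frame can arrive (inferred from the trace, not stated in this report). Frame, PressedHandler and emit_pressed are stand-ins for GtkSalFrame, the signal's handler type and g_signal_emit; the point is a handler prototype the compiler can check plus a null guard that drops the event instead of dereferencing.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the GtkSalFrame that the handler expects as its user_data. */
typedef struct {
    int    long_press_events;  /* how many long-press callbacks were delivered */
    double last_x, last_y;     /* pointer position recorded by the last event */
} Frame;

/* GTK3 documents the "pressed" signal of GtkGestureLongPress as
 *   void handler(GtkGestureLongPress *gesture, gdouble x, gdouble y, gpointer user_data)
 * Connecting through G_CALLBACK() erases this type, so a handler declared with
 * only (gesture, user_data) still compiles, but at emission time the generic
 * marshaller feeds its second slot from the x argument, not from user_data.
 * This typedef keeps the full signature so the compiler can check handlers. */
typedef int (*PressedHandler)(void *gesture, double x, double y, void *user_data);

/* Correctly typed handler with a null guard: returns 1 when the event was
 * delivered to the frame, 0 when the frame pointer was missing. */
static int gesture_long_press(void *gesture, double x, double y, void *user_data)
{
    Frame *frame = (Frame *)user_data;
    (void)gesture;
    if (frame == NULL)
        return 0;              /* bad registration: drop the event, don't crash */
    frame->long_press_events++;
    frame->last_x = x;
    frame->last_y = y;
    return 1;
}

/* Minimal stand-in for g_signal_emit(): invokes the handler with the argument
 * order the real signal uses. Because the parameter is typed, passing a
 * two-parameter handler here is a compile error rather than a runtime crash. */
static int emit_pressed(PressedHandler handler, void *gesture,
                        double x, double y, void *user_data)
{
    return handler(gesture, x, y, user_data);
}

int main(void)
{
    Frame frame = {0, 0.0, 0.0};
    int dummy_gesture;           /* constructed stand-in for the gesture object */
    int delivered = emit_pressed(gesture_long_press, &dummy_gesture, 120.0, 42.5, &frame);
    int dropped   = emit_pressed(gesture_long_press, &dummy_gesture, 120.0, 42.5, NULL);
    printf("delivered=%d dropped=%d events=%d at (%.1f, %.1f)\n",
           delivered, dropped, frame.long_press_events, frame.last_x, frame.last_y);
    return 0;
}
```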
Comment 5 Commit Notification 2015-09-14 15:57:12 UTC
Szymon Kłos committed a patch related to this issue.
It has been pushed to "libreoffice-5-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=5eb91d291d383c519c5b931bc6218c0c5caa8f3d&h=libreoffice-5-0

Resolves: tdf#93778 fixed crash

It will be available in 5.0.3.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 6 Commit Notification 2015-09-16 07:21:39 UTC
Szymon Kłos committed a patch related to this issue.
It has been pushed to "libreoffice-5-0-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=fae0437caa6a1c51a0c4ab9595069fb8db890ea3&h=libreoffice-5-0-2

Resolves: tdf#93778 fixed crash

It will be available in 5.0.2.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 7 Buovjaga 2015-09-21 13:47:07 UTC
*** Bug 94385 has been marked as a duplicate of this bug. ***