
LibreOffice is crashing with 1.7.0 #618

Closed
khaledhosny opened this issue Nov 14, 2017 · 5 comments

Comments

@khaledhosny
Collaborator

See https://ci.libreoffice.org/job/lo_gerrit/22098/Config=linux_clang_dbgutil_64/console

@mhosken thinks it might be related to atexit, I couldn’t debug it locally myself. Not sure what changed in HarfBuzz in 1.7.0, but 1.6.3 was working fine.

@mhosken
Contributor

mhosken commented Nov 14, 2017

Further from valgrind we see:

==10138== Invalid read of size 4
==10138==    at 0xFF1D709: hb_font_funcs_destroy (in /home/mhosken/Work/dev/OpenOffice/libo/libo/instdir/program/libvcllo.so)
==10138==    by 0xFF1FC10: hb_font_destroy (in /home/mhosken/Work/dev/OpenOffice/libo/libo/instdir/program/libvcllo.so)
==10138==    by 0xFE80836: FreetypeFont::~FreetypeFont() (freetype_glyphcache.cxx:487)
==10138==    by 0xFE84D0F: GlyphCache::InvalidateAllGlyphs() (glyphcache.cxx:59)
==10138==    by 0xFE84D8B: GlyphCache::~GlyphCache() (glyphcache.cxx:48)
==10138==    by 0xFE84DD8: GlyphCache::~GlyphCache() (glyphcache.cxx:50)
==10138==    by 0xFE7C3B9: std::unique_ptr<GlyphCache, std::default_delete<GlyphCache> >::~unique_ptr() (unique_ptr.h:268)
==10138==    by 0x5C79EBF: __run_exit_handlers (exit.c:83)
==10138==    by 0x5C79F19: exit (exit.c:105)
==10138==    by 0x5C5F1C7: (below main) (libc-start.c:342)
==10138==  Address 0x1fce97e0 is 0 bytes inside a block of size 432 free'd
==10138==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10138==    by 0x5C79EBF: __run_exit_handlers (exit.c:83)
==10138==    by 0x5C79F19: exit (exit.c:105)
==10138==    by 0x5C5F1C7: (below main) (libc-start.c:342)
==10138==  Block was alloc'd at
==10138==    at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10138==    by 0xFF1D5EF: hb_font_funcs_create (in /home/mhosken/Work/dev/OpenOffice/libo/libo/instdir/program/libvcllo.so)
==10138==    by 0xFF2AC24: hb_ot_font_set_funcs (in /home/mhosken/Work/dev/OpenOffice/libo/libo/instdir/program/libvcllo.so)
==10138==    by 0xFD7313C: createHbFont(hb_face_t*) (CommonSalLayout.cxx:116)
==10138==    by 0xFD73250: CommonSalLayout::InitFromFreetypeFont() (CommonSalLayout.cxx:273)

Which implies a race condition over freeing something in a font between two exit handlers. Shame valgrind can't tell us which exit handlers. But I'm assuming one is the harfbuzz exit handlers and the other the libo test. Does a font reference a static that it tries to free or something?

@atsampson

I'm seeing this as well -- svgio.test crashes on exit (glibc reports malloc corruption) when libreoffice 5.4.3.2 is built against harfbuzz 1.7.0. Here's the valgrind output:

==22730== Memcheck, a memory error detector
==22730== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==22730== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==22730== Command: /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/Executable/cppunittester /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/CppunitTest/libtest_svgio.so --headless -env:BRAND_BASE_DIR=file:///src/text/libreoffice/work/libreoffice-5.4.3.2/instdir -env:BRAND_SHARE_SUBDIR=share -env:UserInstallation=file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/CppunitTest/svgio.test.user -env:CONFIGURATION_LAYERS=xcsxcu:file:///src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/share/registry\ xcsxcu:file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/unittest/registry -env:UNO_TYPES=file:///src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/types.rdb\ file:///src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/types/offapi.rdb -env:UNO_SERVICES=file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/ComponentTarget/CppunitTest/svgio/svgio.component\ file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/Rdb/ure/services.rdb\ file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/ComponentTarget/configmgr/source/configmgr.component\ file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/ComponentTarget/dtrans/util/mcnttype.component\ file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/ComponentTarget/framework/util/fwk.component\ file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/ComponentTarget/i18npool/util/i18npool.component\ file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/ComponentTarget/package/source/xstor/xstor.component\ file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/ComponentTarget/package/util/package2.component\ file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/ComponentTarget/toolkit/util/tk.component\ file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/ComponentTarget/sfx2/util/sfx.component\ 
file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/ComponentTarget/ucb/source/core/ucb1.component\ file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/ComponentTarget/ucb/source/ucp/file/ucpfile1.component\ file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/ComponentTarget/unotools/util/utl.component\ file:///src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/ComponentTarget/sax/source/expatwrap/expwrap.component -env:URE_INTERNAL_LIB_DIR=file:///src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program -env:LO_LIB_DIR=file:///src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program -env:LO_JAVA_DIR=file:///src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/classes --protector /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/Library/unoexceptionprotector.so unoexceptionprotector --protector /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/Library/unobootstrapprotector.so unobootstrapprotector --protector /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/Library/libvclbootstrapprotector.so vclbootstrapprotector -env:CPPUNITTESTTARGET=/src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/CppunitTest/svgio.test
==22730==
(anonymous namespace)::Test::testStyles finished in: 1278ms
(anonymous namespace)::Test::testTdf87309 finished in: 140ms
(anonymous namespace)::Test::testFontsizeKeywords finished in: 68686ms
(anonymous namespace)::Test::testFontsizePercentage finished in: 35ms
(anonymous namespace)::Test::testFontsizeRelative finished in: 655ms
(anonymous namespace)::Test::testTdf45771 finished in: 39ms
(anonymous namespace)::Test::testTdf97941 finished in: 49ms
(anonymous namespace)::Test::testTdf85770 finished in: 72ms
(anonymous namespace)::Test::testTdf79163 finished in: 31ms
(anonymous namespace)::Test::testTdf97542_1 finished in: 553ms
(anonymous namespace)::Test::testTdf97542_2 finished in: 545ms
(anonymous namespace)::Test::testTdf97543 finished in: 37ms
(anonymous namespace)::Test::testRGBColor finished in: 39ms
(anonymous namespace)::Test::testRGBAColor finished in: 24ms
(anonymous namespace)::Test::testTdf97936 finished in: 50ms
(anonymous namespace)::Test::testClipPathAndParentStyle finished in: 114ms
(anonymous namespace)::Test::testClipPathAndStyle finished in: 51ms
(anonymous namespace)::Test::testi125329 finished in: 80ms
(anonymous namespace)::Test::testMaskingPath07b finished in: 1406ms
(anonymous namespace)::Test::test47446 finished in: 114ms
(anonymous namespace)::Test::test47446b finished in: 56ms
(anonymous namespace)::Test::testMaskText finished in: 102ms
(anonymous namespace)::Test::testTdf99994 finished in: 485ms
(anonymous namespace)::Test::testTdf101237 finished in: 55ms
OK (24)
==22730== Invalid read of size 4
==22730==    at 0x15EE0CD4: hb_object_destroy<hb_font_funcs_t> (hb-object-private.hh:187)
==22730==    by 0x15EE0CD4: hb_font_funcs_destroy (hb-font.cc:456)
==22730==    by 0x15EE3390: hb_font_destroy (hb-font.cc:1260)
==22730==    by 0x143E640F: FreetypeFont::~FreetypeFont() (in /src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/libvcllo.so)
==22730==    by 0x143E877F: GlyphCache::InvalidateAllGlyphs() (in /src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/libvcllo.so)
==22730==    by 0x143E87DA: GlyphCache::~GlyphCache() (in /src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/libvcllo.so)
==22730==    by 0x143E883B: GlyphCache::~GlyphCache() (in /src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/libvcllo.so)
==22730==    by 0x5BEF757: __run_exit_handlers (exit.c:83)
==22730==    by 0x5BEF7A9: exit (exit.c:105)
==22730==    by 0x5BD9F30: (below main) (libc-start.c:342)
==22730==  Address 0x240de850 is 0 bytes inside a block of size 432 free'd
==22730==    at 0x4C2E018: free (vg_replace_malloc.c:530)
==22730==    by 0x5BEF757: __run_exit_handlers (exit.c:83)
==22730==    by 0x5BEF7A9: exit (exit.c:105)
==22730==    by 0x5BD9F30: (below main) (libc-start.c:342)
==22730==  Block was alloc'd at
==22730==    at 0x4C2ED1E: calloc (vg_replace_malloc.c:711)
==22730==    by 0x15EE0BB2: hb_object_create<hb_font_funcs_t> (hb-object-private.hh:138)
==22730==    by 0x15EE0BB2: hb_font_funcs_create (hb-font.cc:406)
==22730==    by 0x15EEF1E4: _hb_ot_get_font_funcs (hb-ot-font.cc:679)
==22730==    by 0x15EEF1E4: hb_ot_font_set_funcs (hb-ot-font.cc:726)
==22730==    by 0x142EE31A: CommonSalLayout::CommonSalLayout(FreetypeFont&) (in /src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/libvcllo.so)
==22730==    by 0x143E351B: CairoTextRender::GetTextLayout(ImplLayoutArgs&, int) (in /src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/libvcllo.so)
==22730==    by 0x141C0521: OutputDevice::ImplLayout(rtl::OUString const&, int, int, Point const&, long, long const*, SalLayoutFlags, vcl::TextLayoutCache const*) const (in /src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/libvcllo.so)
==22730==    by 0x141C0824: OutputDevice::GetTextArray(rtl::OUString const&, long*, int, int, vcl::TextLayoutCache const*) const (in /src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/libvcllo.so)
==22730==    by 0x1439A214: ImplFontMetricData::ImplInitTextLineSize(OutputDevice const*) (in /src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/libvcllo.so)
==22730==    by 0x141BCC6F: OutputDevice::ImplNewFont() const (in /src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/libvcllo.so)
==22730==    by 0x141C0697: OutputDevice::ImplLayout(rtl::OUString const&, int, int, Point const&, long, long const*, SalLayoutFlags, vcl::TextLayoutCache const*) const (in /src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/libvcllo.so)
==22730==    by 0x141C0824: OutputDevice::GetTextArray(rtl::OUString const&, long*, int, int, vcl::TextLayoutCache const*) const (in /src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/libvcllo.so)
==22730==    by 0x2003110E: drawinglayer::primitive2d::TextLayouterDevice::getTextWidth(rtl::OUString const&, unsigned int, unsigned int) const (in /src/text/libreoffice/work/libreoffice-5.4.3.2/instdir/program/libdrawinglayerlo.so)
==22730==    by 0x1FD209FD: svgio::svgreader::SvgCharacterNode::createSimpleTextPrimitive(svgio::svgreader::SvgTextPosition&, svgio::svgreader::SvgStyleAttributes const&) const (in /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/CppunitTest/libtest_svgio.so)
==22730==    by 0x1FD212D3: svgio::svgreader::SvgCharacterNode::decomposeTextWithStyle(drawinglayer::primitive2d::Primitive2DContainer&, svgio::svgreader::SvgTextPosition&, svgio::svgreader::SvgStyleAttributes const&) const (in /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/CppunitTest/libtest_svgio.so)
==22730==    by 0x1FD41DDF: svgio::svgreader::SvgTextNode::DecomposeChild(svgio::svgreader::SvgNode const&, drawinglayer::primitive2d::Primitive2DContainer&, svgio::svgreader::SvgTextPosition&) const (in /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/CppunitTest/libtest_svgio.so)
==22730==    by 0x1FD425D5: svgio::svgreader::SvgTextNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&, bool) const (in /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/CppunitTest/libtest_svgio.so)
==22730==    by 0x1FD314F2: svgio::svgreader::SvgNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&, bool) const (in /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/CppunitTest/libtest_svgio.so)
==22730==    by 0x1FD3EDD4: svgio::svgreader::SvgSvgNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&, bool) const (in /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/CppunitTest/libtest_svgio.so)
==22730==    by 0x1FD5211A: svgio::svgreader::XSvgParser::getDecomposition(com::sun::star::uno::Reference<com::sun::star::io::XInputStream> const&, rtl::OUString const&) (in /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/CppunitTest/libtest_svgio.so)
==22730==    by 0x1FD116BE: (anonymous namespace)::Test::parseSvg(char const*) (in /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/CppunitTest/libtest_svgio.so)
==22730==    by 0x1FD1C258: (anonymous namespace)::Test::testFontsizeKeywords() (in /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/CppunitTest/libtest_svgio.so)
==22730==    by 0x4E5E710: CppUnit::TestCaseMethodFunctor::operator()() const (TestCase.cpp:32)
==22730==    by 0xD6846DE: (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) (in /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/Library/unoexceptionprotector.so)
==22730==    by 0x4E548BC: CppUnit::DefaultProtector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) (DefaultProtector.cpp:15)
==22730==    by 0x4E5B7D4: operator() (ProtectorChain.cpp:20)
==22730==    by 0x4E5B7D4: CppUnit::ProtectorChain::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) (ProtectorChain.cpp:86)
==22730==    by 0x4E647BB: CppUnit::TestResult::protect(CppUnit::Functor const&, CppUnit::Test*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (TestResult.cpp:182)
==22730==    by 0x4E5E533: CppUnit::TestCase::run(CppUnit::TestResult*) (TestCase.cpp:91)
==22730==    by 0x4E5EAAA: CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) (TestComposite.cpp:64)
==22730==    by 0x4E5E99C: CppUnit::TestComposite::run(CppUnit::TestResult*) (TestComposite.cpp:23)
==22730==    by 0x4E5EAAA: CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) (TestComposite.cpp:64)
==22730==    by 0x4E5E99C: CppUnit::TestComposite::run(CppUnit::TestResult*) (TestComposite.cpp:23)
==22730==    by 0x4E646E0: CppUnit::TestResult::runTest(CppUnit::Test*) (TestResult.cpp:149)
==22730==    by 0x4E672CC: CppUnit::TestRunner::run(CppUnit::TestResult&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (TestRunner.cpp:96)
==22730==    by 0x10D0F3: (anonymous namespace)::ProtectedFixtureFunctor::run() const (in /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/Executable/cppunittester)
==22730==    by 0x10D933: sal_main() (in /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/Executable/cppunittester)
==22730==    by 0x10BD8D: main (in /src/text/libreoffice/work/libreoffice-5.4.3.2/workdir/LinkTarget/Executable/cppunittester)
==22730==
==22730==
==22730== HEAP SUMMARY:
==22730==     in use at exit: 844,012 bytes in 7,628 blocks
==22730==   total heap usage: 2,280,331 allocs, 2,272,703 frees, 695,848,341 bytes allocated
==22730==
==22730== LEAK SUMMARY:
==22730==    definitely lost: 4,144 bytes in 28 blocks
==22730==    indirectly lost: 198,324 bytes in 3,064 blocks
==22730==      possibly lost: 1,352 bytes in 18 blocks
==22730==    still reachable: 640,192 bytes in 4,518 blocks
==22730==                       of which reachable via heuristic:
==22730==                         newarray           : 1,536 bytes in 16 blocks
==22730==                         multipleinheritance: 56 bytes in 1 blocks
==22730==         suppressed: 0 bytes in 0 blocks
==22730== Rerun with --leak-check=full to see details of leaked memory
==22730==
==22730== For counts of detected and suppressed errors, rerun with: -v
==22730== ERROR SUMMARY: 15 errors from 1 contexts (suppressed: 0 from 0)

Based on the allocation site, the static object in question is static_ot_funcs in hb-ot-font.cc. So I'm a bit suspicious of the "inert objects" mechanism in 5daf3bd ("Make returned functions inert")... after free_static_ot_funcs has run, the object is no longer marked as inert, so anything that does still hold a reference to it won't know not to free it?

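As an added model of the two-exit-handler sequence that mhosken and atsampson describe (this is example code, not HarfBuzz or LibreOffice code; the names, the fixed pool used in place of malloc, and the three teardown policies are assumptions made for illustration), the following C program shows why marking a process-wide static object "inert" and then releasing it from the library's own exit handler leaves a second handler, the one that still holds the pointer, destroying a freed block. The pool replaces the real heap only so that a destroy on a released block can be counted deterministically; on a real heap that read is the valgrind "Invalid read of size 4 ... inside a block ... free'd" shown above.

```c
/* Constructed model (not HarfBuzz code) of a reference-counted object with
 * an "inert" sentinel, a library-owned static instance, and two exit handlers. */
#include <stdio.h>

#define REF_INERT (-1)   /* sentinel: destroy() is a no-op for holders of this object */
#define POOL_SIZE 8

typedef struct {
    int ref_count;
    int freed;           /* allocator model: 1 once the block has been released */
} funcs_t;

/* Fixed pool instead of malloc so a destroy() on a released block is observable
 * without undefined behaviour; the real program reads freed heap memory here. */
static funcs_t pool[POOL_SIZE];
static int pool_next;
static int use_after_free_count;

static funcs_t *funcs_create(void) {
    funcs_t *f = &pool[pool_next++ % POOL_SIZE];
    f->ref_count = 1;
    f->freed = 0;
    return f;
}

static funcs_t *funcs_reference(funcs_t *f) {
    if (f->ref_count != REF_INERT)   /* inert objects are not counted */
        f->ref_count++;
    return f;
}

static void funcs_destroy(funcs_t *f) {
    if (f->freed) {                  /* the invalid read of ref_count in the thread */
        use_after_free_count++;
        return;
    }
    if (f->ref_count == REF_INERT)
        return;                      /* holders must never free an inert object */
    if (--f->ref_count == 0)
        f->freed = 1;                /* model of free() */
}

/* --- library side: one process-wide static funcs object --- */
enum policy {
    POLICY_REFCOUNTED,          /* static object is an ordinary counted reference */
    POLICY_INERT_FREE_AT_EXIT,  /* inert for holders, forcibly released at exit */
    POLICY_INERT_NEVER_FREE     /* inert for holders, left for the OS to reclaim */
};

static funcs_t *static_funcs;

static funcs_t *get_static_funcs(enum policy p) {
    if (!static_funcs) {
        static_funcs = funcs_create();
        if (p != POLICY_REFCOUNTED)
            static_funcs->ref_count = REF_INERT;
    }
    return static_funcs;
}

/* The library's own exit handler. */
static void library_exit_handler(enum policy p) {
    if (!static_funcs)
        return;
    switch (p) {
    case POLICY_REFCOUNTED:
        funcs_destroy(static_funcs);    /* drop only the library's own reference */
        break;
    case POLICY_INERT_FREE_AT_EXIT:
        static_funcs->ref_count = 1;    /* un-inert it so it can be released ... */
        funcs_destroy(static_funcs);    /* ... while other holders still have the pointer */
        break;
    case POLICY_INERT_NEVER_FREE:
        break;
    }
    static_funcs = NULL;
}

/* --- application side: a font object that holds the funcs pointer --- */
typedef struct { funcs_t *funcs; } font_t;

static void font_set_funcs(font_t *font, funcs_t *f) { font->funcs = funcs_reference(f); }
static void font_destroy(font_t *font) { funcs_destroy(font->funcs); font->funcs = NULL; }

/* Simulate process exit in the order seen in the valgrind trace: the library
 * handler runs first, then the application's static cache destructor.
 * Returns how many destroy() calls hit an already-released block. */
int simulate_exit(enum policy p) {
    font_t font;
    static_funcs = NULL;
    use_after_free_count = 0;
    font_set_funcs(&font, get_static_funcs(p));   /* during the test run */
    library_exit_handler(p);                      /* exit handler 1 */
    font_destroy(&font);                          /* exit handler 2 */
    return use_after_free_count;
}

int main(void) {
    printf("refcounted static:        %d use-after-free\n", simulate_exit(POLICY_REFCOUNTED));
    printf("inert, freed at exit:     %d use-after-free\n", simulate_exit(POLICY_INERT_FREE_AT_EXIT));
    printf("inert, never freed:       %d use-after-free\n", simulate_exit(POLICY_INERT_NEVER_FREE));
    return 0;
}
```

Only the middle policy produces the stale destroy: the inert marking tells holders not to touch the object, but the forced release at exit happens before those holders have run, so their later destroy reads a block that is already gone. Either keeping the static reference counted (what reverting the commit restores) or never freeing an inert static at all avoids the ordering dependency between the two handlers.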
@behdad
Member

behdad commented Nov 14, 2017

Yeah I can see that if other atexit functions try to destruct that, bad things will happen. I'll revert that commit and think about it some more.

@behdad behdad closed this as completed in 93f7c16 Nov 14, 2017
@behdad
Member

behdad commented Nov 14, 2017

Release coming.
