Apache OpenOffice (AOO) Bugzilla – Issue 114718
forms/qa/unoapi: crash in remote async release call
Last modified: 2017-05-20 10:30:42 UTC
On DEV300_m88 based CWS sb123, unxsoli4 non-pro, executing forms/qa/unoapi once crashed when executing UNO release calls sent from the Java client (at arbitrary times, triggered by Java GC) with

---- called from signal handler with signal 11 (SIGSEGV) ------
[25] 0x1000300(0x8587e20, 0x8bde678, 0xf14deb14, 0xf851d526), at 0x1000300
[26] s_stub_defenv_revokeInterface(0xf14debd8), at 0xf851d7bb
[27] s_environment_invoke_v(0x0, 0x8587e20, 0xf851d518, 0xf14debd8), at 0xf8524ec7
[28] uno_Environment_invoke_v(0x8587e20, 0xf851d518, 0xf14debd8, 0xf8524f84), at 0xf8524f5b
[29] uno_Environment_invoke(0x8587e20, 0xf851d518, 0x8587e20, 0x8bde678), at 0xf8524fa3
[30] defenv_revokeInterface(0x8587e20, 0x8bde678, 0x8587e20, 0xf84ca358), at 0xf851d9fb
[31] bridges::cpp_uno::shared::releaseProxy(0x8bde678, 0x0), at 0xf84ca388
[32] bridges_remote::Uno2RemoteStub::~Uno2RemoteStub(0x8ccec68, 0x0), at 0xf103f8a1
[33] bridges_remote::freeUno2RemoteStub(0x84c27f0, 0x8ccec68, 0xf14decc8, 0xf851d526), at 0xf103f58f
[34] s_stub_defenv_revokeInterface(0xf14ded8c), at 0xf851d7bb
[35] s_environment_invoke_v(0x0, 0x84c27f0, 0xf851d518, 0xf14ded8c), at 0xf8524ec7
[36] uno_Environment_invoke_v(0x84c27f0, 0xf851d518, 0xf14ded8c, 0xf8524f84), at 0xf8524f5b
[37] uno_Environment_invoke(0x84c27f0, 0xf851d518, 0x84c27f0, 0x8ccf8e8), at 0xf8524fa3
[38] defenv_revokeInterface(0x84c27f0, 0x8ccf8e8), at 0xf851d9fb
[39] thisRelease(0x8ccf8e8, 0x1000000, 0x0, 0xf102ed6d), at 0xf103e859
[40] bridges_urp::ServerMultiJob::execute(0x8d28fe0, 0xf8541fe8, 0xfc12ac29, 0xf102ccc0), at 0xf102f16f
[41] doit(0x8d28fe0, 0x10, 0x0, 0xf852ab8e), at 0xf102ccd2
[42] cppu_threadpool::JobQueue::enter(0x84d1428, 0x85a6388, 0x0, 0x1), at 0xf852ad29
[43] cppu_threadpool::ORequestThread::run(0x85a6388), at 0xf852b9ff
[44] cppu_requestThreadWorker(0x85a6388, 0xf14defb0, 0xf14defd8, 0xf14defb0), at 0xf852b2e2
[45] osl_thread_start_Impl(0x8bff020), at 0xfec7bb0f
[46] _thr_setup(0xfeab3200), at 0xfef271c0
[47] _lwp_start(0x45, 0x6, 0xfef9d000, 0xf14de1fc, 0xfeed1ed3, 0x45), at 0xfef274b0

at

[...]
5: LOG> enableRepeat(): PASSED.OK
5: ***** State for forms.OFormattedControl::com::sun::star::awt::XSpinField ******
5: Whole interface: PASSED.OK
5: *******************************************************************************
5: LOG> Log started 23.08.2010 - 23:04:40
5: checking: [forms.OFormattedControl::com::sun::star::awt::XControl] is iface: [com.sun.star.awt.XControl] testcode: [ifc.awt._XControl]
5: LOG> Execute: setContext()
5: Method setContext() finished with state OK
5: LOG> setContext(): PASSED.OK
5:
5: LOG> Execute: getContext()
5: LOG> starting required method: setContext()
5: Method getContext() finished with state OK
5: LOG> getContext(): PASSED.OK
5:
5: LOG> Execute: createPeer()
5: Method createPeer() finished with state OK
5: LOG> createPeer(): PASSED.OK
5:
5: LOG> Execute: getPeer()
5: LOG> starting required method: createPeer()
5: Method getPeer() finished with state OK
5: LOG> getPeer(): PASSED.OK
5:
5: LOG> Execute: setModel()
5: Method setModel() finished with state OK
5: LOG> setModel(): PASSED.OK
5:
5: LOG> Execute: getModel()
5: LOG> starting required method: setModel()
5: Method getModel() finished with state OK
5: LOG> getModel(): PASSED.OK
5:
5: LOG> Execute: getView()
5: Method getView() finished with state OK
5: LOG> getView(): PASSED.OK
5:
5: LOG> Execute: setDesignMode()
5: Method setDesignMode() finished with state OK
5: LOG> setDesignMode(): PASSED.OK
5:
5: LOG> Execute: isDesignMode()
5: LOG> starting required method: setDesignMode()
5: Method isDesignMode() finished with state OK
5: LOG> isDesignMode(): PASSED.OK
5:
5: LOG> Execute: isTransparent()
5: Method isTransparent() finished with state OK
5: LOG> isTransparent(): PASSED.OK
5: ***** State for forms.OFormattedControl::com::sun::star::awt::XControl ******
5: Whole interface: PASSED.OK
5: *****************************************************************************
5: LOG> Log started 23.08.2010 - 23:04:40
5: checking: [forms.OFormattedControl::com::sun::star::awt::XTextComponent] is iface: [com.sun.star.awt.XTextComponent] testcode: [ifc.awt._XTextComponent]
5: LOG> Execute: addTextListener()
5: sh: /net/so-cwsserv02/export/cws/sb123/DEV300/unxsoli4/installation/opt/openoffice.org3/program/../program/crashrep: not found
5: Application Error
5:
5: Fatal exception: Signal 6
"it once crashed (at arbitrary times)"? Sorry, I don't know what that could mean. The stack is purely in the UNO remote bridge, which I think is yours?
@pl: The stack shows that UNO tries to call "release" on an object that had been mapped out via URP. The most plausible cause for the stack is that the to-be-released object had problems (already destroyed?, overwritten?) so somewhere along the path within the "release" call jumped to wild 0x1000300. It is, of course, hard to impossible to tell what kind of object that was and why it had problems. If you don't want to have the issue, I have no problem parking it under my account.
Executing forms/qa/unoapi on DEV300_m98 based CWS sb138, unxlngx6 non-pro, revealed that frm::OFormattedFieldWrapper is the problematic object that is released one time too often (see below). And indeed, OFormattedFieldWrapper::read can hold on to pBasicReader via xHoldBasicReaderAlive while setting itself as delegator at pBasicReader, so that xHoldBasicReaderAlive's acquire goes to pBasicReader while its release goes to this OFormattedFieldWrapper. The attached formattedfieldwrapper.patch fixes this.

==1659== Invalid read of size 8
==1659==    at 0x15E09C9B: bridges::cpp_uno::shared::freeUnoInterfaceProxy(_uno_ExtEnvironment*, void*) (unointerfaceproxy.cxx:54)
==1659==    by 0x72B424A: s_stub_defenv_revokeInterface (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x72BB275: s_environment_invoke_v(_uno_Environment*, _uno_Environment*, void (*)(__va_list_tag (*) [1]), __va_list_tag (*) [1]) (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x72BB311: uno_Environment_invoke_v (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x72BB3AD: uno_Environment_invoke (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x72B35E8: defenv_revokeInterface (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x15E09B3F: bridges::cpp_uno::shared::releaseProxy(_uno_Interface*) (unointerfaceproxy.cxx:96)
==1659==    by 0x1B4967F9: com::sun::star::uno::UnoInterfaceReference::~UnoInterfaceReference() (dispatcher.hxx:95)
==1659==    by 0x1B496B9A: binaryurp::Bridge::SubStub::~SubStub() (bridge.cxx:172)
==1659==    by 0x1B49939D: std::pair<com::sun::star::uno::TypeDescription const, binaryurp::Bridge::SubStub>::~pair() (stl_pair.h:69)
==1659==    by 0x1B4993F6: __gnu_cxx::new_allocator<std::pair<com::sun::star::uno::TypeDescription const, binaryurp::Bridge::SubStub> >::destroy(std::pair<com::sun::star::uno::TypeDescription const, binaryurp::Bridge::SubStub>*) (new_allocator.h:110)
==1659==    by 0x1B4999EF: std::_Rb_tree<com::sun::star::uno::TypeDescription, std::pair<com::sun::star::uno::TypeDescription const, binaryurp::Bridge::SubStub>, std::_Select1st<std::pair<com::sun::star::uno::TypeDescription const, binaryurp::Bridge::SubStub> >, std::less<com::sun::star::uno::TypeDescription>, std::allocator<std::pair<com::sun::star::uno::TypeDescription const, binaryurp::Bridge::SubStub> > >::_M_destroy_node(std::_Rb_tree_node<std::pair<com::sun::star::uno::TypeDescription const, binaryurp::Bridge::SubStub> >*) (stl_tree.h:400)
==1659==  Address 0x18d5ca20 is 0 bytes inside a block of size 112 free'd
==1659==    at 0x4C270BD: free (vg_replace_malloc.c:366)
==1659==    by 0x4E2D817: rtl_freeMemory (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/lib/libsalalloc_malloc.so.3)
==1659==    by 0x2AC18D72: cppu::OWeakObject::operator delete(void*) (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/basis3.4/program/libfrmlx.so)
==1659==    by 0x2ACA49B0: frm::OFormattedFieldWrapper::~OFormattedFieldWrapper() (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/basis3.4/program/libfrmlx.so)
==1659==    by 0x7009C1F: cppu::OWeakObject::release() (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppuhelpergcc3.so.3)
==1659==    by 0x7009C79: cppu::OWeakAggObject::release() (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppuhelpergcc3.so.3)
==1659==    by 0x2ACA6267: frm::OFormattedFieldWrapper::release() (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/basis3.4/program/libfrmlx.so)
==1659==    by 0x15E07D49: s_stub_releaseInterface (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libgcc3_uno.so)
==1659==    by 0x72BB275: s_environment_invoke_v(_uno_Environment*, _uno_Environment*, void (*)(__va_list_tag (*) [1]), __va_list_tag (*) [1]) (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x72BB311: uno_Environment_invoke_v (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x72BB3AD: uno_Environment_invoke (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x15E081AE: releaseInterface (in /net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libgcc3_uno.so)
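The acquire/release mismatch described in the comment above, as an added example that is not part of the issue, the patch or the OpenOffice code base: a simplified refcount model in which Counted, Outcome and readScenario are hypothetical names and the two owners of the wrapper are assumed. The second branch is only one balanced ordering and is not claimed to be what formattedfieldwrapper.patch does.

```cpp
#include <cstdio>

// Simplified model, not UNO code: acquire/release are forwarded to a
// delegator once one is set, as happens with an aggregated object.
struct Counted {
    int refs = 0;
    bool destroyed = false;
    int lateReleases = 0;            // releases arriving after destruction
    Counted* delegator = nullptr;

    void acquire() { if (delegator) delegator->acquire(); else ++refs; }
    void release() {
        if (delegator) { delegator->release(); return; }
        if (destroyed) { ++lateReleases; return; }  // real code: use-after-free
        if (--refs == 0) destroyed = true;          // real code: delete this
    }
};

struct Outcome { int lateReleases; int readerRefs; bool wrapperDestroyed; };

// holdAcrossDelegation == true follows the order described in the report.
Outcome readScenario(bool holdAcrossDelegation) {
    Counted wrapper, reader;
    wrapper.acquire();               // reference owned by the remote bridge
    wrapper.acquire();               // reference owned by a local caller
    reader.acquire();                // wrapper's own reference to its aggregate

    if (holdAcrossDelegation) {
        reader.acquire();            // keep-alive acquire counts on reader
        reader.delegator = &wrapper;
        reader.release();            // matching release counts on wrapper
    } else {
        reader.delegator = &wrapper;
        reader.acquire();            // both calls are forwarded to wrapper
        reader.release();
    }

    wrapper.release();               // local caller drops its reference
    wrapper.release();               // remote release arrives later (Java GC)
    return { wrapper.lateReleases, reader.refs, wrapper.destroyed };
}

int main() {
    for (int hold = 1; hold >= 0; --hold) {
        Outcome o = readScenario(hold != 0);
        std::printf("hold=%d lateReleases=%d readerRefs=%d destroyed=%d\n",
                    hold, o.lateReleases, o.readerRefs, o.wrapperDestroyed);
    }
}
```

In the first ordering the wrapper reaches zero one release early, so the later remote release hits a destroyed object, while the reader keeps a count that is never released.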
Created attachment 75759
fix
attached formattedfieldwrapper.patch fix applied as <http://hg.services.openoffice.org/cws/sb140/rev/670dea756361>
.
*** Issue 117365 has been marked as a duplicate of this issue. ***
*** Issue 114669 has been marked as a duplicate of this issue. ***