Issue 114718 - forms/qa/unoapi: crash in remote async release call
Summary: forms/qa/unoapi: crash in remote async release call
Status: CLOSED FIXED
Alias: None
Product: gsl
Classification: Code
Component: code (show other issues)
Version: current
Hardware: All All
: P3 Trivial (vote)
Target Milestone: OOo 3.x
Assignee: Stephan Bergmann
QA Contact: issues@gsl
URL:
Keywords:
: 114669 117365 (view as issue list)
Depends on:
Blocks:
 
Reported: 2010-09-24 09:29 UTC by Stephan Bergmann
Modified: 2017-05-20 10:30 UTC (History)
3 users (show)

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments
fix (11.55 KB, text/plain)
2011-02-03 15:40 UTC, Stephan Bergmann
no flags Details

Note You need to log in before you can comment on or make changes to this issue.
Description Stephan Bergmann 2010-09-24 09:29:02 UTC
On DEV300_m88 based CWS sb123, unxsoli4 non-pro, executing forms/qa/unoapi once
crashed when executing UNO release calls sent from the Java client (at arbitrary
times, triggered by Java GC) with

  ---- called from signal handler with signal 11 (SIGSEGV) ------
  [25] 0x1000300(0x8587e20, 0x8bde678, 0xf14deb14, 0xf851d526), at 0x1000300
  [26] s_stub_defenv_revokeInterface(0xf14debd8), at 0xf851d7bb
  [27] s_environment_invoke_v(0x0, 0x8587e20, 0xf851d518, 0xf14debd8), at 0xf8524ec7
  [28] uno_Environment_invoke_v(0x8587e20, 0xf851d518, 0xf14debd8, 0xf8524f84),
at 0xf8524f5b
  [29] uno_Environment_invoke(0x8587e20, 0xf851d518, 0x8587e20, 0x8bde678), at
0xf8524fa3
  [30] defenv_revokeInterface(0x8587e20, 0x8bde678, 0x8587e20, 0xf84ca358), at
0xf851d9fb
  [31] bridges::cpp_uno::shared::releaseProxy(0x8bde678, 0x0), at 0xf84ca388
  [32] bridges_remote::Uno2RemoteStub::~Uno2RemoteStub(0x8ccec68, 0x0), at
0xf103f8a1
  [33] bridges_remote::freeUno2RemoteStub(0x84c27f0, 0x8ccec68, 0xf14decc8,
0xf851d526), at 0xf103f58f
  [34] s_stub_defenv_revokeInterface(0xf14ded8c), at 0xf851d7bb
  [35] s_environment_invoke_v(0x0, 0x84c27f0, 0xf851d518, 0xf14ded8c), at 0xf8524ec7
  [36] uno_Environment_invoke_v(0x84c27f0, 0xf851d518, 0xf14ded8c, 0xf8524f84),
at 0xf8524f5b
  [37] uno_Environment_invoke(0x84c27f0, 0xf851d518, 0x84c27f0, 0x8ccf8e8), at
0xf8524fa3
  [38] defenv_revokeInterface(0x84c27f0, 0x8ccf8e8), at 0xf851d9fb
  [39] thisRelease(0x8ccf8e8, 0x1000000, 0x0, 0xf102ed6d), at 0xf103e859
  [40] bridges_urp::ServerMultiJob::execute(0x8d28fe0, 0xf8541fe8, 0xfc12ac29,
0xf102ccc0), at 0xf102f16f
  [41] doit(0x8d28fe0, 0x10, 0x0, 0xf852ab8e), at 0xf102ccd2
  [42] cppu_threadpool::JobQueue::enter(0x84d1428, 0x85a6388, 0x0, 0x1), at
0xf852ad29
  [43] cppu_threadpool::ORequestThread::run(0x85a6388), at 0xf852b9ff
  [44] cppu_requestThreadWorker(0x85a6388, 0xf14defb0, 0xf14defd8, 0xf14defb0),
at 0xf852b2e2
  [45] osl_thread_start_Impl(0x8bff020), at 0xfec7bb0f
  [46] _thr_setup(0xfeab3200), at 0xfef271c0
  [47] _lwp_start(0x45, 0x6, 0xfef9d000, 0xf14de1fc, 0xfeed1ed3, 0x45), at
0xfef274b0

at

[...]
5: LOG> enableRepeat(): PASSED.OK
5: ***** State for forms.OFormattedControl::com::sun::star::awt::XSpinField ******
5: Whole interface: PASSED.OK
5: *******************************************************************************
5: LOG> Log started 23.08.2010 - 23:04:40
5: checking: [forms.OFormattedControl::com::sun::star::awt::XControl] is iface:
[com.sun.star.awt.XControl] testcode: [ifc.awt._XControl]
5: LOG> Execute: setContext()
5: Method setContext() finished with state OK
5: LOG> setContext(): PASSED.OK
5: 
5: LOG> Execute: getContext()
5: LOG> starting required method: setContext()
5: Method getContext() finished with state OK
5: LOG> getContext(): PASSED.OK
5: 
5: LOG> Execute: createPeer()
5: Method createPeer() finished with state OK
5: LOG> createPeer(): PASSED.OK
5: 
5: LOG> Execute: getPeer()
5: LOG> starting required method: createPeer()
5: Method getPeer() finished with state OK
5: LOG> getPeer(): PASSED.OK
5: 
5: LOG> Execute: setModel()
5: Method setModel() finished with state OK
5: LOG> setModel(): PASSED.OK
5: 
5: LOG> Execute: getModel()
5: LOG> starting required method: setModel()
5: Method getModel() finished with state OK
5: LOG> getModel(): PASSED.OK
5: 
5: LOG> Execute: getView()
5: Method getView() finished with state OK
5: LOG> getView(): PASSED.OK
5: 
5: LOG> Execute: setDesignMode()
5: Method setDesignMode() finished with state OK
5: LOG> setDesignMode(): PASSED.OK
5: 
5: LOG> Execute: isDesignMode()
5: LOG> starting required method: setDesignMode()
5: Method isDesignMode() finished with state OK
5: LOG> isDesignMode(): PASSED.OK
5: 
5: LOG> Execute: isTransparent()
5: Method isTransparent() finished with state OK
5: LOG> isTransparent(): PASSED.OK
5: ***** State for forms.OFormattedControl::com::sun::star::awt::XControl ******
5: Whole interface: PASSED.OK
5: *****************************************************************************
5: LOG> Log started 23.08.2010 - 23:04:40
5: checking: [forms.OFormattedControl::com::sun::star::awt::XTextComponent] is
iface: [com.sun.star.awt.XTextComponent] testcode: [ifc.awt._XTextComponent]
5: LOG> Execute: addTextListener()
5: sh:
/net/so-cwsserv02/export/cws/sb123/DEV300/unxsoli4/installation/opt/openoffice.org3/program/../program/crashrep:
not found
5: Application Error
5: 
5: Fatal exception: Signal 6
Comment 1 philipp.lohmann 2010-09-24 09:49:39 UTC
"it once crashed (at arbitrary times)" ? Sorry, I don't know what that could
mean. The stack is purely in the UNO remote bridge, which I think is your's ?
Comment 2 Stephan Bergmann 2010-09-24 10:02:34 UTC
@pl:  The stack shows that UNO tries to call "release" on an object that had
been mapped out via URP.  The most plausible cause for the stack is that the
to-be-released object had problems (already destroyed?, overwritten?) so
somewhere along the path within the "release" call jumped to wild 0x1000300.  It
is, of course, hard to impossible to tell what kind of object that was and why
it had problems.

If you don't want to have the issue, I have no problem parking it under my account.
Comment 3 Stephan Bergmann 2011-02-03 15:39:21 UTC
Executing forms/qa/unoapi on DEV300_m98 based CWS sb138, unxlngx6 non-pro,
revealed that frm::OFormattedFieldWrapper is the problematic object that is
released one time too often (see below).  And indeed,
OFormattedFieldWrapper::read can hold on to pBasicReader via
xHoldBasicReaderAlive while setting itself as delegator at pBasicReader, so that
xHoldBasicReaderAlive's acquire goes to pBasicReader while its release goes to
this OFormattedFieldWrapper.  The attached formattedfieldwrapper.patch fixes this.

==1659== Invalid read of size 8
==1659==    at 0x15E09C9B:
bridges::cpp_uno::shared::freeUnoInterfaceProxy(_uno_ExtEnvironment*, void*)
(unointerfaceproxy.cxx:54)
==1659==    by 0x72B424A: s_stub_defenv_revokeInterface (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x72BB275: s_environment_invoke_v(_uno_Environment*,
_uno_Environment*, void (*)(__va_list_tag (*) [1]), __va_list_tag (*) [1]) (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x72BB311: uno_Environment_invoke_v (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x72BB3AD: uno_Environment_invoke (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x72B35E8: defenv_revokeInterface (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x15E09B3F:
bridges::cpp_uno::shared::releaseProxy(_uno_Interface*) (unointerfaceproxy.cxx:96)
==1659==    by 0x1B4967F9:
com::sun::star::uno::UnoInterfaceReference::~UnoInterfaceReference()
(dispatcher.hxx:95)
==1659==    by 0x1B496B9A: binaryurp::Bridge::SubStub::~SubStub() (bridge.cxx:172)
==1659==    by 0x1B49939D: std::pair<com::sun::star::uno::TypeDescription const,
binaryurp::Bridge::SubStub>::~pair() (stl_pair.h:69)
==1659==    by 0x1B4993F6:
__gnu_cxx::new_allocator<std::pair<com::sun::star::uno::TypeDescription const,
binaryurp::Bridge::SubStub>
>::destroy(std::pair<com::sun::star::uno::TypeDescription const,
binaryurp::Bridge::SubStub>*) (new_allocator.h:110)
==1659==    by 0x1B4999EF: std::_Rb_tree<com::sun::star::uno::TypeDescription,
std::pair<com::sun::star::uno::TypeDescription const,
binaryurp::Bridge::SubStub>,
std::_Select1st<std::pair<com::sun::star::uno::TypeDescription const,
binaryurp::Bridge::SubStub> >, std::less<com::sun::star::uno::TypeDescription>,
std::allocator<std::pair<com::sun::star::uno::TypeDescription const,
binaryurp::Bridge::SubStub> >
>::_M_destroy_node(std::_Rb_tree_node<std::pair<com::sun::star::uno::TypeDescription
const, binaryurp::Bridge::SubStub> >*) (stl_tree.h:400)
==1659==  Address 0x18d5ca20 is 0 bytes inside a block of size 112 free'd
==1659==    at 0x4C270BD: free (vg_replace_malloc.c:366)
==1659==    by 0x4E2D817: rtl_freeMemory (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/lib/libsalalloc_malloc.so.3)
==1659==    by 0x2AC18D72: cppu::OWeakObject::operator delete(void*) (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/basis3.4/program/libfrmlx.so)
==1659==    by 0x2ACA49B0:
frm::OFormattedFieldWrapper::~OFormattedFieldWrapper() (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/basis3.4/program/libfrmlx.so)
==1659==    by 0x7009C1F: cppu::OWeakObject::release() (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppuhelpergcc3.so.3)
==1659==    by 0x7009C79: cppu::OWeakAggObject::release() (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppuhelpergcc3.so.3)
==1659==    by 0x2ACA6267: frm::OFormattedFieldWrapper::release() (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/basis3.4/program/libfrmlx.so)
==1659==    by 0x15E07D49: s_stub_releaseInterface (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libgcc3_uno.so)
==1659==    by 0x72BB275: s_environment_invoke_v(_uno_Environment*,
_uno_Environment*, void (*)(__va_list_tag (*) [1]), __va_list_tag (*) [1]) (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x72BB311: uno_Environment_invoke_v (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x72BB3AD: uno_Environment_invoke (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libuno_cppu.so.3)
==1659==    by 0x15E081AE: releaseInterface (in
/net/so-cwsserv03/export/cws/sb138/DEV300/unxlngx6/installation/opt/openoffice.org/ure/lib/libgcc3_uno.so)
Comment 4 Stephan Bergmann 2011-02-03 15:40:03 UTC
Created attachment 75759 [details]
fix
Comment 5 Stephan Bergmann 2011-02-07 10:13:05 UTC
attached formattedfieldwrapper.patch fix applied as
<http://hg.services.openoffice.org/cws/sb140/rev/670dea756361>
Comment 6 Stephan Bergmann 2011-02-07 10:18:10 UTC
.
Comment 7 Stephan Bergmann 2011-03-17 12:15:16 UTC
*** Issue 117365 has been marked as a duplicate of this issue. ***
Comment 8 Stephan Bergmann 2011-04-05 13:41:47 UTC
*** Issue 114669 has been marked as a duplicate of this issue. ***