https://bugs.documentfoundation.org/show_bug.cgi?id=155262
Bug ID: 155262
Summary: LibreOffice crashes in server mode with "free():
corrupted unsorted chunks"
Product: LibreOffice
Version: 7.4.5.1 release
Hardware: x86-64 (AMD64)
OS: Linux (All)
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: LibreOffice
Assignee: libreoffice-bugs@lists.freedesktop.org
Reporter: mity...@debian.org
Created attachment 187223
--> https://bugs.documentfoundation.org/attachment.cgi?id=187223&action=edit
gdb trace
We are using libreoffice to convert docx files to PDF in server mode. It is
started with the following flags:
libreoffice --headless --invisible --nocrashreport --nodefault --nologo
--nofirststartwizard --norestore
--accept='socket,host=127.0.0.1,port=44970,tcpNoDelay=1;urp;StarOffice.ComponentContext'
As the client code, we are using unoconvert (the client part of unoserver):
https://github.com/unoconv/unoserver/blob/master/src/unoserver/converter.py
After a few hours of running, libreoffice crashes with "free(): corrupted
unsorted chunks" error (SIGABRT). Usually it happens when it receives two
requests within the same second. Sometimes, the error message is printed, but
the process keeps running and does not respond to requests.
You can make it crash much faster (after a few seconds) if you increase load
and send multiple requests every second.
Stack trace:
#0 __pthread_kill_implementation (threadid=<optimized out>,
signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
#1 0x00007fb6898a9d2f in __pthread_kill_internal (signo=6, threadid=<optimized
out>) at ./nptl/pthread_kill.c:78
#2 0x00007fb68985aef2 in __GI_raise (sig=sig@entry=6) at
../sysdeps/posix/raise.c:26
#3 0x00007fb689845472 in __GI_abort () at ./stdlib/abort.c:79
#4 0x00007fb68989e2d0 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7fb6899b8459 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#5 0x00007fb6898b364a in malloc_printerr (str=str@entry=0x7fb6899bb1c0
"free(): corrupted unsorted chunks") at ./malloc/malloc.c:5660
#6 0x00007fb6898b573c in _int_free (av=0x7fb664000030, p=0x7fb664652210,
have_lock=<optimized out>, have_lock@entry=0) at ./malloc/malloc.c:4626
#7 0x00007fb6898b7d2f in __GI___libc_free (mem=<optimized out>) at
./malloc/malloc.c:3385
#8 0x00007fb68de34413 in rtl::OUString::~OUString() (this=0x7fb61c8fef78,
__in_chrg=<optimized out>) at ./include/rtl/ustring.hxx:526
#9 bridges::cpp_uno::shared::UnoInterfaceProxy::~UnoInterfaceProxy()
(this=0x7fb61c8fef40, __in_chrg=<optimized out>) at
./bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:122
#10 bridges::cpp_uno::shared::freeUnoInterfaceProxy(uno_ExtEnvironment*, void*)
(pEnv=<optimized out>, pProxy=0x7fb61c8fef40) at
./bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:49
#11 0x00007fb6877a3b32 in (anonymous
namespace)::s_stub_defenv_revokeInterface(va_list*) (pParam=<optimized out>) at
./cppu/source/uno/lbenv.cxx:372
#12 0x00007fb68779ead6 in s_environment_invoke_v(uno_Environment*,
uno_Environment*, uno_EnvCallee*, va_list*) (pCurrEnv=0x0,
pTargetEnv=<optimized out>, pCallee=0x7fb6877a38a0 <(anonymous n
amespace)::s_stub_defenv_revokeInterface(va_list*)>,
pParam=pParam@entry=0x7fb670ff7120) at ./cppu/source/uno/EnvStack.cxx:293
#13 0x00007fb68779ec27 in uno_Environment_invoke_v(uno_Environment*,
uno_EnvCallee*, va_list*) (pTargetEnv=<optimized out>, pCallee=<optimized out>,
pParam=pParam@entry=0x7fb670ff7120) at ./
cppu/source/uno/EnvStack.cxx:312
#14 0x00007fb68779ecc4 in uno_Environment_invoke(uno_Environment*,
uno_EnvCallee*, ...) (pEnv=<optimized out>, pCallee=<optimized out>) at
./cppu/source/uno/EnvStack.cxx:321
#15 0x00007fb683239caa in
com::sun::star::uno::UnoInterfaceReference::~UnoInterfaceReference()
(this=<optimized out>, this=<optimized out>) at
./include/uno/dispatcher.hxx:107
#16 binaryurp::Bridge::releaseStub(rtl::OUString const&,
com::sun::star::uno::TypeDescription const&) (type=...,
oid="560086a7ac30;gcc3[0];99a260952b14ad884c4eb10855e962", this=0x7fb67800154
0) at ./binaryurp/source/bridge.cxx:514
#17 binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*,
std::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny> >*)
const (outArguments=<optimized out>, returnVal
ue=<optimized out>, this=0x7fb650249ab0) at
./binaryurp/source/incomingrequest.cxx:138
#18 binaryurp::IncomingRequest::execute() const (this=0x7fb650249ab0) at
./binaryurp/source/incomingrequest.cxx:79
#19 binaryurp::(anonymous namespace)::request(void*)
(pThreadSpecificData=0x7fb650249ab0) at ./binaryurp/source/reader.cxx:86
#20 0x00007fb68778ee17 in cppu_threadpool::JobQueue::enter(void const*, bool)
(this=0x7fb6503926f0, nDisposeId=nDisposeId@entry=0x7fb6182fd3a0,
bReturnWhenNoJob=bReturnWhenNoJob@entry=true)
at ./cppu/source/threadpool/jobqueue.cxx:100
#21 0x00007fb68778f4d1 in cppu_threadpool::ORequestThread::run()
(this=0x7fb6182fd3a0) at ./cppu/source/threadpool/thread.cxx:165
#22 0x00007fb68778f720 in osl::threadFunc(void*) (param=0x7fb6182fd3b0) at
./include/osl/thread.hxx:189
#23 0x00007fb68de73c3b in osl_thread_start_Impl(void*) (pData=0x7fb61876fa60)
at ./sal/osl/unx/thread.cxx:265
#24 0x00007fb6898a7fd4 in start_thread (arg=<optimized out>) at
./nptl/pthread_create.c:442
#25 0x00007fb6899285bc in clone3 () at
../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Full gdb log with stack traces of all threads is attached.
This stack trace was obtained with LibreOffice version from Debian testing
(4:7.4.5-2).
--
You are receiving this mail because:
You are the assignee for the bug.
