Bug 160906

Summary: Crash when changing formatting (e.g. font) inside Text Box Form Control
Product: LibreOffice Reporter: Stéphane Guillou (stragu) <stephane.guillou>
Component: WriterAssignee: Armin Le Grand <Armin.Le.Grand>
Status: VERIFIED FIXED    
Severity: critical CC: Armin.Le.Grand, serval2412, telesto
Priority: medium Keywords: bibisected, bisected, haveBacktrace, regression
Version: 24.2.0.0 alpha0+   
Hardware: x86-64 (AMD64)   
OS: All   
See Also: https://bugs.documentfoundation.org/show_bug.cgi?id=160907
https://bugs.documentfoundation.org/show_bug.cgi?id=107092
Whiteboard: target:24.8.0 target:24.2.4
Crash report or crash signature: ["SfxEnumItem<FontWeight>::operator==(SfxPoolItem const &)","SfxEnumItem<FontItalic>::operator==(SfxPoolItem const &)","libmergedlo.so","mergedlo.dll"] Regression By:
Bug Depends on:    
Bug Blocks: 107742, 133092    
Attachments: bt with debug symbols

Description Stéphane Guillou (stragu) 2024-05-02 11:34:15 UTC 
Steps:
1. Open attachment 132471 [details]
2. Click in large text box control in section 1
3. Right "test"
4. Select the word
5. Change font to Alef

Result: crash.
The above is for Linux, but I needed different steps for Windows: for example, simply clicking Bold or Italic without writing anything was enough.
- Windows, 24.2.2, with signature "SfxEnumItem<FontWeight>::operator==(SfxPoolItem const &)": https://crashreport.libreoffice.org/stats/crash_details/fc31a1fb-5290-4203-bf7c-c19e7848b062
- Windows, 24.2.2, with signature "SfxEnumItem<FontItalic>::operator==(SfxPoolItem const &)" when applying Italic: https://crashreport.libreoffice.org/stats/crash_details/26cc71f2-2080-4a43-95e7-c5e246ad650f
- Windows, 24.2.2, with signature "mergedlo.dll": https://crashreport.libreoffice.org/stats/crash_details/b826a5f4-55b0-4608-967c-6ed8aa60cb94
- Linux, 24.2.2, with signature "libmergedlo.so": https://crashreport.libreoffice.org/stats/crash_details/4bd180a3-32b1-4b68-a2a7-53ba1def5746

No repro in 7.6.6 -> regression.

Bibisected with linux-64-24.2 repo to first bad build [1b7cb4eeeef9b131220865ad098d3c8e1bc53cdb] which points to:

commit ab7c81f55621d7b0d1468c63305163016dd78837
author	Armin Le Grand (allotropia) 	Wed Oct 04 15:42:27 2023 +0200
committer	Armin Le Grand 	Tue Nov 07 18:07:13 2023 +0100
ITEM: Get away from classic 'poolable' Item flag
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/157559

Armin, can you please have a look?
Comment 1 Stéphane Guillou (stragu) 2024-05-02 11:35:20 UTC 
(
still reproduced in recent trunk build, of course:

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: ce454f382d0d005dd3de021c7820be3ffa0bb582
CPU threads: 8; OS: Linux 6.5; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: CL threaded
)
Comment 2 Julien Nabet 2024-05-02 13:41:25 UTC 
Created attachment 193940 [details]
bt with debug symbols

On pc Debian x86-64 with master sources updated today, I could reproduce this.
Comment 3 Armin Le Grand 2024-05-07 11:37:00 UTC 
Taking a look...
Comment 4 Armin Le Grand 2024-05-07 11:39:44 UTC 
Yes, typical use of deleted Item: In OParametrizedAttributeDispatcher::convertDispatchArgsToItem a SfxPoolItem* is returned. It gets fetched from a local temporary SfxAllItemSet aParameterSet. Of course when the ItemSet gets destroyed, the Item gets destroyed -> a deleted Item is returned.
For that cases we nowadays have SfxPoolItemHolder, so have to change it to use that...
Comment 5 Armin Le Grand 2024-05-07 12:03:26 UTC 
Added https://gerrit.libreoffice.org/c/core/+/167274
Comment 6 Armin Le Grand 2024-05-07 12:06:57 UTC 
NOTE: I checked forms/source/richtext/parametrizedattributedispatcher.cxx and OParametrizedAttributeDispatcher::convertDispatchArgsToItem, but it was always done that way -> former versions just 'survived' working with that deleted Item as it seems...
Comment 7 Commit Notification 2024-05-08 18:50:27 UTC 
Armin Le Grand (allotropia) committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/24d78fcb5399b2c783ab7908263a1b54bb687a22

tdf#160906 use SfxPoolItemHolder

It will be available in 24.8.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 8 Stéphane Guillou (stragu) 2024-05-10 23:56:31 UTC 
Verified in:

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: ad1f0bdeac30fca1dc56a08803ef23f2aca4db05
CPU threads: 8; OS: Linux 6.5; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: CL threaded

Thanks Armin!
Comment 9 Commit Notification 2024-05-15 22:43:26 UTC 
Armin Le Grand (allotropia) committed a patch related to this issue.
It has been pushed to "libreoffice-24-2":

https://git.libreoffice.org/core/commit/01bdb97829d103d06175fb50746ddeefddbaa3b3

tdf#160906 use SfxPoolItemHolder

It will be available in 24.2.4.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.