Bug 97879

Summary: CRASH: Writer hangs with 100% cpu when FILEOPEN particular odt with particular styles.xml
Product: LibreOffice Reporter: domike <astroxeu>
Component: WriterAssignee: Caolán McNamara <caolan.mcnamara>
Status: VERIFIED FIXED    
Severity: major CC: astroxeu, h3734236, ilmari.lauhakangas
Priority: medium Keywords: haveBacktrace
Version: 5.1.1.1 rc   
Hardware: All   
OS: All   
Whiteboard: target:5.2.0 target:5.1.4
Crash report or crash signature: Regression By:
Attachments: styles.xml for reproducer steps b.

Description domike 2016-02-15 15:50:22 UTC 
1a. Open the attachment "domanda short list 2016 .odt" at http://it.libreofficeforum.org/node/12624#attachments
2a. LO hangs while loading the file. top says it consumes 90% to 100% CPU.

In the linked forum topic, user Carlo81 has reproduced this on LO 5.0.5 + Linux, LO 5.0.4 + Windows 8.1, Windows XP, LO 4.4 on Mac OS X.

He also reports that the file can be opened successfully on Microsoft Office 2007 and Microsoft Office Online.
Comment 1 domike 2016-02-15 15:51:54 UTC 
Created attachment 122665 [details]
styles.xml for reproducer steps b.
Comment 2 domike 2016-02-15 15:52:14 UTC 
It seems the culprit is a portion of styles.xml in the odt archive; I have attached the minimal styles.xml that reproduces the issue, please follow these steps:
1b. Save a new Writer document as test.odt.
2b. Save the attachment styles.xml in the same directory as test.odt.
3b. zip -r test.odt styles.xml
4b. Open test.odt, LO will hang as above.

Reproduced on LO 5.1.1.1 + Linux Mint 17 (downloadarchive.documentfoundation.org) with both procedures, a and b.
Comment 3 domike 2016-02-15 15:55:01 UTC 
gdb was attached to LibreOffice  while it was loading the file (5.1.1.1 from downloadarchive.documentfoundation.org, on Linux Mint 17.2). Here it is the output:

(gdb) info threads
  Id   Target Id         Frame 
  8    Thread 0x7f40aa389700 (LWP 3790) "rtl_cache_wsupd" pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
  7    Thread 0x7f40a5794700 (LWP 3795) "OfficeIPCThread" 0x00007f40b91c61ed in accept () at ../sysdeps/unix/syscall-template.S:81
  6    Thread 0x7f409dbc2700 (LWP 3796) "gdbus" 0x00007f40b91b812d in poll ()
    at ../sysdeps/unix/syscall-template.S:81
  5    Thread 0x7f409cadd700 (LWP 3797) "ICEConnectionWo" 0x00007f40b91b812d in poll () at ../sysdeps/unix/syscall-template.S:81
  4    Thread 0x7f4091da5700 (LWP 3798) "SelectionManage" 0x00007f40b91b812d in poll () at ../sysdeps/unix/syscall-template.S:81
  3    Thread 0x7f40835b6700 (LWP 3802) "WakeUpThread" pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
  2    Thread 0x7f40a5f95700 (LWP 3807) "UpdateCheckThre" pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
* 1    Thread 0x7f40bdf16a40 (LWP 3789) "soffice.bin" 0x00007f40b2274ead in __cxxabiv1::__vmi_class_type_info::__do_dyncast(long, __cxxabiv1::__class_type_info::__sub_kind, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info::__dyncast_result&) const () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
(gdb) bt
#0  0x00007f40b2274ead in __cxxabiv1::__vmi_class_type_info::__do_dyncast(long, __cxxabiv1::__class_type_info::__sub_kind, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info::__dyncast_result&) const ()
   from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#1  0x00007f40b2274d39 in __cxxabiv1::__vmi_class_type_info::__do_dyncast(long, __cxxabiv1::__class_type_info::__sub_kind, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info::__dyncast_result&) const ()
   from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#2  0x00007f40b22721c8 in __dynamic_cast ()
   from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#3  0x00007f4090d37f36 in SwXStyleFamily::_FindStyle(rtl::OUString const&) const () from /opt/libreoffice5.1/program/../program/libswlo.so
#4  0x00007f4090d3ac0f in SwXStyleFamily::getByName(rtl::OUString const&) ()
   from /opt/libreoffice5.1/program/../program/libswlo.so
#5  0x00007f40bc564371 in lcl_HasListStyle(rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::container::XNameContainer> const&, SvXMLImport&, rtl::OUString const&, rtl::OUString const&) ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#6  0x00007f40bc56a329 in XMLTextImportHelper::SetOutlineStyles(bool) ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#7  0x00007f4090e5d129 in SwXMLDocStylesContext_Impl::EndElement() ()
   from /opt/libreoffice5.1/program/../program/libswlo.so
#8  0x00007f40bc37d3b5 in SvXMLImport::endElement(rtl::OUString const&) ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#9  0x00007f4091dbb17e in call_callbackEndElement ()
   from /opt/libreoffice5.1/program/../program/libexpwraplo.so
#10 0x00007f4091dd99ff in doContent (parser=parser@entry=0x3050f20, 
    startTagLevel=startTagLevel@entry=0, enc=<optimized out>, 
    s=<optimized out>, 
    end=0x3090e2c "yle:style style:name=\"WW8Num4z3\" style:display-name=\"WW8Num4z3\" style:family=\"text\"/><style:style style:name=\"WW8Num4z4\" style:display-name=\"WW8Num4z4\" style:family=\"text\"/><style:style style:name=\"WW"..., 
    nextPtr=0x3050f50, haveMore=1 '\001')
    at /home/buildslave/build/workdir/UnpackedTarball/expat/lib/xmlparse.c:2532
#11 0x00007f4091dda34e in contentProcessor (parser=0x3050f20, 
    start=<optimized out>, end=<optimized out>, endPtr=<optimized out>)
    at /home/buildslave/build/workdir/UnpackedTarball/expat/lib/xmlparse.c:2105
#12 0x00007f4091ddc48f in XML_ParseBuffer (parser=0x3050f20, 
    len=<optimized out>, isFinal=0)
    at /home/buildslave/build/workdir/UnpackedTarball/expat/lib/xmlparse.c:1651
#13 0x00007f4091db777a in (anonymous namespace)::SaxExpatParser_Impl::parse()
    () from /opt/libreoffice5.1/program/../program/libexpwraplo.so
#14 0x00007f4091db893f in (anonymous namespace)::SaxExpatParser::parseStream(com::sun::star::xml::sax::InputSource const&) ()
   from /opt/libreoffice5.1/program/../program/libexpwraplo.so
#15 0x00007f4090e44ada in (anonymous namespace)::ReadThroughComponent(com::sun::star::uno::Reference<com::sun::star::embed::XStorage>, com::sun::star::uno::Reference<com::sun::star::lang::XComponent>, char const*, char const*, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext>&, char const*, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&, rtl::OUString const&, bool) () from /opt/libreoffice5.1/program/../program/libswlo.so
#16 0x00007f4090e47610 in XMLReader::Read(SwDoc&, rtl::OUString const&, SwPaM&, rtl::OUString const&) () from /opt/libreoffice5.1/program/../program/libswlo.so
#17 0x00007f4090dab8a5 in SwReader::Read(Reader const&) ()
   from /opt/libreoffice5.1/program/../program/libswlo.so
#18 0x00007f4090ea24c9 in SwDocShell::Load(SfxMedium&) ()
   from /opt/libreoffice5.1/program/../program/libswlo.so
#19 0x00007f40bb1bc34a in SfxObjectShell::LoadOwnFormat(SfxMedium&) ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#20 0x00007f40bb1cb6fd in SfxObjectShell::DoLoad(SfxMedium*) ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#21 0x00007f40bb1f7e1a in SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#22 0x00007f40bb27a032 in (anonymous namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#23 0x00007f40bac24b1c in framework::LoadEnv::impl_loadContent() ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#24 0x00007f40bac2535e in framework::LoadEnv::startLoading() ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#25 0x00007f40babb71b5 in framework::LoadDispatcher::impl_dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) () from /opt/libreoffice5.1/program/libmergedlo.so
#26 0x00007f40babb8068 in framework::LoadDispatcher::dispatchWithReturnValue(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () from /opt/libreoffice5.1/program/libmergedlo.so
#27 0x00007f40b3c19fea in comphelper::SynchronousDispatch::dispatch(com::sun::star::uno::Reference<com::sun::star::uno::XInterface> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () from /opt/libreoffice5.1/program/libcomphelper.so
#28 0x00007f40bb2d3405 in desktop::DispatchWatcher::executeDispatchRequests(std::vector<desktop::DispatchWatcher::DispatchRequest, std::allocator<desktop::DispatchWatcher::DispatchRequest> > const&, bool) ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#29 0x00007f40bb2dd677 in desktop::OfficeIPCThread::ExecuteCmdLineRequests(desktop::ProcessDocumentsRequest&) ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#30 0x00007f40bb2c1de0 in desktop::Desktop::OpenClients() ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#31 0x00007f40bb2c2ae0 in desktop::Desktop::OpenClients_Impl(void*) ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#32 0x00007f40bbfcb469 in ImplWindowFrameProc(vcl::Window*, SalFrame*, unsigned short, void const*) () from /opt/libreoffice5.1/program/libmergedlo.so
#33 0x00007f40bc22a6d8 in SalGenericDisplay::DispatchInternalEvent() ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#34 0x00007f40a8e32209 in GtkData::userEventFn(void*) ()
   from /opt/libreoffice5.1/program/libvclplug_gtklo.so
#35 0x00007f40a8e32281 in call_userEventFn ()
   from /opt/libreoffice5.1/program/libvclplug_gtklo.so
#36 0x00007f40b5be3ce5 in g_main_context_dispatch ()
   from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#37 0x00007f40b5be4048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#38 0x00007f40b5be40ec in g_main_context_iteration ()
   from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#39 0x00007f40a8e3162b in GtkData::Yield(bool, bool) ()
   from /opt/libreoffice5.1/program/libvclplug_gtklo.so
#40 0x00007f40bc1c01f1 in Application::Yield() ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#41 0x00007f40bc1c1d05 in Application::Execute() ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#42 0x00007f40bb2c3d06 in desktop::Desktop::Main() ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#43 0x00007f40bc1c5c09 in ImplSVMain() ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#44 0x00007f40bc1c5c52 in SVMain() ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#45 0x00007f40bb2e1302 in soffice_main ()
   from /opt/libreoffice5.1/program/libmergedlo.so
#46 0x000000000040075b in sal_main ()
    at /home/buildslave/source/libo-core/desktop/source/app/main.c:48
#47 main (argc=<optimized out>, argv=<optimized out>)
    at /home/buildslave/source/libo-core/desktop/source/app/main.c:47
(gdb) finish
Run till exit from #0  0x00007f40b2274ead in __cxxabiv1::__vmi_class_type_info::__do_dyncast(long, __cxxabiv1::__class_type_info::__sub_kind, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info::__dyncast_result&) const ()
   from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
0x00007f40b2274d39 in __cxxabiv1::__vmi_class_type_info::__do_dyncast(long, __cxxabiv1::__class_type_info::__sub_kind, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info::__dyncast_result&) const ()
   from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
(gdb) finish
Run till exit from #0  0x00007f40b2274d39 in __cxxabiv1::__vmi_class_type_info::__do_dyncast(long, __cxxabiv1::__class_type_info::__sub_kind, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info::__dyncast_result&) const ()
   from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
0x00007f40b22721c8 in __dynamic_cast ()
   from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
(gdb) finish
Run till exit from #0  0x00007f40b22721c8 in __dynamic_cast ()
   from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
0x00007f4090d37f36 in SwXStyleFamily::_FindStyle(rtl::OUString const&) const ()
   from /opt/libreoffice5.1/program/../program/libswlo.so
(gdb) finish
Run till exit from #0  0x00007f4090d37f36 in SwXStyleFamily::_FindStyle(rtl::OUString const&) const () from /opt/libreoffice5.1/program/../program/libswlo.so
0x00007f4090d3ac0f in SwXStyleFamily::getByName(rtl::OUString const&) ()
   from /opt/libreoffice5.1/program/../program/libswlo.so
(gdb) finish
Run till exit from #0  0x00007f4090d3ac0f in SwXStyleFamily::getByName(rtl::OUString const&) () from /opt/libreoffice5.1/program/../program/libswlo.so
0x00007f40bc564371 in lcl_HasListStyle(rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::container::XNameContainer> const&, SvXMLImport&, rtl::OUString const&, rtl::OUString const&) ()
   from /opt/libreoffice5.1/program/libmergedlo.so
(gdb) finish
Run till exit from #0  0x00007f40bc564371 in lcl_HasListStyle(rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::container::XNameContainer> const&, SvXMLImport&, rtl::OUString const&, rtl::OUString const&) ()
   from /opt/libreoffice5.1/program/libmergedlo.so
<gdb does not return from this function, LibreOffice is hung with 90% CPU>
Comment 4 Buovjaga 2016-02-17 11:57:48 UTC 
Ok, let's set to NEW as Claudio81 reproduced it.
Comment 5 Commit Notification 2016-05-25 20:08:06 UTC 
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=e954697a9d39e40473fb9f59a791ccb7129e763c

Resolves: tdf#97879 loop in style hierarchy on odt loop

It will be available in 5.2.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 6 Commit Notification 2016-05-30 08:34:09 UTC 
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-1":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=3c4c153f596e3b378a01bdabb78008c02a1d2ff6&h=libreoffice-5-1

Resolves: tdf#97879 loop in style hierarchy on odt loop

It will be available in 5.1.4.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 7 Daniël van Vuuren 2016-06-03 10:35:24 UTC 
Verified fix in:

Version: 5.3.0.0.alpha0+
Build ID: 6b3b352b06d92ef20194b9a992a521af2ef07b48
CPU Threads: 2; OS Version: Linux 4.4; UI Render: default; 
TinderBox: Linux-rpm_deb-x86@71-TDF, Branch:master, Time: 2016-06-03_01:35:48

Version: 5.2.0.0.beta1+
Build ID: b6230835b927e0053687fae6026fa3603600f321
CPU Threads: 2; OS Version: Linux 4.4; UI Render: default; 
TinderBox: Linux-rpm_deb-x86@71-TDF, Branch:libreoffice-5-2, Time: 2016-06-03_02:09:38

Version: 5.1.5.0.0+
Build ID: 1245bead3a68c9495a870f194f3c523b3b78cf87
CPU Threads: 2; OS Version: Linux 4.4; UI Render: default; 
TinderBox: Linux-rpm_deb-x86@71-TDF, Branch:libreoffice-5-1, Time: 2016-06-02_04:43:39