Bug 126138 - -fsanitize=dynamic-type-mismatch in SwTabFrame::FindLastContent (SwTabFrame vs. SwContentFrame) during --convert-to pdf
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version (earliest affected): unspecified
Hardware: All All
Importance: medium normal
Assignee: Michael Stahl (allotropia)
URL:
Whiteboard: target:6.4.0
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-27 15:50 UTC by Stephan Bergmann
Modified: 2019-08-01 09:02 UTC
CC List: 4 users

See Also:
Crash report or crash signature:


Attachments

Description Stephan Bergmann 2019-06-27 15:50:54 UTC
At least on recent master built with UBSan, `--headless --convert-to pdf doc/fdo53816-2.doc` as obtained by bin/get-bugzilla-attachments-by-mimetype (i.e., attachment 65809 at bug 53816 comment 1) fails with

> sw/source/core/layout/tabfrm.cxx:3429:12: runtime error: downcast of address 0x612000459640 which does not point to an object of type 'SwContentFrame'
> 0x612000459640: note: object is of type 'SwTabFrame'
>  43 01 80 13  b0 50 5c b7 a5 7f 00 00  bd 18 00 00 00 00 00 00  0d 18 1b 00 00 00 00 00  40 11 00 00
>               ^~~~~~~~~~~~~~~~~~~~~~~
>               vptr for 'SwTabFrame'
>  #0 in SwTabFrame::FindLastContent() at sw/source/core/layout/tabfrm.cxx:3429:12 (instdir/program/../program/libswlo.so +0xe0a351a)
>  #1 in SwFrame::GetNextLeaf(MakePageType) at sw/source/core/layout/flowfrm.cxx:918:64 (instdir/program/../program/libswlo.so +0xd9d8eb4)
>  #2 in SwFrame::GetLeaf(MakePageType, bool) at sw/source/core/layout/flowfrm.cxx:821:19 (instdir/program/../program/libswlo.so +0xd9d88b8)
>  #3 in SwFlowFrame::MoveBwd(bool&) at sw/source/core/layout/flowfrm.cxx:2363:37 (instdir/program/../program/libswlo.so +0xda0e4c3)
>  #4 in SwTabFrame::MakeAll(OutputDevice*) at sw/source/core/layout/tabfrm.cxx:2086:18 (instdir/program/../program/libswlo.so +0xe07380c)
>  #5 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:364:5 (instdir/program/../program/libswlo.so +0xd8f72fc)
>  #6 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1791:37 (instdir/program/../program/libswlo.so +0xe131abe)
>  #7 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:248:25 (instdir/program/../program/libswlo.so +0xd8f30ac)
>  #8 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1791:37 (instdir/program/../program/libswlo.so +0xe131abe)
>  #9 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:248:25 (instdir/program/../program/libswlo.so +0xd8f30ac)
>  #10 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1791:37 (instdir/program/../program/libswlo.so +0xe131abe)
>  #11 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:248:25 (instdir/program/../program/libswlo.so +0xd8f30ac)
>  #12 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1791:37 (instdir/program/../program/libswlo.so +0xe131abe)
>  #13 in SwTabFrame::MakeAll(OutputDevice*) at sw/source/core/layout/tabfrm.cxx:2579:47 (instdir/program/../program/libswlo.so +0xe081647)
>  #14 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:364:5 (instdir/program/../program/libswlo.so +0xd8f72fc)
>  #15 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1791:37 (instdir/program/../program/libswlo.so +0xe131abe)
>  #16 in lcl_InnerCalcLayout(SwFrame*, long, bool) at sw/source/core/layout/tabfrm.cxx:1583:21 (instdir/program/../program/libswlo.so +0xe05a672)
>  #17 in lcl_InnerCalcLayout(SwFrame*, long, bool) at sw/source/core/layout/tabfrm.cxx:1585:25 (instdir/program/../program/libswlo.so +0xe05aa57)
>  #18 in lcl_InnerCalcLayout(SwFrame*, long, bool) at sw/source/core/layout/tabfrm.cxx:1585:25 (instdir/program/../program/libswlo.so +0xe05aa57)
>  #19 in lcl_RecalcRow(SwRowFrame*, long) at sw/source/core/layout/tabfrm.cxx:1620:16 (instdir/program/../program/libswlo.so +0xe089530)
>  #20 in lcl_RecalcTable(SwTabFrame&, SwLayoutFrame*, SwLayNotify&) at sw/source/core/layout/tabfrm.cxx:1724:9 (instdir/program/../program/libswlo.so +0xe087c61)
>  #21 in SwTabFrame::MakeAll(OutputDevice*) at sw/source/core/layout/tabfrm.cxx:2114:21 (instdir/program/../program/libswlo.so +0xe074a1e)
>  #22 in SwTabFrame::MakeAll(OutputDevice*) at sw/source/core/layout/tabfrm.cxx:2536:42 (instdir/program/../program/libswlo.so +0xe07f7b0)
>  #23 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:364:5 (instdir/program/../program/libswlo.so +0xd8f72fc)
>  #24 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1791:37 (instdir/program/../program/libswlo.so +0xe131abe)
>  #25 in SwLayAction::IsShortCut(SwPageFrame*&) at sw/source/core/layout/layact.cxx:1088:31 (instdir/program/../program/libswlo.so +0xdc501e6)
>  #26 in SwLayAction::InternalAction(OutputDevice*) at sw/source/core/layout/layact.cxx:482:44 (instdir/program/../program/libswlo.so +0xdc3eec0)
>  #27 in SwLayAction::Action(OutputDevice*) at sw/source/core/layout/layact.cxx:349:5 (instdir/program/../program/libswlo.so +0xdc3b6f0)
>  #28 in SwRootFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:2965:17 (instdir/program/../program/libswlo.so +0xde3a4c3)
>  #29 in SwViewShell::PrintOrPDFExport(OutputDevice*, SwPrintData const&, int, bool) at sw/source/core/view/vprint.cxx:542:30 (instdir/program/../program/libswlo.so +0x103bb673)
>  #30 in SwXTextDocument::render(int, com::sun::star::uno::Any const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at sw/source/uibase/uno/unotxdoc.cxx:3051:32 (instdir/program/../program/libswlo.so +0x1277e95a)
>  #31 in PDFExport::ExportSelection(vcl::PDFWriter&, com::sun::star::uno::Reference<com::sun::star::view::XRenderable> const&, com::sun::star::uno::Any const&, StringRangeEnumerator const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>&, int) at filter/source/pdf/pdfexport.cxx:227:34 (instdir/program/../program/libpdffilterlo.so +0x2db226)
>  #32 in PDFExport::Export(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at filter/source/pdf/pdfexport.cxx:939:28 (instdir/program/../program/libpdffilterlo.so +0x2f35d5)
>  #33 in PDFFilter::implExport(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at filter/source/pdf/pdffilter.cxx:155:24 (instdir/program/../program/libpdffilterlo.so +0x33dc9f)
>  #34 in PDFFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at filter/source/pdf/pdffilter.cxx:216:23 (instdir/program/../program/libpdffilterlo.so +0x33eb1f)
>  #35 in SfxObjectShell::ExportTo(SfxMedium&) at sfx2/source/doc/objstor.cxx:2422:25 (instdir/program/libsfxlo.so +0x4ba8653)
>  #36 in SfxObjectShell::SaveTo_Impl(SfxMedium&, SfxItemSet const*) at sfx2/source/doc/objstor.cxx:1513:19 (instdir/program/libsfxlo.so +0x4b986d2)
>  #37 in SfxObjectShell::PreDoSaveAs_Impl(rtl::OUString const&, rtl::OUString const&, SfxItemSet const&) at sfx2/source/doc/objstor.cxx:2828:39 (instdir/program/libsfxlo.so +0x4bc7b1c)
>  #38 in SfxObjectShell::CommonSaveAs_Impl(INetURLObject const&, rtl::OUString const&, SfxItemSet&) at sfx2/source/doc/objstor.cxx:2685:9 (instdir/program/libsfxlo.so +0x4bc15b3)
>  #39 in SfxObjectShell::APISaveAs_Impl(rtl::OUString const&, SfxItemSet&) at sfx2/source/doc/objserv.cxx:330:19 (instdir/program/libsfxlo.so +0x4b37598)
>  #40 in SfxBaseModel::impl_store(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, bool) at sfx2/source/doc/sfxbasemodel.cxx:3026:42 (instdir/program/libsfxlo.so +0x4d242b6)
>  #41 in SfxBaseModel::storeToURL(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at sfx2/source/doc/sfxbasemodel.cxx:1697:13 (instdir/program/libsfxlo.so +0x4d2a9ab)
>  #42 in desktop::DispatchWatcher::executeDispatchRequests(std::__debug::vector<desktop::DispatchWatcher::DispatchRequest, std::allocator<desktop::DispatchWatcher::DispatchRequest> > const&, bool) at desktop/source/app/dispatchwatcher.cxx:655:48 (instdir/program/libsofficeapp.so +0x9060f8)
>  #43 in desktop::RequestHandler::ExecuteCmdLineRequests(desktop::ProcessDocumentsRequest&, bool) at desktop/source/app/officeipcthread.cxx:1360:38 (instdir/program/libsofficeapp.so +0x972cb0)
>  #44 in desktop::Desktop::OpenClients() at desktop/source/app/app.cxx:2148:14 (instdir/program/libsofficeapp.so +0x7e4739)
>  #45 in desktop::Desktop::OpenClients_Impl(void*) at desktop/source/app/app.cxx:1935:9 (instdir/program/libsofficeapp.so +0x7de8c1)
>  #46 in desktop::Desktop::LinkStubOpenClients_Impl(void*, void*) at desktop/source/app/app.cxx:1918:1 (instdir/program/libsofficeapp.so +0x7d9d7a)
>  #47 in Link<void*, void>::Call(void*) const at include/tools/link.hxx:112:45 (instdir/program/libvcllo.so +0x6acdbc1)
>  #48 in ImplHandleUserEvent(ImplSVEvent*) at vcl/source/window/winproc.cxx:1964:30 (instdir/program/libvcllo.so +0x6abb56f)
>  #49 in ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) at vcl/source/window/winproc.cxx:2517:13 (instdir/program/libvcllo.so +0x6aa4645)
>  #50 in SalFrame::CallCallback(SalEvent, void const*) const at vcl/inc/salframe.hxx:299:29 (instdir/program/libvcllo.so +0x9bb7fa8)
>  #51 in SvpSalInstance::ProcessEvent(SalUserEventList::SalUserEvent) at vcl/headless/svpinst.cxx:282:22 (instdir/program/libvcllo.so +0x9c3d8b2)
>  #52 in non-virtual thunk to SvpSalInstance::ProcessEvent(SalUserEventList::SalUserEvent) at vcl/headless/svpinst.cxx (instdir/program/libvcllo.so +0x9c3e2e2)
>  #53 in SalUserEventList::DispatchUserEvents(bool) at vcl/source/app/salusereventlist.cxx:109:17 (instdir/program/libvcllo.so +0x8e746e8)
>  #54 in SvpSalInstance::DoYield(bool, bool) at vcl/headless/svpinst.cxx:427:19 (instdir/program/libvcllo.so +0x9c424f4)
>  #55 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:457:48 (instdir/program/libvcllo.so +0x91af8b3)
>  #56 in Application::Yield() at vcl/source/app/svapp.cxx:521:5 (instdir/program/libvcllo.so +0x91aee37)
>  #57 in Application::Execute() at vcl/source/app/svapp.cxx:438:9 (instdir/program/libvcllo.so +0x91aebac)
>  #58 in desktop::Desktop::Main() at desktop/source/app/app.cxx:1620:17 (instdir/program/libsofficeapp.so +0x7d3700)
>  #59 in ImplSVMain() at vcl/source/app/svmain.cxx:202:35 (instdir/program/libvcllo.so +0x92569bc)
>  #60 in SVMain() at vcl/source/app/svmain.cxx:236:12 (instdir/program/libvcllo.so +0x925ff30)
>  #61 in soffice_main at desktop/source/app/sofficemain.cxx:170:12 (instdir/program/libsofficeapp.so +0x9b47b1)
>  #62 in sal_main at desktop/source/app/main.c:48:15 (instdir/program/soffice.bin +0x323dcc)
>  #63 in main at desktop/source/app/main.c:47:1 (instdir/program/soffice.bin +0x323da6)
>  #64 in __libc_start_main at /usr/src/debug/glibc-2.29-24-g2ec0b166bf/csu/../csu/libc-start.c:308:16 (/lib64/libc.so.6 +0x23f32)
>  #65 in _start at <null> (instdir/program/soffice.bin +0x24e02d)
> 
> SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch sw/source/core/layout/tabfrm.cxx:3429:12 in
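The cast UBSan flagged above, modelled in a minimal stand-alone frame tree as an added example (this is not LibreOffice's code; FrameKind, Frame, LastLowerLeaf, SampleDoc and the two FindLastContent variants are assumptions): when the last cell of a table ends with a nested table rather than content, an unchecked static_cast produces a ContentFrame* to a TabFrame object, which is the dynamic-type-mismatch that -fsanitize=vptr reports; the checked walk tests the frame kind before casting and falls back to earlier siblings when the last subtree holds no content.

```cpp
#include <memory>
#include <vector>

enum class FrameKind { Content, Tab, Row, Cell };
// Minimal stand-in for the Sw* layout frame tree (assumption, not LibreOffice's classes).
struct Frame {
    FrameKind kind;
    std::vector<Frame*> lowers;                   // children in layout order
    explicit Frame(FrameKind k) : kind(k) {}
    virtual ~Frame() = default;                   // polymorphic: has the vptr UBSan checks
    bool IsContentFrame() const { return kind == FrameKind::Content; }
    Frame* GetLastLower() const { return lowers.empty() ? nullptr : lowers.back(); }
};
struct ContentFrame : Frame { ContentFrame() : Frame(FrameKind::Content) {} };
struct TabFrame     : Frame { TabFrame()     : Frame(FrameKind::Tab) {} };
// Bug pattern: follow the last-lower chain from a table and assume the leaf is content.
// Kept separate from the cast so the leaf can be inspected without triggering UB.
Frame* LastLowerLeaf(TabFrame* tab) {
    Frame* f = tab;
    while (f->GetLastLower()) f = f->GetLastLower();
    return f;
}
// If the last cell ends with a nested TabFrame, this yields a ContentFrame* to a TabFrame
// object: the dynamic-type-mismatch UBSan reported. Shown for contrast; never call it.
ContentFrame* FindLastContentUnchecked(TabFrame* tab) {
    return static_cast<ContentFrame*>(LastLowerLeaf(tab));
}

// Hardened: search from the back, cast only after checking the kind, and fall back to
// earlier siblings when a subtree (e.g. an empty nested table) holds no content.
ContentFrame* FindLastContentChecked(Frame* root) {
    if (root->IsContentFrame()) return static_cast<ContentFrame*>(root);
    for (auto it = root->lowers.rbegin(); it != root->lowers.rend(); ++it)
        if (ContentFrame* c = FindLastContentChecked(*it)) return c;
    return nullptr;                               // table with no content at all
}

// Constructed sample: Tab > Row > [Cell > Content A], [Cell > Content B, empty nested Tab].
struct SampleDoc {
    std::vector<std::unique_ptr<Frame>> arena;    // owns every frame
    TabFrame* outer; ContentFrame* a; ContentFrame* b; TabFrame* nested;
    template <class T> T* add(T* f, Frame* parent) {
        arena.emplace_back(f); if (parent) parent->lowers.push_back(f); return f;
    }
    SampleDoc() : outer(add(new TabFrame, nullptr)) {
        Frame* row = add(new Frame(FrameKind::Row), outer);
        Frame* c1 = add(new Frame(FrameKind::Cell), row), *c2 = add(new Frame(FrameKind::Cell), row);
        a = add(new ContentFrame, c1); b = add(new ContentFrame, c2); nested = add(new TabFrame, c2);
    }
};
```

Building with `-fsanitize=undefined` (which includes the vptr check) and calling FindLastContentUnchecked on SampleDoc would reproduce a report of the same shape as the one above; the checked variant returns Content B instead.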
Comment 1 Stephan Bergmann 2019-07-23 11:58:49 UTC
(In reply to Stephan Bergmann from comment #0)
> At least on recent master built with UBSan, `--headless --convert-to pdf
> doc/fdo53816-2.doc` as obtained by bin/get-bugzilla-attachments-by-mimetype
> (i.e., attachment 65809 at bug 53816 comment 1) fails with

Same issue with doc/fdo70612-1.doc (i.e., attachment 87816 at bug 70612 comment 0).
Comment 2 Xisco Faulí 2019-07-31 10:58:25 UTC
Moving to NEW
@Stephan, do you plan to work on this issue?
Comment 3 Stephan Bergmann 2019-07-31 11:04:22 UTC
(In reply to Xisco Faulí from comment #2)
> @Stephan, do you plan to work on this issue?

no
Comment 4 Xisco Faulí 2019-07-31 11:20:32 UTC
Hi Michael,
I'm wondering if it's related to your fixes for bug 124677.
Comment 5 Commit Notification 2019-08-01 09:02:10 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/+/b93216e8253c984a3ce36a9fc55516aa85f98d5f%5E%21

tdf#126138 sw: invalid static_cast in SwTabFrame::FindLastContent()

It will be available in 6.4.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 6 Commit Notification 2019-08-01 09:02:17 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/+/49a32d5567a07ce0deb901a491a9cedb3cd3bbfc%5E%21

tdf#126138 sw: disambiguate SwTabFrame::FindLastContent()

It will be available in 6.4.0.
Comment 7 Michael Stahl (allotropia) 2019-08-01 09:02:47 UTC
fixed on master