This bug was filed from the crash reporting server and is br-b9a5deef-9bb7-4c21-adeb-6ac1c41c5ae5. ========================================= Open an .docx file. The file contains private data, so I can't upload it.
Regarding to https://bugs.documentfoundation.org/show_bug.cgi?id=130775# crashes started with LO 6.2. Is it possible for you, to check with LO 6.1?
Yes, 6.1.6.3 can open it without an crash.
(In reply to frank.buettner from comment #2) > Yes, 6.1.6.3 can open it without an crash. Thanks for checking Closing as RESOLVED WORKSFORME
(In reply to Xisco Faulí from comment #3) > (In reply to frank.buettner from comment #2) > > Yes, 6.1.6.3 can open it without an crash. > > Thanks for checking > Closing as RESOLVED WORKSFORME Xisco, I don't understand, why you closed the report. If there is no crash in LO 6.1 and it crashes in 6.4 it is a bug with a regression, isn't it? => UNCONFIRMED
ooh, my bad, I misread the commets... @Frank, would it be possible to privately send the document to me by email? I would only use it to investigate this issue without sharing it with a third party...
Hi Xisco, yes I can do this. But I need your S/MIME certificate or your gpg key for encryption.
Created attachment 158783 [details] minimized document
Regression introduced by: https://cgit.freedesktop.org/libreoffice/core/commit/?id=6f9f9491bdef676f969898bd653db9905d14f5e8 author Miklos Vajna <vmiklos@collabora.co.uk> 2017-07-11 09:04:23 +0200 committer Miklos Vajna <vmiklos@collabora.co.uk> 2017-07-11 14:10:13 +0200 commit 6f9f9491bdef676f969898bd653db9905d14f5e8 (patch) tree b0962fbec2172518069362c6332ac06d53f16d3f parent 2a22696546ace75c38a72ad13f7383aedd00e06a (diff) tdf#106132 DOCX import: fix handling of nested textbox margins Bisected with: bibisect-linux64-6.0 Adding Cc: to Miklos Vajna
I looked at this, but then ran out of time, so I'm just dumping my notes here, so in case I get back to this in the future or somebody else takes a look it's not necessary to start from scratch. The direct problem is that SwTextAdjuster::CalcRightMargin() works on a list of portions, we set pLast to a value, then call CalcFlyPortion(), then we continue using pLast. But this is not safe, because pLast may be deleted while CalcFlyPortion() is called. Here is how the delete happens: #0 SwLinePortion::~SwLinePortion (this=0x6040007b4950) at sw/source/core/text/porlin.cxx:57 #1 0x00007fff55977768 in SwTextPortion::~SwTextPortion (this=0x6040007b4950) at sw/source/core/text/portxt.hxx:27 #2 0x00007fff55d4e445 in SwTextPortion::~SwTextPortion (this=0x6040007b4950) at sw/source/core/text/portxt.hxx:27 #3 0x00007fff55c90648 in SwLinePortion::Truncate_ (this=0x61800003b080) at sw/source/core/text/porlin.cxx:165 #4 0x00007fff5591e6f2 in SwLinePortion::Truncate (this=0x61800003b080) at sw/source/core/text/porlin.hxx:199 #5 0x00007fff55b97f97 in SwLineLayout::~SwLineLayout (this=0x61800003b080) at sw/source/core/text/porlay.cxx:201 #6 0x00007fff55bd2013 in SwParaPortion::~SwParaPortion (this=0x61800003b080) at sw/source/core/text/porlay.cxx:2376 #7 0x00007fff55bd2075 in SwParaPortion::~SwParaPortion (this=0x61800003b080) at sw/source/core/text/porlay.cxx:2375 #8 0x00007fff55db3492 in std::default_delete<SwParaPortion>::operator() (this=0x6040012bafb8, __ptr=0x61800003b080) at /home/vmiklos/git/libreoffice/lode/opt_private/gcc-7.3.0/lib64/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:78 #9 0x00007fff55db29fa in std::unique_ptr<SwParaPortion, std::default_delete<SwParaPortion> >::reset (this=0x6040012bafb8, __p=0x61800003b080) at /home/vmiklos/git/libreoffice/lode/opt_private/gcc-7.3.0/lib64/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:376 #10 0x00007fff55db0fb1 in SwTextLine::SetPara (this=0x6040012baf90, pNew=0x0, bDelete=true) at sw/source/core/text/txtcache.hxx:45 #11 0x00007fff55daf0fc in SwTextFrame::ClearPara (this=0x61200040a140) at sw/source/core/text/txtcache.cxx:112 #12 0x00007fff55e5eacc in SwTextFrame::Init (this=0x61200040a140) at sw/source/core/text/txtfrm.cxx:753 #13 0x00007fff55eafc8a in SwTextFrame::Prepare (this=0x61200040a140, ePrep=PrepareHint::FlyFrameArrive, pVoid=0x7fff8345f820, bNotify=true) at sw/source/core/text/txtfrm.cxx:3071 #14 0x00007fff54e6102c in lcl_NotifyContent (pThis=0x615000644900, pCnt=0x61200040a140, rRect=SwRect = {...}, eHint=PrepareHint::FlyFrameArrive) at sw/source/core/layout/frmtool.cxx:3146 #15 0x00007fff54e59757 in Notify_Background (pObj=0x615000644900, pPage=0x612000405640, rRect=SwRect = {...}, eHint=PrepareHint::FlyFrameArrive, bInva=true) at sw/source/core/layout/frmtool.cxx:3224 #16 0x00007fff541560d6 in lcl_NotifyBackgroundOfObj (_rDrawContact=..., _rObj=..., _pOldObjRect=0x0) at sw/source/core/draw/dcontact.cxx:937 #17 0x00007fff5415ff07 in SwDrawContact::SwClientNotify (this=0x6130001cf700, rMod=..., rHint=...) at sw/source/core/draw/dcontact.cxx:1437 #18 0x00007fff522392c6 in SwModify::CallSwClientNotify (this=0x6130001cf380, rHint=...) at sw/source/core/attr/calbck.cxx:373 #19 0x00007fff522395c6 in sw::BroadcastingModify::CallSwClientNotify (this=0x6130001cf380, rHint=...) at sw/source/core/attr/calbck.cxx:378 #20 0x00007fff52240408 in SwModify::ModifyBroadcast (this=0x6130001cf380, pOldValue=0x7fff8365bb00, pNewValue=0x7fff8365bb40) at sw/inc/calbck.hxx:199 #21 0x00007fff52236818 in SwModify::NotifyClients (this=0x6130001cf380, pOldValue=0x7fff8365bb00, pNewValue=0x7fff8365bb40) at sw/source/core/attr/calbck.cxx:201 #22 0x00007fff5227d9fb in SwFormat::Modify (this=0x6130001cf380, pOldValue=0x7fff8365bb00, pNewValue=0x7fff8365bb40) at sw/source/core/attr/format.cxx:322 #23 0x00007fff54b6ceb2 in SwFrameFormat::Modify (this=0x6130001cf380, pOld=0x7fff8365bb00, pNew=0x7fff8365bb40) at sw/source/core/layout/atrfrm.cxx:2581 #24 0x00007fff52244154 in SwClient::ModifyNotification (this=0x6130001cf380, pOldValue=0x7fff8365bb00, pNewValue=0x7fff8365bb40) at sw/inc/calbck.hxx:154 #25 0x00007fff52289492 in SwFormat::SetFormatAttr (this=0x6130001cf380, rSet=SfxItemSet of pool 0x603001241f80 with parent 0x0 and Which ranges: [(88, 130), (151, 151), (1014, 1033)] = {...}) at sw/source/core/attr/format.cxx:643 #26 0x00007fff52e04653 in lcl_SetFlyFrameAttr (rDoc=..., pSetFlyFrameAnchor= (sal_Int8 (SwDoc::*)(SwDoc * const, SwFrameFormat &, SfxItemSet &, bool)) 0x7fff52df8f40 <SwDoc::SetFlyFrameAnchor(SwFrameFormat&, SfxItemSet&, bool)>, rFlyFormat=..., rSet=SfxItemSet of pool 0x603001241f80 with parent 0x0 and Which ranges: [(102, 103)] = {...}) at sw/source/core/doc/docfly.cxx:476 #27 0x00007fff52e027f8 in SwDoc::SetFlyFrameAttr (this=0x61900016ee80, rFlyFormat=..., rSet=SfxItemSet of pool 0x603001241f80 with parent 0x0 and Which ranges: [(102, 103)] = {...}) at sw/source/core/doc/docfly.cxx:554 #28 0x00007fff54154b92 in SwDrawContact::Changed_ (this=0x6130001cf700, rObj=..., eType=SdrUserCallType::Resize, pOldBoundRect=0x7fff833415a0) at sw/source/core/draw/dcontact.cxx:1286 #29 0x00007fff5414eb9e in SwDrawContact::Changed (this=0x6130001cf700, rObj=..., eType=SdrUserCallType::Resize, rOldBoundRect=...) at sw/source/core/draw/dcontact.cxx:987 #30 0x00007fffd3fe2cd5 in SdrObject::SendUserCall (this=0x615000644900, eUserCall=SdrUserCallType::Resize, rBoundRect=...) at svx/source/svdraw/svdobj.cxx:2654 #31 0x00007fffd400564f in SdrObject::Resize (this=0x615000644900, rRef=Point = {...}, xFact=..., yFact=..., bUnsetRelative=false) at svx/source/svdraw/svdobj.cxx:1497 #32 0x00007fff54ae93de in SwAnchoredDrawObject::GetObjBoundRect (this=0x6130001cf730) at sw/source/core/layout/anchoreddrawobject.cxx:663 #33 0x00007fff54aff458 in SwAnchoredObject::GetObjRectWithSpaces (this=0x6130001cf730) at sw/source/core/layout/anchoredobject.cxx:573 #34 0x00007fff55e0f961 in SwTextFly::InitAnchoredObjList (this=0x7fff8360a620) at sw/source/core/text/txtfly.cxx:892 #35 0x00007fff55e22599 in SwTextFly::GetAnchoredObjList (this=0x7fff8360a620) at sw/source/core/inc/txtfly.hxx:305 #36 0x00007fff55dfd177 in SwTextFly::ForEach (this=0x7fff8360a620, rRect=SwRect = {...}, pRect=0x7fff8360a6d0, bAvoid=true) at sw/source/core/text/txtfly.cxx:1015 #37 0x00007fff55dfc4cb in SwTextFly::GetFrame_ (this=0x7fff8360a620, rRect=SwRect = {...}) at sw/source/core/text/txtfly.cxx:379 #38 0x00007fff559ede27 in SwTextFly::GetFrame (this=0x7fff8360a620, rRect=SwRect = {...}) at sw/source/core/inc/txtfly.hxx:358 #39 0x00007fff559e571a in SwTextAdjuster::CalcFlyPortion (this=0x7fff8383f280, nRealWidth=9383, rCurrRect=SwRect = {...}) at sw/source/core/text/itradj.cxx:703 #40 0x00007fff559db798 in SwTextAdjuster::CalcRightMargin (this=0x7fff8383f280, pCurrent=0x61800003b080, nReal=0) at sw/source/core/text/itradj.cxx:550 The invariant is that the layout calculation only reads the doc model, does not mutate it, so the above pLast usage is safe. But then this is violated in SwAnchoredDrawObject::GetObjBoundRect(), which calls a Resize(). I think that's the root cause. But it's not trivial to decide how to fix that: if we call NbcResize() to avoid the broadcase, it's not clear what would break. If we do broadcast, then the caller code is clearly not prepared for that. This root problem was introduced in core.git commit d4474dd0411d7de29ce42e181c97cbf032bf57ea (sw: implement page-relative size for drawing objects and import them from docx, 2012-09-26). I.e. it's not a recent regression, rather an implementation error in the "shapes with relative sizes" feature. Adjusting keywords accordingly. (Debug builds typically don't crash, but optimized builds so, and it's reliably happens in sanitizer builds.)
No crash Version: 7.2.0.0.alpha1+ (x64) / LibreOffice Community Build ID: 239b4bb27fd8db26e8416045b3015688a8b1b0ae CPU threads: 4; OS: Windows 6.3 Build 9600; UI render: Skia/Raster; VCL: win Locale: nl-NL (nl_NL); UI: en-US Calc: CL
Issue fixed by author Tibor Nagy <nagy.tibor2@nisz.hu> 2020-07-09 09:54:15 +0200 committer László Németh <nemeth@numbertext.org> 2020-07-15 16:22:38 +0200 commit ee6cd34eb3a2bd1f1340063ee4b90a72ff0c9532 (patch) tree 218888235b4bbf7f3b32fd1edd3d018ae33c0eeb parent ac90bb44f53e099bd8743662b20d0e5ae1752fa2 (diff) tdf#123621 sw: fix textbox position according to DOCX