Description: Crash when moving images around in a multipage table Steps to Reproduce: 1. Open the attached file 2. Start moving images at the bottom of the document It does crash once in a while, but not always because lack of exact steps Actual Results: Crashes eventually (or loops) Expected Results: No crash Reproducible: Always User Profile Reset: No Additional Info: Version: 7.6.0.0.alpha0+ (X86_64) / LibreOffice Community Build ID: c4a58634753a84b09f20f7271d6525a6656522d3 CPU threads: 4; OS: Windows 6.3 Build 9600; UI render: Skia/Raster; VCL: win Locale: nl-NL (nl_NL); UI: en-US Calc: CL threaded
Created attachment 186728 [details] Screencast
Created attachment 186729 [details] Sample
Created attachment 186730 [details] BT without symbols
Created attachment 186843 [details] GDB trace of crash from debug build It took some time, but I was able to make it crash by moving the images Arch Linux 64-bit, X11 Version: 7.6.0.0.alpha0+ (X86_64) / LibreOffice Community Build ID: 0293724d05953be608287629ed6178a7c05383a6 CPU threads: 8; OS: Linux 6.2; UI render: default; VCL: kf5 (cairo+xcb) Locale: fi-FI (fi_FI.UTF-8); UI: en-US Calc: threaded Built on 21 April 2023
Was also able to repro on Win10 64-bit: Version: 7.3.2.2 (x64) / LibreOffice Community Build ID: 49f2b1bff42cfccbd8f788c8dc32c1c309559be0 CPU threads: 4; OS: Windows 10.0 Build 19045; UI render: Skia/Raster; VCL: win Locale: en-US (en_US); UI: en-US Calc: threaded
I have reliable set of repro steps to make it crash, so I tried to bibisect it, but it crashes even in 3.3, so not a regression. Updated version.
Fix is tracked in: https://gerrit.libreoffice.org/c/core/+/162151
After several try, repro: Version: 7.3.7.2 / LibreOffice Community Build ID: 30(Build:2) CPU threads: 12; OS: Linux 6.2; UI render: default; VCL: gtk3 Locale: it-IT (it_IT.UTF-8); UI: it-IT Ubuntu package version: 1:7.3.7-0ubuntu0.22.04.4 Calc: threaded
(In reply to Luigi Gorgone from comment #8) > After several try, repro: > Version: 7.3.7.2 / LibreOffice Community > Build ID: 30(Build:2) > CPU threads: 12; OS: Linux 6.2; UI render: default; VCL: gtk3 > Locale: it-IT (it_IT.UTF-8); UI: it-IT > Ubuntu package version: 1:7.3.7-0ubuntu0.22.04.4 > Calc: threaded Do you mean you were able to repro with my patch applied, or just on your install of 7.3.7.2? This bug repros on all versions from 3.3 to 24.8, but shouldn't with the patch.
(In reply to Matt K from comment #9) > (In reply to Luigi Gorgone from comment #8) > > After several try, repro: > > Version: 7.3.7.2 / LibreOffice Community > > Build ID: 30(Build:2) > > CPU threads: 12; OS: Linux 6.2; UI render: default; VCL: gtk3 > > Locale: it-IT (it_IT.UTF-8); UI: it-IT > > Ubuntu package version: 1:7.3.7-0ubuntu0.22.04.4 > > Calc: threaded > > Do you mean you were able to repro with my patch applied, or just on your > install of 7.3.7.2? This bug repros on all versions from 3.3 to 24.8, but > shouldn't with the patch. Let's ping Luigi.
Matt K committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/4eaa50802d724b8744218c8993364fe7b6f03eaa tdf#154863 Fix crashes when moving images in a large document It will be available in 24.8.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
As a unit test is being researched, maybe this helps: If I select Image29 in attachment 186729 [details] and hit up arrow 8 times, it hangs in a build without the fix.
Created attachment 192273 [details] Easy crash sample (move Image26) Simply move Image26 (several Vases on page 27) into the text section above it and it will crash. I'm able to crash it also via the following Basic Macro: Sub MoveImg Dim oImg as Object Doc = ThisComponent DrawPage = Doc.DrawPage For i = 0 To DrawPage.Count - 1 oImg = DrawPage.getByIndex(i) If oImg.Name = "Image26" Then oImg.VertOrient = 0 oImg.VertOrientPosition = 3000 End If Next i End Sub Sub Main MoveImg() End Sub But, I cannot seem to crash it with the following CppUnit code: createSwDoc("img-move-crash.docx"); uno::Reference<drawing::XShape> xShape(getShapeByName(u"Image26"), uno::UNO_QUERY); uno::Reference<beans::XPropertySet> xShapeProps(xShape, uno::UNO_QUERY); xShapeProps->setPropertyValue("VertOrient", uno::Any(static_cast<sal_Int32>(0))); xShapeProps->setPropertyValue("VertOrientPosition", uno::Any(static_cast<sal_Int32>(3000))); CPPUNIT_ASSERT(true); Any ideas why it won't crash in CppUnit?
(In reply to Matt K from comment #13) Note that there's also CppunitTest_sw_macros_test; so testing using Basic code is an option.
(In reply to Mike Kaganski from comment #14) > (In reply to Matt K from comment #13) > > Note that there's also CppunitTest_sw_macros_test; so testing using Basic > code is an option. I tried to write a macro test but macros do not save in .docx files and I can't repro the crash when I save the file as .odt. I also tried .docm format and it doesn't save macros there either. Is there a way to save the macro in .docx format?
(In reply to Matt K from comment #13) > But, I cannot seem to crash it with the following CppUnit code: > > createSwDoc("img-move-crash.docx"); > uno::Reference<drawing::XShape> xShape(getShapeByName(u"Image26"), > uno::UNO_QUERY); > uno::Reference<beans::XPropertySet> xShapeProps(xShape, uno::UNO_QUERY); > xShapeProps->setPropertyValue("VertOrient", > uno::Any(static_cast<sal_Int32>(0))); > xShapeProps->setPropertyValue("VertOrientPosition", > uno::Any(static_cast<sal_Int32>(3000))); > CPPUNIT_ASSERT(true); > > Any ideas why it won't crash in CppUnit? This roughly looks OK to me, I can't spot an obvious problem. Just guessing, one idea: is it possible that when you run the macro, the crash is not while running the macro, but rather in an idle handler that reacts to the changed model? And in that case cppunit would not instantly crash, since idles are not yet processed? If so, try calling Scheduler::ProcessEventsToIdle() or IdleTask::waitUntilIdleDispatched(), does that make any difference?
Created attachment 192297 [details] Modified sample from comment 13, with the macro provided there, in DOCM format
(In reply to Mike Kaganski from comment #17) > Created attachment 192297 [details] > Modified sample from comment 13, with the macro provided there, in DOCM > format I can't get the crash to repro in that file :(
(In reply to Matt K from comment #18) > I can't get the crash to repro in that file :( It crashed 24.2.0.3 reliably for me...
(In reply to Miklos Vajna from comment #16) > And in that case cppunit would not instantly crash, since idles are not yet > processed? > > If so, try calling Scheduler::ProcessEventsToIdle() or > IdleTask::waitUntilIdleDispatched(), does that make any difference? Yes, that made the difference! New unit test patch available at https://gerrit.libreoffice.org/c/core/+/162857.
(In reply to Mike Kaganski from comment #19) > (In reply to Matt K from comment #18) > > I can't get the crash to repro in that file :( > > It crashed 24.2.0.3 reliably for me... Also, thanks to Mike for the document. I was able to repro after realizing I was testing with the fix in place and reverted it.
Matt K committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/16d46e25e03cd506576ac3dcb6be56270b47b4a6 tdf#154863 Add unit test to cover crash on image move It will be available in 24.8.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Xisco Fauli committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/332faa63407305852f5044e4bbc41302ccfe46cd Revert "tdf#154863 Add unit test to cover crash on image move" It will be available in 24.8.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Matt, this could be closed as fixed, correct?
(In reply to Stéphane Guillou (stragu) from comment #24) > Matt, this could be closed as fixed, correct? No, we're still trying to eliminate ASAN errors exposed by the unit test, see: https://gerrit.libreoffice.org/c/core/+/162940
Matt K committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/1b5010bfb745a3a7f0e596b237ab70694484fc33 tdf#154863 Add unit test to cover crash on image move It will be available in 24.8.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Now this should be fixed.
Great, thanks Matt! Couldn't crash it with attachment 192273 [details] from comment 13 and: Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community Build ID: 53c5d570cab036b23f4969b858a648c8f0c24f93 CPU threads: 8; OS: Linux 6.5; UI render: default; VCL: gtk3 Locale: en-AU (en_AU.UTF-8); UI: en-US Calc: CL threaded