Bug 160906 - Crash when changing formatting (e.g. font) inside Text Box Form Control
Summary: Crash when changing formatting (e.g. font) inside Text Box Form Control
Status: VERIFIED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version (earliest affected): 24.2.0.0 alpha0+
Hardware: x86-64 (AMD64) All
Importance: medium critical
Assignee: Armin Le Grand (allotropia)
URL:
Whiteboard: target:24.8.0 target:24.2.4
Keywords: bibisected, bisected, haveBacktrace, regression
Depends on:
Blocks: Form-Controls Crash
Reported: 2024-05-02 11:34 UTC by Stéphane Guillou (stragu)
Modified: 2024-05-15 22:43 UTC

See Also:
Crash report or crash signature: ["SfxEnumItem<FontWeight>::operator==(SfxPoolItem const &)","SfxEnumItem<FontItalic>::operator==(SfxPoolItem const &)","libmergedlo.so","mergedlo.dll"]


Attachments
bt with debug symbols (6.13 KB, text/plain)
2024-05-02 13:41 UTC, Julien Nabet
Description Stéphane Guillou (stragu) 2024-05-02 11:34:15 UTC
Steps:
1. Open attachment 132471 [details]
2. Click in large text box control in section 1
3. Write "test"
4. Select the word
5. Change font to Alef

Result: crash.
The above is for Linux, but I needed different steps for Windows: for example, simply clicking Bold or Italic without writing anything was enough.
- Windows, 24.2.2, with signature "SfxEnumItem<FontWeight>::operator==(SfxPoolItem const &)": https://crashreport.libreoffice.org/stats/crash_details/fc31a1fb-5290-4203-bf7c-c19e7848b062
- Windows, 24.2.2, with signature "SfxEnumItem<FontItalic>::operator==(SfxPoolItem const &)" when applying Italic: https://crashreport.libreoffice.org/stats/crash_details/26cc71f2-2080-4a43-95e7-c5e246ad650f
- Windows, 24.2.2, with signature "mergedlo.dll": https://crashreport.libreoffice.org/stats/crash_details/b826a5f4-55b0-4608-967c-6ed8aa60cb94
- Linux, 24.2.2, with signature "libmergedlo.so": https://crashreport.libreoffice.org/stats/crash_details/4bd180a3-32b1-4b68-a2a7-53ba1def5746

No repro in 7.6.6 -> regression.

Bibisected with linux-64-24.2 repo to first bad build [1b7cb4eeeef9b131220865ad098d3c8e1bc53cdb] which points to:

commit ab7c81f55621d7b0d1468c63305163016dd78837
author	Armin Le Grand (allotropia) 	Wed Oct 04 15:42:27 2023 +0200
committer	Armin Le Grand 	Tue Nov 07 18:07:13 2023 +0100
ITEM: Get away from classic 'poolable' Item flag
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/157559

Armin, can you please have a look?
Comment 1 Stéphane Guillou (stragu) 2024-05-02 11:35:20 UTC
(
still reproduced in recent trunk build, of course:

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: ce454f382d0d005dd3de021c7820be3ffa0bb582
CPU threads: 8; OS: Linux 6.5; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: CL threaded
)
Comment 2 Julien Nabet 2024-05-02 13:41:25 UTC
Created attachment 193940 [details]
bt with debug symbols

On pc Debian x86-64 with master sources updated today, I could reproduce this.
Comment 3 Armin Le Grand (allotropia) 2024-05-07 11:37:00 UTC
Taking a look...
Comment 4 Armin Le Grand (allotropia) 2024-05-07 11:39:44 UTC
Yes, typical use of deleted Item: In OParametrizedAttributeDispatcher::convertDispatchArgsToItem a SfxPoolItem* is returned. It gets fetched from a local temporary SfxAllItemSet aParameterSet. Of course when the ItemSet gets destroyed, the Item gets destroyed -> a deleted Item is returned.
For those cases we nowadays have SfxPoolItemHolder, so have to change it to use that...
Comment 5 Armin Le Grand (allotropia) 2024-05-07 12:03:26 UTC
Added https://gerrit.libreoffice.org/c/core/+/167274
Comment 6 Armin Le Grand (allotropia) 2024-05-07 12:06:57 UTC
NOTE: I checked forms/source/richtext/parametrizedattributedispatcher.cxx and OParametrizedAttributeDispatcher::convertDispatchArgsToItem, but it was always done that way -> former versions just 'survived' working with that deleted Item as it seems...
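The lifetime problem described in comments 4 and 6, as an added example that is not part of the bug report and not LibreOffice code: a function returns a raw pointer to an item owned by a local set, next to a variant that returns an owning holder. `Item`, `ItemSet`, `ItemHolder` and both function names are hypothetical stand-ins; the model's holder keeps a copy, which is an assumption about the general idea, not a description of how SfxPoolItemHolder is implemented.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

static int g_liveItems = 0;   // number of Items constructed and not yet destroyed

struct Item {                 // hypothetical stand-in for a pool item
    std::string value;
    explicit Item(std::string v) : value(std::move(v)) { ++g_liveItems; }
    Item(const Item& o) : value(o.value) { ++g_liveItems; }
    ~Item() { --g_liveItems; }
};

// Stand-in for the item set: owns its items and destroys them with itself.
class ItemSet {
    std::vector<std::unique_ptr<Item>> items_;
public:
    const Item* put(std::string v) {
        items_.push_back(std::make_unique<Item>(std::move(v)));
        return items_.back().get();
    }
};

// Stand-in for a holder: keeps its own owning reference to a copy of the item.
class ItemHolder {
    std::shared_ptr<const Item> item_;
public:
    ItemHolder() = default;
    explicit ItemHolder(const Item& src) : item_(std::make_shared<Item>(src)) {}
    const Item* get() const { return item_.get(); }
};

// Before: the pointer refers into a local set; the set and the Item die at return.
const Item* convertArgsToItemDangling(const std::string& font) {
    ItemSet parameterSet;
    return parameterSet.put(font);   // dangling as soon as the caller receives it
}

// After: the holder takes its copy before the local set is destroyed.
ItemHolder convertArgsToItemHeld(const std::string& font) {
    ItemSet parameterSet;
    return ItemHolder(*parameterSet.put(font));
}

int main() {
    convertArgsToItemDangling("Alef");   // returned pointer must not be dereferenced
    ItemHolder held = convertArgsToItemHeld("Alef");
    return (g_liveItems == 1 && held.get()->value == "Alef") ? 0 : 1;
}
```

Building the real code with AddressSanitizer turns the "survived" case from comment 6 into a deterministic heap-use-after-free report at the first read of the returned item.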
Comment 7 Commit Notification 2024-05-08 18:50:27 UTC
Armin Le Grand (allotropia) committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/24d78fcb5399b2c783ab7908263a1b54bb687a22

tdf#160906 use SfxPoolItemHolder

It will be available in 24.8.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 8 Stéphane Guillou (stragu) 2024-05-10 23:56:31 UTC
Verified in:

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: ad1f0bdeac30fca1dc56a08803ef23f2aca4db05
CPU threads: 8; OS: Linux 6.5; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: CL threaded

Thanks Armin!
Comment 9 Commit Notification 2024-05-15 22:43:26 UTC
Armin Le Grand (allotropia) committed a patch related to this issue.
It has been pushed to "libreoffice-24-2":

https://git.libreoffice.org/core/commit/01bdb97829d103d06175fb50746ddeefddbaa3b3

tdf#160906 use SfxPoolItemHolder

It will be available in 24.2.4.