Bug 37974 - crash when inserting footpage notes
Status: CLOSED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version: 3.4.0 release (earliest affected)
Hardware: x86 (IA32) Windows (All)
: medium normal
Assignee: Caolán McNamara
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-06 01:43 UTC by ribotb
Modified: 2011-08-02 04:21 UTC

See Also:
Crash report or crash signature:


Attachments
Word document and LibO model in a zip file (22.09 KB, application/zip)
2011-06-06 01:43 UTC, ribotb
speculative fix (1.08 KB, patch)
2011-06-09 04:39 UTC, Caolán McNamara

Description ribotb 2011-06-06 01:43:59 UTC
Created attachment 47588
Word document and LibO model in a zip file

I want to convert to ODF format a Word document containing footpage notes.
I proceed as follows:
- opening the file doc
- Opening a new document from a template ott
- Ctrl + A then Ctrl + C in the file doc
- Ctrl + V in the file "no name 1" after a page break
- registration in odt format
- deleting and recreating one by one footpage notes:
  + selecting the text of the note and then ctrl + C
  + deleting note by deleting the note call
  + creating a new note in the same location
  Insert> Footpage note
  + choosing automatic numbering notes
Click OK > crash

Crash also occurs with the choice: character, instead of numbering.

Testing with a new profile: crash occurs earlier, when deleting note by deleting the note call.

No problem with LibO332 under Windows XP SP3 and Windows 7 SP1. Problem occurs with LibO340.
Comment 1 Andras Timar 2011-06-07 00:58:35 UTC
It crashes only on Windows.
Comment 2 Don't use this account, use tml@iki.fi 2011-06-07 06:49:03 UTC
Backtrace at crash:

 	swmi.dll!std::_Vector_const_iterator<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > >::_Vector_const_iterator<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > >(boost::shared_ptr<sw::mark::IMark> * _Ptr=0x12326f10, const std::_Container_base_aux * _Pvector=0x1226d2d4)  Line 79	C++
 	swmi.dll!std::_Vector_iterator<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > >::_Vector_iterator<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > >(boost::shared_ptr<sw::mark::IMark> * _Ptr=0x12326f10, const std::_Container_base_aux * _Pvector=0x1226d2d4)  Line 328	C++
 	swmi.dll!std::vector<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > >::_Make_iter(std::_Vector_const_iterator<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > > _Where={px=0x12327400 pn={...} })  Line 661 + 0x10 bytes	C++
 	swmi.dll!std::vector<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > >::erase(std::_Vector_const_iterator<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > > _Where={px=0x12327400 pn={...} })  Line 1022 + 0x14 bytes	C++
>	swmi.dll!sw::mark::MarkManager::deleteMark(std::_Vector_const_iterator<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > > ppMark={px=0x12327400 pn={...} })  Line 720	C++
 	swmi.dll!SwUndoSaveCntnt::DelCntntIndex(const SwPosition & rMark={...}, const SwPosition & rPoint={...}, unsigned short nDelCntntType=0x000f)  Line 870	C++
 	swmi.dll!SwUndoSaveSection::SaveSection(SwDoc * __formal=0x05cee928, const SwNodeRange & rRange={...})  Line 913	C++
 	swmi.dll!SwUndoSaveSection::SaveSection(SwDoc * pDoc=0x05cee928, const SwNodeIndex & rSttIdx={...})  Line 903	C++
 	swmi.dll!SwHistorySetFootnote::SwHistorySetFootnote(SwTxtFtn * pTxtFtn=0x12123ca8, unsigned long nNodePos=0x00000045)  Line 460	C++
 	swmi.dll!SwHistory::Add(SwTxtAttr * pHint=0x12123ca8, unsigned long nNodeIdx=0x00000045, bool bNewAttr=false)  Line 1076 + 0x2a bytes	C++
 	swmi.dll!SwUndoSaveCntnt::DelCntntIndex(const SwPosition & rMark={...}, const SwPosition & rPoint={...}, unsigned short nDelCntntType=0x000f)  Line 604	C++
 	swmi.dll!SwUndoDelete::SwUndoDelete(SwPaM & rPam={...}, unsigned char bFullPara=0x00, unsigned char bCalledByTblCpy=0x00)  Line 149	C++
 	swmi.dll!SwDoc::DeleteRangeImplImpl(SwPaM & rPam={...})  Line 1690 + 0x33 bytes	C++
 	swmi.dll!SwDoc::DeleteRangeImpl(SwPaM & rPam={...}, const bool __formal=false)  Line 1618 + 0xc bytes	C++
 	swmi.dll!SwDoc::DeleteAndJoinImpl(SwPaM & rPam={...}, const bool bForceJoinNext=false)  Line 1597 + 0xe bytes	C++
 	swmi.dll!lcl_DoWithBreaks(SwDoc & rDoc={...}, SwPaM & rPam={...}, bool (SwPaM &, bool)* pFunc=0x0d6121ac, const bool bForceJoinNext=false)  Line 1492 + 0x12 bytes	C++
 	swmi.dll!SwDoc::DeleteAndJoin(SwPaM & rPam={...}, const bool bForceJoinNext=false)  Line 1819 + 0x6a bytes	C++
 	swmi.dll!SwEditShell::DeleteSel(SwPaM & rPam={...}, unsigned char * pUndo=0x00cff19b)  Line 111	C++
 	swmi.dll!SwEditShell::Delete()  Line 138	C++
 	swmi.dll!SwWrtShell::DelLeft()  Line 244 + 0x8 bytes	C++
 	swmi.dll!SwBaseShell::ExecDelete(SfxRequest & rReq={...})  Line 240	C++
 	swmi.dll!SfxStubSwBaseShellExecDelete(SfxShell * pShell=0x122e6908, SfxRequest & rReq={...})  Line 1626 + 0xf bytes	C++


The source line in question is:
m_vMarks.erase(m_vMarks.begin() + (ppMark - m_vMarks.begin())); // clumsy const-cast
Comment 3 Don't use this account, use tml@iki.fi 2011-06-07 06:53:05 UTC
The value of m_vMarks as displayed by Visual Studio is:
		m_vMarks	[0xffffffff]({px=0x12327400 pn={...} },{px=0x12326efc pn={...} },{px=0x12326efc pn={...} },{px=0x12326efc pn={...} },{px=0x12326eac pn={...} },{px=0x12326eac pn={...} },{px=0x12326eac pn={...} },{px=0x00000000 pn={...} },{px=0x00000000 pn={...} },{px=0x11785c55 pn={...} },{px=0x00000000 pn={...} },{px=0x00000000 pn={...} },{px=0x00000000 pn={...} },{px=0x00000000 pn={...} },{px=0x00000000 pn= },...,...)	std::vector<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > >

whatever that then means... the 0xffffffff looks weird?
Comment 4 Don't use this account, use tml@iki.fi 2011-06-08 02:55:41 UTC
The problem seems to be that sw::mark::MarkManager::deleteMark() gets called recursively:

 	swmi.dll!sw::mark::MarkManager::deleteMark(std::_Vector_const_iterator<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > > ppMark={px=0x05668608 pn={...} })  Line 721	C++
 	swmi.dll!SwTrnsfrDdeLink::Disconnect(unsigned char bRemoveDataAdvise=0x00)  Line 3599 + 0x3d bytes	C++
>	swmi.dll!SwTrnsfrDdeLink::DataChanged(const String & __formal={...}, const String & __formal={...})  Line 3513	C++
 	sfxmi.dll!64d60919() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for sfxmi.dll]	
 	swmi.dll!sw::mark::DdeBookmark::~DdeBookmark()  Line 220	C++
 	swmi.dll!sw::mark::DdeBookmark::`vbase destructor'()  + 0x12 bytes	C++
 	swmi.dll!sw::mark::DdeBookmark::`scalar deleting destructor'()  + 0x12 bytes	C++
 	swmi.dll!boost::checked_delete<sw::mark::DdeBookmark>(sw::mark::DdeBookmark * x=0x056685c8)  Line 34 + 0x3b bytes	C++
 	swmi.dll!boost::detail::sp_counted_impl_p<sw::mark::DdeBookmark>::dispose()  Line 78 + 0xc bytes	C++
 	swmi.dll!boost::detail::sp_counted_base::release()  Line 103	C++
 	swmi.dll!boost::detail::shared_count::~shared_count()  Line 221	C++
 	swmi.dll!boost::shared_ptr<sw::mark::IMark>::~shared_ptr<sw::mark::IMark>()  + 0x3f bytes	C++
 	swmi.dll!boost::shared_ptr<sw::mark::IMark>::`scalar deleting destructor'()  + 0xf bytes	C++
 	swmi.dll!std::_Destroy<boost::shared_ptr<sw::mark::IMark> >(boost::shared_ptr<sw::mark::IMark> * _Ptr=0x129626a0)  Line 60	C++
 	swmi.dll!std::allocator<boost::shared_ptr<sw::mark::IMark> >::destroy(boost::shared_ptr<sw::mark::IMark> * _Ptr=0x129626a0)  Line 160 + 0x9 bytes	C++
 	swmi.dll!std::_Destroy_range<std::allocator<boost::shared_ptr<sw::mark::IMark> > >(boost::shared_ptr<sw::mark::IMark> * _First=0x129626a0, boost::shared_ptr<sw::mark::IMark> * _Last=0x129626a8, std::allocator<boost::shared_ptr<sw::mark::IMark> > & _Al={...}, std::_Nonscalar_ptr_iterator_tag __formal={...})  Line 234 + 0xc bytes	C++
 	swmi.dll!std::_Destroy_range<std::allocator<boost::shared_ptr<sw::mark::IMark> > >(boost::shared_ptr<sw::mark::IMark> * _First=0x129626a0, boost::shared_ptr<sw::mark::IMark> * _Last=0x129626a8, std::allocator<boost::shared_ptr<sw::mark::IMark> > & _Al={...})  Line 225 + 0x29 bytes	C++
 	swmi.dll!std::vector<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > >::_Destroy(boost::shared_ptr<sw::mark::IMark> * _First=0x129626a0, boost::shared_ptr<sw::mark::IMark> * _Last=0x129626a8)  Line 1119 + 0x14 bytes	C++
 	swmi.dll!std::vector<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > >::erase(std::_Vector_const_iterator<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > > _Where={px=0x05668608 pn={...} })  Line 1021	C++
 	swmi.dll!sw::mark::MarkManager::deleteMark(std::_Vector_const_iterator<boost::shared_ptr<sw::mark::IMark>,std::allocator<boost::shared_ptr<sw::mark::IMark> > > ppMark={px=0x05668608 pn={...} })  Line 724	C++
 	swmi.dll!SwUndoSaveCntnt::DelCntntIndex(const SwPosition & rMark={...}, const SwPosition & rPoint={...}, unsigned short nDelCntntType=0x000f)  Line 870	C++
 	swmi.dll!SwUndoSaveSection::SaveSection(SwDoc * __formal=0x05820258, const SwNodeRange & rRange={...})  Line 913	C++
 	swmi.dll!SwUndoSaveSection::SaveSection(SwDoc * pDoc=0x05820258, const SwNodeIndex & rSttIdx={...})  Line 903	C++
 	swmi.dll!SwHistorySetFootnote::SwHistorySetFootnote(SwTxtFtn * pTxtFtn=0x1296c040, unsigned long nNodePos=0x00000045)  Line 460	C++
 	swmi.dll!SwHistory::Add(SwTxtAttr * pHint=0x1296c040, unsigned long nNodeIdx=0x00000045, bool bNewAttr=false)  Line 1076 + 0x2a bytes	C++
 	swmi.dll!SwUndoSaveCntnt::DelCntntIndex(const SwPosition & rMark={...}, const SwPosition & rPoint={...}, unsigned short nDelCntntType=0x000f)  Line 604	C++
 	swmi.dll!SwUndoDelete::SwUndoDelete(SwPaM & rPam={...}, unsigned char bFullPara=0x00, unsigned char bCalledByTblCpy=0x00)  Line 149	C++
 	swmi.dll!SwDoc::DeleteRangeImplImpl(SwPaM & rPam={...})  Line 1690 + 0x33 bytes	C++
 	swmi.dll!SwDoc::DeleteRangeImpl(SwPaM & rPam={...}, const bool __formal=false)  Line 1618 + 0xc bytes	C++
 	swmi.dll!SwDoc::DeleteAndJoinImpl(SwPaM & rPam={...}, const bool bForceJoinNext=false)  Line 1597 + 0xe bytes	C++
 	swmi.dll!lcl_DoWithBreaks(SwDoc & rDoc={...}, SwPaM & rPam={...}, bool (SwPaM &, bool)* pFunc=0x0e2a21b6, const bool bForceJoinNext=false)  Line 1492 + 0x12 bytes	C++
 	swmi.dll!SwDoc::DeleteAndJoin(SwPaM & rPam={...}, const bool bForceJoinNext=false)  Line 1819 + 0x6a bytes	C++
 	swmi.dll!SwEditShell::DeleteSel(SwPaM & rPam={...}, unsigned char * pUndo=0x016df17b)  Line 111	C++
 	swmi.dll!SwEditShell::Delete()  Line 138	C++
 	swmi.dll!SwWrtShell::DelLeft()  Line 244 + 0x8 bytes	C++
 	swmi.dll!SwBaseShell::ExecDelete(SfxRequest & rReq={...})  Line 240	C++
 	swmi.dll!SfxStubSwBaseShellExecDelete(SfxShell * pShell=0x12973420, SfxRequest & rReq={...})  Line 1626 + 0xf bytes	C++
Comment 5 Don't use this account, use tml@iki.fi 2011-06-08 05:23:53 UTC
Nah, I give up.
Comment 6 Caolán McNamara 2011-06-09 04:39:32 UTC
Created attachment 47763
speculative fix

tor: I can't reproduce the crash, but looking at the stack under Linux I have serious doubts about the reentering of ::deleteMark from the destructor of a mark called during std::vector::erase. Does the attached patch make a difference? I.e., defer actual destruction of element until after it's removed from the vector.
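
The idea described in Comment 6, as an added sketch that is neither the attached patch nor LibreOffice code: `Registry`, `Mark` and the counters are hypothetical stand-ins for `MarkManager` and a mark whose destructor calls back into its owner. Holding one extra `shared_ptr` reference across `erase()` moves the destructor call to a point where the vector is consistent again.

```cpp
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>
class Registry;
// Hypothetical stand-in for a mark whose destructor calls back into its owner.
struct Mark {
    explicit Mark(Registry& r) : owner(r) {}
    ~Mark();
    Registry& owner;
};

class Registry {
public:
    void add() { marks_.push_back(std::make_shared<Mark>(*this)); }
    // Naive: the last reference dies inside erase(), so ~Mark() runs while
    // the vector is still being modified.
    void eraseNaive(std::size_t i) {
        erasing_ = true;
        marks_.erase(marks_.begin() + i);
        erasing_ = false;
    }

    // Deferred: same erase, but one extra reference is held across it, so
    // erase() only drops a refcount and ~Mark() runs when 'keep' leaves scope.
    void eraseDeferred(std::size_t i) {
        std::shared_ptr<Mark> keep = marks_[i];
        eraseNaive(i);
    }

    // Callback from ~Mark(). It only counts and never touches marks_, so the
    // naive path stays well-defined in this demo.
    void onMarkDestroyed() { ++(erasing_ ? inside_ : after_); }
    std::pair<int, int> counts() const { return {inside_, after_}; }
private:
    bool erasing_ = false;        // flags are declared before marks_ so they
    int inside_ = 0, after_ = 0;  // are still alive while marks_ is destroyed
    std::vector<std::shared_ptr<Mark>> marks_;
};

Mark::~Mark() { owner.onMarkDestroyed(); }

// Returns {destructors run inside erase(), destructors run after erase()}.
std::pair<int, int> run(bool deferred) {
    Registry r;
    for (int i = 0; i < 3; ++i) r.add();
    if (deferred) r.eraseDeferred(1); else r.eraseNaive(1);
    return r.counts();
}
int main() { return run(true) == std::make_pair(0, 1) ? 0 : 1; }
```

In the crash analysed above the destructor path re-entered `deleteMark()` on the vector being erased from; the callback here only counts, which is why the naive variant can be run safely for comparison.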
Comment 7 Caolán McNamara 2011-06-09 07:26:33 UTC
reportedly works
Comment 8 Caolán McNamara 2011-06-09 07:44:01 UTC
checked in, and cherry-picked to 3-4 branch
Comment 9 Rainer Bielefeld Retired 2011-06-10 02:57:27 UTC
RC2 is bit by bit identical with release version, so separate items in the version picker are useless. Changes have been discussed with Michael Meeks.
Comment 10 Rainer Bielefeld Retired 2011-07-30 02:22:08 UTC
@Caolán:
Is this fix in 3.4.1?
Comment 12 ribotb 2011-08-02 04:21:28 UTC
Hello,

Yes it seems ok (re-tested with LibO 3.4.2).

Thanks,
Bernard