41712 – FILEOPEN soffice.bin crashed with SIGSEGV in SwTxtFrm::HideAndShowObjects()

Bug 41712 - FILEOPEN soffice.bin crashed with SIGSEGV in SwTxtFrm::HideAndShowObjects()

Summary: FILEOPEN soffice.bin crashed with SIGSEGV in SwTxtFrm::HideAndShowObjects()

Status:	RESOLVED FIXED

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	Writer (show other bugs)
Version: (earliest affected)	3.4.3 release
Hardware:	x86 (IA32) All

Importance:	medium critical
Assignee:	Michael Stahl (allotropia)

URL:
Whiteboard:	target:3.4.6 target:3.5.1 target:3.6....
Keywords:	regression

Depends on:
Blocks:

Reported:	2011-10-12 01:30 UTC by Chris Peñalver
Modified:	2012-02-14 06:40 UTC (History)
CC List:	2 users (show)

See Also:
Crash report or crash signature:

Attachments
examplex1.odt (11.47 KB, application/vnd.oasis.opendocument.text) 2011-10-12 01:30 UTC, Chris Peñalver	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Peñalver 2011-10-12 01:30:17 UTC

Created attachment 52254 [details]
examplex1.odt

Downstream bug may be found at:
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/872716

1) lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

2) apt-cache policy libreoffice-writer
libreoffice-writer:
  Installed: 1:3.4.3-3ubuntu2
  Candidate: 1:3.4.3-3ubuntu2
  Version table:
 *** 1:3.4.3-3ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
        100 /var/lib/dpkg/status

3) What is expected to happen via the Terminal:

cd ~/Desktop && wget https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/753183/+attachment/2005949/+files/examplex1.odt && cp examplex1.odt examplex2.odt && lowriter -nologo examplex1.odt examplex2.odt

is both files open successfully.

4) What happens is LibreOffice Writer crashes consistently. Also occurs with LibreOffice 3.4.3 OOO340m1 (Build:302) Microsoft Windows Vista Business 6.0.6002 Service Pack 2 Build 6002

Comment 1 Björn Michaelsen 2011-12-23 12:34:21 UTC

[This is an automated message.]
This bug was filed before the changes to Bugzilla on 2011-10-16. Thus it
started right out as NEW without ever being explicitly confirmed. The bug is
changed to state NEEDINFO for this reason. To move this bug from NEEDINFO back
to NEW please check if the bug still persists with the 3.5.0 beta1 or beta2 prereleases.
Details on how to test the 3.5.0 beta1 can be found at:
http://wiki.documentfoundation.org/QA/BugHunting_Session_3.5.0.-1

more detail on this bulk operation: http://nabble.documentfoundation.org/RFC-Operation-Spamzilla-tp3607474p3607474.html

Comment 2 Chris Peñalver 2012-01-03 15:14:27 UTC

Unreproducible in:
LOdev 3.5.0beta2 
Build ID: 8589e48-760cc4d-f39cf3d-1b2857e-60db978
Microsoft Windows Vista Business 6.0.6002 Service Pack 2 Build 6002

Comment 3 Michael Stahl (allotropia) 2012-02-10 09:42:56 UTC

accidentally found out that i can reproduce this on master and ~3.5.0 on Linux.

reverting cc3d0d182cafef9649e45f4657233ac2221fdd0a makes it not crash.

bugdoc is rather pathological, bunch of text:p with 10k x letters
and no space in between.

FindMaster() returns a deleted SwTxtFrm:

==22045== Invalid read of size 8
==22045==    at 0x2CB9D758: SwFlowFrm::HasFollow() const (in /data/lo/core_master/solver/unxlngx6/lib/libswlo.so)
==22045==    by 0x2CEE5C5C: SwCntntFrm::FindMaster() const (flowfrm.cxx:692)
==22045==    by 0x2D038205: SwTxtFormatInfo::Init() (inftxt.cxx:1447)
==22045==    by 0x2D037DD2: SwTxtFormatInfo::CtorInitTxtFormatInfo(SwTxtFrm*, unsigned char, unsigned char, unsigned char) (inftxt.cxx:1388)
==22045==    by 0x2D02917B: SwTxtFormatInfo::SwTxtFormatInfo(SwTxtFrm*, unsigned char, unsigned char, unsigned char) (in /data/lo/core_master/solver/unxlngx6/lib/libswlo.so)
==22045==    by 0x2D026AB5: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1731)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==  Address 0x1fe52368 is 200 bytes inside a block of size 272 free'd
==22045==    at 0x4A0662E: free (vg_replace_malloc.c:366)
==22045==    by 0x4C44B32: rtl_freeMemory_SYSTEM(void*) (alloc_global.cxx:285)
==22045==    by 0x4C44D97: rtl_freeMemory (alloc_global.cxx:355)
==22045==    by 0x4C4342B: rtl_cache_free (alloc_cache.cxx:1277)
==22045==    by 0x85DDA23: FixedMemPool::Free(void*) (mempool.cxx:82)
==22045==    by 0x2CF0E582: SwTxtFrm::operator delete(void*, unsigned long) (in /data/lo/core_master/solver/unxlngx6/lib/libswlo.so)
==22045==    by 0x2D09A318: SwTxtFrm::~SwTxtFrm() (txtfrm.cxx:398)
==22045==    by 0x2D02328F: SwTxtFrm::JoinFrm() (frmform.cxx:683)
==22045==    by 0x2D022E43: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:593)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)

Comment 4 Michael Stahl (allotropia) 2012-02-13 03:56:49 UTC

fixed on master:

http://cgit.freedesktop.org/libreoffice/core/commit/?id=657c500e2e9e9ad2e38e9da278b20fb82c109001

http://cgit.freedesktop.org/libreoffice/core/commit/?id=a9f6e5323eaa3078f0a3a00a37cee169ba7dedbc

Comment 5 Cédric Bosdonnat 2012-02-13 09:39:13 UTC

Fixed on 3.5 and 3.4 as well.