Bug 41712 - FILEOPEN soffice.bin crashed with SIGSEGV in SwTxtFrm::HideAndShowObjects()
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version: 3.4.3 release (earliest affected)
Hardware: x86 (IA32) All
Importance: medium critical
Assignee: Michael Stahl (allotropia)
Whiteboard: target:3.4.6 target:3.5.1 target:3.6....
Keywords: regression
Reported: 2011-10-12 01:30 UTC by Chris Peñalver
Modified: 2012-02-14 06:40 UTC
Attachments
examplex1.odt (11.47 KB, application/vnd.oasis.opendocument.text)
2011-10-12 01:30 UTC, Chris Peñalver

Description Chris Peñalver 2011-10-12 01:30:17 UTC
Created attachment 52254
examplex1.odt

Downstream bug may be found at:
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/872716

1) lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

2) apt-cache policy libreoffice-writer
libreoffice-writer:
  Installed: 1:3.4.3-3ubuntu2
  Candidate: 1:3.4.3-3ubuntu2
  Version table:
 *** 1:3.4.3-3ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
        100 /var/lib/dpkg/status

3) What is expected to happen via the Terminal:

cd ~/Desktop && wget https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/753183/+attachment/2005949/+files/examplex1.odt && cp examplex1.odt examplex2.odt && lowriter -nologo examplex1.odt examplex2.odt

is both files open successfully.

4) What happens is LibreOffice Writer crashes consistently. Also occurs with LibreOffice 3.4.3 OOO340m1 (Build:302) Microsoft Windows Vista Business 6.0.6002 Service Pack 2 Build 6002
Comment 1 Björn Michaelsen 2011-12-23 12:34:21 UTC
[This is an automated message.]
This bug was filed before the changes to Bugzilla on 2011-10-16. Thus it
started right out as NEW without ever being explicitly confirmed. The bug is
changed to state NEEDINFO for this reason. To move this bug from NEEDINFO back
to NEW please check if the bug still persists with the 3.5.0 beta1 or beta2 prereleases.
Details on how to test the 3.5.0 beta1 can be found at:
http://wiki.documentfoundation.org/QA/BugHunting_Session_3.5.0.-1

more detail on this bulk operation: http://nabble.documentfoundation.org/RFC-Operation-Spamzilla-tp3607474p3607474.html
Comment 2 Chris Peñalver 2012-01-03 15:14:27 UTC
Unreproducible in:
LOdev 3.5.0beta2 
Build ID: 8589e48-760cc4d-f39cf3d-1b2857e-60db978
Microsoft Windows Vista Business 6.0.6002 Service Pack 2 Build 6002
Comment 3 Michael Stahl (allotropia) 2012-02-10 09:42:56 UTC
Accidentally found out that I can reproduce this on master and ~3.5.0 on Linux.

reverting cc3d0d182cafef9649e45f4657233ac2221fdd0a makes it not crash.

bugdoc is rather pathological, bunch of text:p with 10k x letters
and no space in between.

FindMaster() returns a deleted SwTxtFrm:

==22045== Invalid read of size 8
==22045==    at 0x2CB9D758: SwFlowFrm::HasFollow() const (in /data/lo/core_master/solver/unxlngx6/lib/libswlo.so)
==22045==    by 0x2CEE5C5C: SwCntntFrm::FindMaster() const (flowfrm.cxx:692)
==22045==    by 0x2D038205: SwTxtFormatInfo::Init() (inftxt.cxx:1447)
==22045==    by 0x2D037DD2: SwTxtFormatInfo::CtorInitTxtFormatInfo(SwTxtFrm*, unsigned char, unsigned char, unsigned char) (inftxt.cxx:1388)
==22045==    by 0x2D02917B: SwTxtFormatInfo::SwTxtFormatInfo(SwTxtFrm*, unsigned char, unsigned char, unsigned char) (in /data/lo/core_master/solver/unxlngx6/lib/libswlo.so)
==22045==    by 0x2D026AB5: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1731)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==  Address 0x1fe52368 is 200 bytes inside a block of size 272 free'd
==22045==    at 0x4A0662E: free (vg_replace_malloc.c:366)
==22045==    by 0x4C44B32: rtl_freeMemory_SYSTEM(void*) (alloc_global.cxx:285)
==22045==    by 0x4C44D97: rtl_freeMemory (alloc_global.cxx:355)
==22045==    by 0x4C4342B: rtl_cache_free (alloc_cache.cxx:1277)
==22045==    by 0x85DDA23: FixedMemPool::Free(void*) (mempool.cxx:82)
==22045==    by 0x2CF0E582: SwTxtFrm::operator delete(void*, unsigned long) (in /data/lo/core_master/solver/unxlngx6/lib/libswlo.so)
==22045==    by 0x2D09A318: SwTxtFrm::~SwTxtFrm() (txtfrm.cxx:398)
==22045==    by 0x2D02328F: SwTxtFrm::JoinFrm() (frmform.cxx:683)
==22045==    by 0x2D022E43: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:593)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
==22045==    by 0x2CED0D7C: SwFrm::PrepareMake() (calcmove.cxx:386)
==22045==    by 0x2CBED189: SwFrm::Calc() const (frame.hxx:1054)
==22045==    by 0x2D021D23: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
==22045==    by 0x2D022EE6: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
==22045==    by 0x2D024CAC: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1155)
==22045==    by 0x2D0265AC: SwTxtFrm::_Format(SwTxtFormatter&, SwTxtFormatInfo&, unsigned char) (frmform.cxx:1618)
==22045==    by 0x2D026B06: SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)
==22045==    by 0x2D0279AA: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1914)
==22045==    by 0x2CED6025: SwCntntFrm::MakeAll() (calcmove.cxx:1428)
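
Added example (not part of the bug report and not LibreOffice code): a Python triage helper for a Memcheck use-after-free report like the one in comment 3. It separates the invalid-access stack from the free stack, folds the repeated formatting recursion, and names the innermost function present on both paths as a heuristic starting point; the sample input is constructed from an abbreviated form of that trace, and all helper names are hypothetical.

```python
import re

FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.*) \(([^()]+)\)$")
USE = re.compile(r"Invalid (read|write) of size (\d+)")
FREED = re.compile(r"is (\d+) bytes inside a block of size (\d+) free'd")

def parse_report(text):
    """Split one Memcheck use-after-free error into its 'use' and 'free' stacks."""
    info, stacks, cur = {}, {"use": [], "free": []}, None
    for line in text.splitlines():
        if m := USE.search(line):
            cur, info["access"], info["size"] = "use", m[1], int(m[2])
        elif m := FREED.search(line):
            cur, info["offset"], info["block"] = "free", int(m[1]), int(m[2])
        elif cur and (m := FRAME.match(line.rstrip())):
            stacks[cur].append((m[1], m[2]))  # (function, source location)
    return info, stacks

def collapse(frames):
    """Fold the longest repeated frame cycle; return (frames, period, repeats)."""
    best = (0, 0, 1)  # (start, period, repeats): nothing folded yet
    for start in range(len(frames)):
        for period in range(1, (len(frames) - start) // 2 + 1):
            unit, reps = frames[start:start + period], 1
            while frames[start + reps * period:start + (reps + 1) * period] == unit:
                reps += 1
            if reps > 1 and reps * period > best[1] * best[2]:
                best = (start, period, reps)
    start, period, reps = best
    return frames[:start + period] + frames[start + period * reps:], period, reps

def pivot(stacks):
    """Heuristic: innermost function on the free path that is also on the use path, or None."""
    use = {func: loc for func, loc in reversed(stacks["use"])}  # innermost location wins
    return next(((f, at, use[f]) for f, at in stacks["free"] if f in use), None)

# Constructed sample: comment 3's report, abbreviated (three recursion rounds, "(...)" args, placeholder address).
CYCLE = ["SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1737)", "SwTxtFrm::CalcFollow(...) (frmform.cxx:315)",
         "SwTxtFrm::_AdjustFollow(...) (frmform.cxx:607)", "SwTxtFrm::FormatAdjust(...) (frmform.cxx:1155)"]
USE_TOP = ["SwFlowFrm::HasFollow() const (in libswlo.so)", "SwCntntFrm::FindMaster() const (flowfrm.cxx:692)",
           "SwTxtFrm::_Format(SwParaPortion*) (frmform.cxx:1731)"] + CYCLE[1:]
FREE_TOP = ["free (vg_replace_malloc.c:366)", "SwTxtFrm::~SwTxtFrm() (txtfrm.cxx:398)",
            "SwTxtFrm::JoinFrm() (frmform.cxx:683)", "SwTxtFrm::_AdjustFollow(...) (frmform.cxx:593)",
            "SwTxtFrm::FormatAdjust(...) (frmform.cxx:1155)"]
def _dump(frames):
    return [f"==22045==    by 0x2D000000: {f}" for f in frames]
SAMPLE = "\n".join(["==22045== Invalid read of size 8", *_dump(USE_TOP + CYCLE * 3),
    "==22045==  Address 0x1fe52368 is 200 bytes inside a block of size 272 free'd", *_dump(FREE_TOP + CYCLE * 3)])
```

On the constructed sample, `pivot(parse_report(SAMPLE)[1])` names `SwTxtFrm::_AdjustFollow(...)`, reached through `frmform.cxx:593` on the free path and `frmform.cxx:607` on the use path, the same two line numbers that appear in the trace above.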
Comment 5 Cédric Bosdonnat 2012-02-13 09:39:13 UTC
Fixed on 3.5 and 3.4 as well.