Bug 58242 - Introspection on Anchor of TextTable crashes LO
Summary: Introspection on Anchor of TextTable crashes LO
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer (show other bugs)
Version:
(earliest affected)
3.6.1.2 release
Hardware: All All
: medium normal
Assignee: Not Assigned
QA Contact:
URL:
Whiteboard: target:4.1.0 target:4.0.0.2 target:3.6.5
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-13 13:40 UTC by Christoph Lutz
Modified: 2013-01-10 09:34 UTC (History)
7 users (show)

See Also:


Attachments
bt on master (31.09 KB, text/plain)
2012-12-28 15:52 UTC, Julien Nabet
Details
just a patch to test avoiding the core (694 bytes, text/plain)
2013-01-03 17:28 UTC, Noel Power
Details
another version of the patch (3.12 KB, text/plain)
2013-01-03 18:07 UTC, Noel Power
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Christoph Lutz 2012-12-13 13:40:28 UTC
To reproduce this issue you need an installed Xray-Extension (for the introspection)

1. open a new document
2. add a new text table (the cursor is now in the first table cell)
3. don't change the cursor and Insert->Bookmark with name "foo"
4. run the following makro

sub Main
	xray ThisComponent.Bookmarks.getByName("foo").getAnchor().TextTable.Anchor
end sub

My LibreOffice 3.6.1 on Windows crashes in this case.
Comment 1 Christoph Lutz 2012-12-13 13:54:07 UTC
The TextRange of the Anchor really seems to be broken.

I also tried to workaround the problem with the following trick, but this did not work:

sub Main
	range = ThisComponent.Bookmarks.getByName("foo").getAnchor().TextTable.Anchor
	range = range.Text.createTextCursorByRange(range) ''<--- Runtime-Exception
	xray range
end sub

In this case I get a RuntimeException with the message "Invalid text range."
Comment 2 Christoph Lutz 2012-12-14 08:09:29 UTC
FYI: It is possible to access the Text-Object of the broken anchor:

xray ThisComponent.Bookmarks.getByName("foo").getAnchor().TextTable.Anchor.Text

doesn't crash.
Comment 3 Julien Nabet 2012-12-27 07:16:34 UTC
Could you give a link to xray extension? (oxt file)
Did you try with latest LO version (3.6.4)?
Comment 4 Christoph Lutz 2012-12-28 11:09:02 UTC
Xray Tool van Beethoven downloaded AT http://bernard.marcelly.perso.sfr.fr/Files_en/XrayTool60_en.odt

contains the installation instruction and an "install" button.

I currently don't have got an installation of LO 3.6.4...
Comment 5 Julien Nabet 2012-12-28 13:42:57 UTC
Christoph: I tried to reproduce but only had some error messages.
In console, I had these:
warn:basic:4757:1:/home/julien/compile-libreoffice/libo/basic/source/uno/namecont.cxx:943: couldn't open sub storage for library "Standard". Exception: (com.sun.star.io.IOException) { { Message = "/home/julien/compile-libreoffice/libo/package/source/xstor/xstorage.cxx:2630: ", Context = (com.sun.star.uno.XInterface) @0 } }
warn:basic.sbx:4757:1:/home/julien/compile-libreoffice/libo/basic/source/sbx/sbxvalue.cxx:541: nicht bei Parent-Prop - sonst CyclicRef
warn:basic.sbx:4757:1:/home/julien/compile-libreoffice/libo/basic/source/sbx/sbxvalue.cxx:541: nicht bei Parent-Prop - sonst CyclicRef
warn:basic.sbx:4757:1:/home/julien/compile-libreoffice/libo/basic/source/sbx/sbxvalue.cxx:541: nicht bei Parent-Prop - sonst CyclicRef
warn:basic.sbx:4757:1:/home/julien/compile-libreoffice/libo/basic/source/sbx/sbxvalue.cxx:190: nicht bei Parent-Prop - sonst CyclicRef
...

with 3.6 sources, I workarounded fdo#56473 but had warn:basic:5094:1:/home/julien/compile-libreoffice/libo_3_6/basic/source/uno/namecont.cxx:911: couldn't open sub storage for library "Standard". Exception: (com.sun.star.io.IOException) { { Message = "/home/julien/compile-libreoffice/libo_3_6/package/source/xstor/xstorage.cxx:2639: ", Context = (com.sun.star.uno.XInterface) @0 } } and some error messages.

Michael:
- would it be possible to cherry-pick fdo#56473 on 3.6 branch?
- is it LO bug or the extension which should evolve (so notourbug)?
Comment 6 Julien Nabet 2012-12-28 15:44:04 UTC
Here's the popup error with master sources:
BASIC runtime error.
An exception occurred 
Type: com.sun.star.container.NoSuchElementException
Message: .
Comment 7 Julien Nabet 2012-12-28 15:52:44 UTC
Created attachment 72216 [details]
bt on master

I retrieved this time a bt.

I've got contradictatory results each time I test, I'm a bit stuck.
Comment 8 Julien Nabet 2012-12-28 16:09:24 UTC
About storage problem during package installation, I added some traces and got this:
m_pImpl->m_nStorageMode 1
embed::ElementModes::WRITE 4
embed::ElementModes::NOCREATE 16
nStorageMode 1
According to this offapi/com/sun/star/embed/ElementModes.idl, 1 = READ
Comment 9 Julien Nabet 2012-12-28 16:34:56 UTC
I update the component to BASIC.

Noel/Uray: you may be interested by this one since it seems "BASIC" component.
Comment 10 Noel Power 2013-01-03 16:42:36 UTC
(In reply to comment #9)
> I update the component to BASIC.
> 
> Noel/Uray: you may be interested by this one since it seems "BASIC"
> component.

imho it's doubtful this is something to do with basic ( just that basic calls the code that has problems )

but.. needs investigation, I'll have a cut at finding out what is going on
Comment 11 Noel Power 2013-01-03 17:18:36 UTC
I can reproduce with latest 3.6 branch

Program received signal SIGSEGV, Segmentation fault.
0x00007fffdd6f4d56 in SwModify::GetDepends (this=0x0) at /data5/Backup/LibreOffice-onegit/core/sw/inc/calbck.hxx:165
(gdb) where
#0  0x00007fffdd6f4d56 in SwModify::GetDepends (this=0x0) at /data5/Backup/LibreOffice-onegit/core/sw/inc/calbck.hxx:165
#1  0x00007fffdd6f471a in SwClientIter::SwClientIter (this=0x7fffffff92d0, rModify=...) at /data5/Backup/LibreOffice-onegit/core/sw/source/core/attr/calbck.cxx:417
#2  0x00007fffdd8d9ee0 in SwIterator<SwFrm, SwModify>::SwIterator (this=0x7fffffff92d0, rSrc=...) at /data5/Backup/LibreOffice-onegit/core/sw/inc/switerator.hxx:39
#3  0x00007fffdd9fe835 in GetFrmOfModify (pLayout=0x1694bf0, rMod=..., nFrmType=49152, pPoint=0x0, pPos=0x0, bCalcFrm=1 '\001') at /data5/Backup/LibreOffice-onegit/core/sw/source/core/layout/frmtool.cxx:3353
#4  0x00007fffdd8d34b0 in SwCntntNode::getLayoutFrm (this=0x0, _pRoot=0x1694bf0, pPoint=0x0, pPos=0x0, bCalcFrm=1 '\001') at /data5/Backup/LibreOffice-onegit/core/sw/source/core/docnode/node.cxx:1109
#5  0x00007fffddc5d64b in SwUnoCursorHelper::GetCurPageStyle (rPaM=SwPaM = {...}, rString="") at /data5/Backup/LibreOffice-onegit/core/sw/source/core/unocore/unocrsrhelper.cxx:724
#6  0x00007fffddc5b443 in SwUnoCursorHelper::getCrsrPropertyValue (rEntry=..., rPam=SwPaM = {...}, pAny=0x7fffffff9a40, eState=@0x7fffffff97cc, pNode=0x0) at /data5/Backup/LibreOffice-onegit/core/sw/source/core/unocore/unocrsrhelper.cxx:225
#7  0x00007fffddcbd7fe in SwUnoCursorHelper::GetPropertyValue (rPaM=SwPaM = {...}, rPropSet=..., rPropertyName=...) at /data5/Backup/LibreOffice-onegit/core/sw/source/core/unocore/unoobj.cxx:1865
#8  0x00007fffddcc914c in SwXTextRange::getPropertyValue (this=0x19f6f20, rPropertyName=...) at /data5/Backup/LibreOffice-onegit/core/sw/source/core/unocore/unoobj2.cxx:1430
#9  0x00007fffe6c38b39 in gcc3::callVirtualMethod(void*, unsigned int, void*, _typelib_TypeDescriptionReference*, bool, unsigned long*, unsigned int, unsigned long*, unsigned int, double*, unsigned int) () from /data5/Backup/LibreOffice-onegit/core/INSTALL_LINK/ure/lib/libgcc3_uno.so
#10 0x00007fffe6c3a5bc in cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy*, bridges::cpp_uno::shared::VtableSlot, _typelib_TypeDescriptionReference*, int, _typelib_MethodParameter*, void*, void**, _uno_Any**) () from /data5/Backup/LibreOffice-onegit/core/INSTALL_LINK/ure/lib/libgcc3_uno.so
#11 0x00007fffe6c3afd0 in bridges::cpp_uno::shared::unoInterfaceProxyDispatch(_uno_Interface*, _typelib_TypeDescription const*, void*, void**, _uno_Any**) () from /data5/Backup/LibreOffice-onegit/core/INSTALL_LINK/ure/lib/libgcc3_uno.so
#12 0x00007fffd9cd2e21 in stoc_corefl::IdlInterfaceMethodImpl::invoke(com::sun::star::uno::Any const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any>&) () from /data5/Backup/LibreOffice-onegit/core/INSTALL_LINK/ure/lib/reflection.uno.so
#13 0x00007ffff1c1e94b in SbUnoObject::Notify (this=0x2204390, rBC=..., rHint=...) at /data5/Backup/LibreOffice-onegit/core/basic/source/classes/sbunoobj.cxx:2296
#14 0x00007ffff4fdc9fa in SfxBroadcaster::Broadcast (this=0x24c3820, rHint=...) at /data5/Backup/LibreOffice-onegit/core/svl/source/notify/brdcst.cxx:64
#15 0x00007ffff1d06c05 in SbxVariable::Broadcast (this=0x24c3750, nHintId=65536) at /data5/Backup/LibreOffice-onegit/core/basic/source/sbx/sbxvar.cxx:196
#16 0x00007ffff1d00802 in SbxValue::SbxValue (this=0x24d8910, __vtt_parm=0x7ffff1fb1910, r=..., __in_chrg=<value optimized out>) at /data5/Backup/LibreOffice-onegit/core/basic/source/sbx/sbxvalue.cxx:134
#17 0x00007ffff1d05fda in SbxVariable::SbxVariable (this=0x24d8910, __vtt_parm=0x7ffff1fb1908, r=..., __in_chrg=<value optimized out>) at /data5/Backup/LibreOffice-onegit/core/basic/source/sbx/sbxvar.cxx:90
#18 0x00007ffff1cf9867 in SbxMethod::SbxMethod (this=0x24d8910, r=..., __in_chrg=<value optimized out>, __vtt_parm=<value optimized out>) at /data5/Backup/LibreOffice-onegit/core/basic/source/sbx/sbxobj.cxx:881
Comment 12 Noel Power 2013-01-03 17:20:31 UTC
note: I'm using an older version of xray so that might explain the bt difference


#4  0x00007fffdd8d34b0 in SwCntntNode::getLayoutFrm (this=0x0, _pRoot=0x1694bf0, pPoint=0x0, pPos=0x0, bCalcFrm=1 '\001') at /data5/Backup/LibreOffice-onegit/core/sw/source/core/docnode/node.cxx:1109
#5  0x00007fffddc5d64b in SwUnoCursorHelper::GetCurPageStyle (rPaM=SwPaM = {...}, rString="") at /data5/Backup/LibreOffice-onegit/core/sw/source/core/unocore/unocrsrhelper.cxx:724


above is the real cause,

e.g.
724  const SwPageFrm* pPage = rPaM.GetCntntNode()->getLayoutFrm(rPaM.GetDoc()->GetCurrentLayout())->FindPageFrm();

rPaM.GetCntntNode() is obviously returning null
Comment 13 Noel Power 2013-01-03 17:28:44 UTC
Created attachment 72466 [details]
just a patch to test avoiding the core

Here is a simple fix, it avoids the core dump and the old xray version seems to work. I don't have a master ( currently building ) and I haven't tried this with the newer version of xray either.

Also I would not propose this as a real patch, imo it just avoids the problem, maybe that is in fact the best one can do, we need a writer expert to give a proper solution ( or tell us that the hack is ok )

When I get a chance I will try to test with the newer version of xray ( and also try on master )
Comment 14 Noel Power 2013-01-03 18:07:16 UTC
Created attachment 72468 [details]
another version of the patch

it seems that the newer version of xray triggers a similar bt to that attached earlier in this report ( which was created from master I believe )

even more defensive coding needed it seems ( which seems to suggest maybe something is wrong somewhere else ? )

again the writer experts probably know more here
Comment 15 Michael Stahl 2013-01-09 13:14:07 UTC
crashes here on master in yet another different property
FN_UNO_CHARFMT_SEQUENCE, it appears the problem is endemic :(

apparently much of Writer code was developed following the paradigm
"dynamic_cast is for weenies, real men use C-style casts,
 and even if real men did use dynamic_cast they wouldn't check the result".

attached patches look good at first glance, i'll push them in a bit...
Comment 16 Julien Nabet 2013-01-09 13:54:40 UTC
Michael: if interested, I could provide a Cppcheck report about "C cast style" cases only. It could be either a simple XML file or a zipped directory which would include sources.
Comment 17 Not Assigned 2013-01-09 15:00:52 UTC
Noel Power committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=11b380874a36869452246cc77c392d1767e60e95

fdo#58242: getCrsrPropertyValue: fix crashes when PaM not on SwTxtNode



The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 18 Not Assigned 2013-01-09 15:01:10 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=68d40d2cae3700f4134375fcaf9649ac626ada7d

fdo#58242: sw: fix more crashes when not on SwTxtNode



The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 19 Not Assigned 2013-01-09 15:07:01 UTC
Noel Power committed a patch related to this issue.
It has been pushed to "libreoffice-4-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=9d1cdb4f42c3fee9f24020404ce8e3d378cb34f4&h=libreoffice-4-0

fdo#58242: getCrsrPropertyValue: fix crashes when PaM not on SwTxtNode


It will be available in LibreOffice 4.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 20 Not Assigned 2013-01-09 15:07:20 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-4-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=23e5bce572ebb65b302c139e89890e23a27a994d&h=libreoffice-4-0

fdo#58242: sw: fix more crashes when not on SwTxtNode


It will be available in LibreOffice 4.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 21 Not Assigned 2013-01-09 15:24:00 UTC
Noel Power committed a patch related to this issue.
It has been pushed to "libreoffice-3-6":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=e5add879def40a7695fb506b42c024ef9f776062&h=libreoffice-3-6

fdo#58242: getCrsrPropertyValue: fix crashes when PaM not on SwTxtNode


It will be available in LibreOffice 3.6.5.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 22 Michael Stahl 2013-01-09 15:31:07 UTC
fix plus unit test pushed.
only needs one more review to get into 3.6 branch.
Comment 23 Michael Stahl 2013-01-09 15:31:52 UTC
Comment on attachment 72466 [details]
just a patch to test avoiding the core

superseded by second patch
Comment 24 Not Assigned 2013-01-10 09:34:18 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-3-6":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=b58dc1b9aee370a1a2aa9d8f951cede3ae24d61d&h=libreoffice-3-6

fdo#58242: sw: fix more crashes when not on SwTxtNode


It will be available in LibreOffice 3.6.5.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.