It is null because:

#0  tools::WeakReference<SdrObject>::reset (this=0x9277ec0, pReference=0x0)
    at /ssd/opt/libreoffice/master/solver/unxlngi6.pro/inc/tools/weakbase.hxx:83
#1  0xb088d7c3 in SvxShape::Notify (this=0x9277e18, rHint=...) at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshape.cxx:1079
#2  0xb7678ab0 in SfxBroadcaster::Broadcast (this=0x8f56790, rHint=...) at /ssd/opt/libreoffice/master/svl/source/notify/brdcst.cxx:49
#3  0xb07bc4bb in SdrObject::BroadcastObjectChange (this=0x9275768) at /ssd/opt/libreoffice/master/svx/source/svdraw/svdobj.cxx:971
#4  0xb0751782 in sdr::properties::BaseProperties::BroadcastItemChange (this=0x887de98, rChange=...)
    at /ssd/opt/libreoffice/master/svx/source/sdr/properties/properties.cxx:148
#5  0xb0751817 in sdr::properties::BaseProperties::SetMergedItemSetAndBroadcast (this=0x887de98, rSet=..., bClearAllItems=0 '\000')
    at /ssd/opt/libreoffice/master/svx/source/sdr/properties/properties.cxx:112
#6  0xb07b90e8 in SdrObject::SetMergedItemSetAndBroadcast (this=0x9275768, rSet=..., bClearAllItems=false)
    at /ssd/opt/libreoffice/master/svx/source/svdraw/svdobj.cxx:2019

#7  0xb088ddf2 in SvxShape::ObtainSettingsFromPropertySet (this=0x9277e18, rPropSet=...)
    at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshape.cxx:672

resets it - because:
void SvxShape::Notify( SfxBroadcaster&, const SfxHint& rHint ) throw()
{
...
    uno::Reference< uno::XInterface > xSelf( mpObj->getWeakUnoShape() );
    if( !xSelf.is() )
    {
        mpObj.reset( NULL );
        return;
    }

mpObj->getWeakUnoShape() is nil - although we carefully set it earlier here:

#0  SdrObject::impl_setUnoShape (this=0x9b6e4b8, _rxUnoShape=uno::Reference to {_vptr.XInterface = 0xb0ae7b30 <vtable for SvxCustomShape+8>})
    at /ssd/opt/libreoffice/master/svx/source/svdraw/svdobj.cxx:2929
#1  0xb07ba45d in SdrObject::setUnoShape (this=0x9b6e4b8, _rxUnoShape=
  uno::Reference to {_vptr.XInterface = 0xb0ae7b30 <vtable for SvxCustomShape+8>})
    at /ssd/opt/libreoffice/master/svx/source/svdraw/svdobj.cxx:2981
#2  0xb088903e in SvxShape::impl_initFromSdrObject (this=0x9adb270) at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshape.cxx:372
#3  0xb088df4b in SvxShape::Create (this=0x9adb270, pNewObj=0x9b6e4b8) at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshape.cxx:448
#4  0xb088e055 in SvxShapeText::Create (this=0x9adb270, pNewObj=0x9b6e4b8, pNewPage=0x8b6e2a8)
    at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshape.cxx:4022

mpObj->getWeakUnoShape() is nil ( really the maWeakObjPtr member ) because of some cascade of deep unpleasantness like this:

Old value = (com::sun::star::uno::OWeakRefListener *) 0x9b6d070
New value = (com::sun::star::uno::OWeakRefListener *) 0x0
0xb7acd6c0 in com::sun::star::uno::WeakReferenceHelper::clear (this=0x9b6e568) at /ssd/opt/libreoffice/master/cppuhelper/source/weak.cxx:468
468	            m_pImpl = 0;
(gdb) bt
#0  0xb7acd6c0 in com::sun::star::uno::WeakReferenceHelper::clear (this=0x9b6e568) at /ssd/opt/libreoffice/master/cppuhelper/source/weak.cxx:468
#1  0xb7acdcd3 in com::sun::star::uno::WeakReferenceHelper::operator= (this=0x9b6e568, xInt=empty uno::Reference)
    at /ssd/opt/libreoffice/master/cppuhelper/source/weak.cxx:490
#2  0xb07ba35f in operator= (xInt=empty uno::Reference, this=0x9b6e568)
    at /ssd/opt/libreoffice/master/solver/unxlngi6.pro/inc/cppuhelper/weakref.hxx:147
#3  SdrObject::impl_setUnoShape (this=0x9b6e4b8, _rxUnoShape=empty uno::Reference)
    at /ssd/opt/libreoffice/master/svx/source/svdraw/svdobj.cxx:2928
#4  0xb07ba45d in SdrObject::setUnoShape (this=0x9b6e4b8, _rxUnoShape=empty uno::Reference)
    at /ssd/opt/libreoffice/master/svx/source/svdraw/svdobj.cxx:2981
#5  0xb088d153 in SvxShape::~SvxShape (this=0x9b6ed70, __in_chrg=<optimized out>)
    at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshape.cxx:244
#6  0xb088d4cd in SvxShapeText::~SvxShapeText (this=0x9b6ed70, __in_chrg=<optimized out>)
    at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshape.cxx:4011
#7  0xb087a8ce in SvxCustomShape::~SvxCustomShape (this=0x9b6ed70, __in_chrg=<optimized out>)
    at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshap2.cxx:1725
#8  0xb087a92c in SvxCustomShape::~SvxCustomShape (this=0x9b6ed70, __in_chrg=<optimized out>)
    at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshap2.cxx:1727
#9  0xb7acd179 in release (this=0x9b6ed70) at /ssd/opt/libreoffice/master/cppuhelper/source/weak.cxx:204
#10 cppu::OWeakObject::release (this=0x9b6ed70) at /ssd/opt/libreoffice/master/cppuhelper/source/weak.cxx:197
#11 0xb7acd9bf in cppu::OWeakAggObject::release (this=0x9b6ed70) at /ssd/opt/libreoffice/master/cppuhelper/source/weak.cxx:274
#12 0xb085b0d4 in cppu::WeakAggImplHelper12<com::sun::star::drawing::XShape, com::sun::star::lang::XComponent, com::sun::star::beans::XPropertySet, com::sun::star::beans::XMultiPropertySet, com::sun::star::beans::XPropertyState, com::sun::star::lang::XUnoTunnel, com::sun::star::container::XNamed, com::sun::star::drawing::XGluePointsSupplier, com::sun::star::container::XChild, com::sun::star::lang::XServiceInfo, com::sun::star::document::XActionLockable, com::sun::star::beans::XMultiPropertyStates>::release (this=0x9b6ed70)
    at /ssd/opt/libreoffice/master/solver/unxlngi6.pro/inc/cppuhelper/implbase12.hxx:151
#13 0xb0875e36 in SvxCustomShape::release (this=0x9b6ed70) at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshap2.cxx:1760
#14 0xafe38f5a in com::sun::star::uno::Reference<com::sun::star::uno::XAggregation>::~Reference (this=0x9b6f3f8, __in_chrg=<optimized out>)
    at /ssd/opt/libreoffice/master/solver/unxlngi6.pro/inc/com/sun/star/uno/Reference.hxx:108
#15 0xafe5e5f0 in ScShapeObj::~ScShapeObj (this=0x9b6f3c0, __in_chrg=<optimized out>)
    at /ssd/opt/libreoffice/master/sc/source/ui/unoobj/shapeuno.cxx:141
#16 0xafe5e66c in ScShapeObj::~ScShapeObj (this=0x9b6f3c0, __in_chrg=<optimized out>)
    at /ssd/opt/libreoffice/master/sc/source/ui/unoobj/shapeuno.cxx:145
#17 0xb7acd179 in release (this=0x9b6f3c0) at /ssd/opt/libreoffice/master/cppuhelper/source/weak.cxx:204
#18 cppu::OWeakObject::release (this=0x9b6f3c0) at /ssd/opt/libreoffice/master/cppuhelper/source/weak.cxx:197
#19 0xafe5dc12 in ScShapeObj::release (this=0x9b6f3c0) at /ssd/opt/libreoffice/master/sc/source/ui/unoobj/shapeuno.cxx:173
#20 0xb7a84a7e in com::sun::star::uno::Reference<com::sun::star::uno::XInterface>::~Reference (this=0xbfffbc9c, __in_chrg=<optimized out>)
    at /ssd/opt/libreoffice/master/solver/unxlngi6.pro/inc/com/sun/star/uno/Reference.hxx:108
#21 0xb7acd9ca in cppu::OWeakAggObject::release (this=0x9b6ed70) at /ssd/opt/libreoffice/master/cppuhelper/source/weak.cxx:274
#22 0xb085b0d4 in cppu::WeakAggImplHelper12<com::sun::star::drawing::XShape, com::sun::star::lang::XComponent, com::sun::star::beans::XPropertySet, com::sun::star::beans::XMultiPropertySet, com::sun::star::beans::XPropertyState, com::sun::star::lang::XUnoTunnel, com::sun::star::container::XNamed, com::sun::star::drawing::XGluePointsSupplier, com::sun::star::container::XChild, com::sun::star::lang::XServiceInfo, com::sun::star::document::XActionLockable, com::sun::star::beans::XMultiPropertyStates>::release (this=0x9b6ed70)
    at /ssd/opt/libreoffice/master/solver/unxlngi6.pro/inc/cppuhelper/implbase12.hxx:151
#26 0xaf76afb4 in EnhancedCustomShapeEngine::~EnhancedCustomShapeEngine (this=0x9b6ff68, __in_chrg=<optimized out>)
    at /ssd/opt/libreoffice/master/svx/source/customshapes/EnhancedCustomShapeEngine.cxx:78
#27 0xb7acd179 in release (this=0x9b6ff68) at /ssd/opt/libreoffice/master/cppuhelper/source/weak.cxx:204
#28 cppu::OWeakObject::release (this=0x9b6ff68) at /ssd/opt/libreoffice/master/cppuhelper/source/weak.cxx:197

#29 0xaf76a85a in EnhancedCustomShapeEngine::release (this=0x9b6ff68)
    at /ssd/opt/libreoffice/master/svx/source/customshapes/EnhancedCustomShapeEngine.cxx:88
#30 0xb07b6122 in com::sun::star::uno::Reference<com::sun::star::drawing::XCustomShapeEngine>::set (this=0x9b6e5e0, pInterface=0x0)
    at /ssd/opt/libreoffice/master/solver/unxlngi6.pro/inc/com/sun/star/uno/Reference.hxx:218
#31 0xb07af67f in operator= (pInterface=0x0, this=0x9b6e5e0)
    at /ssd/opt/libreoffice/master/solver/unxlngi6.pro/inc/com/sun/star/uno/Reference.hxx:324
#32 SdrObjCustomShape::InvalidateRenderGeometry (this=0x9b6e4b8) at /ssd/opt/libreoffice/master/svx/source/svdraw/svdoashp.cxx:3214

// #i37011# centralize throw-away of render geometry
void SdrObjCustomShape::InvalidateRenderGeometry()
{
    mXRenderedCustomShape = 0L;
    mxCustomShapeEngine = 0L;	<-- This line ! ...
    SdrObject::Free( mpLastShadowGeometry );
    mpLastShadowGeometry = 0L;
}

#33 0xb07af99b in SdrObjCustomShape::NbcSetLogicRect (this=0x9b6e4b8, rRect=Rectangle = {...})
    at /ssd/opt/libreoffice/master/svx/source/svdraw/svdoashp.cxx:1472
#34 0xb07abfa4 in SdrObjCustomShape::SetLogicRect (this=0x9b6e4b8, rRect=Rectangle = {...})
    at /ssd/opt/libreoffice/master/svx/source/svdraw/svdoashp.cxx:1495
#35 0xb08884ea in svx_setLogicRectHack (rRect=Rectangle = {...}, pObj=0x9b6e4b8)
    at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshape.cxx:1172

static void svx_setLogicRectHack( SdrObject* pObj, const Rectangle& rRect )
{ ...
        pObj->SetLogicRect( rRect ); <-- here
}

#36 SvxShape::setSize (this=0x9adb270, rSize=...) at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshape.cxx:1281
#37 0xb0876637 in SvxCustomShape::setSize (this=0x9adb270, rSize=...) at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshap2.cxx:1890
#38 0xb088df97 in SvxShape::Create (this=0x9adb270, pNewObj=0x9b6e4b8) at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshape.cxx:457
#39 0xb088e055 in SvxShapeText::Create (this=0x9adb270, pNewObj=0x9b6e4b8, pNewPage=0x8b6e2a8)
    at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshape.cxx:4022
#40 0xb08762ca in SvxCustomShape::Create (this=0x9adb270, pNewObj=0x9b6e4b8, pNewPage=0x8b6e2a8)
    at /ssd/opt/libreoffice/master/svx/source/unodraw/unoshap2.cxx:1733

Which makes you wonder what we can do about it really :-)

Prolly the easiest thing to do is to revert the caching magic in:

svx/source/svdraw/svdoashp.cxx

IIRC that was a small optimisation next to the other speedups in draw-shape loading there: though it really sucks to go back to re-creating/destroying that object a dozen times per draw object created.

Thoughts ?

Noel - this is the calc issue you identified on our call :-)

*** Bug 58076 has been marked as a duplicate of this bug. ***

I just came across this one today as well. I'm attaching a work in progress. If you apply the patch and try to open the attached reproducer, the importer crashes. Reverting commit 76350361f386b78e1bc9edb75af89e7ff3afe356 fixes the issue.

Created attachment 71514 [details]
patch to trigger the issue

Created attachment 71515 [details]
Input file to trigger the crash.

Ah, sorry for the spam, I missed the fact that bug 58076 already contains a public reproducer for the issue. :-)

Created attachment 71519 [details]
Wrong page orientation in LOWriter 4.0b1 compared to MS Word 2007

Created attachment 71520 [details]
Wrong page orientation in LOWriter 4.0b1 compared to MS Word 2007_2

(In reply to comment #6)
> Created attachment 71515 [details]
> Input file to trigger the crash.

Hi Miklos,

I can open the attached file to tigger the crash in LO Writter 4.0.0.0 beta 1 without applying the patch. I can see no crash with it, but the content looks differend in LO Writter 4.0.0.0 beta and MS Word 2007 PL as you can see at the screenshots.

*** Bug 58310 has been marked as a duplicate of this bug. ***

*** Bug 58309 has been marked as a duplicate of this bug. ***

(In reply to comment #2)
> mpObj->getWeakUnoShape() is nil ( really the maWeakObjPtr member )
I got as far as that, but not as far as below
> because
> of some cascade of deep unpleasantness like this:
> 
> Old value = (com::sun::star::uno::OWeakRefListener *) 0x9b6d070
> New value = (com::sun::star::uno::OWeakRefListener *) 0x0
> 0xb7acd6c0 in com::sun::star::uno::WeakReferenceHelper::clear
> (this=0x9b6e568) at
> /ssd/opt/libreoffice/master/cppuhelper/source/weak.cxx:468
> 468	            m_pImpl = 0;
> (gdb) bt
> #0  0xb7acd6c0 in com::sun::star::uno::WeakReferenceHelper::clear
> (this=0x9b6e568) at
> /ssd/opt/libreoffice/master/cppuhelper/source/weak.cxx:468
> #1  0xb7acdcd3 in com::sun::star::uno::WeakReferenceHelper::operator=
> (this=0x9b6e568, xInt=empty uno::Reference)
> IIRC that was a small optimisation next to the other speedups in draw-shape
> loading there: though it really sucks to go back to re-creating/destroying
> that object a dozen times per draw object created.
> 
> Thoughts ?
> 
> Noel - this is the calc issue you identified on our call :-)
thanks for looking at that but I didn't see even you were looking at that ( seems the cc was the an old freedesktop account that I probably should retire )

*** Bug 58399 has been marked as a duplicate of this bug. ***

Thanks for the reports - reverted the whole layered set of re-works of this speedup to this module: the lifecycle is sufficiently complicated that it defeated me in half an hour of code reading: everyone appears to have weak references of different types to everyone else :-) That the old code works at all is clearly something of a miracle - still it does in fact work (albeit slowly).

Created attachment 71734 [details]
proper fix for fdo#56980

So, I have found the real problem behind fdo#56980 (at least I think I have .-) Attached is a patch that fixes it without exhibiting any crashes. Because it requires reverting the revert again (this must be done as a separate step before applying), I would like a second opinion before pushing it :-) (And I am truly sorry I did not finish it yesterday...)

why not virtualise impl_SetUnoShape instead of having this extra _ suffixed method ? possibly the ReportDesigner (the only other use of that) has a similar issue ?

Otherwise - fine by me if you're confident; nice work tracking down what is going on there - happy to re-instate the cache & revert the revert if you want to for B2 - we can always go back easily if necessary.

Many thanks !

(In reply to comment #17)
> why not virtualise impl_SetUnoShape instead of having this extra _ suffixed
> method ? possibly the ReportDesigner (the only other use of that) has a
> similar issue ?

I did it that way to keep the setting and the notification for derived classes as separate steps. But I agree it is overkill for such a simple case :-)

*** Bug 58464 has been marked as a duplicate of this bug. ***

LibreOffice 4.0.0.0 BETA 2 Polish UI, Windows 7 64 bit - the bug still exists as described above. Downloaded the input file to trigger the crash and the result is exactly the same as before. There is a single horizontal page in MS Word 2007 SP 3 PL. However in LO Writer there are 2 vertical pages as it was shown at the screenshots attached.
Nothing has changed since LO 4.0.0.0 beta 1, so the bug is reopened.

VX:
> There is a single horizontal page in MS Word 2007 SP 3 PL. However in LO 
> Writer there are 2 vertical pages as it was shown at the screenshots attached.

You appear to have added some reasonably random screenshots to an apparently completely unrelated bug about a strange lifecycle crasher.

Please can you file a separate and focused issue for your problem :-) it is best to keep one, short clean bug describing a single problem rather than having several with different titles can be hard to follow :-)

This one is: "weakref / lifecycle nightmare on calc draw shape load"

And David fixed it I believe; in the absence of evidence to the contrary; re-closing this report & looking forward to your new bug report :-)

Thanks !

we unofortunately missed beta2 by a small margin, so the fix will not appear in 4.0.0 till RC1

... actually, it _is_ fixed in beta2 too, by reverting the shape load optimization

*** Bug 58400 has been marked as a duplicate of this bug. ***