Bug 62381 - CRASH when select slide with NPAPI plug-in object in Slides pane
Summary: CRASH when select slide with NPAPI plug-in object in Slides pane
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Impress (show other bugs)
Version:
(earliest affected)
Inherited From OOo
Hardware: x86 (IA32) Windows (All)
: medium normal
Assignee: Stephan Bergmann
URL:
Whiteboard: target:5.2.0 target:5.1.0.1 target:5...
Keywords: haveBacktrace
Depends on:
Blocks:
 
Reported: 2013-03-15 17:29 UTC by Pedro
Modified: 2016-10-25 19:11 UTC (History)
7 users (show)

See Also:
Crash report or crash signature:


Attachments
ODP presentation with 2 OLE objects embedded (PDF files) (683.97 KB, application/vnd.oasis.opendocument.presentation)
2013-03-15 17:29 UTC, Pedro
Details
Text file containing Windbg output from crash (7.77 KB, text/plain)
2014-02-07 15:13 UTC, Pedro
Details
New backtrace of crash using version LibreOffice 5.0.4.1 (6.34 KB, text/plain)
2015-12-07 10:18 UTC, Pedro
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Pedro 2013-03-15 17:29:08 UTC
Created attachment 76586 [details]
ODP presentation with 2 OLE objects embedded (PDF files)

When I click on the miniature (on the Slide Pane) of the second or third slides of the attached presentation, Impress always crashes (under Windows XP Pro x86 SP3). The crash occurs on any version of LO (I have tested it under LO 3.3.4.1, 3.4.5.2, 3.5.5.3, 3.6.5.2 and 4.0.1.2)

Opening the same file in OOo does not crash and allows to remove the OLE objects that cause the crash.

This file is a part of a presentation by Aaron C. Johnson.
See more details here
http://nabble.documentfoundation.org/Intro-to-LibreOffice-Presentations-td4043445.html
Comment 1 Julien Nabet 2013-03-16 15:32:23 UTC
Comment on attachment 76586 [details]
ODP presentation with 2 OLE objects embedded (PDF files)

mimetype fixed
Comment 2 Julien Nabet 2013-03-16 15:50:53 UTC
On pc Debian x86-64 with master sources updated today, I don't reproduce this.
On slide 2 and 3, I've got a small icon indicating it contains an OLE object.

On Win7 with 4.0.1.2 (French localization), I have same behaviour as Debian.

Pedro: could you rename your LO directory profile and give it a new try? (https://wiki.documentfoundation.org/UserProfile)
Comment 3 Pedro 2013-03-18 09:41:41 UTC
@Julien, that "solution" does not apply. As you can see in my original post, I tested under 4 different versions of LibreOffice. Only version 4.0.1.2 is installed. All previous versions are Portable (and that is why I don't have the final version in each branch).

So, they don't share the same LO directory profile. In any case version 3 and 4 builds don't share the same profile directory.
Comment 4 Julien Nabet 2013-03-18 19:00:32 UTC
Pedro: you're right, sorry.

Rainer: would you have some time for this one (after Base fdo#62478 of course:-)) ?
Comment 5 Rainer Bielefeld Retired 2013-03-19 06:42:35 UTC
No crash  with  "LibreOffice 3.6.5.2 " German UI/ German Locale [Build-ID: 5b93205] {pull date 2013-01-18} on German WIN7 Home Premium (64bit), 3.5.7.2, 3.4.5 and several other Versions I tested. I always opened reporter's sample document from LibO Start center File Dialog and clicked 15s around in the Slides pane, ran the presentation, again clicked 15s around in the Slides pane

This is a document created with an experimental AOOo 4.0 Version (OpenOffice/4.0.0$Win32 OpenOffice.org_project/400m1$Build-9700), I do not get the PDF objects shown with any version of LibO or OOo ("General OLE Error"). Objects seem to be damaged, replacements both have 0 bytes.

Of course, LibO should not crash. But I do not have any idea how to make the crash reproducible.
Comment 6 Pedro 2013-03-19 10:00:38 UTC
Rainer, the bug is NOT related to AOO 4.

I created the short ODP with just 4 slides in AOO because it was the only version that did NOT crash when editing.

The original presentation, mentioned in the linked topic you obviously did not read is
http://www.jordanschool.com/wp-content/uploads/LO-Presentation.zip

The presentation was created with LibreOffice 3.5 (I just checked the meta.xml)
Comment 7 Rainer Bielefeld Retired 2013-03-19 11:18:11 UTC
(In reply to comment #6)
Of course I read that.  Most of us know how to download a document from an URL, there is no need to create suspect sample documents. So it would be interesting to know why you created it.

May I remind you that your task is to create an instruction how we can reproduce your problem? So please create a clear step by step instruction how to reproduce the bug and tell characteristics of the bug. You deleted the hint that only a particular (yes, yes, and results of edits of that document) is affected. Do you really see that with more or less all .odp documents with embedded PDF OLE objects or is the problem only reproducible with "Jordan-LibreOffice-Presentation-11-28-2012.odp" and edits of it?
Comment 8 Pedro 2013-03-19 11:57:06 UTC
(In reply to comment #7)
> So it would be interesting to know why you created it.

To make a smaller working document which still replicated the problem. I didn't leave just one of the crashing slides because opening it sent LO on a loop.

> May I remind you that your task is to create an instruction how we can
> reproduce your problem? So please create a clear step by step instruction
> how to reproduce the bug and tell characteristics of the bug.

1) Open LO Start Center and open the file or simply double click on the file in your favorite file manager
2) Start presentation and move to second slide or simply click on the second slide in the Slide pane
3) LO crashes

> You deleted
> the hint that only a particular (yes, yes, and results of edits of that
> document) is affected. Do you really see that with more or less all .odp
> documents with embedded PDF OLE objects or is the problem only reproducible
> with "Jordan-LibreOffice-Presentation-11-28-2012.odp" and edits of it?

This only happens with the original "Jordan presentation" and with my shorter version of it. You are indeed correct that the cause is that there are no contents in the ObjectReplacements folder and that "Object 1","Object 2", etc. folders don't even exist

How this happened would be interesting to determine (it is a much more worrying bug...)

But the main point here is that LO immediately crashes while AOO doesn't. This means that LO is not resistant to this type of errors.
Comment 9 Rainer Bielefeld Retired 2013-03-20 08:20:14 UTC
I additionally tried the original presentation and reporter's reduced sample with LibO 3.4.x on a WIN XP (32bit) machine, no crash.

I think this one currently has not a bigger severity, it's a crash on a single computer with a single damaged document (but it's not clear whether that OLE object problem is related to the crashes). Of course I would prefer to find and eliminate the vulnerability, but I'm afraid that would cause very expensive efforts.
Comment 10 bfoman (inactive) 2013-05-15 07:12:30 UTC
Checked with:
LO 4.0.2.2
Build ID: own W7 debug build
Windows 7 Professional SP1 64 bit

Could not reproduce.

If it still crashes on your system, then try to get a backtrace following this article: http://wiki.documentfoundation.org/How_to_get_a_backtrace_with_WinDbg
Comment 11 ign_christian 2013-06-02 08:21:47 UTC
not reproducible on LO 4.0.4.1 (Win7 Home Premium 32bit)
Comment 12 Pedro 2013-06-03 12:46:23 UTC
Still occurs with LO 4.0.3.3 (and 4.1 Beta) under Windows XP in TWO separate machines.
Comment 13 Julien Nabet 2013-06-04 17:42:38 UTC
Pedro: just for the test, could you remove your portable version and install the "normal" 4.0.3 version ? (+ rename your LO directory profile (see https://wiki.documentfoundation.org/UserProfile))
Also:
- what's your Java version? 1.6, 1.7, 32 or 64bits?
- do you use any LO specific extensions?
Comment 14 Pedro 2013-06-04 18:06:09 UTC
(In reply to comment #13)
> Pedro: just for the test, could you remove your portable version and install
> the "normal" 4.0.3 version ?

I am using the installed version of both 4.0.3.3 and 4.1Beta

> (+ rename your LO directory profile (see
> https://wiki.documentfoundation.org/UserProfile))

I know ;) Did that and still crashes.

> Also:
> - what's your Java version? 1.6, 1.7, 32 or 64bits?

I have two Java 32 bits 1.6.0_45 and 1.7.0_21
Selecting either one or disabling Java use has no effect. It always crashes.

> - do you use any LO specific extensions?

No. Just the default (included in the installer)
Comment 15 Julien Nabet 2013-06-04 18:10:04 UTC
Pedro: so you confirm you don't use portable version?
Comment 16 Pedro 2013-06-04 22:05:55 UTC
(In reply to comment #15)
> Pedro: so you confirm you don't use portable version?

Yes, I confirm I'm not using the portable version. I'm using the *installed* versions.
Comment 17 Julien Nabet 2013-06-05 05:55:53 UTC
Pedro: ok then, i put it back to Unconfirmed
Comment 18 tommy27 2013-08-24 17:07:45 UTC
no crash on test .odp file using LibO 4.0.4 under Win7 64bit.

@Pedro
do you still see this crash with recent 4.0.5 or 4.1.0 final releases?
Comment 19 ign_christian 2013-08-25 01:32:37 UTC
Emm..I saw many specific problems with XP machines..

Pedro, perhaps you could try booting in safe mode & try to reproduce the problem? Or create new user in XP & try login from the newly created user to reproduce the problem.
Comment 20 Pedro 2013-08-25 14:44:30 UTC
Hi Tommy

> @Pedro
> do you still see this crash with recent 4.0.5 or 4.1.0 final releases?

I tested with 4.1.1.2 and it still crashes.
Comment 21 Pedro 2013-08-25 14:46:57 UTC
(In reply to comment #19)
> Pedro, perhaps you could try booting in safe mode & try to reproduce the
> problem? Or create new user in XP & try login from the newly created user to
> reproduce the problem.

I did create a new user in XP (although I don't understand how that is better than just deleting or renaming the LO user folder) and the crash still occurs.
Comment 22 Julien Nabet 2013-08-25 16:10:24 UTC
Pedro: if you have some time, it could be interesting you retrieve crash information (see https://wiki.documentfoundation.org/QA/BugReport/Debug_Information#Windows:_How_to_get_a_backtrace)
Comment 23 Pedro 2014-02-07 15:13:31 UTC
Created attachment 93616 [details]
Text file containing Windbg output from crash
Comment 24 Pedro 2014-02-12 01:07:38 UTC
As suggested by Christian Lohmaier on this topic

http://nabble.documentfoundation.org/Backtracing-in-Windows-XP-tp4096030p4096756.html

This is the information in Firefox about the PDF Xchange Viewer plugin

PDF-XChange Viewer

    File: npPDFXCviewNPPlugin.dll
    Path: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll
    Version: 2.5.213.1
    State: Enabled
    PDF-XChange Viewer Netscape Gecko Plugin

MIME Type	Description	Suffixes
application/pdf	Portable Document Format	pdf
Comment 25 Pedro 2014-06-19 09:53:08 UTC
This crasher still occurs with LO 4.3.0.1 under Windows XP Pro x86 SP3 (but not under Windows 7 Pro x64)

Since it seems to be a Windows XP specific bug my hope that it will be fixed is very little.

However I did post some findings that maybe are relevant
http://nabble.documentfoundation.org/Backtracing-in-Windows-XP-tt4096030.html#a4096921
Comment 26 Julien Nabet 2014-06-21 06:45:36 UTC
Put it at NEW since there's a bt.

Stephan: Noticing the commit http://cgit.freedesktop.org/libreoffice/core/commit/?id=93f5d5a9190e0e03bf4822663652a4b068c44f75 which fixes pointers problem in several files, including extensions/source/plugin/base/xplugin.cxx + vcl/source/helper/threadex.cxx (both appear in the bt), I thought you might be interested to take a look to pointer casts in http://opengrok.libreoffice.org/xref/core/extensions/source/plugin/win/sysplug.cxx#311
Comment 27 Stephan Bergmann 2014-06-23 07:50:45 UTC
(In reply to comment #26)
> Stephan: Noticing the commit
> http://cgit.freedesktop.org/libreoffice/core/commit/
> ?id=93f5d5a9190e0e03bf4822663652a4b068c44f75 which fixes pointers problem in
> several files, including extensions/source/plugin/base/xplugin.cxx +
> vcl/source/helper/threadex.cxx (both appear in the bt), I thought you might
> be interested to take a look to pointer casts in
> http://opengrok.libreoffice.org/xref/core/extensions/source/plugin/win/
> sysplug.cxx#311

Those casts in PluginComm_Impl::NPP_New look OK.  They are used to tunnel the args from there to PluginComm_Impl::doIt's case eNPP_New, where they would be cast back accordingly.  The top four frames of attachment 93616 [details] (allegedly: vcl::SolarThreadExecutor::impl_execute -> rtl::OString::OString -> rtl_uString2String -> NP_Shutdown) are unfortunately dubious enough to keep it unclear what's going wrong here.
Comment 28 QA Administrators 2015-09-04 02:48:14 UTC Comment hidden (obsolete)
Comment 29 Pedro 2015-09-14 16:50:46 UTC
Crash still occurs under Windows XP x86 running version 5.0.2.1
Comment 30 Pedro 2015-09-14 17:16:35 UTC
Changed the version to "Inherited from OOo"
Tested with LibreOfficePortable 3.3.0 and it crashed too.

My point is that it does NOT crash current releases of AOO (at least since 4.0.1) so it has been fixed since then.
Comment 31 Julien Nabet 2015-09-18 20:15:51 UTC
The only way to advance here would be to retrieve a backtrace:
https://wiki.documentfoundation.org/QA/BugReport/Debug_Information#Windows:_How_to_get_a_backtrace
Comment 32 Julien Nabet 2015-12-05 14:57:49 UTC
Dumb me! Even if it's now a bit old, there was a bt attached!

Pedro: if you have some time, it could be interesting you give a try to last non portable stable LO version 5.0.3 (with a brand new profile).
Comment 33 Pedro 2015-12-05 17:48:31 UTC
(In reply to Julien Nabet from comment #32)
> Pedro: if you have some time, it could be interesting you give a try to last
> non portable stable LO version 5.0.3 (with a brand new profile).

Immediate crash with brand new (installed)
Versão: 5.1.0.0.beta2
ID da versão: 53054959a12edc6510f51b94ddc9b73d27aedaf6
Threads 2; Ver: Windows 5.1; Render: default;

No crash with
AOO412m3(Build:9782)  -  Rev. 1709696
2015-10-21 09:53:29 (Mi, 21 Okt 2015)
Comment 34 Julien Nabet 2015-12-06 00:22:07 UTC
(In reply to Pedro from comment #33)
> (In reply to Julien Nabet from comment #32)
> > Pedro: if you have some time, it could be interesting you give a try to last
> > non portable stable LO version 5.0.3 (with a brand new profile).
> 
> Immediate crash with brand new (installed)
> Versão: 5.1.0.0.beta2
> ID da versão: 53054959a12edc6510f51b94ddc9b73d27aedaf6
> Threads 2; Ver: Windows 5.1; Render: default;
> 
> No crash with
> AOO412m3(Build:9782)  -  Rev. 1709696
> 2015-10-21 09:53:29 (Mi, 21 Okt 2015)

Thank you for your new feedback.
Taking a look at your old bt, I don't understand where OString comes from?
00e3f6a4 02ca5cd8 104c3098 097238d0 0000000f pllo!rtl::OString::OString+0x45 [c:\cygwin\home\buildslave\source\libo-core\include\rtl\string.hxx @ 229]
00e3f6c0 175d5891 00000000 00e3f734 175f2fa5 vcllo!vcl::SolarThreadExecutor::impl_execute+0x38 [c:\cygwin\home\buildslave\source\libo-core\vcl\source\helper\threadex.cxx @ 56]
Indeed, http://opengrok.libreoffice.org/xref/core/vcl/source/helper/threadex.cxx#49 shows no OString (or I just miss it!).

Would you mind providing a new bt? Perhaps there's a crash but for another reason now.
Comment 35 Pedro 2015-12-07 10:18:38 UTC
Created attachment 121099 [details]
New backtrace of crash using version LibreOffice 5.0.4.1

New backtrace this time from version 5.0.4.1

It is obvious that the problem is between LibreOffice and the Mozilla plugin used to open PDFs. I use the freeware PDF-XChange Viewer from Tracker Software (instead of the almost mandatory Adobe Reader)

I don't expect developers to worry about this particular program. The point here is that it is causing a crash while in Apache OpenOffice there is no crash at all.
Comment 36 Julien Nabet 2015-12-07 20:04:57 UTC
Thank you Pedro for the bt.

Stephan: 
1) considering last commits about NPAPI (see http://cgit.freedesktop.org/libreoffice/core/log/?qt=grep&q=npapi), I wonder if the problem could be due to remnants regkeys on reporter's machine.
In this case, I thought about raw method:
- uninstall LO
- remove any remnant LO directory (profile or in Program Files)
- launch a free registry cleaner (eg: ccleaner or other)
- install again LO
Would it be sufficient or could the fact that ApacheOOo is also installed on this machine interfere?

2) To avoid a crash, I thought about adding a try-catch but I don't know at which level/function in the stack, what to put in the catch and return in this case, ...

Any thoughts?
Comment 37 Commit Notification 2015-12-08 16:36:02 UTC
Stephan Bergmann committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=00daa67d745ae84ed15d3f210001193c6e950144

tdf#62381: Stop using NPAPI plugin when NP_Initialize fails

It will be available in 5.2.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 38 Commit Notification 2015-12-08 16:38:58 UTC
Stephan Bergmann committed a patch related to this issue.
It has been pushed to "libreoffice-5-1":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=5da95d887ce8f0de9d19a886ebad733be02ae5a5&h=libreoffice-5-1

tdf#62381: Stop using NPAPI plugin when NP_Initialize fails

It will be available in 5.1.0.1.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 39 Stephan Bergmann 2015-12-08 17:43:25 UTC
* This issue is about NPAPI plug-in objects, not OLE objects (adapted summary accordingly).

* The attachment 76586 [details] is not self-contained.  It references <../Jordan%20-%20LibreOffice%20-%20Standard%20Toolbar.pdf> and <../Jordan%20-%20LibreOffice%20-%20Formatting%20Toolbar.pdf> from Jordan-LibreOffice-Presentation-11-28-2012-crasher.odp's content.xml (i.e., you need correspondingly named .pdf files next to the .odp to reproduce).  (The mentioned original at <http://www.jordanschool.com/wp-content/uploads/LO-Presentation.zip> appears to be no longer available.)

* On Windows, with the PDF-XChange Viewer (File: npPDFXCviewNPPluign.dll, Version: 2.5.315.0) installed in Firebird, I can reproduce a crash with a local 32-bit LO master build.  The reason is that calling the plugin's NP_Initialize fails with an error return (i.e., LO would not be able to use the plugin to display the content anyway), but LO keeps on calling into the plugin afterwards.  This has been fixed now (backport request to libreoffice-5-0 towards LO 5.0.5 pending at <https://gerrit.libreoffice.org/#/c/20474/>).
Comment 40 Stephan Bergmann 2015-12-08 17:45:08 UTC
(In reply to Stephan Bergmann from comment #39)
> * On Windows, with the PDF-XChange Viewer (File: npPDFXCviewNPPluign.dll,
> Version: 2.5.315.0) installed in Firebird, [...]

That should read "Firefox" instead of "Firebird," of course.
Comment 41 Pedro 2015-12-08 18:41:59 UTC
(In reply to Stephan Bergmann from comment #39)
> This has been fixed now (backport request to
> libreoffice-5-0 towards LO 5.0.5 pending at
> <https://gerrit.libreoffice.org/#/c/20474/>).

Thank you Stephan for fixing this bug!
I hope it does get backported to 5.0.5!

Thanks!
Comment 42 Commit Notification 2015-12-08 22:08:23 UTC
Stephan Bergmann committed a patch related to this issue.
It has been pushed to "libreoffice-5-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=448fec81bf45e0e74be887d139519a3c403c625e&h=libreoffice-5-0

tdf#62381: Stop using NPAPI plugin when NP_Initialize fails

It will be available in 5.0.5.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.