Bug 68064 - CppunitTest_sw_rtfimport: recursive SwNodes::RemoveNode, valgrind reports invalid read/write
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version: 4.2.0.0.alpha0+ Master (earliest affected)
Hardware: Other All
Importance: medium normal
Assignee: Not Assigned
Whiteboard: target:4.2.0 target:4.1.2 target:4.0.6
Reported: 2013-08-13 14:42 UTC by Stephan Bergmann
Modified: 2013-08-14 09:19 UTC
Description Stephan Bergmann 2013-08-13 14:42:50 UTC
With a recent master (but also with a recent libreoffice-4-0 build), valgrind'ing CppunitTest_sw_rtfimport gives

> Invalid read of size 2
>    at 0x103D3334: BigPtrArray::Remove(unsigned long, unsigned long) (/sw/source/core/bastyp/bparr.cxx:366)
>    by 0x106B5DDD: SwNodes::RemoveNode(unsigned long, unsigned long, unsigned char) (/sw/source/core/docnode/nodes.cxx:2401)
>    by 0x106B2F35: SwNodes::DelNodes(SwNodeIndex const&, unsigned long) (/sw/source/core/docnode/nodes.cxx:1528)
>    by 0x104EEFD9: SwDoc::DeleteSection(SwNode*) (/sw/source/core/doc/docedt.cxx:696)
>    by 0x105527DD: SwDoc::DelLayoutFmt(SwFrmFmt*) (/sw/source/core/doc/doclay.cxx:295)
>    by 0x10A5E576: SwTxtNode::DestroyAttr(SwTxtAttr*) (/sw/source/core/txtnode/thints.cxx:1101)
>    by 0x10A3D2B8: SwTxtNode::~SwTxtNode() (/sw/source/core/txtnode/ndtxt.cxx:248)
>    by 0x10A3D47B: SwTxtNode::~SwTxtNode() (/sw/source/core/txtnode/ndtxt.cxx:262)
>    by 0x106B5D24: SwNodes::RemoveNode(unsigned long, unsigned long, unsigned char) (/sw/source/core/docnode/nodes.cxx:2391)
>    by 0x106B2F35: SwNodes::DelNodes(SwNodeIndex const&, unsigned long) (/sw/source/core/docnode/nodes.cxx:1528)
>    by 0x104EEFD9: SwDoc::DeleteSection(SwNode*) (/sw/source/core/doc/docedt.cxx:696)
>    by 0x107CA9C2: DelHFFormat(SwClient*, SwFrmFmt*) (/sw/source/core/layout/atrfrm.cxx:164)
>    by 0x107CBB43: SwFmtHeader::~SwFmtHeader() (/sw/source/core/layout/atrfrm.cxx:438)
>    by 0x107CBBD1: SwFmtHeader::~SwFmtHeader() (/sw/source/core/layout/atrfrm.cxx:439)
>    by 0x163F3E6E: SfxItemPool::Remove(SfxPoolItem const&) (/svl/source/items/itempool.cxx:831)
>    by 0x1640878B: SfxItemSet::~SfxItemSet() (/svl/source/items/itemset.cxx:317)
>    by 0x103CF3DD: SwAttrSet::~SwAttrSet() (in /solver/unxlngx6/lib/libswlo.so)
>    by 0x103CD75D: SwFmt::~SwFmt() (/sw/source/core/attr/format.cxx:213)
>    by 0x105357F8: SwFrmFmt::~SwFrmFmt() (in /solver/unxlngx6/lib/libswlo.so)
>    by 0x10859A54: SwPageDesc::~SwPageDesc() (/sw/source/core/layout/pagedesc.cxx:102)
>    by 0x10859B57: SwPageDesc::~SwPageDesc() (/sw/source/core/layout/pagedesc.cxx:104)
>    by 0x10E22B04: SwDocStyleSheet::SetItemSet(SfxItemSet const&, bool) (/sw/source/ui/app/docstyle.cxx:1388)
>    by 0x10C15D16: SwXPageStyle::SetPropertyValues_Impl(com::sun::star::uno::Sequence<rtl::OUString> const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) (/sw/source/core/unocore/unostyle.cxx:3193)
>    by 0x10C16065: SwXPageStyle::setPropertyValues(com::sun::star::uno::Sequence<rtl::OUString> const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) (/sw/source/core/unocore/unostyle.cxx:3207)
>    by 0x22672868: writerfilter::dmapper::SectionPropertyMap::_ApplyProperties(com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet>) (/writerfilter/source/dmapper/PropertyMap.cxx:1153)
>    by 0x22670E3A: writerfilter::dmapper::SectionPropertyMap::CloseSectionGroup(writerfilter::dmapper::DomainMapper_Impl&) (/writerfilter/source/dmapper/PropertyMap.cxx:1042)
>    by 0x225CAABD: writerfilter::dmapper::DomainMapper::lcl_endSectionGroup() (/writerfilter/source/dmapper/DomainMapper.cxx:3488)
>    by 0x22759BE2: writerfilter::LoggedStream::endSectionGroup() (/writerfilter/source/resourcemodel/LoggedResources.cxx:101)
>    by 0x22545D0C: writerfilter::rtftok::RTFDocumentImpl::sectBreak(bool) (/writerfilter/source/rtftok/rtfdocumentimpl.cxx:558)
>    by 0x225629D4: writerfilter::rtftok::RTFDocumentImpl::popState() (/writerfilter/source/rtftok/rtfdocumentimpl.cxx:4479)
>    by 0x225ADD48: writerfilter::rtftok::RTFTokenizer::resolveParse() (/writerfilter/source/rtftok/rtftokenizer.cxx:106)
>    by 0x22546348: writerfilter::rtftok::RTFDocumentImpl::resolve(writerfilter::Stream&) (/writerfilter/source/rtftok/rtfdocumentimpl.cxx:622)
>    by 0x226FB41F: RtfFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (/writerfilter/source/filter/RtfFilter.cxx:126)
>    by 0x15983C20: SfxObjectShell::ImportFrom(SfxMedium&, bool) (/sfx2/source/doc/objstor.cxx:2255)
>    by 0x1597BDFA: SfxObjectShell::DoLoad(SfxMedium*) (/sfx2/source/doc/objstor.cxx:752)
>    by 0x159C1057: SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (/sfx2/source/doc/sfxbasemodel.cxx:1886)
>    by 0x15AA4C60: SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) (/sfx2/source/view/frmload.cxx:597)
>    by 0x1BC8277A: framework::LoadEnv::impl_loadContent() (/framework/source/loadenv/loadenv.cxx:1166)
>    by 0x1BC7EED6: framework::LoadEnv::startLoading() (/framework/source/loadenv/loadenv.cxx:400)
>    by 0x1BC7DF9E: framework::LoadEnv::loadComponentFromURL(com::sun::star::uno::Reference<com::sun::star::frame::XComponentLoader> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (/framework/source/loadenv/loadenv.cxx:171)
>    by 0x1BCB981A: framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (/framework/source/services/desktop.cxx:627)
>    by 0x11E8065A: unotest::MacrosTest::loadFromDesktop(rtl::OUString const&, char const*) (/unotest/source/cpp/macros_test.cxx:41)
>    by 0xFCCECBA: SwModelTestBase::load(char const*, char const*, bool) (/sw/qa/extras/inc/swmodeltestbase.hxx:272)
>    by 0xFCAB353: Test::run() (/sw/qa/extras/rtfimport/rtfimport.cxx:333)
>    by 0xFCE1E8D: CppUnit::TestCaller<Test>::runTest() (/workdir/unxlngx6/UnpackedTarball/cppunit/include/cppunit/TestCaller.h:166)
>    by 0x4F484E7: CppUnit::TestCaseMethodFunctor::operator()() const (/workdir/unxlngx6/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:32)
>    by 0xCD2BA86: (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) (/unotest/source/cpp/unobootstrapprotector/unobootstrapprotector.cxx:88)
>    by 0x4F40586: CppUnit::ProtectorChain::ProtectFunctor::operator()() const (/workdir/unxlngx6/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20)
>    by 0xB9CF51B: (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) (/unotest/source/cpp/unoexceptionprotector/unoexceptionprotector.cxx:64)
>    by 0x4F40586: CppUnit::ProtectorChain::ProtectFunctor::operator()() const (/workdir/unxlngx6/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20)
>  Address 0x545bec0 is 16 bytes inside a block of size 56 free'd
>    at 0x4A077E6: free (/builddir/build/BUILD/valgrind-3.8.1/coregrind/m_replacemalloc/vg_replace_malloc.c:446)
>    by 0x4C3E140: rtl_freeMemory_SYSTEM(void*) (/sal/rtl/alloc_global.cxx:276)
>    by 0x4C3E3FB: rtl_freeMemory (/sal/rtl/alloc_global.cxx:346)
>    by 0x4C3CF05: rtl_cache_free (/sal/rtl/alloc_cache.cxx:1245)
>    by 0x130F723F: FixedMemPool::Free(void*) (/tools/source/memtools/mempool.cxx:48)
>    by 0x106615C8: SwStartNode::operator delete(void*, unsigned long) (in /solver/unxlngx6/lib/libswlo.so)
>    by 0x10672460: SwStartNode::~SwStartNode() (/sw/inc/node.hxx:298)
>    by 0x106B5D24: SwNodes::RemoveNode(unsigned long, unsigned long, unsigned char) (/sw/source/core/docnode/nodes.cxx:2391)
>    by 0x106B2F35: SwNodes::DelNodes(SwNodeIndex const&, unsigned long) (/sw/source/core/docnode/nodes.cxx:1528)
>    by 0x104EEFD9: SwDoc::DeleteSection(SwNode*) (/sw/source/core/doc/docedt.cxx:696)
>    by 0x105527DD: SwDoc::DelLayoutFmt(SwFrmFmt*) (/sw/source/core/doc/doclay.cxx:295)
>    by 0x10A5E576: SwTxtNode::DestroyAttr(SwTxtAttr*) (/sw/source/core/txtnode/thints.cxx:1101)
>    by 0x10A3D2B8: SwTxtNode::~SwTxtNode() (/sw/source/core/txtnode/ndtxt.cxx:248)
>    by 0x10A3D47B: SwTxtNode::~SwTxtNode() (/sw/source/core/txtnode/ndtxt.cxx:262)
>    by 0x106B5D24: SwNodes::RemoveNode(unsigned long, unsigned long, unsigned char) (/sw/source/core/docnode/nodes.cxx:2391)
>    by 0x106B2F35: SwNodes::DelNodes(SwNodeIndex const&, unsigned long) (/sw/source/core/docnode/nodes.cxx:1528)
>    by 0x104EEFD9: SwDoc::DeleteSection(SwNode*) (/sw/source/core/doc/docedt.cxx:696)
>    by 0x107CA9C2: DelHFFormat(SwClient*, SwFrmFmt*) (/sw/source/core/layout/atrfrm.cxx:164)
>    by 0x107CBB43: SwFmtHeader::~SwFmtHeader() (/sw/source/core/layout/atrfrm.cxx:438)
>    by 0x107CBBD1: SwFmtHeader::~SwFmtHeader() (/sw/source/core/layout/atrfrm.cxx:439)
>    by 0x163F3E6E: SfxItemPool::Remove(SfxPoolItem const&) (/svl/source/items/itempool.cxx:831)
>    by 0x1640878B: SfxItemSet::~SfxItemSet() (/svl/source/items/itemset.cxx:317)
>    by 0x103CF3DD: SwAttrSet::~SwAttrSet() (in /solver/unxlngx6/lib/libswlo.so)
>    by 0x103CD75D: SwFmt::~SwFmt() (/sw/source/core/attr/format.cxx:213)
>    by 0x105357F8: SwFrmFmt::~SwFrmFmt() (in /solver/unxlngx6/lib/libswlo.so)
>    by 0x10859A54: SwPageDesc::~SwPageDesc() (/sw/source/core/layout/pagedesc.cxx:102)
>    by 0x10859B57: SwPageDesc::~SwPageDesc() (/sw/source/core/layout/pagedesc.cxx:104)
>    by 0x10E22B04: SwDocStyleSheet::SetItemSet(SfxItemSet const&, bool) (/sw/source/ui/app/docstyle.cxx:1388)
>    by 0x10C15D16: SwXPageStyle::SetPropertyValues_Impl(com::sun::star::uno::Sequence<rtl::OUString> const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) (/sw/source/core/unocore/unostyle.cxx:3193)
>    by 0x10C16065: SwXPageStyle::setPropertyValues(com::sun::star::uno::Sequence<rtl::OUString> const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) (/sw/source/core/unocore/unostyle.cxx:3207)
>    by 0x22672868: writerfilter::dmapper::SectionPropertyMap::_ApplyProperties(com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet>) (/writerfilter/source/dmapper/PropertyMap.cxx:1153)
>    by 0x22670E3A: writerfilter::dmapper::SectionPropertyMap::CloseSectionGroup(writerfilter::dmapper::DomainMapper_Impl&) (/writerfilter/source/dmapper/PropertyMap.cxx:1042)
>    by 0x225CAABD: writerfilter::dmapper::DomainMapper::lcl_endSectionGroup() (/writerfilter/source/dmapper/DomainMapper.cxx:3488)
>    by 0x22759BE2: writerfilter::LoggedStream::endSectionGroup() (/writerfilter/source/resourcemodel/LoggedResources.cxx:101)
>    by 0x22545D0C: writerfilter::rtftok::RTFDocumentImpl::sectBreak(bool) (/writerfilter/source/rtftok/rtfdocumentimpl.cxx:558)
>    by 0x225629D4: writerfilter::rtftok::RTFDocumentImpl::popState() (/writerfilter/source/rtftok/rtfdocumentimpl.cxx:4479)
>    by 0x225ADD48: writerfilter::rtftok::RTFTokenizer::resolveParse() (/writerfilter/source/rtftok/rtftokenizer.cxx:106)
>    by 0x22546348: writerfilter::rtftok::RTFDocumentImpl::resolve(writerfilter::Stream&) (/writerfilter/source/rtftok/rtfdocumentimpl.cxx:622)
>    by 0x226FB41F: RtfFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (/writerfilter/source/filter/RtfFilter.cxx:126)
>    by 0x15983C20: SfxObjectShell::ImportFrom(SfxMedium&, bool) (/sfx2/source/doc/objstor.cxx:2255)
>    by 0x1597BDFA: SfxObjectShell::DoLoad(SfxMedium*) (/sfx2/source/doc/objstor.cxx:752)
>    by 0x159C1057: SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (/sfx2/source/doc/sfxbasemodel.cxx:1886)
>    by 0x15AA4C60: SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) (/sfx2/source/view/frmload.cxx:597)
>    by 0x1BC8277A: framework::LoadEnv::impl_loadContent() (/framework/source/loadenv/loadenv.cxx:1166)
>    by 0x1BC7EED6: framework::LoadEnv::startLoading() (/framework/source/loadenv/loadenv.cxx:400)
>    by 0x1BC7DF9E: framework::LoadEnv::loadComponentFromURL(com::sun::star::uno::Reference<com::sun::star::frame::XComponentLoader> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (/framework/source/loadenv/loadenv.cxx:171)
>    by 0x1BCB981A: framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (/framework/source/services/desktop.cxx:627)
>    by 0x11E8065A: unotest::MacrosTest::loadFromDesktop(rtl::OUString const&, char const*) (/unotest/source/cpp/macros_test.cxx:41)
>    by 0xFCCECBA: SwModelTestBase::load(char const*, char const*, bool) (/sw/qa/extras/inc/swmodeltestbase.hxx:272)
>    by 0xFCAB353: Test::run() (/sw/qa/extras/rtfimport/rtfimport.cxx:333)

The invalid read is then immediately followed by an invalid write.
Comment 1 Commit Notification 2013-08-13 16:27:10 UTC
Stephan Bergmann committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=ebc81f19ef4ffe8d54f83c019ea80d10c98647d7

fdo#68064: Do not insert aTempEntry multiple times



The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 2 Commit Notification 2013-08-14 09:18:46 UTC
Stephan Bergmann committed a patch related to this issue.
It has been pushed to "libreoffice-4-1":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=b1b99974960259bd721f381723f74b1c00e034bb&h=libreoffice-4-1

fdo#68064: Do not insert aTempEntry multiple times


It will be available in LibreOffice 4.1.2.

Comment 3 Commit Notification 2013-08-14 09:19:07 UTC
Stephan Bergmann committed a patch related to this issue.
It has been pushed to "libreoffice-4-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=8bf69e2abf94b94afedeb0b7d7644e5626954122&h=libreoffice-4-0

fdo#68064: Do not insert aTempEntry multiple times


It will be available in LibreOffice 4.0.6.
