Bug 68084 - Writer crashes when open this .docx file
Summary: Writer crashes when open this .docx file
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: filters and storage
Version (earliest affected): 4.1.0.4 release
Hardware: All All
Importance: medium critical
Assignee: Michael Stahl (allotropia)
Whiteboard: target:4.2.0 target:4.1.2 target:4.0.6
Reported: 2013-08-14 00:04 UTC by reddit.app
Modified: 2013-08-17 03:56 UTC

Attachments
simple .docx file that crashes Writer (11.33 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document)
2013-08-14 00:04 UTC, reddit.app

Description reddit.app 2013-08-14 00:04:29 UTC
Created attachment 84032
simple .docx file that crashes Writer

This happens on the latest from master, commit hash: ea4fc480c7317b16f4abbafacda3872bb7413357

Writer crashes while opening this .docx file created by MS Office 2011. Here is the backtrace; the original .docx file is attached.

Reading symbols for shared libraries . done
libc++abi.dylib: terminate called throwing an exception

Program received signal SIGABRT, Aborted.
0x95e52a6a in __pthread_kill ()
(gdb) bt
#0  0x95e52a6a in __pthread_kill ()
#1  0x9022ab2f in pthread_kill ()
#2  0x902614ec in abort ()
#3  0x9141e7e0 in abort_message ()
#4  0x9141c249 in default_terminate ()
#5  0x9141c289 in safe_handler_caller ()
#6  0x9141c26e in unexpected_defaults_to_terminate ()
#7  0x9141c2cf in __cxxabiv1::__unexpected ()
#8  0x9141d1ad in __cxa_call_unexpected ()
#9  0x2887850a in WriterFilter::filter (this=0x2865b9b0, aDescriptor=@0xbfff5930) at /Users/sguo/lo/core/writerfilter/source/filter/ImportFilter.cxx:155
#10 0x28878559 in non-virtual thunk to WriterFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (this=0x2865b9c4, aDescriptor=@0xbfff5930) at /Users/sguo/lo/core/writerfilter/source/filter/ImportFilter.cxx:155
#11 0x01789cf5 in SfxObjectShell::ImportFrom (this=0x1300f380, rMedium=@0x1dcc2180, bInsert=false) at /Users/sguo/lo/core/sfx2/source/doc/objstor.cxx:2255
#12 0x0177d4ee in SfxObjectShell::DoLoad (this=0x1300f380, pMed=0x1dcc2180) at /Users/sguo/lo/core/sfx2/source/doc/objstor.cxx:752
#13 0x017d495b in SfxBaseModel::load (this=0x192745bc, seqArguments=@0xbfff6258) at /Users/sguo/lo/core/sfx2/source/doc/sfxbasemodel.cxx:1886
#14 0x017d59b9 in non-virtual thunk to SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (this=0x19274618, seqArguments=@0xbfff6258) at /Users/sguo/lo/core/sfx2/source/doc/sfxbasemodel.cxx:1962
#15 0x018d793b in SfxFrameLoader_Impl::load (this=0x1fad7bf4, rArgs=@0xbfff64c8, _rTargetFrame=@0xbfff6508) at /Users/sguo/lo/core/sfx2/source/view/frmload.cxx:597
#16 0x018d82e6 in non-virtual thunk to SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) (this=0x1fad7c08, rArgs=@0xbfff64c8, _rTargetFrame=@0xbfff6508) at /Users/sguo/lo/core/sfx2/source/view/frmload.cxx:644
#17 0x1357cadf in framework::LoadEnv::impl_loadContent (this=0x1c2c5384) at /Users/sguo/lo/core/framework/source/loadenv/loadenv.cxx:1166
#18 0x135785e9 in framework::LoadEnv::startLoading (this=0x1c2c5384) at /Users/sguo/lo/core/framework/source/loadenv/loadenv.cxx:400
#19 0x134d9fc9 in framework::LoadDispatcher::impl_dispatch (this=0x1c2c5344, rURL=@0xbfff68b8, lArguments=@0xbfff6e28, xListener=@0xbfff6798) at /Users/sguo/lo/core/framework/source/dispatch/loaddispatcher.cxx:119
#20 0x134da645 in framework::LoadDispatcher::dispatchWithReturnValue (this=0x1c2c5344, rURL=@0xbfff68b8, lArguments=@0xbfff6e28) at /Users/sguo/lo/core/framework/source/dispatch/loaddispatcher.cxx:65
#21 0x134da6e8 in non-virtual thunk to framework::LoadDispatcher::dispatchWithReturnValue(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (this=0x1c2c535c, rURL=@0xbfff68b8, lArguments=@0xbfff6e28) at /Users/sguo/lo/core/framework/source/dispatch/loaddispatcher.cxx:66
#22 0x004eca8a in comphelper::SynchronousDispatch::dispatch (xStartPoint=@0xbfff6f20, sURL=@0xbfff6e10, sTarget=@0xbfff6e98, nFlags=0, lArguments=@0xbfff6e28) at /Users/sguo/lo/core/comphelper/source/misc/synchronousdispatch.cxx:69
#23 0x014342bc in SfxApplication::OpenDocExec_Impl (this=0x10662d90, rReq=@0xbfff78b8) at /Users/sguo/lo/core/sfx2/source/appl/appopen.cxx:1093
#24 0x01427004 in SfxStubSfxApplicationOpenDocExec_Impl (pShell=0x10662d90, rReq=@0xbfff78b8) at sfxslots.hxx:1208
#25 0x01553afa in SfxShell::CallExec (this=0x10662d90, pFunc=0x1426fe0 <SfxStubSfxApplicationOpenDocExec_Impl(SfxShell*, SfxRequest&)>, rReq=@0xbfff78b8) at shell.hxx:183
#26 0x0192d141 in SfxDispatcher::Call_Impl (this=0xeeb3ed0, rShell=@0x10662d90, rSlot=@0x1b5093c, rReq=@0xbfff78b8, bRecord=0 '\0') at /Users/sguo/lo/core/sfx2/source/control/dispatch.cxx:243
#27 0x0192fded in SfxDispatcher::_Execute (this=0xeeb3ed0, rShell=@0x10662d90, rSlot=@0x1b5093c, rReq=@0xbfff78b8, eCallMode=1) at /Users/sguo/lo/core/sfx2/source/control/dispatch.cxx:924
#28 0x019309ef in SfxDispatcher::Execute (this=0xeeb3ed0, nSlot=5501, eCall=1, nModi=0, rArgs=@0xb8e9380) at /Users/sguo/lo/core/sfx2/source/control/dispatch.cxx:1122
#29 0x019307d2 in SfxDispatcher::Execute (this=0xeeb3ed0, nSlot=5501, eCall=1, rArgs=@0xb8e9380) at /Users/sguo/lo/core/sfx2/source/control/dispatch.cxx:1094
#30 0x01431207 in SfxApplication::OpenDocExec_Impl (this=0x10662d90, rReq=@0xa1c1870) at /Users/sguo/lo/core/sfx2/source/appl/appopen.cxx:737
#31 0x01427004 in SfxStubSfxApplicationOpenDocExec_Impl (pShell=0x10662d90, rReq=@0xa1c1870) at sfxslots.hxx:1208
#32 0x01553afa in SfxShell::CallExec (this=0x10662d90, pFunc=0x1426fe0 <SfxStubSfxApplicationOpenDocExec_Impl(SfxShell*, SfxRequest&)>, rReq=@0xa1c1870) at shell.hxx:183
#33 0x0192d141 in SfxDispatcher::Call_Impl (this=0xeeb3ed0, rShell=@0x10662d90, rSlot=@0x1b5093c, rReq=@0xa1c1870, bRecord=1 '\001') at /Users/sguo/lo/core/sfx2/source/control/dispatch.cxx:243
#34 0x01930de2 in SfxDispatcher::PostMsgHandler (this=0xeeb3ed0, pReq=0xa1c1870) at /Users/sguo/lo/core/sfx2/source/control/dispatch.cxx:1222
#35 0x0192d674 in SfxDispatcher::LinkStubPostMsgHandler (pThis=0xeeb3ed0, pCaller=0xa1c1870) at /Users/sguo/lo/core/sfx2/source/control/dispatch.cxx:1193
#36 0x0012ea5a in Link::Call (this=0xeeb1ae8, pCaller=0xa1c1870) at link.hxx:123
#37 0x0183104d in GenLink::Call (this=0xeeb1ae8, pCaller=0xa1c1870) at genlink.hxx:45
#38 0x01830ec9 in SfxHintPoster::Event (this=0xeeb1ae0, pPostedHint=0xa1c1870) at /Users/sguo/lo/core/sfx2/source/notify/hintpost.cxx:62
#39 0x01830fd9 in SfxHintPoster::DoEvent_Impl (this=0xeeb1ae0, pPostedHint=0xa1c1870) at /Users/sguo/lo/core/sfx2/source/notify/hintpost.cxx:52
#40 0x01830e94 in SfxHintPoster::LinkStubDoEvent_Impl (pThis=0xeeb1ae0, pCaller=0xa1c1870) at /Users/sguo/lo/core/sfx2/source/notify/hintpost.cxx:56
#41 0x0012ea5a in Link::Call (this=0xa17aee0, pCaller=0xa1c1870) at link.hxx:123
#42 0x0585deaa in ImplHandleUserEvent (pSVEvent=0xa1931a0) at /Users/sguo/lo/core/vcl/source/window/winproc.cxx:1975
#43 0x0585aedb in ImplWindowFrameProc (pWindow=0xeeb57e0, nEvent=22, pEvent=0xa1931a0) at /Users/sguo/lo/core/vcl/source/window/winproc.cxx:2590
#44 0x0587dc76 in SalFrame::CallCallback (this=0xeeb5af0, nEvent=22, pEvent=0xa1931a0) at salframe.hxx:243
#45 0x0587b0b7 in AquaSalInstance::Yield (this=0xb8a8fa0, bWait=true, bHandleAllCurrentEvents=false) at /Users/sguo/lo/core/vcl/aqua/source/app/salinst.cxx:653
#46 0x052397b2 in ImplYield (i_bWait=true, i_bAllEvents=false) at /Users/sguo/lo/core/vcl/source/app/svapp.cxx:417
#47 0x052350ea in Application::Yield () at /Users/sguo/lo/core/vcl/source/app/svapp.cxx:451
#48 0x052350ab in Application::Execute () at /Users/sguo/lo/core/vcl/source/app/svapp.cxx:396
#49 0x0011ebd5 in desktop::Desktop::Main (this=0xbfff9a78) at /Users/sguo/lo/core/desktop/source/app/app.cxx:1720
#50 0x05245c01 in ImplSVMain () at /Users/sguo/lo/core/vcl/source/app/svmain.cxx:162
#51 0x0587a963 in AquaSalInstance::handleAppDefinedEvent (pEvent=0xa193f00) at /Users/sguo/lo/core/vcl/aqua/source/app/salinst.cxx:524
#52 0x058dccef in -[VCL_NSApplication sendEvent:] (self=0xa572fa0, _cmd=0x94e83db1, pEvent=0xa193f00) at /Users/sguo/lo/core/vcl/aqua/source/app/vclnsapp.mm:62
#53 0x9461d62c in -[NSApplication run] ()
#54 0x945c05f6 in NSApplicationMain ()
#55 0x05879726 in ImplSVMainHook (pnInit=0xbfff9a10) at /Users/sguo/lo/core/vcl/aqua/source/app/salinst.cxx:217
#56 0x052472ce in SVMain () at /Users/sguo/lo/core/vcl/source/app/svmain.cxx:195
#57 0x0018aac8 in soffice_main () at /Users/sguo/lo/core/desktop/source/app/sofficemain.cxx:81
#58 0x00001f5b in sal_main () at /Users/sguo/lo/core/desktop/source/app/main.c:48
#59 0x00001f40 in main (argc=5, argv=0xbfff9b20) at /Users/sguo/lo/core/desktop/source/app/main.c:47
(gdb)
Comment 1 Julien Nabet 2013-08-14 20:02:28 UTC
Comment on attachment 84032
simple .docx file that crashes Writer

Mimetype fixed
Comment 2 Julien Nabet 2013-08-14 21:10:01 UTC
On a Debian x86-64 PC with master sources updated today, I reproduced the problem.
In a gdb session, I saw that the crash happened here:
writerfilter/source/ooxml/OOXMLDocumentImpl.cxx at resolveFastSubStream(rStream, OOXMLStream::STYLES);

package/source/xstor/xstorage.cxx here:
        xResult = m_pData->m_rHierarchyHolder->GetStreamHierarchically(
                                                ( m_pImpl->m_nStorageMode & embed::ElementModes::READWRITE ),
                                                aListPath,
                                                nOpenMode );

It's quite difficult to follow the code here; it seemed recursive to me.
Comment 3 reddit.app 2013-08-16 03:14:44 UTC
I traced to the following code in package/source/xstor/xstorage.cxx, where the exception was thrown:


SotElement_Impl* OStorage::OpenStreamElement_Impl( const OUString& aStreamName, sal_Int32 nOpenMode, sal_Bool bEncr )
{
    ::osl::MutexGuard aGuard( m_pData->m_rSharedMutexRef->GetMutex() );

    OSL_ENSURE( !m_pData->m_bReadOnlyWrap || ( nOpenMode & embed::ElementModes::WRITE ) != embed::ElementModes::WRITE,
                "An element can not be opened for writing in readonly storage!\n" );

    SotElement_Impl *pElement = m_pImpl->FindElement( aStreamName );
    if ( !pElement )
    {
        // element does not exist, check if creation is allowed
        if ( !( m_pImpl->m_nStorageMode & embed::ElementModes::WRITE )
          || (( nOpenMode & embed::ElementModes::WRITE ) != embed::ElementModes::WRITE )
          || ( nOpenMode & embed::ElementModes::NOCREATE ) == embed::ElementModes::NOCREATE )
            throw io::IOException( OSL_LOG_PREFIX, uno::Reference< uno::XInterface >() ); // TODO: access_denied
Comment 4 reddit.app 2013-08-16 05:23:11 UTC
Here are more gdb findings. The following statement:

        resolveFastSubStream(rStream, OOXMLStream::STYLES);

caused the failure when trying to access the "word/styles.xml" file in the zip storage. I checked the original a.docx file; it does not have that XML in it. It only has "word/stylesWithEffects.xml".

I think we should not throw an exception when the "word/styles.xml" file is not present. Instead, a default stream should be provided if that file is missing.
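
A pre-flight check for the condition found above, as an added example that is not part of the original comment or of LibreOffice's code: it lists the parts that word/_rels/document.xml.rels references but the zip does not contain. The sample package is constructed in memory, and that the attached file's relationships name styles.xml is an assumption, since the thread only states that the part is absent.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
DOC_RELS = "word/_rels/document.xml.rels"


def build_sample_docx(with_styles):
    """Constructed sample: a minimal .docx-like package, optionally without word/styles.xml."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Target="styles.xml" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/>'
        '<Relationship Id="rId2" Target="stylesWithEffects.xml" '
        'Type="http://schemas.microsoft.com/office/2007/relationships/stylesWithEffects"/>'
        '<Relationship Id="rId3" Target="http://example.invalid/" TargetMode="External" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr(DOC_RELS, rels)
        z.writestr("word/stylesWithEffects.xml", "<styles/>")
        if with_styles:
            z.writestr("word/styles.xml", "<styles/>")
    return buf.getvalue()


def missing_parts(docx_bytes):
    """Return sorted part names that document.xml.rels references but the zip lacks."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if DOC_RELS not in names:
            return []  # nothing referenced, nothing dangling
        # For untrusted files, run this in a sandbox or use a hardened XML parser.
        root = ET.fromstring(z.read(DOC_RELS))
    missing = set()
    for rel in root.iter(REL_NS + "Relationship"):
        if rel.get("TargetMode") == "External":
            continue  # external targets are URLs, not package parts
        target = rel.get("Target", "")
        # Relative targets resolve against the source part's directory (word/).
        part = posixpath.normpath(posixpath.join("/word", target)).lstrip("/")
        if part not in names:
            missing.add(part)
    return sorted(missing)
```

A non-empty result marks a file worth holding back from importers that have not been patched to tolerate a missing stream.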
Comment 5 Julien Nabet 2013-08-16 05:40:51 UTC
Reddit: thank you for these debugging findings!

Cédric/Michael: one for you?
Comment 6 Michael Stahl (allotropia) 2013-08-16 10:50:24 UTC
hmm the document contains no styles.xml but a stylesWithEffects.xml,
whatever that is.

Cedric or Miklos may know if that requires additional handling.

just catching the exception in the right place seems to prevent the crash.

PS: lol, Mac OS X on Itanium :D
Comment 7 Commit Notification 2013-08-16 10:53:35 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=6e3ac01f850228afb5c6cb1a33b101693aea8712

fdo#68084: OOXML import: handle exceptions if stream is missing



The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 8 Commit Notification 2013-08-16 13:48:30 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-4-1":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=b697e302c1eb31afdcc3bbc916bd929ec96a6c70&h=libreoffice-4-1

fdo#68084: OOXML import: handle exceptions if stream is missing


It will be available in LibreOffice 4.1.2.

Comment 9 Commit Notification 2013-08-16 14:32:49 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-4-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=5cc5a03d799434b51f67256a46d52b823870be94&h=libreoffice-4-0

fdo#68084: OOXML import: handle exceptions if stream is missing


It will be available in LibreOffice 4.0.6.

Comment 10 reddit.app 2013-08-17 03:56:06 UTC
It's fixed on master.

Thanks!