Bug 70197 - [FILEOPEN/FILESAVE] crash loading autosaved presentation
Status: RESOLVED DUPLICATE of bug 68839
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Impress
Version: 4.1.2.3 release (earliest affected)
Hardware: x86-64 (AMD64) Linux (All)
Importance: high major
Assignee: Not Assigned
URL:
Whiteboard:
Keywords: haveBacktrace
Depends on:
Blocks:
 
Reported: 2013-10-06 16:01 UTC by Paolo Bonzini
Modified: 2013-10-29 10:28 UTC

See Also:
Crash report or crash signature:


Attachments
file causing the crash (16.45 KB, application/vnd.oasis.opendocument.presentation)
2013-10-06 16:01 UTC, Paolo Bonzini

Description Paolo Bonzini 2013-10-06 16:01:14 UTC
Created attachment 87197
file causing the crash

The attached reduced testcase causes a segfault in LibreOffice. The saved file breaks after a few hours of editing. Every time a broken file was saved, I could recover the presentation (but losing the pictures) by stripping <draw:image> tags from the content.xml file.

Backtrace:

#0  0x000000336cfb88b8 in main_arena () from /lib64/libc.so.6
#1  0x000000336fc5d89f in __cxxabiv1::__dynamic_cast (src_ptr=0x1396670, 
    src_type=0x3381219460 <typeinfo for SvXMLImportContext>, 
    dst_type=0x338121cc30, src2dst=0)
    at ../../../../libstdc++-v3/libsupc++/dyncast.cc:60
#2  0x0000003380dda15a in SdXMLFrameShapeContext::EndElement() ()
   from /usr/lib64/libreoffice/program/../program/libxolo.so
#3  0x0000003380d29216 in SvXMLImport::endElement(rtl::OUString const&) ()
   from /usr/lib64/libreoffice/program/../program/libxolo.so
#4  0x00007fffd264f4fe in sax_expatwrap::SaxExpatParser_Impl::callbackEndElement(void*, char const*) ()
   from /usr/lib64/libreoffice/program/../program/libexpwraplo.so
#5  0x000000337280b080 in doContent () from /lib64/libexpat.so.1
#6  0x000000337280b9de in contentProcessor () from /lib64/libexpat.so.1
#7  0x0000003372809cd5 in doProlog () from /lib64/libexpat.so.1
#8  0x000000337280a4cd in prologProcessor () from /lib64/libexpat.so.1
#9  0x000000337280da1f in XML_ParseBuffer () from /lib64/libexpat.so.1
#10 0x00007fffd264e7b9 in sax_expatwrap::SaxExpatParser_Impl::parse() ()
   from /usr/lib64/libreoffice/program/../program/libexpwraplo.so
#11 0x00007fffd2651912 in sax_expatwrap::SaxExpatParser::parseStream(com::sun::star::xml::sax::InputSource const&) ()
   from /usr/lib64/libreoffice/program/../program/libexpwraplo.so
#12 0x00007fffd1f8770a in ReadThroughComponent(com::sun::star::uno::Reference<com::sun::star::io::XInputStream>, com::sun::star::uno::Reference<com::sun::star::lang::XComponent>, String const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext>&, char const*, com::sun::star::uno::Sequence<com::sun::star::uno::Any>, rtl::OUString const&, unsigned char, unsigned char) ()
   from /usr/lib64/libreoffice/program/../program/libsdlo.so
#13 0x00007fffd1f88408 in ReadThroughComponent(com::sun::star::uno::Reference<com::sun::star::embed::XStorage> const&, com::sun::star::uno::Reference<com::sun::star::lang::XComponent>, char const*, char const*, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext>&, char const*, com::sun::star::uno::Sequence<com::sun::star::uno::Any>, rtl::OUString const&, unsigned char) ()
   from /usr/lib64/libreoffice/program/../program/libsdlo.so
#14 0x00007fffd1f8a3e1 in SdXMLFilter::Import(unsigned long&) ()
   from /usr/lib64/libreoffice/program/../program/libsdlo.so
#15 0x00007fffd20152e3 in sd::DrawDocShell::Load(SfxMedium&) ()
   from /usr/lib64/libreoffice/program/../program/libsdlo.so
#16 0x000000337ff1d46f in SfxObjectShell::LoadOwnFormat(SfxMedium&) ()
   from /usr/lib64/libreoffice/program/libsfxlo.so
#17 0x000000337ff2c08d in SfxObjectShell::DoLoad(SfxMedium*) ()
   from /usr/lib64/libreoffice/program/libsfxlo.so
#18 0x000000337ff55f37 in SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) ()
   from /usr/lib64/libreoffice/program/libsfxlo.so
#19 0x000000337ffe119d in SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) ()
   from /usr/lib64/libreoffice/program/libsfxlo.so
#20 0x00007fffdbc138bd in framework::LoadEnv::impl_loadContent() ()
   from /usr/lib64/libreoffice/program/../program/libfwklo.so
#21 0x00007fffdbc14088 in framework::LoadEnv::startLoading() ()
   from /usr/lib64/libreoffice/program/../program/libfwklo.so
#22 0x00007fffdbb86464 in framework::LoadDispatcher::impl_dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) ()
   from /usr/lib64/libreoffice/program/../program/libfwklo.so
#23 0x00007fffdbb87348 in framework::LoadDispatcher::dispatchWithReturnValue(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) ()
   from /usr/lib64/libreoffice/program/../program/libfwklo.so
#24 0x00000033760f85aa in comphelper::SynchronousDispatch::dispatch(com::sun::star::uno::Reference<com::sun::star::uno::XInterface> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) ()
   from /usr/lib64/libreoffice/program/libcomphelper.so
#25 0x000000337d83dcd9 in desktop::DispatchWatcher::executeDispatchRequests(std::vector<desktop::DispatchWatcher::DispatchRequest, std::allocator<desktop::DispatchWatcher::DispatchRequest> > const&, bool) ()
   from /usr/lib64/libreoffice/program/libsofficeapp.so
#26 0x000000337d84837a in desktop::OfficeIPCThread::ExecuteCmdLineRequests(desktop::ProcessDocumentsRequest&) ()
   from /usr/lib64/libreoffice/program/libsofficeapp.so
#27 0x000000337d8216ee in desktop::Desktop::OpenClients() ()
   from /usr/lib64/libreoffice/program/libsofficeapp.so
#28 0x000000337d822521 in desktop::Desktop::OpenClients_Impl(void*) ()
   from /usr/lib64/libreoffice/program/libsofficeapp.so
#29 0x000000337880340a in ImplWindowFrameProc(Window*, SalFrame*, unsigned short, void const*) () from /usr/lib64/libreoffice/program/libvcllo.so
#30 0x0000003378809e68 in SalGenericDisplay::DispatchInternalEvent() ()
   from /usr/lib64/libreoffice/program/libvcllo.so
#31 0x00007ffff0cded9f in GtkData::userEventFn(void*) ()
   from /usr/lib64/libreoffice/program/libvclplug_gtklo.so
#32 0x00007ffff0cdee11 in call_userEventFn ()
   from /usr/lib64/libreoffice/program/libvclplug_gtklo.so
#33 0x000000336f049256 in g_main_dispatch (context=0x6596d0) at gmain.c:3065
#34 g_main_context_dispatch (context=context@entry=0x6596d0) at gmain.c:3641
#35 0x000000336f0495d8 in g_main_context_iterate (
    context=context@entry=0x6596d0, block=block@entry=0, 
    dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3712
#36 0x000000336f04968c in g_main_context_iteration (context=0x6596d0, 
    may_block=0) at gmain.c:3773
#37 0x00007ffff0cdeb11 in GtkData::Yield(bool, bool) ()
   from /usr/lib64/libreoffice/program/libvclplug_gtklo.so
#38 0x000000337851cee4 in Application::Yield(bool) ()
   from /usr/lib64/libreoffice/program/libvcllo.so
#39 0x000000337851cf87 in Application::Execute() ()
   from /usr/lib64/libreoffice/program/libvcllo.so
#40 0x000000337d8242e8 in desktop::Desktop::Main() ()
   from /usr/lib64/libreoffice/program/libsofficeapp.so
#41 0x00000033785247b1 in ImplSVMain() ()
   from /usr/lib64/libreoffice/program/libvcllo.so
#42 0x00000033785247e2 in SVMain() ()
   from /usr/lib64/libreoffice/program/libvcllo.so
#43 0x000000337d84c825 in soffice_main ()
   from /usr/lib64/libreoffice/program/libsofficeapp.so
#44 0x000000000040071b in main ()

Valgrind points to a dangling pointer.  It doesn't give accurate debug information unfortunately:

==9142==  Address 0x4d28380 is 0 bytes inside a block of size 280 free'd
==9142==    at 0x4A078DE: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9142==    by 0x3380D38809: ??? (in /usr/lib64/libreoffice/program/libxolo.so)
==9142==    by 0x3380DDA13C: ??? (in /usr/lib64/libreoffice/program/libxolo.so)
==9142==    by 0x3380D29215: SvXMLImport::endElement(rtl::OUString const&) (in /usr/lib64/libreoffice/program/libxolo.so)
==9142==    by 0x1D79E4FD: ??? (in /usr/lib64/libreoffice/program/libexpwraplo.so)
==9142==    by 0x337280B07F: ??? (in /usr/lib64/libexpat.so.1.6.0)
==9142==    by 0x337280B9DD: ??? (in /usr/lib64/libexpat.so.1.6.0)
==9142==    by 0x3372809CD4: ??? (in /usr/lib64/libexpat.so.1.6.0)
==9142==    by 0x337280A4CC: ??? (in /usr/lib64/libexpat.so.1.6.0)
==9142==    by 0x337280DA1E: XML_ParseBuffer (in /usr/lib64/libexpat.so.1.6.0)
==9142==    by 0x1D79D7B8: ??? (in /usr/lib64/libreoffice/program/libexpwraplo.so)
==9142==    by 0x1D7A0911: ??? (in /usr/lib64/libreoffice/program/libexpwraplo.so)

but frame 2 seems to match the address in the gdb backtrace, so it should be in SdXMLFrameShapeContext::EndElement(), just before the dynamic_cast.
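
The recovery step mentioned in the description (stripping <draw:image> from content.xml), as an added example that is not part of the original report or of LibreOffice: it rewrites the ODF package without the image elements so the importer never reaches the crashing frame-shape path. The function names and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
IMAGE_TAG = "{urn:oasis:names:tc:opendocument:xmlns:drawing:1.0}image"
# Constructed content.xml standing in for the attachment (not the real file).
SAMPLE = (b'<?xml version="1.0" encoding="UTF-8"?><office:document-content '
          b'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
          b'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
          b'xmlns:xlink="http://www.w3.org/1999/xlink"><office:body>'
          b'<draw:frame draw:name="pic"><draw:image xlink:href="Pictures/a.svg"/>'
          b'<draw:image xlink:href="Pictures/a.png"/></draw:frame>'
          b'</office:body></office:document-content>')

def strip_images(content_xml):
    """Return (content.xml without <draw:image> elements, number removed)."""
    if b"<!DOCTYPE" in content_xml:
        # ODF content.xml carries no DTD; refuse one rather than expand entities.
        raise ValueError("unexpected DOCTYPE in content.xml")
    # Re-register the file's own prefixes so the output keeps draw:, office:, ...
    for _, (prefix, uri) in ET.iterparse(io.BytesIO(content_xml), events=("start-ns",)):
        ET.register_namespace(prefix, uri)
    root = ET.fromstring(content_xml)
    removed = 0
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == IMAGE_TAG:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed

def recover_odp(src, dst):
    """Copy ODF package src to dst, stripping images from content.xml."""
    removed = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():  # same order, so 'mimetype' stays first
            data = zin.read(info)
            if info.filename == "content.xml":
                data, removed = strip_images(data)
            zout.writestr(info, data)  # ZipInfo keeps each entry's compression
    return removed

def build_sample_odp():
    """Constructed two-entry package used to exercise recover_odp()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.presentation",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", SAMPLE)
    return buf
```

Call recover_odp("broken.odp", "recovered.odp") on a copy of the file; the Pictures/ entries and their manifest lines are left in the package, so the images can be re-linked afterwards. ElementTree only re-declares namespaces used in element or attribute names, so prefixes that appear solely inside attribute values are not carried over.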
Comment 1 Paolo Bonzini 2013-10-06 16:24:39 UTC
Better description: the attached reduced testcase, when opened, segfaults LibreOffice. The original crashing file was produced after a few hours of editing, and breaks again after a few hours when a "good copy" is restored from a backup. It also breaks after a few hours if the image tags are stripped, the presentation is opened and the pictures are put back. In case it matters, the first copy of the picture is an .svg I add with Insert/Picture; afterwards I copy-and-paste an already existing copy of the picture (the same picture occurs many times in the full presentation).
Comment 2 Paolo Bonzini 2013-10-16 16:02:18 UTC
Reproduced again. Just before saving the bad presentation I noticed that all instances of one image had gone away and were replaced by an "empty picture object" frame. I guess this is the bigger bug; still, not crashing would be nice, as it would lose less work.

In case someone finds the same bug, a workaround for not losing work is to start LibreOffice with valgrind, save the presentation, exit and restart from the newly-saved presentation.
Comment 3 Julien Nabet 2013-10-19 15:16:52 UTC
Comment on attachment 87197
file causing the crash

Mimetype fixed
Comment 4 Caolán McNamara 2013-10-29 10:28:00 UTC

*** This bug has been marked as a duplicate of bug 68839 ***