Bug 73095 - Writer crashes when scrolling pages if formatting marks are visible
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version (earliest affected): 4.1.5.1 rc
Hardware: Other Windows (All)
Importance: medium critical
Assignee: Michael Stahl (allotropia)
URL:
Whiteboard: target:4.3.0 target:4.1.5 target:4.2.0
Keywords: regression
Depends on:
Blocks: mab4.1 mab4.2
Reported: 2013-12-28 08:59 UTC by ape
Modified: 2014-01-16 09:04 UTC

Attachments
ODT file for example (458.58 KB, application/vnd.oasis.opendocument.text)
2013-12-28 09:55 UTC, ape
typescript: execution plus bt from SIGABRT (29.16 KB, text/plain)
2013-12-28 20:28 UTC, Terrence Enger

Description ape 2013-12-28 08:59:18 UTC
PC's configurations:
1. OS: Windows XP sp3 32-bit; Windows XP sp2 64-bit
2. Installed: MSVCR-2010x86 (ver.10.0.30319) and MSVCR-2012x86 (ver.11.0.60610)
3. LibreOffice: 4.2.0.1 (RC1) and 4.2.0.1.0+ (ID: 7f3bcb1e98cb3417594a5fd811babfc8067677f4, TinderBox: Win-x86@42, Time: 2013-12-27_10:53:34)
--
Description:
1. Run the Start Center.
2. Program UI switched from full-screen mode to windowed mode.
3. Open multi-page text document (~50 pages; formats - doc, docx, rtf, odt).
4. Non-printing characters button sets formatting marks to visible.
5. Scroll through the pages quickly, using an input device: mouse wheel or keyboard key [down_arrow] or [page_down].
6. Writer's UI crashes, but the 'soffice.bin' is working and sends error message box.
--
Note:
1. The bug is confirmed on four computers running under Windows XP 32/64-bit if both packages, MSVCR-2010 and MSVCR-2012, are installed in the operating system.
2. The GUI works well if the MSVCR-2012 package is removed.
--
This is a regression in LibreOffice-4.1.5.0.0+, so I set the status to critical.
Comment 1 ape 2013-12-28 09:55:04 UTC
Created attachment 91252
ODT file for example

Sorry, the crashes of the Writer UI continue without MSVCR-2012.
Comment 2 Terrence Enger 2013-12-28 20:28:08 UTC
Created attachment 91263
typescript: execution plus bt from SIGABRT

Line numbers within the typescript:
   4: run-time messages from LibreOffice
  32: Signal 6, followed by stack dump from LibreOffice
 162: backtrace from gdb from the core file

Obviously, this is not exactly ape's crash, as: 
(a) it happened on Linux, 
(b) it happened after (several minutes after!) I tried to close the
    document,
(c) the backtrace shows the debug version of the STL library.
Still, here it is.

This comes from master commit 480c7c2, fetched 2013-12-27 02:33 UTC,
configured as:
    --enable-option-checking=fatal
    --enable-dbgutil
    --enable-crashdump
    --without-system-postgresql
    --without-myspell-dicts
    --with-extra-buildid
    --without-doxygen
    --with-external-tar=/home/terry/lo_hacking/git/src
built and executing on debian wheezy.
Comment 3 Terrence Enger 2013-12-28 20:29:17 UTC
Setting platform to All.  This is subject to correction when it is
determined whether my crash has the same cause as ape's crash.
Comment 4 ape 2014-01-02 06:39:36 UTC
(In reply to comment #3)
> Setting platform to All.  This is subject to correction when it is
> determined whether my crash has the same cause as ape's crash.

This is a different error:
 1. According to messages on the forum (http://forumooo.ru/index.php/topic,3845.msg23562.html#msg23562), the error shows itself only in Windows XP.
 2. The code bases of LibO-4.2 and LibO-4.3 coincide in many respects. LibreOfficeDev-4.3.0.0 does not contain a bug-fix for this problem, but LibO-4.3 works correctly.
 3. I observe that the display of letters is broken when scrolling through the pages of the document with the "down arrow" key. I do not see this problem when I use LibO-4.1 or LibO-4.3.
Comment 5 ape 2014-01-02 10:30:40 UTC
LibreOffice-4.1.4.2 works fine.
But LibreOfficeDev_4.1.5.0.0+ (ID:050e42346bd2d7ce8ab454df400b48f52c2aeec; Win-x86_9-Voreppe; 2013-12-30_08.06.08) has this bug.
Comment 6 ape 2014-01-03 13:03:30 UTC
I checked, there is an error in this build:
LibreOfficeDev 4.3.0.0.alpha0+
Build ID: e625d00439f725b01f3818859e95e431e6173d57
TinderBox: Win-x86@47-TDF, Branch:master, Time: 2014-01-03_00:43:24
There is no bug, the program works well.
Maybe configuration PC Builder is the reason?
Comment 7 How can I remove my account? 2014-01-13 09:10:26 UTC
Terrence, if you know yourself that what you see is a different bug, why on earth do you then have to add information about it into the same bug report? That only makes the bug report less useful and reduces the likeliness that some developer will be able to understand what the bug report tries to describe. I wish there was a way to remove comments from bugzilla.
Comment 8 How can I remove my account? 2014-01-13 13:09:07 UTC
Could not reproduce with a fresh own build from the 4.2 branch on Windows 7 using just a lot of text in many paragraphs typed into a Writer document (and copy-pasted hundreds of times). Could not reproduce using the ODT file from comment #1 either. So whatever this bug was caused by, it might be fixed in 4.2.

Can the original bug reporter (or somebody else, on *Windows*) reproduce it with the 4.2.0 RC1 build?
Comment 9 How can I remove my account? 2014-01-13 13:10:28 UTC
Another possibility is of course that the bug for some odd reason happens only on Windows XP. In that case it will be hard to convince developers to spend time on fixing it, I think. (But *note*, I am not somebody who would make any *decisions* about such, of course.)
Comment 10 ape 2014-01-13 14:13:34 UTC
(In reply to comment #9)
> Another possibility is of course that the bug for some odd reason happens
> only on Windows XP.

Most likely, it is. But:

1. These programs work fine:
- LibreOffice 4.1.4.2 win_x86 (Date: 2013-12-12)
- LibreOfficeDev 4.2.0.0.beta2 (ID: 1a27be92e320f97c20d581a69ef1c8b99ea9885d)
- LibreOfficeDev 4.3.0.0.alpha0+ (ID: e625d00439f725b01f3818859e95e431e6173d57, Win-x86@47-TDF, Time: 2014-01-03_00:43:24)

2. These programs are forcing Writer to fall:
- LibreOffice 4.1.5.0.0+ (ID: 56381a9b28dbe4caf6e3d0a92dfddcddcebe349)
- LibreOffice 4.2.0.1 (ID: 7bf567613a536ded11709b952950c9e8f7181a4a)

3. Regressions between:
- LibO-4.1.4.2 and LibO-4.1.5.0.0+
- LibO-4.2.0.0.beta2 and LibO-4.2.0.1.

4. It is possible that one of the patches introduced this bug between the 11th and 17th of December into the core code of LibreOfficeDev-4.1.5.0+ and LibreOfficeDev-4.2.0.0+.

So I increased the error status to "blocker".
Comment 11 ape 2014-01-13 15:01:54 UTC
@Tor:
Sometimes I scrolled through the pages of a document down and then up before the error appeared. However, the error appears much faster once the document has been restored by LibreOffice.
Comment 12 Michael Stahl (allotropia) 2014-01-14 14:08:25 UTC
crash is reproducible on Windows7 too, with LO 4.2.0.2 release build
(but not current master).

on Linux i'm seeing valgrind "Invalid read" warning on current master
with same backtrace as Windows crash.

==1831== Invalid read of size 4
==1831==    at 0x22119466: SwFntObj::DrawText(SwDrawTextInfo&) (fntcache.cxx:1576)
==1831==    by 0x22156682: SwSubFont::_DrawText(SwDrawTextInfo&, unsigned char) (swfont.cxx:1213)
==1831==  Address 0x2c44f650 is 4 bytes after a block of size 140 alloc'd
==1831==    at 0x4A06F70: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1831==    by 0x22118B8F: SwFntObj::DrawText(SwDrawTextInfo&) (fntcache.cxx:1447)
==1831==    by 0x22156682: SwSubFont::_DrawText(SwDrawTextInfo&, unsigned char) (swfont.cxx:1213)

[ and another one 8 bytes after follows ]

looking at that stack it's clearly regression from:

commit 02ce734450559c9353ca7f42b2519239220dd265
Author:     Khaled Hosny <khaledhosny@eglug.org>
AuthorDate: Sun Dec 8 22:30:28 2013 +0200
Commit:     Caolán McNamara <caolanm@redhat.com>
CommitDate: Mon Dec 9 09:01:00 2013 +0000

    fdo#72488: Broken text when showing visible space
    
    Turning on showing nonprinting characters replaces the space with bullet
    character, but still draws the text with the original kern array, this
    works fine until there are ligatures involving the space character as
    the number of glyphs after replacing the space with the bullet will be
    different and the kern array will be completely off.
    
    This is a hack that gives up on replacing the space with a bullet when
    its width is zero, not sure if it would interfere with other legitimate
    uses.
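
An added triage sketch, not part of the original comment or of LibreOffice: it parses the memcheck record quoted in comment 12 and converts "4 bytes after a block of size 140" into an element count and an out-of-range index. The helper name `triage` is hypothetical, and it assumes the buffer's elements are as wide as the faulting 4-byte read.

```python
import re

# Memcheck record copied from comment 12 of this bug report.
REPORT = """\
==1831== Invalid read of size 4
==1831==    at 0x22119466: SwFntObj::DrawText(SwDrawTextInfo&) (fntcache.cxx:1576)
==1831==    by 0x22156682: SwSubFont::_DrawText(SwDrawTextInfo&, unsigned char) (swfont.cxx:1213)
==1831==  Address 0x2c44f650 is 4 bytes after a block of size 140 alloc'd
==1831==    at 0x4A06F70: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1831==    by 0x22118B8F: SwFntObj::DrawText(SwDrawTextInfo&) (fntcache.cxx:1447)
==1831==    by 0x22156682: SwSubFont::_DrawText(SwDrawTextInfo&, unsigned char) (swfont.cxx:1213)
"""

HEAD = re.compile(r"Invalid (read|write) of size (\d+)")
ADDR = re.compile(r"is (\d+) bytes (after|before|inside) a block of size (\d+)")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \((?:in )?([^()]+)\)$")

def triage(report):
    """Summarise one memcheck invalid-access record (hypothetical helper)."""
    r = {"access_stack": [], "alloc_stack": []}
    stack = r["access_stack"]
    for raw in report.splitlines():
        line = re.sub(r"^==\d+==\s*", "", raw).rstrip()
        if m := HEAD.search(line):
            r["kind"], r["size"] = m.group(1), int(m.group(2))
        elif m := ADDR.search(line):
            r["offset"], r["where"], r["block"] = int(m.group(1)), m.group(2), int(m.group(3))
            stack = r["alloc_stack"]  # frames after this line describe the allocation
        elif m := FRAME.search(line):
            stack.append((m.group(1), m.group(2)))
    # Assumption: the buffer holds elements as wide as the faulting access.
    r["elements"] = r["block"] // r["size"]
    rel = {"after": r["block"] + r["offset"], "before": -r["offset"],
           "inside": r["offset"]}[r["where"]]
    r["index"] = rel // r["size"]  # element index relative to the block start
    # First allocation frame that is not valgrind's allocator shim.
    r["alloc_site"] = next(f for f in r["alloc_stack"] if "vgpreload" not in f[1])
    # True when the buffer is allocated and overrun in the same function.
    r["same_function"] = r["alloc_site"][0] == r["access_stack"][0][0]
    return r

if __name__ == "__main__":
    s = triage(REPORT)
    print(f"{s['kind']} at {s['access_stack'][0][1]}: index {s['index']} "
          f"of a {s['elements']}-element buffer allocated at {s['alloc_site'][1]}")
```

Under the same assumption, the second warning mentioned in the comment (8 bytes after the block) corresponds to index 37.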
Comment 13 Commit Notification 2014-01-14 17:02:10 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=61ec8f086ba314b86c80a02b16072e88774abf6c

fdo#73095: fix invalid access in SwFntObj::DrawText()



The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 14 Michael Stahl (allotropia) 2014-01-14 17:05:09 UTC
fixed on master
Comment 15 ape 2014-01-15 09:11:01 UTC
(In reply to comment #14)
> fixed on master

I changed the bug status to “reopened”, because the patch was applied only to the master code (LibO-Dev 4.3.0).
Comment 16 retired 2014-01-15 11:40:58 UTC
ape please understand: no matter if the patch is only in master: if it’s fixed in master this bug is fixed.

thanks.
Comment 17 Commit Notification 2014-01-15 13:18:08 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-4-1":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=4b965b031e2196b39f20e28ce9d9fd40552753a5&h=libreoffice-4-1

fdo#73095: fix invalid access in SwFntObj::DrawText()


It will be available in LibreOffice 4.1.6.

Comment 18 Commit Notification 2014-01-15 13:18:24 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-4-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=7ed845ae5682fdafb3390df85144388e240ccb89&h=libreoffice-4-2

fdo#73095: fix invalid access in SwFntObj::DrawText()


It will be available in LibreOffice 4.2.1.

Comment 19 ape 2014-01-15 13:58:18 UTC
(In reply to comment #16)
> ape please understand: no matter if the patch is only in master: if it’s
> fixed in master this bug is fixed.
> 
> thanks.

@Foss:
Please read paragraph 1 of my comment 10: LibreOfficeDev 4.3.0.0+ worked perfectly and did not show this error.
Thanks, ape.
Comment 20 Commit Notification 2014-01-16 09:02:53 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-4-2-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=417e1ac46542de0e6d9775ed43da07980eceafea&h=libreoffice-4-2-0

fdo#73095: fix invalid access in SwFntObj::DrawText()


It will be available already in LibreOffice 4.2.0.

Comment 21 Commit Notification 2014-01-16 09:04:11 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-4-1-5":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=cfcf7d267c5b3535c40b8394f53126b45a7898a4&h=libreoffice-4-1-5

fdo#73095: fix invalid access in SwFntObj::DrawText()


It will be available already in LibreOffice 4.1.5.
