Bug 82781 - writer crashes in page preview when reducing number of pages due to hidden format
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version (earliest affected): 4.3.0.1 rc
Hardware: x86 (IA32) All
Importance: high major
Assignee: Caolán McNamara
Whiteboard: target:5.2.0 target:5.1.2 target:5.0.6
Keywords: haveBacktrace
Reported: 2014-08-18 18:16 UTC by Koehler
Modified: 2016-10-25 19:09 UTC

Attachments
sample document with backtrace (11.66 KB, application/zip) - 2015-03-29 20:15 UTC, Gordo
bt with debug symbols (4.81 KB, text/plain) - 2015-10-18 15:02 UTC, Julien Nabet
Several bts (3.32 KB, application/x-tar-gz) - 2015-10-18 20:28 UTC, Julien Nabet
gdb debug + bt with debug symbols (10.20 KB, text/plain) - 2015-12-31 09:41 UTC, Julien Nabet

Description Koehler 2014-08-18 18:16:30 UTC
1) create a new .odt file by typing so many CR that one page is exceeded.
2) format some CR as hidden such that the resulting document will fit on one page.
3) press "page preview" once and once again to go back to normal view - and oops, LO is gone.
Comment 1 sophie 2014-08-19 14:24:03 UTC
Hi, how do you format the paragraph mark as hidden? Thanks - Sophie
Comment 2 Koehler 2014-08-19 15:11:22 UTC
Hi Sophie,

1) check writer/view/"hidden paragraphs"
2) mark i.e. 20 paragraphs
3) format/character/"font effects"/ x hidden

Any paragraph can have any text. Just make sure, the visible text (including the hidden paragraphs marked by underlining points) exceeds 1 page and in page preview mode (or print) it fits on 1 page less.
Comment 3 Koehler 2014-08-19 18:11:52 UTC
Here is the log file content:
some further info from dmesg | grep soffice

[37184.964831] soffice.bin[6785]: segfault at 50 ip ac6d2ee1 sp bfac6384 error 4 in libswlo.so[ac286000+ab2000]
[37215.543718] soffice.bin[21036]: segfault at bf010000 ip ac7ec23f sp bfd37014 error 4 in libswlo.so[ac1d5000+ab2000]

Aug  8 09:42:19 lsp kernel: [10281.136086] soffice.bin[6653]: segfault at 28 ip ac592ee1 sp bf908fa4 error 4 in libswlo.so[ac146000+ab2000]
Aug  8 09:44:52 lsp kernel: [10434.112812] soffice.bin[11769]: segfault at 28 ip ac6d5ee1 sp bfcdcc14 error 4 in libswlo.so[ac289000+ab2000]
Aug  8 09:46:06 lsp kernel: [10507.348194] soffice.bin[12916]: segfault at 29 ip ac734ee1 sp bfbd1cf4 error 4 in libswlo.so[ac2e8000+ab2000]
Aug  8 10:00:44 lsp kernel: [11385.769636] soffice.bin[13424]: segfault at 10010031 ip ac6acee1 sp bfd7cad4 error 4 in libswlo.so[ac260000+ab2000]
Aug  8 10:01:47 lsp kernel: [11449.168585] soffice.bin[19833]: segfault at 28 ip ac67aee1 sp bfcceef4 error 4 in libswlo.so[ac22e000+ab2000]
Aug  8 10:03:28 lsp kernel: [11549.667020] soffice.bin[20341]: segfault at 99 ip ac700ee4 sp bf9e3154 error 4 in libswlo.so[ac2b4000+ab2000]
Aug  8 10:05:00 lsp kernel: [11641.713741] soffice.bin[21116]: segfault at 1008a ip ac8ea23f sp bfd50294 error 4 in libswlo.so[ac2d3000+ab2000]
Aug  8 10:06:06 lsp kernel: [11707.554483] soffice.bin[21798]: segfault at 99 ip ac71aee4 sp bf9f5234 error 4 in libswlo.so[ac2ce000+ab2000]
Aug  8 10:16:29 lsp kernel: [12330.590600] soffice.bin[22312]: segfault at 28 ip ac691ee1 sp bf9f2634 error 4 in libswlo.so[ac245000+ab2000]

debian squeeze/kde
Comment 4 sophie 2014-08-21 12:43:14 UTC
Hi, thanks for the feedback. I do not reproduce with Version: 4.3.0.4
Build ID: 62ad5818884a2fc2e5780dd45466868d41009ec0 Ubuntu 14.04 x64. Sophie
Comment 5 Terrence Enger 2014-08-26 22:56:10 UTC
FWIW, I do not see a crash with my debug build of master f74a633,
fetched 2014-08-23, built on debian-wheezy 64-bit running in an
environment chgroot sid.
Comment 6 Joel Madero 2014-10-23 01:33:51 UTC
Please attach a document in which you see this problem. Setting as NEEDINFO, once you do, set to UNCONFIRMED.

Also what is your version of LibreOffice and Distro of Linux? Thanks
Comment 7 Gordo 2015-03-29 20:15:50 UTC
Created attachment 114450 [details]
sample document with backtrace

1. Open attached document.
2. Turn on Non-printing Characters.
3. Place cursor anywhere in hidden text.
4. Print Preview.
5. Print Preview.
Result:
Crash with AutoRecovery.

Version: 4.4.1.2
Build ID: 45e2de17089c24a1fa810c8f975a7171ba4cd432

Set to UNCONFIRMED.
Comment 8 Buovjaga 2015-04-04 15:27:33 UTC
(In reply to Gordo from comment #7)
> Created attachment 114450 [details]
> sample document with backtrace
> 
> 1. Open attached document.
> 2. Turn on Non-printing Characters.
> 3. Place cursor anywhere in hidden text.
> 4. Print Preview.
> 5. Print Preview.
> Result:
> Crash with AutoRecovery.

View - Hidden paragraphs makes no difference for me. I don't see it exceeding one page. Doesn't crash with print preview either.

Win 7 Pro 64-bit, Version: 4.4.2.2
Build ID: c4c7d32d0d49397cad38d62472b0bc8acff48dd6
Locale: fi_FI

Ubuntu 14.10 64-bit 
Version: 4.4.2.2
Build ID: 40m0(Build:2)
Locale: en_US
Comment 9 Gordo 2015-04-04 15:38:19 UTC
@Beluga:  Sorry, forgot to mention Tools -> Options -> LibreOffice Writer -> Formatting Aids -> check Hidden text.
Comment 10 Buovjaga 2015-04-04 15:47:12 UTC
(In reply to Gordo from comment #9)
> @Beluga:  Sorry, forgot to mention Tools -> Options -> LibreOffice Writer ->
> Formatting Aids -> check Hidden text.

There we go, a nice juicy crash on Windows!
But curiously not on Linux (original report was against Linux).

Setting to new.

Win 7 Pro 64-bit, Version: 4.4.2.2
Build ID: c4c7d32d0d49397cad38d62472b0bc8acff48dd6
Locale: fi_FI

Ubuntu 14.10 64-bit 
Version: 4.4.2.2
Build ID: 40m0(Build:2)
Locale: en_US

Version: 4.3.5.2
Build ID: 3a87456aaa6a95c63eea1c1b3201acedf0751bd5
Comment 11 David 2015-04-04 19:43:39 UTC
Could possibly be related to bug 81792.
Comment 12 Julien Nabet 2015-10-18 15:02:09 UTC
Created attachment 119716 [details]
bt with debug symbols

On pc Debian x86-64 with master sources updated today, I could reproduce this.
Comment 13 Julien Nabet 2015-10-18 20:28:59 UTC
Created attachment 119721 [details]
Several bts

It seems the iterator is invalidated because maPreviewPages is changed in SwPagePreviewLayout::_CalcPreviewPages

I attached a tar.gz containing 3 bts:
- 2 when clicking "Preview" button
- 1 when clicking "Close preview" button
Comment 14 Julien Nabet 2015-12-31 09:41:19 UTC
Created attachment 121656 [details]
gdb debug + bt with debug symbols

On pc Debian x86-64 with master sources updated today, I gave a new try and reproduced this.
Then I tried to understand the root cause of this:
/usr/include/c++/5/debug/safe_iterator.h:303:error: attempt to dereference 
    a singular iterator.

Objects involved in the operation:
iterator "this" @ 0x0x7ffca0230da0 {
type = N11__gnu_debug14_Safe_iteratorIN9__gnu_cxx17__normal_iteratorIPKP11PreviewPageNSt9__cxx19986vectorIS4_SaIS4_EEEEENSt7__debug6vectorIS4_S9_EEEE (constant iterator);
  state = singular;
  references sequence with type `NSt7__debug6vectorIP11PreviewPageSaIS2_EEE' @ 0x0x3476678
}

The problem is shown by the gdb debug + bt:
during loop http://opengrok.libreoffice.org/xref/core/sw/source/core/view/pagepreviewlayout.cxx#1082 in SwPagePreviewLayout::Paint, we call SwPagePreviewLayout::_ClearPreviewPageData
Comment 15 Julien Nabet 2015-12-31 09:46:33 UTC
Caolan: thought you might be interested in this one since it concerns vcl.
I noticed that the container maPreviewPages, which is used by an iterator in a loop, is cleared (see my previous comment).
So it seems the chain of Paint method calls might be broken here.
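
Added example (not part of the thread, and not the committed LibreOffice fix): a minimal C++ model of the failure mode described in comments 13 to 15, where a paint loop walks a page container that a nested call clears and rebuilds. PreviewLayout, Rebuild and the generation counter are hypothetical names; the loop holds no iterator across the callback and abandons the pass once it sees the container was rebuilt.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <vector>

struct PreviewPage { int number; };  // hypothetical stand-in, not LibreOffice's type

class PreviewLayout {                // hypothetical model of the preview layout
    std::vector<PreviewPage> pages_;
    std::size_t generation_ = 0;     // bumped every time pages_ is rebuilt
public:
    explicit PreviewLayout(int count) { Rebuild(count); }
    // Models a recalculation that clears and refills the container, which
    // invalidates every iterator and reference taken before the call.
    void Rebuild(int count) {
        pages_.clear();
        for (int i = 1; i <= count; ++i) pages_.push_back(PreviewPage{i});
        ++generation_;
    }
    std::size_t PageCount() const { return pages_.size(); }
    // Paints each page through paintOne, which may re-enter Rebuild().
    // Returns the number of pages painted; complete is false when the
    // container changed mid-pass and the pass was abandoned.
    std::size_t Paint(const std::function<void(PreviewLayout&, int)>& paintOne,
                      bool& complete) {
        const std::size_t startGen = generation_;
        std::size_t painted = 0;
        for (std::size_t i = 0; i < pages_.size(); ++i) {  // no iterator held
            const int number = pages_[i].number;  // copy before calling out
            paintOne(*this, number);
            ++painted;
            if (generation_ != startGen) {  // rebuilt under us: stop here
                complete = false;
                return painted;
            }
        }
        complete = true;
        return painted;
    }
};

int main() {
    PreviewLayout layout(3);  // constructed sample: three preview pages
    bool complete = false;
    std::size_t n = layout.Paint(
        [](PreviewLayout& l, int page) { if (page == 1) l.Rebuild(2); }, complete);
    std::printf("painted=%zu complete=%d pages=%zu\n", n, complete, layout.PageCount());
}
```

A caller that gets complete == false schedules a fresh paint pass over the rebuilt container instead of continuing the old one.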
Comment 16 Koehler 2015-12-31 10:00:07 UTC
Thank you Julien for your detective work. This bug still affects my daily work, when checking the look of a letter before sending it.
Comment 17 Commit Notification 2016-03-09 16:02:54 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=4eb5f363ed9a3181a817f12d5ec49eede13b9c9c

Resolves: tdf#82781 avoid dereferencing invalid iterators

It will be available in 5.2.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 18 Commit Notification 2016-03-11 23:35:29 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-1":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=4dbf1e6897453b998e3f5460612f871bb2eded63&h=libreoffice-5-1

Resolves: tdf#82781 avoid dereferencing invalid iterators

It will be available in 5.1.2.

Comment 19 Commit Notification 2016-03-15 12:14:26 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=416843f69cf62d2f01e2a25f03bda0fdec949cb8&h=libreoffice-5-0

Resolves: tdf#82781 avoid dereferencing invalid iterators

It will be available in 5.0.6.
