Bug 91883 - Crash: assert in ImplLogicToPixel fails by clicking a cell of a table of attachment tdf#91878
Summary: Crash: assert in ImplLogicToPixel fails by clicking a cell of a table of atta...
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer (show other bugs)
Version:
(earliest affected)
5.1.0.0.alpha0+ Master
Hardware: x86-64 (AMD64) Linux (All)
: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords: haveBacktrace
Depends on:
Blocks:
 
Reported: 2015-06-05 22:39 UTC by Julien Nabet
Modified: 2015-10-15 17:05 UTC (History)
1 user (show)

See Also:
Crash report or crash signature:


Attachments
bt with debug symbols (7.11 KB, text/plain)
2015-06-05 22:39 UTC, Julien Nabet
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Julien Nabet 2015-06-05 22:39:08 UTC
Created attachment 116319 [details]
bt with debug symbols

On pc Debian x86-64 with master sources updated today, ca6997fbb8b1f4b8c039db1c487df0ce8961472c, I had a crash by following these steps:
- retrieve https://bugs.documentfoundation.org/attachment.cgi?id=116312 (tdf#91878)
- open the file
- click just below the "1" of the cell which contains "A1"
=> crash

soffice.bin: /home/julien/compile-libreoffice/libreoffice/vcl/source/outdev/map.cxx:382: long int ImplLogicToPixel(long int, long int, long int, long int, long int): Assertion `nMapNum == 0 || std::abs(n) < std::numeric_limits<long>::max() / nMapNum / nDPI' failed.

#4  0x00002aaab1c81b88 in ImplLogicToPixel(long, long, long, long, long) (n=-9223372036854772989, nDPI=96, nMapNum=19, nMapDenom=16000, nThres=2528336632909749)
    at /home/julien/compile-libreoffice/libreoffice/vcl/source/outdev/map.cxx:382

See bt
Comment 1 Julien Nabet 2015-06-05 23:40:08 UTC
Noticing this part in bt:
#6  0x00002aaace14e975 in SvxRuler::ConvertHPosPixel(long) const (this=0x2590d30, nVal=-9223372036854772989)
    at /home/julien/compile-libreoffice/libreoffice/svx/source/dialog/svxruler.cxx:404
#7  0x00002aaace14eb6d in SvxRuler::ConvertPosPixel(long) const (this=0x2590d30, nVal=-9223372036854772989)
    at /home/julien/compile-libreoffice/libreoffice/svx/source/dialog/svxruler.cxx:424
#8  0x00002aaace150c4f in SvxRuler::UpdateColumns() (this=0x2590d30) at /home/julien/compile-libreoffice/libreoffice/svx/source/dialog/svxruler.cxx:835

I suppose investigation can start at frame 8 (since nVal=-9223372036854772989 seems wrong)
Putting a break in svx/source/dialog/svxruler.cxx:812 gave me 2 bts:
1)
#0  0x00002aaace1509f5 in SvxRuler::UpdateColumns() (this=0x2abd450) at /home/julien/compile-libreoffice/libreoffice/svx/source/dialog/svxruler.cxx:812
#1  0x00002aaace152aa1 in SvxRuler::Update() (this=0x2abd450) at /home/julien/compile-libreoffice/libreoffice/svx/source/dialog/svxruler.cxx:1262
#2  0x00002aaace15cfa4 in SvxRuler::Notify(SfxBroadcaster&, SfxHint const&) (this=0x2abd450, rHint=...)
    at /home/julien/compile-libreoffice/libreoffice/svx/source/dialog/svxruler.cxx:3413

2)
#0  0x00002aaace1509f5 in SvxRuler::UpdateColumns() (this=0x2bb4a40) at /home/julien/compile-libreoffice/libreoffice/svx/source/dialog/svxruler.cxx:812
#1  0x00002aaace152aa1 in SvxRuler::Update() (this=0x2bb4a40) at /home/julien/compile-libreoffice/libreoffice/svx/source/dialog/svxruler.cxx:1262
#2  0x00002aaaca575c90 in SwCommentRuler::Update() (this=0x2bb4a40) at /home/julien/compile-libreoffice/libreoffice/sw/source/uibase/misc/swruler.cxx:251
#3  0x00002aaace15cfa4 in SvxRuler::Notify(SfxBroadcaster&, SfxHint const&) (this=0x2bb4a40, rHint=...)
    at /home/julien/compile-libreoffice/libreoffice/svx/source/dialog/svxruler.cxx:3413

Commenting line 251 in sw/source/uibase/misc/swruler.cxx (see 
    248 void SwCommentRuler::Update()
    249 {
    250     Rectangle aPreviousControlRect = GetCommentControlRegion();
    251     // SvxRuler::Update();
    252     if (aPreviousControlRect != GetCommentControlRegion())
    253         Invalidate();
    254 }
prevents from the crash.
See http://opengrok.libreoffice.org/xref/core/sw/source/uibase/misc/swruler.cxx#248

Just for info, searching git history for this line gives this:
commit e047a967b0db8c61dc977b52f3876fc4e385ad77
Author: Rodolfo Ribeiro Gomes <rodolforg@gmail.com>
Date:   Sat Mar 9 14:08:21 2013 -0300

    fdo#38246 Comment control on Writer ruler feature
Comment 2 Julien Nabet 2015-06-05 23:45:58 UTC
Now I don't know if it's the good fix.

Perhaps sometimes only SwCommentRuler::Update is called and so svxRuler::Update() should be called too.

Michael: any thought? (see bt + previous comment)

(I put tdf#90502 since it crashes on the same assert but perhaps completely unrelated)
Comment 3 Julien Nabet 2015-10-15 17:05:42 UTC
I don't reproduce this with master sources updated today.
I'm quite sure it's thanks to http://cgit.freedesktop.org/libreoffice/core/commit/?id=c837bfda8c646fe2f7ff789032dd9a6ee6fd396f so RESOLVED/FIXED. (since it changes FAR_AWAY part)