Bug 92269 - 5.0.0.1 Win 64 Explorer Crash after single click on any LO file in folder. (shlxthdl.dll / propertyhdl.dll property handler problem?)
Summary: 5.0.0.1 Win 64 Explorer Crash after single click on any LO file in folder. (s...
Status: VERIFIED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice (show other bugs)
Version:
(earliest affected)
5.0.0.1 rc
Hardware: x86-64 (AMD64) Windows (All)
: highest blocker
Assignee: Not Assigned
URL:
Whiteboard: target:5.1.0 target:5.0.0.3
Keywords:
: 92261 92265 92277 92334 92422 92568 92707 92839 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-06-23 07:46 UTC by Eric M
Modified: 2016-10-25 19:24 UTC (History)
21 users (show)

See Also:
Crash report or crash signature:


Attachments
Shell Crash Report (109.76 KB, image/jpeg)
2015-06-23 07:46 UTC, Eric M
Details
Disabled Shell Handlers - Stable Behaviour (110.67 KB, image/jpeg)
2015-06-23 07:48 UTC, Eric M
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Eric M 2015-06-23 07:46:59 UTC
Created attachment 116750 [details]
Shell Crash Report

Win 7 x64
LO 5.0.0.1 x64 build - (win shell extensions enabled)

steps:-
Open any folder containing LO ODF files in an explorer window.
Click on an ODF file to select.
Explorer crashes. [see attached screen shot]

Workaround:-
Disable all 32bit LO shell property handlers [see attached screen shot]
Note:
32bit Thumbnail handler may be left enabled without a crash occuring.
Disabling a single handler changes the length of time before the crash occurs. Disabling all stops the crash.

64bit handlers are all left enabled. Disabling the 64bit handlers has no effect upon the behaviour.
Comment 1 Eric M 2015-06-23 07:48:08 UTC
Created attachment 116751 [details]
Disabled Shell Handlers - Stable Behaviour
Comment 2 Eric M 2015-06-23 08:02:48 UTC
I previously noticed a bug out for x64 shlxthdl.dll but I can't find it now :( -
this may be a duplicate but I'm filing it as it still occurs in 5.0.0.1 (rc) and I'm also having to disable propertyhdl.dll under 32bit in order to stop the crash.
Comment 3 Thorsten Behrens (CIB) 2015-06-24 21:36:02 UTC
Likely related: bug 92321 and bug 92277.
Comment 4 Thorsten Behrens (CIB) 2015-06-24 21:39:24 UTC
Confirm due to bug 92277. Adjust prio.
Comment 5 Thorsten Behrens (CIB) 2015-06-24 21:39:41 UTC
*** Bug 92277 has been marked as a duplicate of this bug. ***
Comment 6 Claude 2015-06-25 02:33:26 UTC
(In reply to Thorsten Behrens from comment #5)
> *** Bug 92277 has been marked as a duplicate of this bug. ***

Hi Thorsten

In reply to Comment #3 bug 92277 (duplicate of this bug)
No, my system is Windows 7 Home Premium SP1 32 bit. (Spanish)
LibO 5.0.0.1 9a0b23dd0ab9652e0965484934309f2d49a7758e  es_CO


I had installed LibO 5.0.0.1 on a Windows 8.1 64x, but I was unaware of the x64 LibreOffice version.  So I don't know what was on the 8.1 system,  I reverted back to 4.4.  (But I think it as 32 bit)

Thanks
Claude
Comment 7 tommy27 2015-06-25 05:18:29 UTC
I've encountered a similar problem after installing LibO 5.0.0.1 on Win7x64

just selecting an .odt file and trying to rename it, caused crash of the file manager

after uninstalling LibO 5.0.0.1 the issue was gone

on another machine with Win8.1x64 and a very recent 5.1.0.0 alpha daily build I have no issue like that.
Comment 8 Robinson Tryon (qubit) 2015-06-25 15:03:50 UTC
TESTING on Win8.1 with 5.1.0.0.alpha1+ (x64)

tinderbox: pull time 2015-06-24 21:31:12
tinderbox: git sha1s
core:253c0f073715b1d0f6ba063b1182016e45951bf4

(In reply to Eric M from comment #0)
> steps:-
> Open any folder containing LO ODF files in an explorer window.
> Click on an ODF file to select.
> Explorer crashes. [see attached screen shot]

NO REPRO here -- clicking on an ODT file does not crash Explorer.
(However: I'm seeing the same missing filetype associations as reported in Bug 92320, and I wonder if that issue is superseding this bug)
Comment 9 Robinson Tryon (qubit) 2015-06-25 15:35:25 UTC
(In reply to Robinson Tryon (qubit) from comment #8)
> TESTING on Win8.1 with 5.1.0.0.alpha1+ (x64)
> 
> (In reply to Eric M from comment #0)
> > steps:-
> > Open any folder containing LO ODF files in an explorer window.
> > Click on an ODF file to select.
> > Explorer crashes. [see attached screen shot]

CONFIRMED on Win8.1 + LO 5.0.0.1 (x64)

The Explorer window froze, then disappeared (crashed, I assume?), but I was able to open up Explorer again less than a minute later.

Subsequent runs of the steps above (no reboot) had less severe effects. Explorer isn't even freezing up when I click on the file icon.

Neither LibreOffice nor Windows has crashed for me, and Explorer seems to re-appear pretty promptly, so I'm wondering if this really a highest + blocker, or perhaps something less severe.
Comment 10 Thorsten Behrens (CIB) 2015-06-25 16:48:12 UTC
(In reply to Robinson Tryon (qubit) from comment #9)
> CONFIRMED on Win8.1 + LO 5.0.0.1 (x64)
> 
This is possibly fixed (on master and libreoffice-5-0 branch), any chance to 
re-test with a daily libreoffice-5-0 build?

http://cgit.freedesktop.org/libreoffice/core/commit/?id=aa6670764b49a37a82641ae8d9fe77683b820190
Comment 11 Robinson Tryon (qubit) 2015-06-25 20:41:20 UTC
(In reply to Thorsten Behrens from comment #10)
> (In reply to Robinson Tryon (qubit) from comment #9)
> > CONFIRMED on Win8.1 + LO 5.0.0.1 (x64)
> > 
> This is possibly fixed (on master and libreoffice-5-0 branch), any chance to 
> re-test with a daily libreoffice-5-0 build?

Yep -- I'm eager to test, but 5.0 RC1 came out on June 22nd, and I don't believe there are any newer 5-0 daily builds:

Latest x86-64: Jun 22nd
http://dev-builds.libreoffice.org/daily/libreoffice-5-0/Win-x86_64@62-TDF/

Latest x86: Jun 17th
http://dev-builds.libreoffice.org/daily/libreoffice-5-0/Win-x86@62-merge-TDF/

I know that TB62 wears multiple hats, so it may have been too busy to produce new 5-0 builds. I'll check with cloph.
Comment 12 raal 2015-06-25 21:25:43 UTC
*** Bug 92334 has been marked as a duplicate of this bug. ***
Comment 13 Eric M 2015-06-27 20:29:54 UTC
Just tested on the new rc :-

Version: 5.0.0.2 (x64)
Build ID: a26d58f11b99b6aeddf7f7884effea188cc6e512
Locale: en-GB

OS - Win 7 - x64 

The crash is reproducible (same steps).
The workaround will stop the crash.
Comment 14 Thomas Krumbein 2015-06-28 11:54:33 UTC
Crash is even reproducable with 32 bit build on Win 8.1 64Bit.
It just needs some more time....

so crash occurs after opening 3 or 4 files )odf) via explorer and then stay with muase about 1-3 sec over another odf-file. Explorer crashes!

Win 8.1 64 bit

Version: 5.0.0.1
Build-ID: 9a0b23dd0ab9652e0965484934309f2d49a7758e
Gebietsschema: de-DE (de_DE)
Comment 15 raal 2015-06-29 13:48:16 UTC
*** Bug 92422 has been marked as a duplicate of this bug. ***
Comment 16 Rafael Strozi 2015-06-29 18:21:17 UTC
It happens on 5.0.0.2 .

Windows 7 x64
Intel Core i7


Build-Id: a26d58f11b99b6aeddf7f7884effea188cc6e512
Comment 17 Gerhard Schaber 2015-06-30 20:36:17 UTC
Same here. Windows 7/64, Core i5, 8GB RAM.
Comment 18 Gerhard Schaber 2015-06-30 20:38:31 UTC
(In reply to schaber from comment #17)
> Same here. Windows 7/64, Core i5, 8GB RAM.

And LO 5.0.0RC2
Comment 19 Christian Lohmaier 2015-06-30 21:16:59 UTC
the trick to provoke a crash is not clicking on a file - it is waiting until Windows Explorer tries to show a tooltip.
Comment 20 Christian Lohmaier 2015-06-30 22:39:13 UTC
*** Bug 92265 has been marked as a duplicate of this bug. ***
Comment 21 Christian Lohmaier 2015-06-30 22:39:30 UTC
*** Bug 92261 has been marked as a duplicate of this bug. ***
Comment 22 Christian Lohmaier 2015-06-30 22:49:19 UTC
problem is here:
http://cgit.freedesktop.org/libreoffice/core/tree/shell/source/win32/shlxthandler/infotips/infotips.cxx?h=libreoffice-5.0.0.2#n292

the wscpy_s triggeres invalid parameter error and that terminates the process.

it was changed from simple, non-caring function

-        msg.copy(pMem,msg.length());
+        wcscpy_s(pMem, msg.length(), msg.c_str());

in 19bfe765a50a81f67325c4fd35314ca8a2e4ca0a


so the function does what it is supposed to do and chokes on invalid input (overruns) - so question is where does invalid input come from/is it OK to just revert. Need to read about the functions in more detail...
Comment 23 Christian Lohmaier 2015-06-30 22:55:02 UTC
first guess: copy is length, wcscpy_s expects buffersize, i.e. needs a +1 for also covering the null-byte

now on to verify...
Comment 24 Kevin Suo 2015-07-01 03:04:09 UTC
I encounter the explorer crash after install LibreOffice 5.0.0 version in my Win 7 PC. However my OS is 32bit. Is it the same problem, or should a file a new bug?
Comment 25 Eric M 2015-07-01 03:35:28 UTC
(In reply to Kevin Suo from comment #24)
> I encounter the explorer crash after install LibreOffice 5.0.0 version in my
> Win 7 PC. However my OS is 32bit. Is it the same problem, or should a file a
> new bug?

Does the crash occur in the same way? 
Does the mentioned workaround stop the crash?
If the behaviour you have encountered is the same, you don't need to file a new bug. Confirming that an existing bug is reproducible (as you have done) is enough.
Comment 26 Christian Lohmaier 2015-07-01 10:04:19 UTC
it's the same bug if you see error about msvcr120.dll with the exception 0xc0000409 (i.e. an overrun) in your windows event log (or in some error-report-sending tool that might shows up). 

Bot 64bit as well as 32bit versions of windows are affected, so no need to file a separate bug.
Comment 27 Commit Notification 2015-07-01 10:37:30 UTC
Christian Lohmaier committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=2279f1f0227fc232356a7f5afc60eead77914b89

tdf#92269 fix Windows Explorer crash caused by shellextension

It will be available in 5.1.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 28 Michael Stahl (CIB) 2015-07-01 10:51:02 UTC
wow - these "secure" functions actually do what they're supposed to
when you stupidly forget to consider the terminating null :)

thanks for tracking that down.
Comment 29 Commit Notification 2015-07-01 11:24:51 UTC
Christian Lohmaier committed a patch related to this issue.
It has been pushed to "libreoffice-5-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=70c21ef09d3f05a44fbc23245bed17e64aeca6e0&h=libreoffice-5-0

tdf#92269 fix Windows Explorer crash caused by shellextension

It will be available in 5.0.0.3.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 30 pierre-yves samyn 2015-07-01 17:07:16 UTC
Hi

I do not reproduce the crash on Windows 7/64 SP1 & Version: 5.0.0.2.0+ (x64)
Build ID: 18d6d789cae7cd684156dbd41d473892bc17392c
Locale: fr-FR (fr_FR)

Tried with steps comment 1 & comment 7

Regards
Pierre-Yves
Comment 31 Regina Henschel 2015-07-01 17:59:06 UTC
I use Windows 7 starter, 32 Bit. Windows Explorer finishes and restarts here, when I hover a file thumbnail, which is associated to LibreOffice. Right click and calling file properties does not trigger it. I have uninstalled my old LO version 4.2 and installed
Version: 5.0.0.2
Build-ID: a26d58f11b99b6aeddf7f7884effea188cc6e512
Gebietsschema: de-DE (de_DE)
Comment 32 Maxim Monastirsky 2015-07-06 12:08:25 UTC
*** Bug 92568 has been marked as a duplicate of this bug. ***
Comment 33 Maxim Monastirsky 2015-07-13 16:18:55 UTC
*** Bug 92707 has been marked as a duplicate of this bug. ***
Comment 34 mjsulik 2015-07-13 16:43:36 UTC
Resolved in 5.0.0.3 RC on 32-bit Windows 7, but can't speak to 64-bit versions of Windows.
Comment 35 Eric M 2015-07-16 14:59:20 UTC
Resolved in 
Version: 5.0.0.3 (x64)
Build ID: f79b5ba13f5e6cbad23f8038060e556217e66632
Locale: en-GB (en_GB)
Comment 36 Maxim Monastirsky 2015-07-20 12:42:54 UTC
*** Bug 92839 has been marked as a duplicate of this bug. ***