Issue 95369 - Writer crash related to input fields
Status: CONFIRMED
Product: Writer
Classification: Application
Component: programming
Version: OOo 2.4.0
Hardware: All All
Importance: P3 trivial
Target Milestone: ---
Assigned To: Oliver-Rainer Wittmann
QA Contact: oooqa
Depends on:
Blocks: 90439
Reported: 2008-10-23 13:48 UTC by mux2005
Modified: 2013-01-29 21:39 UTC

See Also:
Issue Type: DEFECT
Latest Confirmation on: ---
Developer Difficulty: ---


Attachments
See issue description. (18.33 KB, application/vnd.oasis.opendocument.text)
2008-10-23 13:50 UTC, mux2005
avoids immediate crash, pinpoints insertion of NULL into aSortedObjs which is where the later crash originates (809 bytes, patch)
2010-02-16 10:40 UTC, caolanm

Description mux2005 2008-10-23 13:48:58 UTC
(gdb) bt
#0  0x9bc31c71 in ObjAnchorOrder::operator() (this=0xafd2eecc, _pListedAnchoredObj=0x9ac6f28, _pNewAnchoredObj=0x0)
    at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/layout/sortedobjsimpl.cxx:95
#1  0x9bc32266 in _STL::__lower_bound<SwAnchoredObject**, SwAnchoredObject*, ObjAnchorOrder, int> (__first=0xa17c278, __last=0xa17c27c, __val=@0xafd2ef14, __comp={<No data fields>})
    at /ooo/src-3.0.0-debug/OOO300_m9/solver/300/unxlngi6.pro/inc/stl/stl/_algobase.c:371
#2  0x9bc322d7 in _STL::lower_bound<SwAnchoredObject**, SwAnchoredObject*, ObjAnchorOrder> (__first=0xa17c278, __last=0xa17c27c, __val=@0xafd2ef14, __comp={<No data fields>})
    at /ooo/src-3.0.0-debug/OOO300_m9/solver/300/unxlngi6.pro/inc/stl/stl/_algo.h:498
#3  0x9bc316f1 in SwSortedObjsImpl::Insert (this=0x97cc5610, _rAnchoredObj=@0x0)
    at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/layout/sortedobjsimpl.cxx:237
#4  0x9bc3130e in SwSortedObjs::Insert (this=0xafd2f374, _rAnchoredObj=@0x0)
    at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/layout/sortedobjs.cxx:58
#5  0x9bc4b03b in SwRootFrm::CalcFrmRects (this=0x9bd5e30, rCrsr=@0x9ad54084, bIsTblMode=0 '\0')
    at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/layout/trvlfrm.cxx:2041
#6  0x9bb4df56 in SwShellCrsr::FillRects (this=0x9ad54084)
    at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/crsr/viscrs.cxx:1060
#7  0x9bb50167 in SwSelPaintRects::Show (this=0x9ad54084)
    at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/crsr/viscrs.cxx:762
#8  0x9bb221f6 in SwCrsrShell::UpdateCrsr (this=0x9bd5c88, eFlags=6, bIdleEnd=0 '\0')
    at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/crsr/crsrsh.cxx:1765
#9  0x9bb26260 in SwCrsrShell::EndAction (this=0x9bd5c88, bIdleEnd=0 '\0')
    at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/crsr/crsrsh.cxx:316
#10 0x9bb12caa in SwEditShell::EndAllAction (this=0x9bd5c88)
    at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/edit/edws.cxx:133
#11 0x9c001293 in SwInputFieldList::GotoFieldPos (this=0xa1fd1c0, nId=2)
    at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/fields/fldlst.cxx:147
#12 0x9c4ea5bb in SwWrtShell::UpdateInputFlds (this=0x9bd5c88, pLst=0x0, bOnlyInSel=0 '\0')
    at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/ui/wrtsh/wrtsh2.cxx:138
#13 0x9c2a75e4 in SwModule::Notify (this=0x9913bb8, rHint=@0xa037f64)
    at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/ui/app/apphdl.cxx:744
#14 0xa7342d2d in SfxBroadcaster::Broadcast ()
   from /opt/ooo-3.0/openoffice.org3/program/../basis-link/program/libsvlli.so
#15 0xa7417d72 in SfxApplication::GetOptions ()
   from /opt/ooo-3.0/openoffice.org3/program/../basis-link/program/libsfxli.so
#16 0xa7417dd1 in SfxApplication::GetOptions ()


We've confirmed the crash with OOo 3.0 on Linux and Windows XP. 2.4.0 is the
earliest version we've tested that has the crash. On 2.2.0 we were unable to
reproduce the crash. 2.3 was not tested.

If you want to reproduce the crash yourself:

== Steps 1.-4. for LINUX (for Windows, see further below) ==

1. Download http://forge.osor.eu/frs/download.php/139/WollMux.uno.pkg

2. Download
http://forge.osor.eu/frs/download.php/138/wollmux-config-utf8-4.8.0.tar.gz

3. cd $HOME

4. tar xzf wollmux-config-utf8-4.8.0.tar.gz

== Steps 1.-4. for WINDOWS (for Linux, see further above) ==
1. Download http://forge.osor.eu/frs/download.php/139/WollMux.uno.pkg

2. Download
http://forge.osor.eu/frs/download.php/137/wollmux-config-iso8859-1-4.8.0.zip

3. Extract wollmux-config-iso8859-1-4.8.0.zip to the folder that contains your
personal Desktop folder. On a German Windows XP that is C:\Dokumente und
Einstellungen\<login_id>

4. If you've done this correctly, then you will have (on a German Windows XP) a
file C:\Dokumente und Einstellungen\.wollmux\wollmux.conf

== Next steps are the same for Linux and Windows ==
5. Start OpenOffice.org

6. Open Tools/Extension Manager and add the downloaded WollMux.uno.pkg

7. Close OpenOffice.org (including quickstarter) and then start it again

8. Open an empty Writer document. You should get the WollMux dialog
"Absenderliste Verwalten". If you don't, you've either already initialized
WollMux on an earlier run, or the installation of the WollMux.uno.pkg has
failed. In the dialog, enter "Burmux" and click "Suchen". Then double-click
"Burmux, Holger" in the left panel. Then click "Schließen". Then you should get
the "Absender Auswählen" dialog. Click "Schließen".

9. Open the attached file 2mal_okay_klicken_dann_crash-2.ott

10. Wait till everything has settled.

11. There should be a Writer popup presenting you options "Einschreiben",
"Einschreiben mit Rückschein",... In this window, click "OK".

12. Now the popup should present you with a text area above which there's a line
of text saying "Zusatz <<Zusatz>>". Click OK again.

13. OOo crashes

NOTE: The WollMux does not perform any background activities while you're
working with the Writer popup window. The crash is likely caused by OOo
corrupting its internal data structures while being (extensively) accessed by
the WollMux via the UNO interface.
Comment 1 mux2005 2008-10-23 13:50:28 UTC
Created attachment 57413
See issue description.
Comment 2 mux2005 2008-10-23 13:53:56 UTC
The NOTE about WollMux's activity is missing the text "while preparing its form
GUI". The point I'm trying to make is that whatever UNO calls cause the
corruption, do not happen while/after you press "Okay" but before you make your
first click.
Comment 3 michael.ruess 2008-10-23 14:32:19 UTC
Reassigned to ES.
Comment 4 eric.savary 2009-12-10 13:46:27 UTC
@mux2005: can you still reproduce this in a current version?
Comment 5 mux2005 2009-12-18 07:07:11 UTC
@es: 
Yes, I can reproduce the crash with m8 exactly as described. The URL of the
.tar.gz has changed, though. This page has the current links:

http://forge.osor.eu/frs/?group_id=11
Comment 6 mux2005 2009-12-18 07:27:30 UTC
The crash can also be reproduced without installing the uno.pkg extension. To do
this, change the instructions as follows:

1. Instead of WollMux.uno.pkg download version 5.9.3 of WollMuxBar.jar from
http://forge.osor.eu/frs/?group_id=11

4b. After the normal step 4, edit the wollmux.conf to add the following line at
the end

ALLOW_EXTERNAL_WOLLMUX "true"

5.-7. Instead, after closing all OOo instances launch

java -jar WollMuxBar.jar

This will start OOo via the bootstrap mechanism. The dialog described in step 8.
will pop up. The remaining steps are the same.

--------

As you can see even when just communicating with OOo via the socket connection,
it will crash. In this scenario there's none of our code executing in OOo's JVM.
As you will also notice, in this scenario OUR GUI remains even after OOo
crashes, because it's not our Java code that crashes.
Comment 7 caolanm 2010-02-16 10:39:00 UTC
I can confirm that this can be reproduced with 3.1.1 as above. Doesn't happen if
I just open the .ott and click through the input field popups, but it does if I
launch it according to the report and then click through. When I do that I see a
NULL returned from pEndFrm->FindFlyFrm which is then dereferenced and placed in
the aSortedObjs.

Attached patch adds an ASSERT there to help catch it (and hacks around the
immediate crash by avoiding placing the NULL into aSortedObjs).
Comment 8 caolanm 2010-02-16 10:40:15 UTC
Created attachment 67855
avoids immediate crash, pinpoints insertion of NULL into aSortedObjs which is where the later crash originates
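
The failure mode from comment 7 and frames #0 to #5 of the backtrace, as an added example that is neither OpenOffice.org code nor the attached patch: a lookup result that can be null is refused before it reaches a sorted container whose comparator dereferences its elements. `AnchoredObj`, `AnchorOrder`, `SortedObjs`, `findFly` and `collect` are hypothetical names, and the sample data is constructed.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Hypothetical stand-in for an anchored layout object.
struct AnchoredObj { int id; int anchorPos; };

// Dereferences both arguments, like the comparator in frame #0 of the
// backtrace: a null element would fault here, far from where it was produced.
struct AnchorOrder {
    bool operator()(const AnchoredObj* listed, const AnchoredObj* added) const {
        return listed->anchorPos < added->anchorPos;
    }
};

class SortedObjs {
    std::vector<AnchoredObj*> objs_;
public:
    // Pointer parameter (not a reference) so null can be refused before lower_bound runs.
    bool insert(AnchoredObj* obj) {
        if (obj == nullptr) return false;
        auto pos = std::lower_bound(objs_.begin(), objs_.end(), obj, AnchorOrder());
        objs_.insert(pos, obj);
        return true;
    }
    std::size_t size() const { return objs_.size(); }
    const AnchoredObj* at(std::size_t i) const { return objs_[i]; }
};

// Lookup that may legitimately find nothing (constructed for this example).
AnchoredObj* findFly(std::vector<AnchoredObj>& flys, int id) {
    auto it = std::find_if(flys.begin(), flys.end(),
                           [id](const AnchoredObj& o) { return o.id == id; });
    return it == flys.end() ? nullptr : &*it;
}

// Inserts the object for each id; returns how many null lookups were skipped.
std::size_t collect(SortedObjs& out, std::vector<AnchoredObj>& flys, const std::vector<int>& ids) {
    std::size_t skipped = 0;
    for (int id : ids)
        if (!out.insert(findFly(flys, id))) ++skipped;
    return skipped;
}

int main() {
    std::vector<AnchoredObj> flys = {{1, 30}, {2, 10}, {3, 20}};  // constructed sample
    SortedObjs sorted;
    return collect(sorted, flys, {3, 99, 1}) == 1 ? 0 : 1;  // id 99 does not exist
}
```

Counting the skipped lookups keeps the underlying defect visible: the guard stops the crash, but a non-zero count still means the lookup returned nothing where the caller expected an object.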