Apache OpenOffice (AOO) Bugzilla – Issue 95369
Writer crash related to input fields
Last modified: 2017-05-20 11:35:13 UTC
(gdb) bt
#0  0x9bc31c71 in ObjAnchorOrder::operator() (this=0xafd2eecc, _pListedAnchoredObj=0x9ac6f28, _pNewAnchoredObj=0x0) at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/layout/sortedobjsimpl.cxx:95
#1  0x9bc32266 in _STL::__lower_bound<SwAnchoredObject**, SwAnchoredObject*, ObjAnchorOrder, int> ( __first=0xa17c278, __last=0xa17c27c, __val=@0xafd2ef14, __comp={<No data fields>}) at /ooo/src-3.0.0-debug/OOO300_m9/solver/300/unxlngi6.pro/inc/stl/stl/_algobase.c:371
#2  0x9bc322d7 in _STL::lower_bound<SwAnchoredObject**, SwAnchoredObject*, ObjAnchorOrder> (__first=0xa17c278, __last=0xa17c27c, __val=@0xafd2ef14, __comp={<No data fields>}) at /ooo/src-3.0.0-debug/OOO300_m9/solver/300/unxlngi6.pro/inc/stl/stl/_algo.h:498
#3  0x9bc316f1 in SwSortedObjsImpl::Insert (this=0x97cc5610, _rAnchoredObj=@0x0) at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/layout/sortedobjsimpl.cxx:237
#4  0x9bc3130e in SwSortedObjs::Insert (this=0xafd2f374, _rAnchoredObj=@0x0) at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/layout/sortedobjs.cxx:58
#5  0x9bc4b03b in SwRootFrm::CalcFrmRects (this=0x9bd5e30, rCrsr=@0x9ad54084, bIsTblMode=0 '\0') at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/layout/trvlfrm.cxx:2041
#6  0x9bb4df56 in SwShellCrsr::FillRects (this=0x9ad54084) at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/crsr/viscrs.cxx:1060
#7  0x9bb50167 in SwSelPaintRects::Show (this=0x9ad54084) at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/crsr/viscrs.cxx:762
#8  0x9bb221f6 in SwCrsrShell::UpdateCrsr (this=0x9bd5c88, eFlags=6, bIdleEnd=0 '\0') at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/crsr/crsrsh.cxx:1765
#9  0x9bb26260 in SwCrsrShell::EndAction (this=0x9bd5c88, bIdleEnd=0 '\0') at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/crsr/crsrsh.cxx:316
#10 0x9bb12caa in SwEditShell::EndAllAction (this=0x9bd5c88) at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/edit/edws.cxx:133
#11 0x9c001293 in SwInputFieldList::GotoFieldPos (this=0xa1fd1c0, nId=2) at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/core/fields/fldlst.cxx:147
#12 0x9c4ea5bb in SwWrtShell::UpdateInputFlds (this=0x9bd5c88, pLst=0x0, bOnlyInSel=0 '\0') at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/ui/wrtsh/wrtsh2.cxx:138
#13 0x9c2a75e4 in SwModule::Notify (this=0x9913bb8, rHint=@0xa037f64) at /ooo/src-3.0.0-debug/OOO300_m9/sw/source/ui/app/apphdl.cxx:744
#14 0xa7342d2d in SfxBroadcaster::Broadcast () from /opt/ooo-3.0/openoffice.org3/program/../basis-link/program/libsvlli.so
#15 0xa7417d72 in SfxApplication::GetOptions () from /opt/ooo-3.0/openoffice.org3/program/../basis-link/program/libsfxli.so
#16 0xa7417dd1 in SfxApplication::GetOptions ()

We've confirmed the crash with OOo 3.0 on Linux and Windows XP. 2.4.0 is the earliest version we've tested that has the crash. On 2.2.0 we were unable to reproduce the crash. 2.3 was not tested.

If you want to reproduce the crash yourself:

== Steps 1.-4. for LINUX (for Windows, see further below) ==
1. Download http://forge.osor.eu/frs/download.php/139/WollMux.uno.pkg
2. Download http://forge.osor.eu/frs/download.php/138/wollmux-config-utf8-4.8.0.tar.gz
3. cd $HOME
4. tar xzf wollmux-config-utf8-4.8.0.tar.gz

== Steps 1.-4. for WINDOWS (for Linux, see further above) ==
1. Download http://forge.osor.eu/frs/download.php/139/WollMux.uno.pkg
2. Download http://forge.osor.eu/frs/download.php/137/wollmux-config-iso8859-1-4.8.0.zip
3. Extract wollmux-config-iso8859-1-4.8.0.zip to the folder that contains your personal Desktop folder. On a German Windows XP that is C:\Dokumente und Einstellungen\<login_id>
4. If you've done this correctly, then you will have (on a German Windows XP) a file C:\Dokumente und Einstellungen\.wollmux\wollmux.conf

== Next steps are the same for Linux and Windows ==
5. Start OpenOffice.org
6. Open Tools/Extension Manager and add the downloaded WollMux.uno.pkg
7. Close OpenOffice.org (including quickstarter) and then start it again
8. Open an empty writer document. You should get the WollMux dialog "Absenderliste Verwalten". If you don't you've either already initialized WollMux on an earlier run, or the installation of the WollMux.uno.pkg has failed. In the dialog, enter "Burmux" and click "Suchen". Then double-click "Burmux, Holger" in the left panel. Then click "Schließen". Then you should get the "Absender Auswählen" dialog. Click "Schließen".
9. Open the attached file 2mal_okay_klicken_dann_crash-2.ott
10. Wait till everything has settled.
11. There should be a Writer popup presenting you options "Einschreiben", "Einschreiben mit Rückschein",... In this window, click "OK".
12. Now the popup should present you with a text area above which there's a line of text saying "Zusatz <<Zusatz>>". Click OK again.
13. OOo crashes

NOTE: The WollMux does not perform any background activities while you're working with the Writer popup window. The crash is likely caused by OOo corrupting its internal data structures while being (extensively) accessed by the WollMux via the UNO interface.
Created attachment 57413
See issue description.
The NOTE about WollMux's activity is missing the text "while preparing its form GUI". The point I'm trying to make is that whatever UNO calls cause the corruption do not happen while/after you press "Okay", but before you make your first click.
Reassigned to ES.
@mux2005: can you still reproduce this in a current version?
@es: Yes, I can reproduce the crash with m8 exactly as described. The URL of the .tar.gz has changed, though. This page has the current links: http://forge.osor.eu/frs/?group_id=11
The crash can also be reproduced without installing the uno.pkg extension. To do this, change the instructions as follows:

1. Instead of WollMux.uno.pkg download version 5.9.3 of WollMuxBar.jar from http://forge.osor.eu/frs/?group_id=11

4b. After the normal step 4, edit the wollmux.conf to add the following line at the end
ALLOW_EXTERNAL_WOLLMUX "true"

5.-7. Instead, after closing all OOo instances launch
java -jar WollMuxBar.jar
This will start OOo via the bootstrap mechanism. The dialog described in step 8. will pop up.

The remaining steps are the same.

--------

As you can see even when just communicating with OOo via the socket connection, it will crash. In this scenario there's none of our code executing in OOo's JVM. As you will also notice, in this scenario OUR GUI remains even after OOo crashes, because it's not our Java code that crashes.
I can confirm that this can be reproduced with 3.1.1 as above. Doesn't happen if I just open the .ott and click through the input field popups, but it does if I launch it according to the report and then click through.

When I do that I see a NULL returned from pEndFrm->FindFlyFrm which is then dereferenced and placed in the aSortedObjs.

Attached patch adds an ASSERT there to help catch it (and hacks around the immediate crash by avoiding placing the NULL into aSortedObjs).
Created attachment 67855
avoids immediate crash, pinpoints insertion of NULL into aSortedObjs which is where the later crash originates
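
An added illustration of the failure shape described in the comment above; it is not the attached patch and not OpenOffice.org code. A lookup that can return null feeds a sorted container whose comparator dereferences its arguments, so the fault surfaces inside the comparator (as in frame #0) unless the null is rejected at insertion. AnchoredObj, AnchorOrder, SortedObjs, Frame, find_fly and collect are hypothetical stand-ins, and the sample objects are constructed.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for an anchored layout object.
struct AnchoredObj { int anchor_pos; };

// Like the comparator in frame #0, this reads through both pointers,
// so a null incoming element faults here, far from the bad lookup.
struct AnchorOrder {
    bool operator()(const AnchoredObj* listed, const AnchoredObj* incoming) const {
        return listed->anchor_pos < incoming->anchor_pos;
    }
};

class SortedObjs {
    std::vector<AnchoredObj*> objs_;
public:
    // Takes a pointer, not a reference, so null is rejected before
    // std::lower_bound hands it to the comparator.
    bool insert(AnchoredObj* obj) {
        if (obj == nullptr) return false;
        auto pos = std::lower_bound(objs_.begin(), objs_.end(), obj, AnchorOrder());
        objs_.insert(pos, obj);
        return true;
    }
    std::size_t size() const { return objs_.size(); }
    const AnchoredObj* at(std::size_t i) const { return objs_[i]; }
};

// Hypothetical lookup: a frame that is not inside a fly frame yields null.
struct Frame { AnchoredObj* fly; };
AnchoredObj* find_fly(const Frame& f) { return f.fly; }

// Unguarded shape: dereferencing find_fly(f) at the call site forms a null reference.
// Guarded shape: pass the lookup result through and count the misses.
std::size_t collect(const std::vector<Frame>& frames, SortedObjs& out) {
    std::size_t skipped = 0;
    for (const Frame& f : frames)
        if (!out.insert(find_fly(f))) ++skipped;
    return skipped;
}

int main() {
    AnchoredObj a{30}, b{10};  // constructed sample objects
    std::vector<Frame> frames = { {&a}, {nullptr}, {&b} };
    SortedObjs sorted;
    std::size_t skipped = collect(frames, sorted);
    std::printf("inserted=%zu skipped=%zu\n", sorted.size(), skipped);
}
```
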
Reset assignee to the default "issues@openoffice.apache.org".