| Summary: | Crash on opening docx file | ||
|---|---|---|---|
| Product: | LibreOffice | Reporter: | Knut Hohenberg <k.hohenberg> |
| Component: | Writer | Assignee: | Not Assigned <libreoffice-bugs> |
| Status: | RESOLVED WORKSFORME | ||
| Severity: | critical | CC: | aron.budea, bakos.attilakaroly, hossein, kelemeng, libreoffice, nemeth, serval2412, stephane.guillou, telesto |
| Priority: | medium | Keywords: | bibisected, bisected, haveBacktrace, regression |
| Version: | 7.4.0.3 release | ||
| Hardware: | x86-64 (AMD64) | ||
| OS: | All | ||
| See Also: |
https://bugs.documentfoundation.org/show_bug.cgi?id=148687 https://bugs.documentfoundation.org/show_bug.cgi?id=160309 |
||
| Whiteboard: | |||
| Crash report or crash signature: | ["google_breakpad::ExceptionHandler::HandlePureVirtualCall()","SwAnchoredObject::GetObjRectWithSpaces() const"] | Regression By: | Attila Bakos |
| Bug Depends on: | |||
| Bug Blocks: | 104450, 133092 | ||
| Attachments: |
files created by adobe acrobat and word 2016
Backtrace using Visual Studio 2022 Minimal version of the DOCX attachment that still reproduces the crash bt with debug symbols |
||
The crash seems to be caused by a nested (graphics-)text object used as document title with shadows. Reproduced the crash with LO 7.5: Version: 7.5.3.2 (X86_64) / LibreOffice Community Build ID: 9f56dff12ba03b9acd7730a5a481eea045e468f3 CPU threads: 20; OS: Windows 10.0 Build 22621; UI render: Skia/Raster; VCL: win Locale: en-US (en_DE); UI: en-GB Calc: CL threaded Created attachment 188771 [details]
Backtrace using Visual Studio 2022
Repro with Version: 24.2.0.0.alpha0+ (X86_64) / LibreOffice Community Build ID: 34387332173782498acd4998c7c665d04ebc3c7d CPU threads: 15; OS: Windows 10.0 Build 19045; UI render: default; VCL: win Locale: hu-HU (hu_HU); UI: en-US Calc: threaded Both files did open fine in 7.3, started to crash in 7.4. Bibisected on windows-7.4 to: https://git.libreoffice.org/core/+/44eef5f494825a26594ba3d50ef1f3211ae73b9b author Attila Bakos (NISZ) <bakos.attilakaroly@nisz.hu> Mon Jun 20 17:27:53 2022 +0200 committer László Németh <nemeth@numbertext.org> Wed Jul 13 09:25:10 2022 +0200 tdf#148687 tdf#149173 tdf#149546 sw: fix crash with textboxes Adding CC to: Attila Bakos Created attachment 188786 [details] Minimal version of the DOCX attachment that still reproduces the crash The attached file is a minified version of the attachment 188762 [details] which still reproduces the crash. It contains a box with an image and a text box inside it. Created attachment 189319 [details]
bt with debug symbols
On pc Debian x86-64 with master sources updated today, I could reproduce this.
The pb is the object is destroyed:
#0 SwAnchoredObject::~SwAnchoredObject() (this=0x5600c10ec0a0) at sw/source/core/layout/anchoredobject.cxx:104
#1 0x00007f937aa05a10 in SwFlyFrame::~SwFlyFrame() (this=0x5600c10ebf40) at sw/source/core/layout/fly.cxx:372
#2 0x00007f937aa258ad in SwFlyFreeFrame::~SwFlyFreeFrame() (this=0x5600c10ebf40) at sw/source/core/layout/flylay.cxx:98
#3 0x00007f937aa2c2b5 in SwFlyLayFrame::~SwFlyLayFrame() (this=0x5600c10ebf40) at sw/source/core/inc/flyfrms.hxx:150
#4 0x00007f937aa2c2d9 in SwFlyLayFrame::~SwFlyLayFrame() (this=0x5600c10ebf40) at sw/source/core/inc/flyfrms.hxx:150
#5 0x00007f937ab2c8a5 in SwFrame::DestroyFrame(SwFrame*) (pFrame=0x5600c10ebf40) at sw/source/core/layout/ssfrm.cxx:397
#6 0x00007f937a9c0c92 in SwFrameFormat::DelFrames() (this=0x5600c11d25f0) at sw/source/core/layout/atrfrm.cxx:2764
#7 0x00007f937a3d1c9d in SwDoc::SetFlyFrameAnchor(SwFrameFormat&, SfxItemSet&, bool)
(this=0x5600c1059040, rFormat=..., rSet=SfxItemSet of pool 0x5600c1056800 with parent 0x5600c11d26b8 and Which ranges: [(88, 140), (159, 159), (1014, 1034)] = {...}, bNewFrames=false)
at sw/source/core/doc/docfly.cxx:287
#8 0x00007f937a3d3600 in lcl_SetFlyFrameAttr(SwDoc&, signed char (SwDoc::*)(SwFrameFormat&, SfxItemSet&, bool), SwFrameFormat&, SfxItemSet&)
(rDoc=..., pSetFlyFrameAnchor=(sal_Int8 (SwDoc::*)(SwDoc * const, SwFrameFormat &, SfxItemSet &, bool)) 0x7f937a3d1a70 <SwDoc::SetFlyFrameAnchor(SwFrameFormat&, SfxItemSet&, bool)>, rFlyFormat=..., rSet=SfxItemSet of pool 0x5600c1056800 with parent 0x5600c11d26b8 and Which ranges: [(88, 140), (159, 159), (1014, 1034)] = {...}) at sw/source/core/doc/docfly.cxx:435
#9 0x00007f937a3d342e in SwDoc::SetFlyFrameAttr(SwFrameFormat&, SfxItemSet&)
(this=0x5600c1059040, rFlyFormat=..., rSet=SfxItemSet of pool 0x5600c1056800 with parent 0x5600c11d26b8 and Which ranges: [(88, 140), (159, 159), (1014, 1034)] = {...}) at sw/source/core/doc/docfly.cxx:544
#10 0x00007f937b093a74 in SwXFrame::setPropertyValue(rtl::OUString const&, com::sun::star::uno::Any const&)
(this=0x5600c16de740, rPropertyName="AnchorType", _rValue=uno::Any("com.sun.star.text.TextContentAnchorType": com::sun::star::text::TextContentAnchorType::TextContentAnchorType_AT_CHARACTER))
at sw/source/core/unocore/unoframe.cxx:1933
#11 0x00007f937a6d7acd in SwTextBoxHelper::changeAnchor(SwFrameFormat*, SdrObject*) (pShape=0x5600c13980f0, pObj=0x5600c1185420) at sw/source/core/doc/textboxhelper.cxx:1253
#12 0x00007f937a6da577 in SwTextBoxHelper::synchronizeGroupTextBoxProperty(bool (*)(SwFrameFormat*, SdrObject*), SwFrameFormat*, SdrObject*)
(pFunc=0x7f937a6d73c0 <SwTextBoxHelper::changeAnchor(SwFrameFormat*, SdrObject*)>, pFormat=0x5600c13980f0, pObj=0x5600c1185420) at sw/source/core/doc/textboxhelper.cxx:1587
#13 0x00007f937a6da553 in SwTextBoxHelper::synchronizeGroupTextBoxProperty(bool (*)(SwFrameFormat*, SdrObject*), SwFrameFormat*, SdrObject*)
(pFunc=0x7f937a6d73c0 <SwTextBoxHelper::changeAnchor(SwFrameFormat*, SdrObject*)>, pFormat=0x5600c13980f0, pObj=0x5600c1024b10) at sw/source/core/doc/textboxhelper.cxx:1583
#14 0x00007f937ace2ca7 in SwFlyCntPortion::SetBase(SwTextFrame const&, Point const&, long, long, long, long, AsCharFlags)
(this=0x5600c16e56f0, rFrame=..., rBase=Point = {...}, nLnAscent=224, nLnDescent=52, nFlyAsc=224, nFlyDesc=52, nFlags=(AsCharFlags::UlSpace | AsCharFlags::Init)) at sw/source/core/text/porfly.cxx:374
#15 0x00007f937ace31b5 in sw::DrawFlyCntPortion::Create(SwTextFrame const&, SwFrameFormat const&, Point const&, long, long, long, long, AsCharFlags)
(rFrame=..., rFormat=..., rBase=Point = {...}, nLnAscent=224, nLnDescent=52, nFlyAsc=224, nFlyDesc=52, nFlags=AsCharFlags::None) at sw/source/core/text/porfly.cxx:305
#16 0x00007f937acc0cc1 in SwTextFormatter::NewFlyCntPortion(SwTextFormatInfo&, SwTextAttr*) const (this=0x7ffe6ac97888, rInf=..., pHint=0x5600c1206b10) at sw/source/core/text/itrform2.cxx:3018
#17 0x00007f937ad605a4 in SwTextFormatter::NewExtraPortion(SwTextFormatInfo&) (this=0x7ffe6ac97888, rInf=...) at sw/source/core/text/txtfld.cxx:371
#18 0x00007f937acb76da in SwTextFormatter::NewPortion(SwTextFormatInfo&, std::optional<o3tl::strong_int<int, Tag_TextFrameIndex> >)
(this=0x7ffe6ac97888, rInf=..., oMovedFlyIndex=std::optional<o3tl::strong_int<int, Tag_TextFrameIndex>> [no contained value]) at sw/source/core/text/itrform2.cxx:1737
#19 0x00007f937acb3ed2 in SwTextFormatter::BuildPortions(SwTextFormatInfo&) (this=0x7ffe6ac97888, rInf=...) at sw/source/core/text/itrform2.cxx:440
but this same object is used here:
#0 SwAnchoredObject::GetObjRectWithSpaces() const (this=0x5600c10ec0a0) at sw/source/core/layout/anchoredobject.cxx:563
#1 0x00007f937ad65750 in SwTextFly::ForEach(SwRect const&, SwRect*, bool) const (this=0x7ffe6ac97790, rRect=SwRect = {...}, pRect=0x7ffe6ac94b18, bAvoid=true) at sw/source/core/text/txtfly.cxx:1100
#2 0x00007f937ad6541b in SwTextFly::GetFrame_(SwRect const&) const (this=0x7ffe6ac97790, rRect=SwRect = {...}) at sw/source/core/text/txtfly.cxx:382
#3 0x00007f937ac9529e in SwTextFly::GetFrame(SwRect const&) const (this=0x7ffe6ac97790, rRect=SwRect = {...}) at sw/source/core/inc/txtfly.hxx:371
#4 0x00007f937acb1ecc in SwTextFormatter::CalcFlyWidth(SwTextFormatInfo&) (this=0x7ffe6ac97888, rInf=...) at sw/source/core/text/itrform2.cxx:2753
#5 0x00007f937acb7f5c in SwTextFormatter::NewPortion(SwTextFormatInfo&, std::optional<o3tl::strong_int<int, Tag_TextFrameIndex> >)
(this=0x7ffe6ac97888, rInf=..., oMovedFlyIndex=std::optional<o3tl::strong_int<int, Tag_TextFrameIndex>> [no contained value]) at sw/source/core/text/itrform2.cxx:1859
#6 0x00007f937acb3ed2 in SwTextFormatter::BuildPortions(SwTextFormatInfo&) (this=0x7ffe6ac97888, rInf=...) at sw/source/core/text/itrform2.cxx:440
Repro on Linux with 7.4.0.3 with signature "SwAnchoredObject::GetObjRectWithSpaces() const": https://crashreport.libreoffice.org/stats/crash_details/71fb341f-e183-4339-9495-d1b7da48e1c1 However, no crash anymore on Windows nor on Linux. For all 3 files shared here, crash in master of linux-64-7.4 repo, but no crash in oldest of linux-64-7.5. So couldn't bibisect any fix. Can someone else confirm that the files don't crash on opening anymore? On pc Debian x86-64 with master sources updated today or with LO Debian package 24.2.03, I don't reproduce the crash anymore with minimal version reproducer or with the 2 files in initial attached zip. OK, thanks Julien, let's close as "works for me". |
Created attachment 188762 [details] files created by adobe acrobat and word 2016 Writer crashes on opening a docx file converted from pdf by adobe acrobat (P09-001-4p01-201127 Brandschutznachweis Schulgebäude.docx). Word 2016 opens the file without errors, and writes it out with a warning that the file format will change (filesize indeed increases, see Word_2016_Brandschutznachweis Schulgebäude.docx). Unfortunately, LibeOffice is not able to open this file either. Related Crash reports are 9915cefc-85d2-4ac7-a742-bb6ad03d0ad8 for the original file and 267c44a2-9e7a-4ed6-9b9e-7f943521274b for the file written by word.