Posted to issues@openoffice.apache.org by bu...@apache.org on 2020/08/01 02:48:12 UTC

[Issue 125129] Writer: Insert->Frame->Area crashes

https://bz.apache.org/ooo/show_bug.cgi?id=125129

--- Comment #12 from damjan@apache.org ---
I managed to reproduce this unintentionally while playing with our unit tests,
so it is quite a common bug. Let's revisit it.

With comments in some of the related files now translated to English, hopefully
we can build a better picture of what's going on.

Thread 1 received signal SIGSEGV, Segmentation fault.
XPropertyList::Count (this=0x0) at source/xoutdev/xtable.cxx:164
164         if( mbListDirty )
(gdb) bt
#0  XPropertyList::Count() const (this=0x0) at source/xoutdev/xtable.cxx:164

Proximally, XPropertyList::Count() is called with a NULL "this". In the "if"
statement above, it attempts to access this->mbListDirty, resulting in a
SIGSEGV.

------------------------------------------------

#1  0x00000008032d6770 in ColorLB::Fill(boost::shared_ptr<XColorList>)
(this=0x80f01b6c8, aColorTab=...) at source/dialog/dlgctrl.cxx:1314

void ColorLB::Fill( const XColorListSharedPtr aColorTab )
{
    long nCount = aColorTab->Count();


The reason frame #0 got a NULL this is because the ColorLB::Fill() method in
this frame got passed a NULL "XColorListSharedPtr aColorTab" by its caller, and
called Count() on it.

So far, these methods seem innocent: they tried to do the right thing, on
invalid data they were passed from further upstream. The next 6 frames deal
with tab pages, tab dialogs and tab controls, and the bug is probably there
somewhere.

------------------------------------------------

#2  0x000000080ef3b390 in SvxAreaTabPage::Construct() (this=0x80f01b020) at
source/tabpages/tparea.cxx:831

main/cui/source/tabpages/tparea.cxx:

void SvxAreaTabPage::Construct()
{
    // fill colortables / lists
    aLbColor.Fill( maColorTab );
    aLbHatchBckgrdColor.Fill ( maColorTab );

    aLbGradient.Fill( maGradientList );
    aLbHatching.Fill( maHatchingList );
    aLbBitmap.Fill( maBitmapList );
}

However:
(gdb) print maColorTab
$1 = {px = 0x0, pn = {pi_ = 0x0}}

It is here that the invalid maColorTab originated. But how did it become
invalid? As I previously noted:

main/cui/source/inc/cuitabarea.hxx
class SvxAreaTabPage : public SvxTabPage
{
....
    XColorListSharedPtr     maColorTab;
....
}

typedef ::boost::shared_ptr< XColorList > XColorListSharedPtr;

and to become invalid, it was either never written to, or overwritten by an
invalid value. The places it is written to include:
1.  void    SetColorTable( XColorListSharedPtr aColTab ) {
        maColorTab = aColTab;
    }
which is also called from SvxAreaTabPage::PageCreated() in frame #4.
2. In the constructor:
    maColorTab(),
which probably sets the default NULL value.
3. In SvxAreaTabPage::ActivatePage():
    if( *pnColorTableState & CT_CHANGED )
       maColorTab = ( (SvxAreaTabDialog*) DLGWIN )->GetNewColorTable();
4. Through memory corruption, via any pointer anywhere in the code. If so, it
will be extremely difficult to fix.

Possibilities 1-3 can be tested with debugger breakpoints.

It doesn't seem very useful to go into stack frames further upstream, given
that the bad value in maColorTab was already set. Let's rather find how and why
it arrived at its bad value.

------------------------------------------------

#3  0x000000080ef4239b in SvxAreaTabPage::PageCreated(SfxAllItemSet)
(this=0x80f01b020, aSet=...) at source/tabpages/tparea.cxx:2791
#4  0x000000080eb786a1 in SwFrmDlg::PageCreated(unsigned short, SfxTabPage&)
(this=0x80ada7860, nId=<optimized out>, rPage=...) at
source/ui/frmdlg/frmdlg.cxx:245
#5  0x0000000801468a05 in SfxTabDialog::ActivatePageHdl(TabControl*)
(this=0x80ada7860, pTabCtrl=0x80ada7ae8) at source/dialog/tabdlg.cxx:1479
#6  0x0000000801467a28 in SfxTabDialog::LinkStubActivatePageHdl(void*, void*)
(pThis=0x80ada7860, pCaller=0x80ada7ae8) at source/dialog/tabdlg.cxx:1383
#7  0x0000000802c17f2f in TabControl::SelectTabPage(unsigned short)
(this=0x80ada7ae8, nPageId=10056) at source/control/tabctrl.cxx:1899
#8  0x0000000802e4ea1a in ImplHandleMouseEvent(Window*, unsigned short,
unsigned char, long, long, unsigned long, unsigned short, unsigned short)
    (pWindow=<optimized out>, nSVEvent=1, bMouseLeave=0 '\000', nX=<optimized
out>, nY=<optimized out>, nMsgTime=177799169, nCode=1, nMode=3) at
source/window/winproc.cxx:800
#9  0x0000000802e525cb in ImplHandleSalMouseButtonDown(Window*, SalMouseEvent*)
(pWindow=0x0, pEvent=<optimized out>) at source/window/winproc.cxx:2063
#10 0x0000000806664afd in GtkSalFrame::signalButton(_GtkWidget*,
_GdkEventButton*, void*) (pEvent=0x80e139ad0, frame=0x80e54b610) at
unx/gtk/window/gtkframe.cxx:2678
...
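Added example (not code from the bug report or from the OpenOffice code base): a small stand-alone model of the crash path above, using std::shared_ptr in place of boost::shared_ptr and stand-in names (XColorList, FillUnguarded, FillGuarded, AreaTabPage, the Scenario* functions) that are assumptions, not the real classes. It reproduces the three ways the comment lists for maColorTab to end up empty (never set, set via SetColorTable(), overwritten with an empty pointer) and shows the defensive form of Fill() that turns the NULL "this" in frame #0 into a detectable "missing table" result instead of a SIGSEGV.

```cpp
#include <cassert>
#include <cstdio>
#include <memory>
#include <vector>

// Stand-in for XPropertyList/XColorList: a lazily refreshed list.
struct XColorList {
    bool mbListDirty = false;
    std::vector<int> maList;
    long Count() {           // same shape as XPropertyList::Count()
        if (mbListDirty) {   // frame #0 faults here when this == NULL
            mbListDirty = false;
        }
        return static_cast<long>(maList.size());
    }
};
typedef std::shared_ptr<XColorList> XColorListSharedPtr;   // assumption: std:: instead of boost::

// Unguarded Fill(), as in frame #1: dereferences the pointer without checking it.
// Calling this with an empty shared_ptr is undefined behaviour (SIGSEGV in practice).
long FillUnguarded(const XColorListSharedPtr aColorTab) {
    return aColorTab->Count();
}

// Guarded Fill(): an empty table is treated as zero entries and reported to the caller.
long FillGuarded(const XColorListSharedPtr& aColorTab, bool* pMissing = nullptr) {
    if (!aColorTab) {
        if (pMissing) *pMissing = true;
        return 0;
    }
    if (pMissing) *pMissing = false;
    return aColorTab->Count();
}

// Model of the tab page lifecycle described in the comment (hypothetical class).
struct AreaTabPage {
    XColorListSharedPtr maColorTab;   // default-constructed: empty, like "maColorTab()" in the ctor
    void SetColorTable(XColorListSharedPtr aColTab) { maColorTab = aColTab; }
    // Returns false if Construct() would have dereferenced an empty table.
    bool Construct() {
        bool missing = false;
        FillGuarded(maColorTab, &missing);
        return !missing;
    }
};

// Possibility 2: the constructor's default value was never overwritten,
// i.e. PageCreated() never reached SetColorTable() before Construct().
bool ScenarioNoSetColorTable() {
    AreaTabPage page;
    return page.Construct();   // false: the empty table was caught, not dereferenced
}

// Normal path: SetColorTable() was called with a real list before Construct().
long ScenarioWithTable() {
    AreaTabPage page;
    auto list = std::make_shared<XColorList>();
    list->maList = {1, 2, 3};
    list->mbListDirty = true;
    page.SetColorTable(list);
    page.Construct();
    return FillGuarded(page.maColorTab);   // 3
}

// Possibility 1/3: a valid table is later overwritten with an empty pointer
// (e.g. a SetColorTable()/GetNewColorTable() call that handed over nothing).
bool ScenarioOverwrittenWithNull() {
    AreaTabPage page;
    page.SetColorTable(std::make_shared<XColorList>());
    page.SetColorTable(XColorListSharedPtr());
    return page.Construct();   // false
}

int main() {
    std::printf("never set: %s\n", ScenarioNoSetColorTable() ? "ok" : "missing table");
    std::printf("with table: %ld entries\n", ScenarioWithTable());
    std::printf("overwritten: %s\n", ScenarioOverwrittenWithNull() ? "ok" : "missing table");
    return 0;
}
```

To find which of the three writes actually put the empty value there in the real dialog, a location watchpoint on the member (in gdb, `watch -l maColorTab.px` once SvxAreaTabPage's constructor has run) stops at every store to that field, so the culprit frame shows up without stepping through PageCreated() and ActivatePage() by hand.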