[Libreoffice-bugs] [Bug 88555] FORMATTING: When undo and redo, custom styles and formatting lost, or full crash.

bugzilla-daemon at bugs.documentfoundation.org
Fri Apr 28 21:00:15 UTC 2017


https://bugs.documentfoundation.org/show_bug.cgi?id=88555

--- Comment #18 from Michael Stahl <mstahl at redhat.com> ---
regarding the crash, it is because commit
0f98299f7aa44bbb55c1bfeddca7799f727d14b0 inserted a dynamic_cast in the
Contains function.

Undo of the style creation deletes the SwFormat:

#0  0x00007f08164adf1b in SwFormat::~SwFormat() (this=0x3d63770,
__in_chrg=<optimized out>) at
/work/lo/libreoffice-5-3/sw/source/core/attr/format.cxx:214
#1  0x00007f0816614874 in SwFormatColl::~SwFormatColl() (this=0x3d63770,
__in_chrg=<optimized out>) at /work/lo/libreoffice-5-3/sw/inc/fmtcol.hxx:33
#2  0x00007f0816746f16 in SwTextFormatColl::~SwTextFormatColl()
(this=0x3d63770, __in_chrg=<optimized out>) at
/work/lo/libreoffice-5-3/sw/inc/fmtcol.hxx:54
#3  0x00007f0816746f32 in SwTextFormatColl::~SwTextFormatColl()
(this=0x3d63770, __in_chrg=<optimized out>) at
/work/lo/libreoffice-5-3/sw/inc/fmtcol.hxx:54
#4  0x00007f081660e8f5 in SwDoc::DelTextFormatColl(unsigned long, bool)
(this=0x36cb7e0, nFormatColl=7, bBroadcast=true) at
/work/lo/libreoffice-5-3/sw/source/core/doc/docfmt.cxx:991
#5  0x00007f081660ea11 in SwDoc::DelTextFormatColl(SwTextFormatColl*, bool)
(this=0x36cb7e0, pColl=0x3d63770, bBroadcast=true) at
/work/lo/libreoffice-5-3/sw/source/core/doc/docfmt.cxx:999
#6  0x00007f0816c98836 in SwUndoTextFormatCollCreate::Delete() (this=0x3d4f130)
at /work/lo/libreoffice-5-3/sw/source/core/undo/SwUndoFmt.cxx:206
#7  0x00007f0816c97f77 in SwUndoFormatCreate::UndoImpl(sw::UndoRedoContext&)
(this=0x3d4f130) at
/work/lo/libreoffice-5-3/sw/source/core/undo/SwUndoFmt.cxx:63

the call to SwFormatsModifyBase::Contains effectively wants to check if
the SwFormat has been deleted; I think every SwFormat is in some SwDoc
member array for as long as it is alive.

of course with the dynamic_cast in Contains, the check if it's
still alive turns into a use-after-free crash.

the patch in commit #17 should fix this crash but every other
call to Contains probably either crashes or is pointless because
it will always return true.

-- 
You are receiving this mail because:
You are the assignee for the bug.
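
Added example (not part of the original mail and not LibreOffice code): a minimal C++ sketch of the failure mode described in comment #18, where a liveness check that dynamic_casts its argument must read the deleted object, while an address-only lookup does not. Format, TextFormat, FormatRegistry and all function names are hypothetical stand-ins for SwFormat, SwTextFormatColl and the SwDoc member array.

```cpp
#include <algorithm>
#include <vector>

// Hypothetical stand-ins for SwFormat and one derived format class.
struct Format { virtual ~Format() = default; };
struct TextFormat : Format {};

// Hypothetical stand-in for the SwDoc member array that owns live formats.
class FormatRegistry {
    std::vector<TextFormat*> m_live;
public:
    ~FormatRegistry() { for (TextFormat* p : m_live) delete p; }

    TextFormat* Create() {
        m_live.push_back(new TextFormat);
        return m_live.back();
    }

    void Delete(TextFormat* p) {
        m_live.erase(std::remove(m_live.begin(), m_live.end(), p), m_live.end());
        delete p;
    }

    // Unsafe shape: dynamic_cast has to read the vtable pointer stored in *p.
    // If p was already deleted, that read is the use-after-free, and it
    // happens before the array is even searched.
    bool ContainsWithCast(Format* p) const {
        TextFormat* t = dynamic_cast<TextFormat*>(p);
        return t && std::find(m_live.begin(), m_live.end(), t) != m_live.end();
    }

    // Safe shape: compares addresses only and never dereferences p, so it can
    // answer "is this format still alive?" for a stale pointer.
    bool Contains(const Format* p) const {
        return std::any_of(m_live.begin(), m_live.end(),
                           [p](const TextFormat* q) { return q == p; });
    }
};

// Mirrors the undo path: delete the format, then ask whether it is still there.
bool StaleLookupReportsDeleted() {
    FormatRegistry reg;
    TextFormat* kept = reg.Create();
    TextFormat* undone = reg.Create();
    reg.Delete(undone);
    return reg.Contains(kept) && !reg.Contains(undone);
}

int main() { return StaleLookupReportsDeleted() ? 0 : 1; }
```

An address-only lookup can still report a stale pointer as live if the allocator hands the same address to a format created later, so it is a crash fix rather than a full lifetime guarantee.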