[Libreoffice-bugs] [Bug 126138] New: -fsanitize=dynamic-type-mismatch in SwTabFrame::FindLastContent (SwTabFrame vs. SwContentFrame) during --convert-to pdf

bugzilla-daemon at bugs.documentfoundation.org bugzilla-daemon at bugs.documentfoundation.org
Thu Jun 27 15:50:54 UTC 2019 

https://bugs.documentfoundation.org/show_bug.cgi?id=126138

            Bug ID: 126138
           Summary: -fsanitize=dynamic-type-mismatch in
                    SwTabFrame::FindLastContent (SwTabFrame vs.
                    SwContentFrame) during --convert-to pdf
           Product: LibreOffice
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: Writer
          Assignee: libreoffice-bugs at lists.freedesktop.org
          Reporter: sbergman at redhat.com
                CC: michael.stahl at cib.de, vmiklos at collabora.com

At least on recent master built with UBSan, `--headless --convert-to pdf
doc/fdo53816-2.doc` as obtained by bin/get-bugzilla-attachments-by-mimetype
(i.e., attachment 65809 at bug 53816 comment 1) fails with

> sw/source/core/layout/tabfrm.cxx:3429:12: runtime error: downcast of address 0x612000459640 which does not point to an object of type 'SwContentFrame'
> 0x612000459640: note: object is of type 'SwTabFrame'
>  43 01 80 13  b0 50 5c b7 a5 7f 00 00  bd 18 00 00 00 00 00 00  0d 18 1b 00 00 00 00 00  40 11 00 00
>               ^~~~~~~~~~~~~~~~~~~~~~~
>               vptr for 'SwTabFrame'
>  #0 in SwTabFrame::FindLastContent() at sw/source/core/layout/tabfrm.cxx:3429:12 (instdir/program/../program/libswlo.so +0xe0a351a)
>  #1 in SwFrame::GetNextLeaf(MakePageType) at sw/source/core/layout/flowfrm.cxx:918:64 (instdir/program/../program/libswlo.so +0xd9d8eb4)
>  #2 in SwFrame::GetLeaf(MakePageType, bool) at sw/source/core/layout/flowfrm.cxx:821:19 (instdir/program/../program/libswlo.so +0xd9d88b8)
>  #3 in SwFlowFrame::MoveBwd(bool&) at sw/source/core/layout/flowfrm.cxx:2363:37 (instdir/program/../program/libswlo.so +0xda0e4c3)
>  #4 in SwTabFrame::MakeAll(OutputDevice*) at sw/source/core/layout/tabfrm.cxx:2086:18 (instdir/program/../program/libswlo.so +0xe07380c)
>  #5 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:364:5 (instdir/program/../program/libswlo.so +0xd8f72fc)
>  #6 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1791:37 (instdir/program/../program/libswlo.so +0xe131abe)
>  #7 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:248:25 (instdir/program/../program/libswlo.so +0xd8f30ac)
>  #8 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1791:37 (instdir/program/../program/libswlo.so +0xe131abe)
>  #9 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:248:25 (instdir/program/../program/libswlo.so +0xd8f30ac)
>  #10 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1791:37 (instdir/program/../program/libswlo.so +0xe131abe)
>  #11 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:248:25 (instdir/program/../program/libswlo.so +0xd8f30ac)
>  #12 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1791:37 (instdir/program/../program/libswlo.so +0xe131abe)
>  #13 in SwTabFrame::MakeAll(OutputDevice*) at sw/source/core/layout/tabfrm.cxx:2579:47 (instdir/program/../program/libswlo.so +0xe081647)
>  #14 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:364:5 (instdir/program/../program/libswlo.so +0xd8f72fc)
>  #15 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1791:37 (instdir/program/../program/libswlo.so +0xe131abe)
>  #16 in lcl_InnerCalcLayout(SwFrame*, long, bool) at sw/source/core/layout/tabfrm.cxx:1583:21 (instdir/program/../program/libswlo.so +0xe05a672)
>  #17 in lcl_InnerCalcLayout(SwFrame*, long, bool) at sw/source/core/layout/tabfrm.cxx:1585:25 (instdir/program/../program/libswlo.so +0xe05aa57)
>  #18 in lcl_InnerCalcLayout(SwFrame*, long, bool) at sw/source/core/layout/tabfrm.cxx:1585:25 (instdir/program/../program/libswlo.so +0xe05aa57)
>  #19 in lcl_RecalcRow(SwRowFrame*, long) at sw/source/core/layout/tabfrm.cxx:1620:16 (instdir/program/../program/libswlo.so +0xe089530)
>  #20 in lcl_RecalcTable(SwTabFrame&, SwLayoutFrame*, SwLayNotify&) at sw/source/core/layout/tabfrm.cxx:1724:9 (instdir/program/../program/libswlo.so +0xe087c61)
>  #21 in SwTabFrame::MakeAll(OutputDevice*) at sw/source/core/layout/tabfrm.cxx:2114:21 (instdir/program/../program/libswlo.so +0xe074a1e)
>  #22 in SwTabFrame::MakeAll(OutputDevice*) at sw/source/core/layout/tabfrm.cxx:2536:42 (instdir/program/../program/libswlo.so +0xe07f7b0)
>  #23 in SwFrame::PrepareMake(OutputDevice*) at sw/source/core/layout/calcmove.cxx:364:5 (instdir/program/../program/libswlo.so +0xd8f72fc)
>  #24 in SwFrame::Calc(OutputDevice*) const at sw/source/core/layout/trvlfrm.cxx:1791:37 (instdir/program/../program/libswlo.so +0xe131abe)
>  #25 in SwLayAction::IsShortCut(SwPageFrame*&) at sw/source/core/layout/layact.cxx:1088:31 (instdir/program/../program/libswlo.so +0xdc501e6)
>  #26 in SwLayAction::InternalAction(OutputDevice*) at sw/source/core/layout/layact.cxx:482:44 (instdir/program/../program/libswlo.so +0xdc3eec0)
>  #27 in SwLayAction::Action(OutputDevice*) at sw/source/core/layout/layact.cxx:349:5 (instdir/program/../program/libswlo.so +0xdc3b6f0)
>  #28 in SwRootFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:2965:17 (instdir/program/../program/libswlo.so +0xde3a4c3)
>  #29 in SwViewShell::PrintOrPDFExport(OutputDevice*, SwPrintData const&, int, bool) at sw/source/core/view/vprint.cxx:542:30 (instdir/program/../program/libswlo.so +0x103bb673)
>  #30 in SwXTextDocument::render(int, com::sun::star::uno::Any const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at sw/source/uibase/uno/unotxdoc.cxx:3051:32 (instdir/program/../program/libswlo.so +0x1277e95a)
>  #31 in PDFExport::ExportSelection(vcl::PDFWriter&, com::sun::star::uno::Reference<com::sun::star::view::XRenderable> const&, com::sun::star::uno::Any const&, StringRangeEnumerator const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>&, int) at filter/source/pdf/pdfexport.cxx:227:34 (instdir/program/../program/libpdffilterlo.so +0x2db226)
>  #32 in PDFExport::Export(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at filter/source/pdf/pdfexport.cxx:939:28 (instdir/program/../program/libpdffilterlo.so +0x2f35d5)
>  #33 in PDFFilter::implExport(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at filter/source/pdf/pdffilter.cxx:155:24 (instdir/program/../program/libpdffilterlo.so +0x33dc9f)
>  #34 in PDFFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at filter/source/pdf/pdffilter.cxx:216:23 (instdir/program/../program/libpdffilterlo.so +0x33eb1f)
>  #35 in SfxObjectShell::ExportTo(SfxMedium&) at sfx2/source/doc/objstor.cxx:2422:25 (instdir/program/libsfxlo.so +0x4ba8653)
>  #36 in SfxObjectShell::SaveTo_Impl(SfxMedium&, SfxItemSet const*) at sfx2/source/doc/objstor.cxx:1513:19 (instdir/program/libsfxlo.so +0x4b986d2)
>  #37 in SfxObjectShell::PreDoSaveAs_Impl(rtl::OUString const&, rtl::OUString const&, SfxItemSet const&) at sfx2/source/doc/objstor.cxx:2828:39 (instdir/program/libsfxlo.so +0x4bc7b1c)
>  #38 in SfxObjectShell::CommonSaveAs_Impl(INetURLObject const&, rtl::OUString const&, SfxItemSet&) at sfx2/source/doc/objstor.cxx:2685:9 (instdir/program/libsfxlo.so +0x4bc15b3)
>  #39 in SfxObjectShell::APISaveAs_Impl(rtl::OUString const&, SfxItemSet&) at sfx2/source/doc/objserv.cxx:330:19 (instdir/program/libsfxlo.so +0x4b37598)
>  #40 in SfxBaseModel::impl_store(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, bool) at sfx2/source/doc/sfxbasemodel.cxx:3026:42 (instdir/program/libsfxlo.so +0x4d242b6)
>  #41 in SfxBaseModel::storeToURL(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at sfx2/source/doc/sfxbasemodel.cxx:1697:13 (instdir/program/libsfxlo.so +0x4d2a9ab)
>  #42 in desktop::DispatchWatcher::executeDispatchRequests(std::__debug::vector<desktop::DispatchWatcher::DispatchRequest, std::allocator<desktop::DispatchWatcher::DispatchRequest> > const&, bool) at desktop/source/app/dispatchwatcher.cxx:655:48 (instdir/program/libsofficeapp.so +0x9060f8)
>  #43 in desktop::RequestHandler::ExecuteCmdLineRequests(desktop::ProcessDocumentsRequest&, bool) at desktop/source/app/officeipcthread.cxx:1360:38 (instdir/program/libsofficeapp.so +0x972cb0)
>  #44 in desktop::Desktop::OpenClients() at desktop/source/app/app.cxx:2148:14 (instdir/program/libsofficeapp.so +0x7e4739)
>  #45 in desktop::Desktop::OpenClients_Impl(void*) at desktop/source/app/app.cxx:1935:9 (instdir/program/libsofficeapp.so +0x7de8c1)
>  #46 in desktop::Desktop::LinkStubOpenClients_Impl(void*, void*) at desktop/source/app/app.cxx:1918:1 (instdir/program/libsofficeapp.so +0x7d9d7a)
>  #47 in Link<void*, void>::Call(void*) const at include/tools/link.hxx:112:45 (instdir/program/libvcllo.so +0x6acdbc1)
>  #48 in ImplHandleUserEvent(ImplSVEvent*) at vcl/source/window/winproc.cxx:1964:30 (instdir/program/libvcllo.so +0x6abb56f)
>  #49 in ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) at vcl/source/window/winproc.cxx:2517:13 (instdir/program/libvcllo.so +0x6aa4645)
>  #50 in SalFrame::CallCallback(SalEvent, void const*) const at vcl/inc/salframe.hxx:299:29 (instdir/program/libvcllo.so +0x9bb7fa8)
>  #51 in SvpSalInstance::ProcessEvent(SalUserEventList::SalUserEvent) at vcl/headless/svpinst.cxx:282:22 (instdir/program/libvcllo.so +0x9c3d8b2)
>  #52 in non-virtual thunk to SvpSalInstance::ProcessEvent(SalUserEventList::SalUserEvent) at vcl/headless/svpinst.cxx (instdir/program/libvcllo.so +0x9c3e2e2)
>  #53 in SalUserEventList::DispatchUserEvents(bool) at vcl/source/app/salusereventlist.cxx:109:17 (instdir/program/libvcllo.so +0x8e746e8)
>  #54 in SvpSalInstance::DoYield(bool, bool) at vcl/headless/svpinst.cxx:427:19 (instdir/program/libvcllo.so +0x9c424f4)
>  #55 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:457:48 (instdir/program/libvcllo.so +0x91af8b3)
>  #56 in Application::Yield() at vcl/source/app/svapp.cxx:521:5 (instdir/program/libvcllo.so +0x91aee37)
>  #57 in Application::Execute() at vcl/source/app/svapp.cxx:438:9 (instdir/program/libvcllo.so +0x91aebac)
>  #58 in desktop::Desktop::Main() at desktop/source/app/app.cxx:1620:17 (instdir/program/libsofficeapp.so +0x7d3700)
>  #59 in ImplSVMain() at vcl/source/app/svmain.cxx:202:35 (instdir/program/libvcllo.so +0x92569bc)
>  #60 in SVMain() at vcl/source/app/svmain.cxx:236:12 (instdir/program/libvcllo.so +0x925ff30)
>  #61 in soffice_main at desktop/source/app/sofficemain.cxx:170:12 (instdir/program/libsofficeapp.so +0x9b47b1)
>  #62 in sal_main at desktop/source/app/main.c:48:15 (instdir/program/soffice.bin +0x323dcc)
>  #63 in main at desktop/source/app/main.c:47:1 (instdir/program/soffice.bin +0x323da6)
>  #64 in __libc_start_main at /usr/src/debug/glibc-2.29-24-g2ec0b166bf/csu/../csu/libc-start.c:308:16 (/lib64/libc.so.6 +0x23f32)
>  #65 in _start at <null> (instdir/program/soffice.bin +0x24e02d)
> 
> SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch sw/source/core/layout/tabfrm.cxx:3429:12 in

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/libreoffice-bugs/attachments/20190627/fc63d5a1/attachment-0001.html>

More information about the Libreoffice-bugs mailing list