[Libreoffice-bugs] [Bug 130775] FILEOPEN DOCX: Crash in SwTextAdjuster::CalcRightMargin

bugzilla-daemon at bugs.documentfoundation.org bugzilla-daemon at bugs.documentfoundation.org
Tue Mar 24 21:20:14 UTC 2020


https://bugs.documentfoundation.org/show_bug.cgi?id=130775

Miklos Vajna <vmiklos at collabora.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|regression                  |implementationError

--- Comment #9 from Miklos Vajna <vmiklos at collabora.com> ---
I looked at this, but then ran out of time, so I'm just dumping my notes here,
so in case I get back to this in the future or somebody else takes a look it's
not necessary to start from scratch.

The direct problem is that SwTextAdjuster::CalcRightMargin() works on a list of
portions, we set pLast to a value, then call CalcFlyPortion(), then we continue
using pLast. But this is not safe, because pLast may be deleted while
CalcFlyPortion() is called.

Here is how the delete happens:

#0  SwLinePortion::~SwLinePortion (this=0x6040007b4950) at
sw/source/core/text/porlin.cxx:57
#1  0x00007fff55977768 in SwTextPortion::~SwTextPortion (this=0x6040007b4950)
at sw/source/core/text/portxt.hxx:27
#2  0x00007fff55d4e445 in SwTextPortion::~SwTextPortion (this=0x6040007b4950)
at sw/source/core/text/portxt.hxx:27
#3  0x00007fff55c90648 in SwLinePortion::Truncate_ (this=0x61800003b080) at
sw/source/core/text/porlin.cxx:165
#4  0x00007fff5591e6f2 in SwLinePortion::Truncate (this=0x61800003b080) at
sw/source/core/text/porlin.hxx:199
#5  0x00007fff55b97f97 in SwLineLayout::~SwLineLayout (this=0x61800003b080) at
sw/source/core/text/porlay.cxx:201
#6  0x00007fff55bd2013 in SwParaPortion::~SwParaPortion (this=0x61800003b080)
at sw/source/core/text/porlay.cxx:2376
#7  0x00007fff55bd2075 in SwParaPortion::~SwParaPortion (this=0x61800003b080)
at sw/source/core/text/porlay.cxx:2375
#8  0x00007fff55db3492 in std::default_delete<SwParaPortion>::operator()
(this=0x6040012bafb8, __ptr=0x61800003b080)
    at
/home/vmiklos/git/libreoffice/lode/opt_private/gcc-7.3.0/lib64/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:78
#9  0x00007fff55db29fa in std::unique_ptr<SwParaPortion,
std::default_delete<SwParaPortion> >::reset (this=0x6040012bafb8,
__p=0x61800003b080)
    at
/home/vmiklos/git/libreoffice/lode/opt_private/gcc-7.3.0/lib64/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:376
#10 0x00007fff55db0fb1 in SwTextLine::SetPara (this=0x6040012baf90, pNew=0x0,
bDelete=true) at sw/source/core/text/txtcache.hxx:45
#11 0x00007fff55daf0fc in SwTextFrame::ClearPara (this=0x61200040a140) at
sw/source/core/text/txtcache.cxx:112
#12 0x00007fff55e5eacc in SwTextFrame::Init (this=0x61200040a140) at
sw/source/core/text/txtfrm.cxx:753
#13 0x00007fff55eafc8a in SwTextFrame::Prepare (this=0x61200040a140,
ePrep=PrepareHint::FlyFrameArrive, pVoid=0x7fff8345f820, bNotify=true) at
sw/source/core/text/txtfrm.cxx:3071
#14 0x00007fff54e6102c in lcl_NotifyContent (pThis=0x615000644900,
pCnt=0x61200040a140, rRect=SwRect = {...}, eHint=PrepareHint::FlyFrameArrive)
at sw/source/core/layout/frmtool.cxx:3146
#15 0x00007fff54e59757 in Notify_Background (pObj=0x615000644900,
pPage=0x612000405640, rRect=SwRect = {...}, eHint=PrepareHint::FlyFrameArrive,
bInva=true)
    at sw/source/core/layout/frmtool.cxx:3224
#16 0x00007fff541560d6 in lcl_NotifyBackgroundOfObj (_rDrawContact=...,
_rObj=..., _pOldObjRect=0x0) at sw/source/core/draw/dcontact.cxx:937
#17 0x00007fff5415ff07 in SwDrawContact::SwClientNotify (this=0x6130001cf700,
rMod=..., rHint=...) at sw/source/core/draw/dcontact.cxx:1437
#18 0x00007fff522392c6 in SwModify::CallSwClientNotify (this=0x6130001cf380,
rHint=...) at sw/source/core/attr/calbck.cxx:373
#19 0x00007fff522395c6 in sw::BroadcastingModify::CallSwClientNotify
(this=0x6130001cf380, rHint=...) at sw/source/core/attr/calbck.cxx:378
#20 0x00007fff52240408 in SwModify::ModifyBroadcast (this=0x6130001cf380,
pOldValue=0x7fff8365bb00, pNewValue=0x7fff8365bb40) at sw/inc/calbck.hxx:199
#21 0x00007fff52236818 in SwModify::NotifyClients (this=0x6130001cf380,
pOldValue=0x7fff8365bb00, pNewValue=0x7fff8365bb40) at
sw/source/core/attr/calbck.cxx:201
#22 0x00007fff5227d9fb in SwFormat::Modify (this=0x6130001cf380,
pOldValue=0x7fff8365bb00, pNewValue=0x7fff8365bb40) at
sw/source/core/attr/format.cxx:322
#23 0x00007fff54b6ceb2 in SwFrameFormat::Modify (this=0x6130001cf380,
pOld=0x7fff8365bb00, pNew=0x7fff8365bb40) at
sw/source/core/layout/atrfrm.cxx:2581
#24 0x00007fff52244154 in SwClient::ModifyNotification (this=0x6130001cf380,
pOldValue=0x7fff8365bb00, pNewValue=0x7fff8365bb40) at sw/inc/calbck.hxx:154
#25 0x00007fff52289492 in SwFormat::SetFormatAttr (this=0x6130001cf380, 
    rSet=SfxItemSet of pool 0x603001241f80 with parent 0x0 and Which ranges:
[(88, 130), (151, 151), (1014, 1033)] = {...}) at
sw/source/core/attr/format.cxx:643
#26 0x00007fff52e04653 in lcl_SetFlyFrameAttr (rDoc=..., pSetFlyFrameAnchor=
    (sal_Int8 (SwDoc::*)(SwDoc * const, SwFrameFormat &, SfxItemSet &, bool))
0x7fff52df8f40 <SwDoc::SetFlyFrameAnchor(SwFrameFormat&, SfxItemSet&, bool)>,
rFlyFormat=..., 
    rSet=SfxItemSet of pool 0x603001241f80 with parent 0x0 and Which ranges:
[(102, 103)] = {...}) at sw/source/core/doc/docfly.cxx:476
#27 0x00007fff52e027f8 in SwDoc::SetFlyFrameAttr (this=0x61900016ee80,
rFlyFormat=..., rSet=SfxItemSet of pool 0x603001241f80 with parent 0x0 and
Which ranges: [(102, 103)] = {...})
    at sw/source/core/doc/docfly.cxx:554
#28 0x00007fff54154b92 in SwDrawContact::Changed_ (this=0x6130001cf700,
rObj=..., eType=SdrUserCallType::Resize, pOldBoundRect=0x7fff833415a0) at
sw/source/core/draw/dcontact.cxx:1286
#29 0x00007fff5414eb9e in SwDrawContact::Changed (this=0x6130001cf700,
rObj=..., eType=SdrUserCallType::Resize, rOldBoundRect=...) at
sw/source/core/draw/dcontact.cxx:987
#30 0x00007fffd3fe2cd5 in SdrObject::SendUserCall (this=0x615000644900,
eUserCall=SdrUserCallType::Resize, rBoundRect=...) at
svx/source/svdraw/svdobj.cxx:2654
#31 0x00007fffd400564f in SdrObject::Resize (this=0x615000644900, rRef=Point =
{...}, xFact=..., yFact=..., bUnsetRelative=false) at
svx/source/svdraw/svdobj.cxx:1497
#32 0x00007fff54ae93de in SwAnchoredDrawObject::GetObjBoundRect
(this=0x6130001cf730) at sw/source/core/layout/anchoreddrawobject.cxx:663
#33 0x00007fff54aff458 in SwAnchoredObject::GetObjRectWithSpaces
(this=0x6130001cf730) at sw/source/core/layout/anchoredobject.cxx:573
#34 0x00007fff55e0f961 in SwTextFly::InitAnchoredObjList (this=0x7fff8360a620)
at sw/source/core/text/txtfly.cxx:892
#35 0x00007fff55e22599 in SwTextFly::GetAnchoredObjList (this=0x7fff8360a620)
at sw/source/core/inc/txtfly.hxx:305
#36 0x00007fff55dfd177 in SwTextFly::ForEach (this=0x7fff8360a620, rRect=SwRect
= {...}, pRect=0x7fff8360a6d0, bAvoid=true) at
sw/source/core/text/txtfly.cxx:1015
#37 0x00007fff55dfc4cb in SwTextFly::GetFrame_ (this=0x7fff8360a620,
rRect=SwRect = {...}) at sw/source/core/text/txtfly.cxx:379
#38 0x00007fff559ede27 in SwTextFly::GetFrame (this=0x7fff8360a620,
rRect=SwRect = {...}) at sw/source/core/inc/txtfly.hxx:358
#39 0x00007fff559e571a in SwTextAdjuster::CalcFlyPortion (this=0x7fff8383f280,
nRealWidth=9383, rCurrRect=SwRect = {...}) at
sw/source/core/text/itradj.cxx:703
#40 0x00007fff559db798 in SwTextAdjuster::CalcRightMargin (this=0x7fff8383f280,
pCurrent=0x61800003b080, nReal=0) at sw/source/core/text/itradj.cxx:550

The invariant is that the layout calculation only reads the doc model, does not
mutate it, so the above pLast usage is safe. But then this is violated in
SwAnchoredDrawObject::GetObjBoundRect(), which calls a Resize(). I think that's
the root cause. But it's not trivial to decide how to fix that: if we call
NbcResize() to avoid the broadcast, it's not clear what would break. If we do
broadcast, then the caller code is clearly not prepared for that. This root
problem was introduced in core.git commit
d4474dd0411d7de29ce42e181c97cbf032bf57ea (sw: implement page-relative size for
drawing objects and import them from docx, 2012-09-26). I.e. it's not a recent
regression, rather an implementation error in the "shapes with relative sizes"
feature.

Adjusting keywords accordingly.

(Debug builds typically don't crash, but optimized builds do, and it reliably
happens in sanitizer builds.)

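As an added illustration, not code from this bug report or from LibreOffice: a minimal C++ model of the pattern the comment describes, using hypothetical names (`Line`, `Portion`, `CalcFlyPortion`, `CalcRightMarginUnsafe`, `CalcRightMarginSafe`). A caller caches a raw pointer to the last portion, calls a helper that is supposed to be read-only on the layout but can rebuild the portion list through a notification, and then keeps using the cached pointer. The unsafe variant detects the invalidation with a generation counter rather than dereferencing freed memory; the hardened variant simply re-fetches the pointer after the call that may mutate the list.

```cpp
#include <cassert>
#include <iostream>
#include <memory>
#include <vector>

// Hypothetical types, not LibreOffice's: a Line owns its Portions by unique_ptr,
// the way SwLineLayout owns its SwLinePortion chain in the backtrace above.
struct Portion {
    int nWidth;
};

struct Line {
    std::vector<std::unique_ptr<Portion>> aPortions;
    unsigned nGeneration = 0;  // incremented every time the portion list is rebuilt

    Portion* Last() { return aPortions.empty() ? nullptr : aPortions.back().get(); }

    // Models SwTextFrame::Init() -> ClearPara(): destroys every portion and starts
    // over, which invalidates every raw Portion* anyone still holds.
    void Rebuild() {
        aPortions.clear();
        aPortions.push_back(std::make_unique<Portion>(Portion{0}));
        ++nGeneration;
    }
};

// Models CalcFlyPortion(): meant to only read the layout, but the notification
// chain in the backtrace can re-initialise the frame. bBroadcast simulates that
// path (a constructed switch, not a real parameter). Returns the fly width.
int CalcFlyPortion(Line& rLine, bool bBroadcast) {
    if (bBroadcast)
        rLine.Rebuild();  // any pLast cached by the caller now dangles
    return 100;
}

// The pattern from the comment: cache pLast, call CalcFlyPortion(), keep using
// pLast. Dereferencing a freed portion is undefined behaviour, so instead of
// doing that this variant detects the invalidation via the generation counter
// and returns -1 where the real code would have read freed memory.
int CalcRightMarginUnsafe(Line& rLine, bool bBroadcast) {
    Portion* pLast = rLine.Last();
    unsigned nBefore = rLine.nGeneration;
    int nFly = CalcFlyPortion(rLine, bBroadcast);
    if (rLine.nGeneration != nBefore)
        return -1;  // would have been a use-after-free on pLast
    pLast->nWidth += nFly;
    return pLast->nWidth;
}

// Hardened variant: never hold a raw pointer across a call that may mutate the
// portion list; re-acquire it afterwards.
int CalcRightMarginSafe(Line& rLine, bool bBroadcast) {
    int nFly = CalcFlyPortion(rLine, bBroadcast);
    Portion* pLast = rLine.Last();  // re-fetched after the mutation point
    if (!pLast)
        return 0;
    pLast->nWidth += nFly;
    return pLast->nWidth;
}

// Constructed sample line with two portions of width 40 and 60.
Line MakeLine() {
    Line aLine;
    aLine.aPortions.push_back(std::make_unique<Portion>(Portion{40}));
    aLine.aPortions.push_back(std::make_unique<Portion>(Portion{60}));
    return aLine;
}

// Helpers so each scenario can be exercised as a single call.
int RunUnsafe(bool bBroadcast) { Line a = MakeLine(); return CalcRightMarginUnsafe(a, bBroadcast); }
int RunSafe(bool bBroadcast)   { Line a = MakeLine(); return CalcRightMarginSafe(a, bBroadcast); }

int main() {
    std::cout << "unsafe, no broadcast: " << RunUnsafe(false) << "\n";  // 160
    std::cout << "unsafe, broadcast:    " << RunUnsafe(true)  << "\n";  // -1 (dangling)
    std::cout << "safe, no broadcast:   " << RunSafe(false)   << "\n";  // 160
    std::cout << "safe, broadcast:      " << RunSafe(true)    << "\n";  // 100
    return 0;
}
```

The generation counter is only a diagnostic stand-in for what AddressSanitizer reports in the real crash; the actual fix direction the comment discusses is either to stop the mutation (NbcResize() instead of Resize()) or to make the caller tolerate it, which is what the re-fetch in `CalcRightMarginSafe` models.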