Apache OpenOffice (AOO) Bugzilla – Issue 20282
Drag drop in the formula text area crashes OOo
Last modified: 2013-08-07 15:13:02 UTC
If you type Word1 Word2 in the formula text area in Calc, then you make a drag and drop (to invert Word1 and Word2), it takes all the system's memory and then crashes OOo. Tested on XP Home (French) with OOo 11RC5 (French). Already made it with previous versions. Fred
Created attachment 9762 [details] Example image
Same for me Win2k RC5
More info: on Win2k, if reproducing Fred's example --> crash; if taking intermediate letters and not putting them at the beginning, after 5 to 6 manipulations --> freezes and eats the memory (used memory grows, grows ...). Laurent
I can confirm on fresh install of 1.1RC5 german on Win XP pro. Setting Prio2 (crash in basic functionality)
confirming on linux, setting OS to all, setting target-milestone to OOo 1.1 (change to later target if appropriate)
The same thing happens in 1.1 RC4 on Windows 2000, so it isn't a recent regression (if it's a regression at all).
Confirmed on OS X. All backtraces (taken with gdb at various periods after doing the drop) have up to ImplEditEngine::CreateLines() in common, frames below that differ.

#0 0x90004da0 in szone_malloc ()
#1 0x900049a4 in malloc_zone_malloc ()
#2 0x00518788 in operator new(unsigned long) ()
#3 0x003b829c in Font::MakeUnique() ()
#4 0x003b87c8 in Font::SetCJKContextLanguage(unsigned short) ()
#5 0x0459ba14 in ImpEditEngine::SeekCursor(ContentNode*, unsigned short, SvxFont&, OutputDevice*, unsigned short) ()
#6 0x04598768 in ImpEditEngine::CreateLines(unsigned short, unsigned long) ()
#7 0x04596814 in ImpEditEngine::FormatDoc() ()
#8 0x0459e6ec in ImpEditEngine::FormatAndUpdate(EditView*) ()
#9 0x04588a10 in ImpEditView::dragDropEnd(com::sun::star::datatransfer::dnd::DragSourceDropEvent const&) ()
#10 0x026a32c4 in x11::SelectionManager::dropComplete(unsigned char, unsigned long, unsigned long) ()
#11 0x0049a6e4 in DNDListenerContainer::dropComplete(unsigned char) ()
#12 0x04588e60 in ImpEditView::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent const&) ()
#13 0x00498730 in DNDListenerContainer::fireDropEvent(com::sun::star::uno::Reference<com::sun::star::datatransfer::dnd::XDropTargetDropContext> const&, signed char, long, long, signed char, com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable> const&) ()
#14 0x00497af0 in DNDEventDispatcher::fireDropEvent(Window*, com::sun::star::uno::Reference<com::sun::star::datatransfer::dnd::XDropTargetDropContext> const&, signed char, Point const&, signed char, com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable> const&) ()
#15 0x0049672c in DNDEventDispatcher::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent const&) ()
#16 0x026a9ca0 in x11::DropTarget::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent const&) ()
#17 0x026a4bd0 in x11::SelectionManager::handleDragEvent(_XEvent&) ()
#18 0x026a7b64 in x11::SelectionManager::handleXEvent(_XEvent&) ()
#19 0x026a7c34 in x11::SelectionManager::dispatchEvent(int) ()
#20 0x026a7cc8 in x11::SelectionManager::run(void*) ()
#21 0x011fba08 in osl_thread_start_Impl ()
#22 0x90020c88 in _pthread_body ()
----------------------
#0 0x00792e04 in dyld_stub_osl_incrementInterlockedCount ()
#1 0x00728584 in String::String(String const&) ()
#2 0x003b8158 in Impl_Font::Impl_Font(Impl_Font const&) ()
#3 0x003b82a8 in Font::MakeUnique() ()
#4 0x003b87c8 in Font::SetCJKContextLanguage(unsigned short) ()
#5 0x0459ba14 in ImpEditEngine::SeekCursor(ContentNode*, unsigned short, SvxFont&, OutputDevice*, unsigned short) ()
#6 0x04598768 in ImpEditEngine::CreateLines(unsigned short, unsigned long) ()
#7 0x04596814 in ImpEditEngine::FormatDoc() ()
#8 0x0459e6ec in ImpEditEngine::FormatAndUpdate(EditView*) ()
#9 0x04588a10 in ImpEditView::dragDropEnd(com::sun::star::datatransfer::dnd::DragSourceDropEvent const&) ()
#10 0x026a32c4 in x11::SelectionManager::dropComplete(unsigned char, unsigned long, unsigned long) ()
#11 0x0049a6e4 in DNDListenerContainer::dropComplete(unsigned char) ()
#12 0x04588e60 in ImpEditView::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent const&) ()
#13 0x00498730 in DNDListenerContainer::fireDropEvent(com::sun::star::uno::Reference<com::sun::star::datatransfer::dnd::XDropTargetDropContext> const&, signed char, long, long, signed char, com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable> const&) ()
#14 0x00497af0 in DNDEventDispatcher::fireDropEvent(Window*, com::sun::star::uno::Reference<com::sun::star::datatransfer::dnd::XDropTargetDropContext> const&, signed char, Point const&, signed char, com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable> const&) ()
#15 0x0049672c in DNDEventDispatcher::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent const&) ()
#16 0x026a9ca0 in x11::DropTarget::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent const&) ()
#17 0x026a4bd0 in x11::SelectionManager::handleDragEvent(_XEvent&) ()
#18 0x026a7b64 in x11::SelectionManager::handleXEvent(_XEvent&) ()
#19 0x026a7c34 in x11::SelectionManager::dispatchEvent(int) ()
#20 0x026a7cc8 in x11::SelectionManager::run(void*) ()
#21 0x011fba08 in osl_thread_start_Impl ()
#22 0x90020c88 in _pthread_body ()
----------------------
#0 0x003f493c in ImplFontCache::Get(ImplDevFontList*, Font const&, Size const&, ImplFontSubstEntry*) ()
#1 0x003f6a4c in OutputDevice::ImplNewFont() ()
#2 0x003fc02c in OutputDevice::GetTextHeight() const ()
#3 0x04539ee4 in SvxFont::GetPhysTxtSize(OutputDevice const*, String const&) ()
#4 0x04598794 in ImpEditEngine::CreateLines(unsigned short, unsigned long) ()
#5 0x04596814 in ImpEditEngine::FormatDoc() ()
#6 0x0459e6ec in ImpEditEngine::FormatAndUpdate(EditView*) ()
#7 0x04588a10 in ImpEditView::dragDropEnd(com::sun::star::datatransfer::dnd::DragSourceDropEvent const&) ()
#8 0x026a32c4 in x11::SelectionManager::dropComplete(unsigned char, unsigned long, unsigned long) ()
#9 0x0049a6e4 in DNDListenerContainer::dropComplete(unsigned char) ()
#10 0x04588e60 in ImpEditView::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent const&) ()
#11 0x00498730 in DNDListenerContainer::fireDropEvent(com::sun::star::uno::Reference<com::sun::star::datatransfer::dnd::XDropTargetDropContext> const&, signed char, long, long, signed char, com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable> const&) ()
#12 0x00497af0 in DNDEventDispatcher::fireDropEvent(Window*, com::sun::star::uno::Reference<com::sun::star::datatransfer::dnd::XDropTargetDropContext> const&, signed char, Point const&, signed char, com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable> const&) ()
#13 0x0049672c in DNDEventDispatcher::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent const&) ()
#14 0x026a9ca0 in x11::DropTarget::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent const&) ()
#15 0x026a4bd0 in x11::SelectionManager::handleDragEvent(_XEvent&) ()
#16 0x026a7b64 in x11::SelectionManager::handleXEvent(_XEvent&) ()
#17 0x026a7c34 in x11::SelectionManager::dispatchEvent(int) ()
#18 0x026a7cc8 in x11::SelectionManager::run(void*) ()
#19 0x011fba08 in osl_thread_start_Impl ()
#20 0x90020c88 in _pthread_body ()
Unless this is not a regression in rc3 - rc5, I would like to propose this for 1.1.1.
I tried this with rc5_ja on Windows98SE and Redhat9. This made the systems very slow, almost freezing. It took time for soffice to crash. As I couldn't wait for soffice to crash on Redhat9, I switched off the system, so I don't know whether ErrorReport would come up when soffice crashes. On Windows98SE, I monitored CPU usage and resources during the test. 1) kept CPU usage at 100% 2) didn't affect system resources, user resources or GDI resources 3) ate up hard disk space. And when soffice crashed, something like an "invalid use of soffice" message appeared but ErrorReport didn't come up.
Hi Niklas, yours or Malte's? Error report sent.
Error Report ID is: rz68n8 Frank
I can duplicate on win2k and nt4 going back at least as far as 1.1Beta2. Probably the cause of more than a few misc crashes. Would be nice to see an RC6 but it looks like 1.1.0 might already be out the door?
This loops at line 773 in svx/source/editeng/impedit3.cxx:

    while ( ( nIndex < pNode->Len() ) || bForceOneRun )

I will attach my rough diff which can be used to watch the looping thus:

    start while: nIndex = 2 pNode->Len()=3
    start while: nIndex = 0 pNode->Len()=3
    if nIndex==0
    start while: nIndex = 0 pNode->Len()=3
    if nIndex==0
    start while: nIndex = 0 pNode->Len()=3
    if nIndex==0
    start while: nIndex = 0

I just build svx and copy the new libsvxls.so into my installed OpenOffice/program.
Created attachment 9833 [details] to see looping i used this diff to make new libsvx645ls.so
This is only a clue, it will allow that drag and drop to be done safely, but it can sometimes make a real crash too. In impedit3.cxx at line 825:

- sal_uInt16 nTmpPortion = pLine->GetStartPortion();
+ sal_uInt16 nTmpPortion = 0;

This is based on the observation that the bad cases will never enter the "while" statement at line 909 because nTmpPortion == Count().
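Review bot: Replacing pLine->GetStartPortion() with a constant 0 at line 825 discards the start portion for every line, not only the bad cases, so it alters the good path too, and by the comment's own account it still crashes sometimes. The observation that nTmpPortion == Count() in the bad cases, so the while at line 909 is never entered, names the violated invariant; an explicit check before that loop (bail out or assert when nTmpPortion >= Count()) would surface the broken state instead of masking it, and the cause of the state still needs a separate fix.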
FormatDoc is called for the input line's edit engine from its own modified-handler. This is bad and must be changed, then everything should be fine.
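The diagnosis above (FormatDoc re-entered from the input line's own modified-handler, so the CreateLines loop restarts at nIndex = 0 and never terminates) modelled as an added C++ example. This is not OpenOffice code; EditEngine, ContentNode, Outcome and the handler functions are hypothetical simplifications, and the iteration budget is a watchdog added so the defective variant terminates instead of exhausting memory. It shows the livelock, a re-entrancy guard inside the engine, and the calc19-style fix of a handler that only records the change.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <string>
#include <utility>

// Hypothetical content node: one paragraph of text.
struct ContentNode {
    std::string text;
    std::size_t Len() const { return text.size(); }
};

struct Outcome {
    std::size_t iterations;   // loop iterations CreateLines() performed
    bool livelock;            // true if the watchdog budget cut the loop off
};

// Simplified edit engine. The layout index is engine state, mirroring the
// trace in this issue where the loop keeps restarting at nIndex = 0.
class EditEngine {
public:
    EditEngine(ContentNode node, std::size_t budget)
        : node_(std::move(node)), budget_(budget) {}

    void SetModifiedHandler(std::function<void(EditEngine&)> h) { onModified_ = std::move(h); }
    void EnableReentrancyGuard(bool on) { guard_ = on; }

    Outcome FormatDoc() {
        if (formatting_) {
            // Re-entered from a listener while CreateLines() is still running.
            if (!guard_) nIndex_ = 0;   // unguarded: restart layout (the defect)
            return {0, false};          // guarded: ignore the nested request
        }
        formatting_ = true;
        nIndex_ = 0;
        iterations_ = 0;
        livelock_ = false;
        CreateLines();
        formatting_ = false;
        return {iterations_, livelock_};
    }

private:
    void CreateLines() {
        while (nIndex_ < node_.Len()) {
            if (iterations_ == budget_) { livelock_ = true; return; }  // watchdog (added)
            ++iterations_;
            ++nIndex_;                                 // lay out one more character
            if (onModified_) onModified_(*this);       // notify modified listeners
        }
    }

    ContentNode node_;
    std::size_t budget_;
    std::function<void(EditEngine&)> onModified_;
    bool guard_ = false;
    bool formatting_ = false;
    std::size_t nIndex_ = 0;
    std::size_t iterations_ = 0;
    bool livelock_ = false;
};

// Defective handler: reformats the very engine that just notified it.
void ReformatOnModified(EditEngine& e) { e.FormatDoc(); }

// Text from the report, as constructed sample input.
static const char* const kSample = "Word1 Word2";   // Len() == 11

Outcome RunBuggyHandler() {
    EditEngine e(ContentNode{kSample}, 1000);
    e.SetModifiedHandler(ReformatOnModified);
    return e.FormatDoc();                       // {1000, true}: loop never finishes
}

Outcome RunWithReentrancyGuard() {
    EditEngine e(ContentNode{kSample}, 1000);
    e.SetModifiedHandler(ReformatOnModified);
    e.EnableReentrancyGuard(true);
    return e.FormatDoc();                       // {11, false}
}

struct DeferredResult { Outcome outcome; std::size_t pendingRefreshes; };

// calc19-style fix: the handler records that a refresh is needed and
// performs no formatting of its own.
DeferredResult RunDeferredHandler() {
    EditEngine e(ContentNode{kSample}, 1000);
    std::size_t pending = 0;
    e.SetModifiedHandler([&pending](EditEngine&) { ++pending; });
    Outcome o = e.FormatDoc();                  // {11, false}, pending == 11
    return {o, pending};
}

int main() {
    Outcome b = RunBuggyHandler();
    Outcome g = RunWithReentrancyGuard();
    DeferredResult d = RunDeferredHandler();
    std::printf("buggy: %zu iterations, livelock=%d\n", b.iterations, b.livelock);
    std::printf("guarded: %zu iterations, livelock=%d\n", g.iterations, g.livelock);
    std::printf("deferred: %zu iterations, %zu pending refreshes\n",
                d.outcome.iterations, d.pendingRefreshes);
    return 0;
}
```

The guard and the deferred handler are two different fixes for the same class of bug: the guard protects the engine from any listener that re-enters it, while the deferred handler removes the re-entrant call at its source, which is the change the issue describes being made in the Calc input handler.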
Fixed in CWS calc19. Changed files: inputhdl.cxx 1.48.116.1 inputhdl.hxx 1.10.266.1 inputwin.cxx 1.33.112.1
Reassigning to QA for verification.
Reset to fixed for changing state to verified
Found fixed on CWS Calc19 for Solaris, Windows and Linux
FST: As requested by TZ and AK back to you
It's already in a right childworkspace, so nothing to do for dev.
restoring fixed state
closing as I've found it integrated in internal build 645m21-3 on Linux, Solaris and Windows
found integrated in srx645m25s1-1 using Solaris, Linux and Windows
*** Issue 25839 has been marked as a duplicate of this issue. ***
*** Issue 26568 has been marked as a duplicate of this issue. ***