Apache OpenOffice (AOO) Bugzilla – Issue 5000
SfxPoolItem 16bit reference count overflows
Last modified: 2013-08-07 14:43:23 UTC
Writer seems to be in a memory seeking loop opening a large Word document. After several minutes the programs invariably aborts with an error message. The system log shows exception c0000005 (at different addresses) [rtl_allocateMemory]. Other Word documents load just fine. I can provide the document triggering the error, if needed.
Created attachment 1685: zipped doc file causing the error - content masked for confidentiality
Issue 5000 does not show as assigned. Trying to reassign. (hey, it's my first..)
Thanks for posting Mario. Duplicated on Win NT 4.0, OO 1.0. OO 1.0 will start to load the file but eventually crashes with an "Unrecoverable error" dialog box.
Reassigned to Michael.
Problem still exists in OOo 643c.
The document contains loads of tables. On import at approx. 75% you get the assertions "AddRef: Referenzzaehler ueberschlaegt sich" and "AddRed mit nicht-Pool-item". The stack for this is below. After tons of these two assertions it crashes with a similar stack. Is it really the filter or more an issue for MBA?

Stack:
SVL644MI! SfxPoolItem::AddRef(unsigned short) + 283 bytes
SVL644MI! SfxItemPool::Put(class SfxPoolItem const &,unsigned short) + 2324 bytes
SVL644MI! SfxItemSet::Put(class SfxPoolItem const &,unsigned short) + 1459 bytes
SVL644MI! SfxItemSet::Put(class SfxItemSet const &,unsigned char) + 330 bytes
SW644MI! SwCntntNode::SetAttr(class SfxItemSet const &) + 286 bytes
SW644MI! InsAttr(class SwDoc *,class SwPaM const &,class SfxItemSet const &,unsigned short,class SwUndoAttr *) + 3892 bytes
SW644MI! SwDoc::Insert(class SwPaM const &,class SfxPoolItem const &,unsigned short) + 271 bytes
SW644MI! SwFltControlStack::SetAttrInDoc(struct SwPosition const &,class SwFltStackEntry *) + 2004 bytes
SW644MI! SwWW8FltControlStack::SetAttrInDoc(struct SwPosition const &,class SwFltStackEntry *) + 126 bytes
SW644MI! SwFltControlStack::NewAttr(struct SwPosition const &,class SfxPoolItem const &) + 123 bytes
SW644MI! SwWW8FltControlStack::NewAttr(struct SwPosition const &,class SfxPoolItem const &) + 160 bytes
SW644MI! SwWW8ImplReader::NewAttr(class SfxPoolItem const &) + 279 bytes
SW644MI! SwWW8ImplReader::Read_Justify(unsigned short,unsigned char const *,short) + 81 bytes
SW644MI! SwWW8ImplReader::ImportSprm(unsigned char const *,unsigned short) + 104 bytes
SW644MI! SwWW8ImplReader::ReadTextAttr(long &,bool &) + 435 bytes
SW644MI! SwWW8ImplReader::ReadAttrs(long &,long &,bool &) + 35 bytes
SW644MI! SwWW8ImplReader::ReadText(long,long,short) + 427 bytes
cmc->mba: It's not the filter's fault as far as I can see; it's a big document with huge amounts of the same hard-coded up/down spacing on every paragraph as well as vast uses of the same non-style left/right align property on the contents of each cell. I believe that it is simply that we are overflowing the reference count for a pool item, which is a 16-bit value, while I count approx. 90,000+ instances of some of the properties. If I disable the import of the overused properties then it imports fine.
#105756# records another instance of this problem
We can blow up the refcount of SfxPoolItem to 32 bits. For file format compatibility we store only 16 bits in our binary format. Before we save, we check the ItemPool for RefCount overflow and deny saving if we detect one. If the application does not use the refcounts at all, we can avoid that. This must be checked by all modules that store an ItemPool. Necessary changes: rename nRef and the method GetRef() in class SfxPoolItem, recompile all modules above SVTOOLS. This will discover all usage of the RefCount. All "special RefCounts" will be redefined.
I fixed the RefCount problem, but I'm not able to detect if the import is done properly. I recommend checking this immediately once the RefCount fix that fixes the crash is available. The RefCount fix will be available on all builds >=644.
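The two comments above describe the defect (a 16-bit reference count that wraps once ~90,000 paragraphs share one pool item) and the fix (a 32-bit in-memory counter, a 16-bit on-disk field, and a pre-save check that refuses to write a pool containing an overflowed count). The following is an added, self-contained C++ illustration of that design, not code from OpenOffice; PoolItem, ItemPool, legacyCount16 and buildPool are hypothetical stand-ins for SfxPoolItem and SfxItemPool, and the 90,000-instance figure is taken from cmc's comment.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for SfxPoolItem after the fix: the in-memory
// reference count is 32 bits wide, while the binary file format still
// only has room for 16 bits (assumption modelled on the comment above).
class PoolItem {
public:
    static constexpr std::uint32_t kFileFormatMax = 0xFFFFu;

    // Add n references; refuse to wrap the in-memory counter rather than
    // silently corrupting it.
    void AddRef(std::uint32_t n = 1) {
        if (n > std::numeric_limits<std::uint32_t>::max() - nRef_) {
            throw std::overflow_error("PoolItem::AddRef: reference count would wrap");
        }
        nRef_ += n;
    }

    // Drop n references; refuse to go below zero (a negative count would
    // look like an enormous positive one).
    void ReleaseRef(std::uint32_t n = 1) {
        if (n > nRef_) {
            throw std::underflow_error("PoolItem::ReleaseRef: more releases than references");
        }
        nRef_ -= n;
    }

    std::uint32_t GetRefCount() const { return nRef_; }

    // True if the count can be stored losslessly in the 16-bit file field.
    bool FitsFileFormat() const { return nRef_ <= kFileFormatMax; }

private:
    std::uint32_t nRef_ = 0;
};

// Pre-fix behaviour: the same count squeezed into a 16-bit field wraps
// silently. 90,000 becomes 24,464, and 65,536 becomes 0, which makes a
// heavily shared item look unreferenced and eligible for deletion.
std::uint16_t legacyCount16(std::uint32_t refs) {
    return static_cast<std::uint16_t>(refs);
}

// Hypothetical stand-in for SfxItemPool with the pre-save overflow check.
class ItemPool {
public:
    explicit ItemPool(std::size_t nItems) : items_(nItems) {}

    PoolItem& At(std::size_t idx) { return items_.at(idx); }

    // Indices of items whose count no longer fits the 16-bit file field.
    std::vector<std::size_t> OverflowingItems() const {
        std::vector<std::size_t> out;
        for (std::size_t i = 0; i < items_.size(); ++i) {
            if (!items_[i].FitsFileFormat()) out.push_back(i);
        }
        return out;
    }

    // The check the fix performs before writing the pool: deny saving if any
    // item's count would be truncated on disk.
    bool CanSave() const { return OverflowingItems().empty(); }

private:
    std::vector<PoolItem> items_;
};

// Model the reported document: every paragraph references the same
// up/down-spacing item (index 0), every cell the same alignment item
// (index 1), and a third item is only lightly used.
ItemPool buildPool(std::uint32_t paragraphs, std::uint32_t cells) {
    ItemPool pool(3);
    pool.At(0).AddRef(paragraphs);
    pool.At(1).AddRef(cells);
    pool.At(2).AddRef(12);
    return pool;
}
```

With 90,000 paragraphs the pool loads without crashing (the 32-bit counter holds the value), but CanSave() returns false and OverflowingItems() names the two over-shared items, which is exactly the point at which the fix denies the save instead of writing a truncated count.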
Fixed in CWS CD5.
*** Issue 3103 has been marked as a duplicate of this issue. ***
We now get many assertions in nonpro builds, this is fixed by CMC (#106844#).
Reopened for QA
@mru: please test this in CWS CD5.
Crash is fixed in internal workspace.
Fix will be public in OpenOffice 1.1 Beta.
Check fix with internal milestone.