https://bugs.documentfoundation.org/show_bug.cgi?id=172205
Bug ID: 172205
Summary: Writer hangs in SwNumRule::MakeNumString while opening certain documents
Product: LibreOffice
Version: 26.2.3.2 release
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: Writer
Assignee: [email protected]
Reporter: [email protected]
Description:
I suspect this might be a regression introduced by the fix to bug 166975.
Sample backtrace (the exact backtrace depends on various things, but they all
hang in SwNumRule::MakeNumString):
#0 0x0000ffff870a0520 in rtl_ustr_indexOfChar_WithLength (pStr=0xaaab3858c4b0
u".", nLen=<optimized out>, c=<optimized out>) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sal/rtl/ustring.cxx:973
#1 0x0000ffff25310530 [PAC] in rtl::OUString::indexOf (this=0xffffdf2272c0,
ch=37 u'%', fromIndex=4) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/include/rtl/ustring.hxx:2331
#2 SwNumRule::MakeNumString (this=this@entry=0xaaab38c21e20,
rNumVector=std::vector of length 3, capacity 4 = {...},
bInclStrings=bInclStrings@entry=true,
_nRestrictToThisLevel=_nRestrictToThisLevel@entry=10,
bHideNonNumerical=bHideNonNumerical@entry=false,
pExtremities=pExtremities@entry=0x0, nLang=...,
nLang@entry=...) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/doc/number.cxx:825
#3 0x0000ffff25313aa8 [PAC] in SwNumRule::MakeNumString (this=0xaaab38c21e20,
rNum=..., bInclStrings=<optimized out>) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/doc/number.cxx:679
#4 0x0000ffff25661d4c [PAC] in SwTextNode::HasVisibleNumberingOrBullet
(this=0xaaab38d464c0) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/txtnode/ndtxt.cxx:4471
#5 SwTextNode::HasVisibleNumberingOrBullet (this=this@entry=0xaaab38d464c0) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/txtnode/ndtxt.cxx:4461
#6 0x0000ffff25661dec [PAC] in SwTextNode::GetListTabStopPosition
(this=0xaaab38d464c0, nListTabStopPosition=@0xffffdf228328: 0) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/txtnode/ndtxt.cxx:4896
#7 0x0000ffff255ab248 [PAC] in SwLineInfo::InitLineInfo (this=0xffffdf2282d0,
rTextNodeForLineProps=...) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/text/inftxt.cxx:123
#8 0x0000ffff255d1fcc [PAC] in SwLineInfo::CtorInitLineInfo
(this=0xffffdf2282d0, rAttrSet=..., rTextNodeForLineProps=<optimized out>) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/text/inftxt.cxx:164
#9 SwTextIter::CtorInitTextIter (this=0xffffdf2278b0, pNewFrame=<optimized
out>, pNewInf=<optimized out>) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/text/itrtxt.cxx:56
#10 0x0000ffff255bd934 [PAC] in SwTextMargin::CtorInitTextMargin
(this=this@entry=0xffffdf2278b0, pNewFrame=<optimized out>,
pNewInf=pNewInf@entry=0xffffdf227670) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/text/itrcrsr.cxx:158
#11 0x0000ffff255be18c [PAC] in SwTextCursor::CtorInitTextCursor
(this=0xffffdf2278b0, pNewFrame=<optimized out>, pNewInf=0xffffdf227670) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/text/itrcrsr.cxx:422
#12 SwTextPainter::CtorInitTextPainter (this=0xffffdf2278b0,
pNewFrame=<optimized out>, pNewInf=0xffffdf227670) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/text/itrpaint.cxx:70
#13 SwTextFormatter::CtorInitTextFormatter (this=0xffffdf2278b0,
pNewFrame=<optimized out>, pNewInf=0xffffdf227670) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/text/itrform2.cxx:97
#14 0x0000ffff25614c38 [PAC] in SwTextFormatter::SwTextFormatter
(this=0xffffdf2278b0, pTextFrame=0xaaab37a20cb0, pTextFormatInf=0xffffdf227670)
at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/text/itrform2.hxx:157
#15 SwTextFrame::CalcAdditionalFirstLineOffset (this=0xaaab37a20cb0) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/text/txtfrm.cxx:3784
#16 0x0000ffff255a1e84 [PAC] in SwTextFrame::Format (this=0xaaab37a20cb0,
pRenderContext=0xaaab38ee21e0) at
/usr/src/debug/libreoffice-26.2.3.2-2.fc44.aarch64/sw/source/core/text/frmform.cxx:2119
The loop on line 779 never exits:
for (sal_Int32 nPosition{0}; nPosition < sLevelFormat.getLength() - 2;)
When the hang happens:
sLevelFormat = "1%1%."
nPosition = 1
nReplaceLevel = 0
nLevel = 2
Stepping through, I get these steps:
779 for (sal_Int32 nPosition{0}; nPosition < sLevelFormat.getLength() - 2;)
781 if (sLevelFormat[nPosition] != '%')
    Test fails since sLevelFormat[1] == '%'
788 if (sLevelFormat[nPosition+1] == '1'
        && sLevelFormat[nPosition+2] == '0'
        && (nPosition+3) < sLevelFormat.getLength()
        && sLevelFormat[nPosition+3] == '%')
    Test fails since sLevelFormat[3] != '0'
796 else if (sLevelFormat[nPosition+2] == '%'
        && '1' <= sLevelFormat[nPosition+1]
        && sLevelFormat[nPosition+1] <= '9')
    Test passes since sLevelFormat[3] == '%' and sLevelFormat[2] is within 1..9
801 nEndPosition = nPosition + 3;
    nEndPosition = 4
808 if (nLevel < nReplaceLevel)
    Test fails since nLevel >= nReplaceLevel
815 SwNumFormat const& rNFormat{Get(nReplaceLevel)};
    At this point rNFormat.nNumType = SVX_NUM_NUMBER_NONE
825 sal_Int32 const nPositionNext{sLevelFormat.indexOf('%', nEndPosition)};
    No % after the end position (which points to '.'), so nPositionNext = -1
826 if (nPositionNext > nPosition)
    Fails
830 continue;
    Loops around
779 for (sal_Int32 nPosition{0}; nPosition < sLevelFormat.getLength() - 2;)
    (infinite loop)
Steps to Reproduce:
1. Open the attached document
Actual Results:
Writer hangs in an infinite loop
Expected Results:
Writer does not hang
Reproducible: Always
User Profile Reset: No
Additional Info:
Version: 26.2.3.2 (AARCH64)
Build ID: 620(Build:2)
CPU threads: 10; OS: Linux 6.19; UI render: default; VCL: kf6 (cairo+wayland)
Locale: en-US (en_US.utf8); UI: en-US
Calc: threaded
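
The non-advancing scan traced in the description, reduced to a stand-alone C++ model. This is an added example, not LibreOffice source and not part of the report. The hiddenLevels mask, the alwaysAdvance switch, the iteration watchdog and every step commented as an assumption are hypothetical, and the nLevel < nReplaceLevel check on line 808 is left out.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Simplified model of the scan in the report; not LibreOffice source.
struct ScanResult { bool terminated; int iterations; };

// hiddenLevels: bit N set means level N has no visible number
// (SVX_NUM_NUMBER_NONE in the report). alwaysAdvance=false follows the
// reported control flow; true is a hypothetical variant for comparison.
ScanResult scanLevelFormat(const std::string& fmt, unsigned hiddenLevels,
                           bool alwaysAdvance, int maxIterations = 1000)
{
    const long len = static_cast<long>(fmt.size());
    int iterations = 0;
    for (long pos = 0; pos < len - 2;)
    {
        if (++iterations > maxIterations)
            return {false, iterations};   // watchdog: the scan stopped advancing
        if (fmt[pos] != '%') { ++pos; continue; }   // assumption: step one char
        long end = -1;
        int level = -1;
        if (fmt[pos + 1] == '1' && fmt[pos + 2] == '0'
            && pos + 3 < len && fmt[pos + 3] == '%')
        { end = pos + 4; level = 9; }               // "%10%" (end is assumed)
        else if (fmt[pos + 2] == '%' && '1' <= fmt[pos + 1] && fmt[pos + 1] <= '9')
        { end = pos + 3; level = fmt[pos + 1] - '1'; }  // "%1%" .. "%9%"
        if (end < 0) { ++pos; continue; }           // stray '%' (assumption)
        if (!(hiddenLevels & (1u << level)))
        { pos = end; continue; }   // assumption: a visible level is substituted
        // Hidden level: look for the next '%' after the placeholder.
        const std::size_t found = fmt.find('%', static_cast<std::size_t>(end));
        const long next = found == std::string::npos ? -1 : static_cast<long>(found);
        if (next > pos)
            pos = next;            // assumption: resume at the next '%'
        else if (alwaysAdvance)
            pos = end;             // hypothetical: step past the placeholder
        // otherwise pos is unchanged and the loop condition stays true
    }
    return {true, iterations};
}

int main()
{
    const ScanResult r = scanLevelFormat("1%1%.", 1u, false);  // values from the report
    std::cout << (r.terminated ? "terminated" : "no forward progress") << '\n';
    return 0;
}
```

In this model the scan only stalls when the last placeholder in the string refers to a hidden level, which matches the state in the report (sLevelFormat = "1%1%.", nReplaceLevel = 0).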