https://bugs.freedesktop.org/show_bug.cgi?id=57780
Michael Stahl <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED Assignee|[email protected] |[email protected] |desktop.org | Summary|CRASH when FILEOPEN |CRASH when FILEOPEN |particular .doc |particular .doc with | |drawing object (AT_CHAR) in | |paragraph in table cell | |that is split across pages Component|Libreoffice |Writer --- Comment #13 from Michael Stahl <[email protected]> --- ...so with 30 lines of debug printfs, a gdb python script to try to track down when a layout frame moves to another page that didn't actually work becuase Intel cpus have only 4 watchpoints, and a bit of luck i've finally tracked down the subtly wrong conditional that causes the crash. 1. the SwAnchoredObject is anchored AT_CHARACTER and is initially inserted on a page. Old value = (void *) 0x0 New value = (void *) 0x4d27c30 SwFrm::InsertBehind (this=0x4d29160, pParent=0x4d27c30, pBefore=0x4d32e00) at wsfrm.cxx:613 LayoutTrackPage.handler: ((SwTxtFrm *) 0x4d814f0)->pUpper->pUpper->pUpper->pUpper ### PageFrm changed: old 0x0 new: 0x4d27b10 #0 SwFrm::InsertBehind (this=0x4d29160, pParent=0x4d27c30, pBefore=0x4d32e00) at wsfrm.cxx:613 #1 0x00007fffcff3a125 in SwLayHelper::CheckInsert (this=0x48f75a0, nNodeIndex=678) at laycache.cxx:797 #2 0x00007fffcff14173 in _InsertCnt (pLay=0x4d27c30, pDoc=0x455e960, nIndex=677, bPages=1 '\001', nEndIndex=0, pPrv=0x4d32e00) 2. the anchor paragraph is moved to different pages as the table is moved or split, but the mpPageFrm in the SwAnchoredObject is not updated. 3. then the page at which the SwAnchoredObject is registered is deleted, setting the mpPageFrm to 0: debug: **** SwPageFrm dtor 0x4a886a0 debug: *** SwAnchoredObject SetPageFrm 0x4a886a0 old: 0x4de9120 new: 0 af: 0x4d814f0 4. then the table is split, which is first attempted with splitting the last row; this fails and the split attempt is undone, including restoring of all drawing objects to their previous page; here the crash happens because of the 0 SwPageFrm mpPageFrm pointer: debug: lcl_RemoveObjsFromPage pObj ISA SwAnchoredDrawObject 0x4a886a0 debug: pObj->PageFrm 0 AnchorPageFrm 0xca4e140 AnchorFrm 0x4d814f0 id 1547 Program received signal SIGSEGV, Segmentation fault. in SwPageFrm::RemoveDrawObjFromPage (this=0x0, _rToRemoveObj=...) at flylay.cxx:903 what is missing is that the drawing object needs to be updated via its SetPageFrm method whenever it moves around. probably getting the "right" document content to crash in this way is somewhat rare... -- You are receiving this mail because: You are the assignee for the bug.
_______________________________________________ Libreoffice-bugs mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs
