https://bugs.freedesktop.org/show_bug.cgi?id=46896
--- Comment #22 from Michael Meeks <[email protected]> ---
Looks like a clean NULL ptr de-reference logic bug:

#0  0x00007f6f88582740 in SwFrm::GetNext (this=0x0) at /home/julien/compile-libreoffice/libo/sw/source/core/inc/frame.hxx:599
#1  0x00007f6f889b517e in SwSectionFrm::Format (this=0x3e890d0, pAttr=0x4f464b0) at /home/julien/compile-libreoffice/libo/sw/source/core/layout/sectfrm.cxx:1382
#2  0x00007f6f88901927 in SwLayoutFrm::MakeAll (this=0x3e890d0) at /home/julien/compile-libreoffice/libo/sw/source/co

Particularly since we seem to check GetNext() and de-reference
Lower()->Lower() instead next to it:

    // Check the width of the columns and adjust if necessary
    if ( bHasColumns && ! Lower()->GetNext() && bMaximize )
        ((SwColumnFrm*)Lower())->Lower()->Calc();

But that's very old code. The valgrind trace is rather more enlightening I
guess:

Invalid read of size 8
   at 0x23F6A0A4: SwFlowFrm::HasFollow() const (in /home/julien/compile-libreoffice/libo_3_5/solver/unxlngx6/lib/libswlo.so)
   by 0x242A48E1: CalcCntnt(SwLayoutFrm*, bool, bool) (fly.cxx:1787)
   by 0x2432D92C: SwSectionFrm::_CheckClipping(unsigned char, unsigned char) (sectfrm.cxx:1111)
   by 0x2432E6B1: SwSectionFrm::Format(SwBorderAttrs const*) (sectfrm.cxx:1379)
   by 0x242867A6: SwLayoutFrm::MakeAll() (calcmove.cxx:924)
   by 0x2432C530: SwSectionFrm::MakeAll() (sectfrm.cxx:809)
   by 0x24283D20: SwFrm::PrepareMake() (calcmove.cxx:386)
   by 0x23FB8789: SwFrm::Calc() const (frame.hxx:1056)
   by 0x242D1D77: SwLayAction::FormatLayout(SwLayoutFrm*, unsigned char) (layact.cxx:1381)
   by 0x242D29F6: SwLayAction::FormatLayout(SwLayoutFrm*, unsigned char) (layact.cxx:1541)
   by 0x242D29F6: SwLayAction::FormatLayout(SwLayoutFrm*, unsigned char) (layact.cxx:1541)
   by 0x242CF8FC: SwLayAction::InternalAction() (layact.cxx:695)
   by 0x242CEE02: SwLayAction::Action() (layact.cxx:471)
   by 0x24687EDF: ViewShell::CalcLayout() (viewsh.cxx:910)
   by 0x249F27C0: SwXTextDocument::getRendererCount(com::sun::star::uno::Any const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (unotxdoc.cxx:2607)
   by 0x443FEFD7: PDFExport::Export(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (pdfexport.cxx:864)
 Address 0x3d9d5e70 is 208 bytes inside a block of size 248 free'd
   by 0x4A8CE5B: rtl_freeMemory (alloc_global.cxx:348)
   by 0x4A8F9FF: rtl_cache_free (alloc_cache.cxx:1277)
   by 0x8D546F7: FixedMemPool::Free(void*) (mempool.cxx:83)
   by 0x2415C53B: SwSectionFrm::operator delete(void*, unsigned long) (in /home/julien/compile-libreoffice/libo_3_5/solver/unxlngx6/lib/libswlo.so)
   by 0x2432A254: SwSectionFrm::~SwSectionFrm() (sectfrm.cxx:177)
   by 0x2433B136: SwLayoutFrm::Destroy() (ssfrm.cxx:606)
   by 0x2433B383: SwLayoutFrm::~SwLayoutFrm() (ssfrm.cxx:652)
   by 0x242FD5DE: SwBodyFrm::~SwBodyFrm() (in /home/julien/compile-libreoffice/libo_3_5/solver/unxlngx6/lib/libswlo.so)
   by 0x242FD61B: SwBodyFrm::~SwBodyFrm() (bodyfrm.hxx:36)
   by 0x2433B136: SwLayoutFrm::Destroy() (ssfrm.cxx:606)
   by 0x2433B383: SwLayoutFrm::~SwLayoutFrm() (ssfrm.cxx:652)
   by 0x2428DD20: SwFtnBossFrm::~SwFtnBossFrm() (in /home/julien/compile-libreoffice/libo_3_5/solver/unxlngx6/lib/libswlo.so)
   by 0x242F5CBE: SwPageFrm::~SwPageFrm() (pagechg.cxx:279)
   by 0x242F5D27: SwPageFrm::~SwPageFrm() (pagechg.cxx:327)
   by 0x242F8CE6: SwFrm::InsertPage(SwPageFrm*, unsigned char) (pagechg.cxx:1360)
   by 0x2432FA23: SwFrm::GetNextSctLeaf(MakePageType) (sectfrm.cxx:1667)
   by 0x24298F7A: SwFrm::GetLeaf(MakePageType, unsigned char) (flowfrm.cxx:871)
   by 0x2429BA2B: SwFlowFrm::MoveFwd(unsigned char, unsigned char, unsigned char) (flowfrm.cxx:1946)
   by 0x24288086: SwCntntFrm::MakeAll() (calcmove.cxx:1270)
   by 0x24283A4B: SwFrm::PrepareMake() (calcmove.cxx:318)
   by 0x23FB8789: SwFrm::Calc() const (frame.hxx:1056)
   by 0x243D48BB: SwTxtFrm::CalcFollow(unsigned short) (frmform.cxx:315)
   by 0x243D5A7E: SwTxtFrm::_AdjustFollow(SwTxtFormatter&, unsigned short, unsigned short, unsigned char) (frmform.cxx:607)
   by 0x243D783A: SwTxtFrm::FormatAdjust(SwTxtFormatter&, WidowsAndOrphans&, unsigned short, unsigned char) (frmform.cxx:1154)
   by 0x243D6D21: SwTxtFrm::CalcPreps() (frmform.cxx:932)
   by 0x243D9FE2: SwTxtFrm::Format(SwBorderAttrs const*) (frmform.cxx:1870)
   by 0x24288FC9: SwCntntFrm::MakeAll() (calcmove.cxx:1427)
   by 0x24283D20: SwFrm::PrepareMake() (calcmove.cxx:386)
   by 0x23FB8789: SwFrm::Calc() const (frame.hxx:1056)
   by 0x242A4099: CalcCntnt(SwLayoutFrm*, bool, bool) (fly.cxx:1601)
   by 0x2432D92C: SwSectionFrm::_CheckClipping(unsigned char, unsigned char) (sectfrm.cxx:1111)
   by 0x2432E6B1: SwSectionFrm::Format(SwBorderAttrs const*) (sectfrm.cxx:1379)
   by 0x242867A6: SwLayoutFrm::MakeAll() (calcmove.cxx:924)
   by 0x2432C530: SwSectionFrm::MakeAll() (sectfrm.cxx:809)
   by 0x24283D20: SwFrm::PrepareMake() (calcmove.cxx:386)
   by 0x23FB8789: SwFrm::Calc() const (frame.hxx:1056)
   by 0x242D1D77: SwLayAction::FormatLayout(SwLayoutFrm*, unsigned char) (layact.cxx:1381)
   by 0x242D29F6: SwLayAction::FormatLayout(SwLayoutFrm*, unsigned char) (layact.cxx:1541)
   by 0x242D29F6: SwLayAction::FormatLayout(SwLayoutFrm*, unsigned char) (layact.cxx:1541)
   by 0x242CF8FC: SwLayAction::InternalAction() (layact.cxx:695)
   by 0x242CEE02: SwLayAction::Action() (layact.cxx:471)
   by 0x24687EDF: ViewShell::CalcLayout() (viewsh.cxx:910)
   by 0x249F27C0: SwXTextDocument::getRendererCount(com::sun::star::uno::Any const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (unotxdoc.cxx:2607)
   by 0x443FEFD7: PDFExport::Export(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) (pdfexport.cxx:864)

Which looks much more like a traditional layout / memory mis-management silly.
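Added example, not part of the original comment or of LibreOffice: a small Python helper that strips the callers shared by the invalid-read stack and the free stack in the valgrind report above and returns the two frames where they part. The sample input is an excerpt of the trace on this page, with the library path shortened and the frames marked "..." omitted; the helper names are assumptions.

```python
import re

# One valgrind frame: "at|by 0xADDR: function(args) (file:line)".
FRAME = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (.*) \(([^()]*)\)\s*$")

# Frames copied from the trace above; library path shortened and the frames
# marked "..." left out to keep the sample small.
USE = """
   at 0x23F6A0A4: SwFlowFrm::HasFollow() const (in libswlo.so)
   by 0x242A48E1: CalcCntnt(SwLayoutFrm*, bool, bool) (fly.cxx:1787)
   by 0x2432D92C: SwSectionFrm::_CheckClipping(unsigned char, unsigned char) (sectfrm.cxx:1111)
   by 0x2432E6B1: SwSectionFrm::Format(SwBorderAttrs const*) (sectfrm.cxx:1379)
"""
FREE = """
   by 0x2432A254: SwSectionFrm::~SwSectionFrm() (sectfrm.cxx:177)
   ...
   by 0x242F8CE6: SwFrm::InsertPage(SwPageFrm*, unsigned char) (pagechg.cxx:1360)
   ...
   by 0x23FB8789: SwFrm::Calc() const (frame.hxx:1056)
   by 0x242A4099: CalcCntnt(SwLayoutFrm*, bool, bool) (fly.cxx:1601)
   by 0x2432D92C: SwSectionFrm::_CheckClipping(unsigned char, unsigned char) (sectfrm.cxx:1111)
   by 0x2432E6B1: SwSectionFrm::Format(SwBorderAttrs const*) (sectfrm.cxx:1379)
"""

def parse(stack):
    """Return [(function, location), ...], innermost frame first."""
    return [m.groups() for m in map(FRAME.match, stack.splitlines()) if m]

def divergence(use, free):
    """Strip the callers both stacks share, outermost first.

    Returns (shared_callers, use_frame, free_frame): the two frames where the
    stacks part. The same function at two different lines suggests the block
    was freed by a call made from that function before it read the block again.
    """
    u, f = parse(use), parse(free)
    shared = []
    while u and f and u[-1] == f[-1]:
        shared.insert(0, u.pop())
        f.pop()
    return shared, (u[-1] if u else None), (f[-1] if f else None)

if __name__ == "__main__":
    shared, use_frame, free_frame = divergence(USE, FREE)
    print("shared callers:   ", [fn for fn, _ in shared])
    print("read after free at:", use_frame)
    print("freed underneath:  ", free_frame)
```

On this trace the stacks part inside CalcCntnt: the free happens under the Calc() call at fly.cxx:1601 and the invalid read at fly.cxx:1787, with SwSectionFrm::_CheckClipping and everything above it common to both.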
