Re: Need help for bug 158451
Hi Michael,

Michael Stahl wrote on 21.12.2023 at 20:19:
> hi Regina,
> [..]
> the problem is that the type of anchor of the inner shape changes during text formatting, which is not supposed to happen.
>
> hope https://gerrit.libreoffice.org/c/core/+/161137 should fix the crash.

Yes it solves the crash and the groups are rendered as expected. Excellent!

How do you find the root cause?

Kind regards,
Regina
Re: Need help for bug 158451
hi Regina,

On 14/12/2023 01:26, Regina Henschel wrote:
> Hi all,
>
> I can now narrow down the error somewhat.
>
> Look at method SwTextFrame::FormatImpl() in
> https://opengrok.libreoffice.org/xref/core/sw/source/core/text/frmform.cxx?r=7d7ca347#1832
>
> It creates
> SwTextFormatInfo aInf( pRenderContext, this );
>
> Later down in the for-loop, aInf is used. The for-loop iterates over
> pObj = aInf.GetTextFly().GetAnchoredObjList()
> and performs
> aInf.GetTextFly().AnchoredObjToRect(pObj, aRect)
>
> AnchoredObjToRect crashes then because of an invalid pObj.
>
> You see the AnchoredObjList with these steps:
> aInf > SwTextPaintInfo > m_aTextFly > mpAnchoredObjList
>
> When aInf is created, mpAnchoredObjList is empty. After line #1863
> Format_( aLine, aInf );
> you can see the invalid item in that list.
>
> This happens not always. When you use the example file of the bug report, first the text of the shape inside the group is handled. That works. Then the line where the group is anchored is handled. And there it happens.
>
> If the inline anchored object is not a group but a simple shape with text, first the line is handled and then the text of the shape.

the problem is that the type of anchor of the inner shape changes during text formatting, which is not supposed to happen.

hope https://gerrit.libreoffice.org/c/core/+/161137 should fix the crash.
Re: Need help for bug 158451
Hi Regina,

On Thu, Dec 14, 2023 at 01:26:24AM +0100, Regina Henschel wrote:
> And there I'm now. I have no idea, how something there changes the parameter
> rInfo of SwTextFrame::Format_().
> And I still do not know, which object is really needed in the above
> mentioned for-loop.
> And I still don't know, whether the problem would be solved, when somehow
> first the line and then the group would be handled.
>
> I appreciate any help.

Writer layout is famous for tricky debugging, so unless you're interested in finding the root cause here, I wonder if it makes sense to look at this from a bit higher level. (At least I don't have an idea off the top of my head for the above question.)

Do you hit all these problems because of the partially done work to support complex Writer text inside Writer groupshapes? If so, perhaps it makes sense to disable this while importing WPC constructs?

Regards,
Miklos
Re: Need help for bug 158451
Hi all,

I can now narrow down the error somewhat.

Look at method SwTextFrame::FormatImpl() in
https://opengrok.libreoffice.org/xref/core/sw/source/core/text/frmform.cxx?r=7d7ca347#1832

It creates
SwTextFormatInfo aInf( pRenderContext, this );

Later down in the for-loop, aInf is used. The for-loop iterates over
pObj = aInf.GetTextFly().GetAnchoredObjList()
and performs
aInf.GetTextFly().AnchoredObjToRect(pObj, aRect)

AnchoredObjToRect crashes then because of an invalid pObj.

You see the AnchoredObjList with these steps:
aInf > SwTextPaintInfo > m_aTextFly > mpAnchoredObjList

When aInf is created, mpAnchoredObjList is empty. After line #1863
Format_( aLine, aInf );
you can see the invalid item in that list.

This happens not always. When you use the example file of the bug report, first the text of the shape inside the group is handled. That works. Then the line where the group is anchored is handled. And there it happens.

If the inline anchored object is not a group but a simple shape with text, first the line is handled and then the text of the shape.

Next I have examined Format_( aLine, aInf ) for the crash case. It is
void SwTextFrame::Format_( SwTextFormatter , SwTextFormatInfo const bool bAdjust )
in
https://opengrok.libreoffice.org/xref/core/sw/source/core/text/frmform.cxx?r=7d7ca347#1431

Here watch parameter rInf. It is OK till #1671. After line #1672
bFormat = FormatLine( rLine, bPrev );
rInf has the invalid object. That is surprising. The method does not have rInf as parameter.

This method is
bool SwTextFrame::FormatLine( SwTextFormatter , const bool bPrev )
in
https://opengrok.libreoffice.org/xref/core/sw/source/core/text/frmform.cxx?r=7d7ca347#1296

The adding of the faulty object happens there in #1672 in
bFormat = FormatLine( rLine, bPrev );
That method is
bool SwTextFrame::FormatLine( SwTextFormatter , const bool bPrev )
in
https://opengrok.libreoffice.org/xref/core/sw/source/core/text/frmform.cxx?r=7d7ca347#1296

And there I'm now. I have no idea, how something there changes the parameter rInfo of SwTextFrame::Format_().
And I still do not know, which object is really needed in the above mentioned for-loop.
And I still don't know, whether the problem would be solved, when somehow first the line and then the group would be handled.

I appreciate any help.

Kind regards,
Regina

Regina Henschel wrote on 11.12.2023 at 03:15:
> Hi all,
>
> I need help for bug 158451.
>
> Problem:
> A group or a drawing canvas in a docx file crashes Writer, in case it is anchored 'inline' and has a child shape with text. The crash happens in SwAnchoredObject::GetObjRectWithSpaces().
>
> There is no crash, if such group is in an odt file.
>
> It is not a new problem, but it will affect more users now, because the drawing canvas and not the VML fallback is imported now and the drawing canvas is anchored 'inline' as default in Word.
>
> Steps before the crash are
> SwTextFormatter::NewPortion()
> SwTextFormatter::CalcFlyWidth()
> SwTextFly::GetFrame()
> SwTextFly::ForEach()
> SwAnchoredObject::GetObjRectWithSpaces()
>
> I think the crash should be fixed till release, but I'm not familiar with these frames. Do you have tips for me? Do you have an idea why a group from docx is different from a group from odt, for example?
>
> Attila Bakos had worked in that area, but NISZ no longer exists.
>
> Kind regards,
> Regina
Re: Need help for bug 158451
On Mon, 2023-12-11 at 03:15 +0100, Regina Henschel wrote:
> Steps before the crash are
> SwTextFormatter::NewPortion()
> SwTextFormatter::CalcFlyWidth()
> SwTextFly::GetFrame()
> SwTextFly::ForEach()
> SwAnchoredObject::GetObjRectWithSpaces()

It is possible that this has also been recently picked up with a document I added to crashtesting
https://wiki.documentfoundation.org/Development/Crashtesting

Try running it under valgrind and see if it is a use-after-free and get those backtraces for the bug. Use valgrind --num-callers=50 or some large enough number to get useful info.
Need help for bug 158451
Hi all,

I need help for bug 158451.

Problem:
A group or a drawing canvas in a docx file crashes Writer, in case it is anchored 'inline' and has a child shape with text. The crash happens in SwAnchoredObject::GetObjRectWithSpaces().

There is no crash, if such group is in an odt file.

It is not a new problem, but it will affect more users now, because the drawing canvas and not the VML fallback is imported now and the drawing canvas is anchored 'inline' as default in Word.

Steps before the crash are
SwTextFormatter::NewPortion()
SwTextFormatter::CalcFlyWidth()
SwTextFly::GetFrame()
SwTextFly::ForEach()
SwAnchoredObject::GetObjRectWithSpaces()

I think the crash should be fixed till release, but I'm not familiar with these frames. Do you have tips for me? Do you have an idea why a group from docx is different from a group from odt, for example?

Attila Bakos had worked in that area, but NISZ no longer exists.

Kind regards,
Regina