https://bugs.documentfoundation.org/show_bug.cgi?id=101327

Mike Kaganski <mikekagan...@hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |notBibisectable,
                   |                            |preBibisect, regression
            Version|5.1.5.2 release             |4.1.0.4 release

--- Comment #13 from Mike Kaganski <mikekagan...@hotmail.com> ---
This started somewhere before Version: 4.1.0.0.beta2
Build ID: 33224f4f11a05cfad2249e812fcc2975fbb61f6

The stated version already crashes saving attachment 126630 as ODG, while
4.0.6.2 does not -> regression, preBibisect.

No crash with Version: 5.2.2.2
Build ID: 1:5.2.2-0ubuntu1~xenial0
CPU Threads: 1; OS Version: Linux 4.4; UI Render: default; 
Locale: en-US (en_US.UTF-8); Calc: group

No bibisect repository for that commit range for Windows -> notBibisectable.

The initial crash (on current master) happens in void vcl::Window::dispose() at
line 547 of vcl/source/window/window.cxx:
> pSysWin = pSysWin->mpWindowImpl->mpFrameData->mpNextFrame;

because pSysWin happens to be nullptr.
Actually, all the block starting from line 539:
> if ( mpWindowImpl->mbFrame )
fails because it tries to use mpWindowImpl->mpFrame and
mpWindowImpl->mpFrameData, that are both nullptr for some reason.

If line 539 is fixed this way:
> if ( mpWindowImpl->mbFrame && mpWindowImpl->mpFrame && 
> mpWindowImpl->mpFrameData )
then next crash happens in ::std::shared_ptr<FrameworkHelper>
FrameworkHelper::Instance (ViewShellBase& rBase) at line 333 of
sd/source/ui/framework/tools/FrameworkHelper.cxx:
> InstanceMap::const_iterator iHelper (maInstanceMap.find(&rBase));
This time, it turns out that static maInstanceMap gets cleared somewhere
previously, but somehow incorrectly, so that its size is 0, but _Myhead's
_Mytop, _Myleft and _Myright members do not point to _Myhead but to 0xdddddddd,
and _Myproxy is 0x00000000 (in essence, maInstanceMap is ruined), so find()
segfaults.
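
An added example, not part of the bug comment and not LibreOffice code: 0xdddddddd is the pattern the MSVC debug heap writes into freed memory, so the second crash is consistent with a lookup on a static map whose nodes had already been released. The sketch shows one way to keep such a lookup safe during teardown; `HelperRegistry`, `Helper`, `Release`, `Shutdown`, `Count` and the stand-in `ViewShellBase` are hypothetical names.

```cpp
#include <cstddef>
#include <map>
#include <memory>

// Hypothetical stand-ins, not LibreOffice's classes.
struct ViewShellBase {};
struct Helper {
    explicit Helper(ViewShellBase& rBase) : mpBase(&rBase) {}
    ViewShellBase* mpBase;
};

class HelperRegistry {
public:
    // Returns the helper for rBase, creating it on first use. After Shutdown()
    // it returns nullptr without touching the map.
    static std::shared_ptr<Helper> Instance(ViewShellBase& rBase) {
        StateT& rState = State();
        if (rState.mbShutDown)
            return nullptr;
        auto it = rState.maMap.find(&rBase);
        if (it == rState.maMap.end())
            it = rState.maMap.emplace(&rBase, std::make_shared<Helper>(rBase)).first;
        return it->second;
    }
    // Drops one entry when its owner is disposed.
    static void Release(ViewShellBase& rBase) { State().maMap.erase(&rBase); }
    // Explicit teardown: empty the map and refuse all later lookups.
    static void Shutdown() {
        State().maMap.clear();
        State().mbShutDown = true;
    }
    static std::size_t Count() { return State().maMap.size(); }

private:
    struct StateT {
        std::map<ViewShellBase*, std::shared_ptr<Helper>> maMap;
        bool mbShutDown = false;
    };
    // Heap-allocated and never deleted, so no static destructor can free the
    // map while late callers (other destructors, dispose paths) still use it.
    static StateT& State() { static StateT* pState = new StateT; return *pState; }
};

int main() {
    ViewShellBase aBase;
    HelperRegistry::Instance(aBase);
    HelperRegistry::Shutdown();
    return HelperRegistry::Instance(aBase) ? 1 : 0; // 0: lookup refused after teardown
}
```

Callers must treat a null return as "shutting down" and skip the work, which is the same contract the null checks proposed for line 539 impose on the dispose path.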
