Issue 123585

Summary: AOO 4.0.1 crash when "Random effect" custom animation selected
Product: Impress Reporter: r4zoli <r4zoli>
Component: editingAssignee: Armin Le Grand <Armin.Le.Grand>
Status: CLOSED FIXED QA Contact:
Severity: Major    
Priority: P2 CC: Armin.Le.Grand, doneyourself, elish, issues
Version: 4.0.1Keywords: crash, regression
Target Milestone: 4.1.0   
Hardware: All   
OS: Windows 7   
Issue Type: DEFECT Latest Confirmation in: ---
Developer Difficulty: ---
Attachments:
Description Flags
Bugdoc with custom animation none

Description r4zoli 2013-10-30 15:40:29 UTC 
Created attachment 81847 [details]
Bugdoc with custom animation

When "Random effect" custom animation selected, the AOO 4.0.1 crashes.

This not happens with AOO 3.4.1, it seems to as regression.
tested under Windows 7.

From Hungarian forum post: http://forum.openoffice.org/hu/forum/viewtopic.php?f=8&t=1467 (It is inserted here only for references).

I can reproduce it under Windows 8.1, the bug confirmed.

To reproduce crash, open attached file, select Test2, add "Random effect" from "Basic" category. Click to "OK" AOO crash. Document recovery starts. When recovery finished the file opens, and custom animation on Test2 is set.
Comment 1 Edwin Sharp 2013-11-02 21:00:50 UTC 
No crash with
AOO401m5(Build:9714)  -  Rev. 1524958
2013-09-20 11:54 - Linux x86_64
Debian
Comment 2 r4zoli 2013-11-04 08:01:36 UTC 
added keyword, crash and regression.
Comment 3 Rob Weir 2013-11-27 16:20:02 UTC 
Reproduced on Win 8.1 64-bit with AOO 4.0.1 en-US.  Crash does not depend on this particular document.  Can reproduce with a fresh new document as well.  Tried some other animation effects and did not see a crash.  

Raising priority.
Comment 4 Armin Le Grand 2014-01-29 22:33:44 UTC 
Taking a look...
Comment 5 Armin Le Grand 2014-01-29 23:03:16 UTC 
Happens at aquire of a local mutex:

Guard< Mutex > aGuard( maMutex );

strange...
Comment 6 Armin Le Grand 2014-01-29 23:54:43 UTC 
There is a AnimationNode with a bad mutex. It seems not initialized, all members are on 0xfeeefeee in the debug version. Thisis strange since the AnimationNode looks good and is derived from AnimationNodeBase which has the Mutex as a member. Added a missing call in one of AnimationNode::AnimationNode to base class AnimationNodeBase, but makes no difference. AnimationNodeBase has no defined constructor, it's implicit and should work. Adding one to check this...
Comment 7 Armin Le Grand 2014-01-30 00:53:02 UTC 
Can reproduce/debug the following way:
- load file from description
- select test2 (press tab, tab)
- switch sidebar to custom animation
- press add, dialog appears
- press 'random effects', preview runs
-> set breakpoint at anaimations/source/animcore/animcore.cxx line 1327
- press OK in custom animation dialog
-> stop at breakpoint
- enter fireChangeListener
- AnimationNode has a parent, follow mpParent->fireChangeListener() once
- step into animcore.cxx line 2093 (the Guard< Mutex > aGuard constructor)
- in osl_acquireMutex() of sal/osl/w32/mutex.c take a look at handed over parameter Mutex -> it is not initialized (!)

I could not find a way how a AnimationNode can be created with a non-valid local Mutex. Maybe the mpParent is invalid, the acccording mxParent from which it is taken (via Uno Tunnel) is a weak reference. Checking this...
Comment 8 Armin Le Grand 2014-01-30 01:05:20 UTC 
Indeed, adding the following code to AnimationNode::fireChangeListener() is triggered and makes all work:

    if(mpParent)
    {
        Reference< XInterface > xCheckReference(mxParent);

        if(!xCheckReference.is())
        {
            mpParent = 0;
        }
    }

Thus it indeed looks as if the parent of an AnimationNode is deleted, but this is not reflected in other AnimationNodes that reference that node as a parent. Suggesting that code as a fix.
Alternatively - if someone knows how this happens - maybe AnimationNode::setParent with an empty reference could be called (if possible), that would also reset the mpParent member accordingly.
Comment 9 Armin Le Grand 2014-01-30 15:23:35 UTC 
Preparing patch, also looking at some assertions which are triggered during playing the animations...
Comment 10 Armin Le Grand 2014-01-30 17:28:41 UTC 
One assertion is due to https://issues.apache.org/ooo/show_bug.cgi?id=122485 that says 1bit bitmaps do not work anymore on linux (64bit probably), so full depth is used for mask creation. For win it is okay and I will change the defines to have 1bit masks back for win.
The others are for AnimationNode mappings which are not a guessed ParagraphTarget but contain shorts and for OutputDevice::ImplSelectClipRegion not being able to set a clip region (I will have a 2nd look at the latter one).
Comment 11 Armin Le Grand 2014-01-30 21:10:14 UTC 
The assert from setting the ClipRegion is not a problem, but a hint that handling a case in WinSalGraphics::setClipRegion is missing. It may happen when a Region in form of a Polygon or PolyPoygon is done that this is empty or only contains empty part-polygons (e.g. have no width/height). Added handling that as a legal case, it will be equal to calling WinSalGraphics::ResetClipRegion().
Comment 12 Armin Le Grand 2014-01-30 21:33:48 UTC 
Checked usage of mpClipRgnData and if it would need to be deleted in case there is no ClipRegion (no Rectangle), but no, it is used as a buffer for up to 16 rectangles. Zero is less than 16, so no need to delete. Preparing commit...
Comment 13 Armin Le Grand 2014-01-30 21:35:52 UTC 
Okay, all asserts cleared and changes done, all committed. Setting to resolved.
Comment 14 Armin Le Grand 2014-01-31 22:43:32 UTC 
OOps, the comments from the commits landed in 12355, I had a typo in the commits...
Comment 15 liuping 2014-02-25 23:52:39 UTC 
verify AOO410m1(Build:9750)  -  Rev. 1570848
Rev.1570848 on windows7 ,pass