Apache OpenOffice (AOO) Bugzilla – Issue 118878
[From Symphony] Writer crash after modify properties of new Frame
Last modified: 2012-10-09 09:21:34 UTC
1) create a new Word Processor doc
2) create a new Frame via click "Insert-->Frame", use default properties.
3) drag mouse to extend the frame
4) select the frame and double click the frame
5) change properties of frame. In Columns tab, set "Columns"=2, set "Line"= 4.00pt, then click OK button
6) repeat step 4
7) In "Type" tab, set "Width" = "6.08", "Height" = "2.03"; In "Columns" tab, set "Columns" = "3", then click OK button
defect: Writer crashed
Can't confirm with OOo-dev 3.4.0, OOO340m1 (Build:9586) Rev. 1240836 OS: Ubuntu 11.10, 64 bit
Reproduced against revision 1240872 with Windows/Mac/RedHat
The reproduction steps can be simpler:
1) create a new Word Processor doc
2) create a new Frame via click "Insert-->Frame", use default properties.
3) change properties for frame from "Right-click menu->Frame...". In Columns tab, set "Columns"=2
4) change properties for frame from "Right-click menu->Frame...". In Columns tab, set "Columns"=3 (a value more than previous). In "Type" tab, set "Width" to another value such as "6.08"
5) click OK button, AOO will crash.
I found the root cause. The issue is that if the user changes the width value and the column value together, SwFmt::SetFmtAttr() will update all the modified values first. Then SwFlyFrm::Modify() will enumerate all the changed items one by one and call SwFlyFrm::_UpdateAttr() to handle the value change for each item. In this case, the frame size value changed item will be handled first; it will call SwFlyFrm::FrmSizeChg() to handle it. That function will call SwLayoutFrm::AdjustColumns() to re-calculate the column size in the frame. When enumerating the columns in the frame, it uses the new column number value set in SwFmt::SetFmtAttr(). However, the real column object in the frame is not updated. That work will be done later, in the column number value changed handler in SwFlyFrm::_UpdateAttr(). So if the new column value is larger than the previous one, SwLayoutFrm::AdjustColumns() will enumerate a null column object, and the crash will happen. According to my investigation, the crash should happen on all kinds of platforms.
Created attachment 77582: patch_in_AdjustColumns_to_fix_this_issue
The real root cause of this issue is that the property changed handler should use the old property value, not the new, modified and not yet processed property value. However, for this special case, I think we can have a simple fix. In this case, we can just add a check for the column frame object and only do something when it is not null. SwLayoutFrm::AdjustColumns() will be called again when the column number value changed handler is processed in SwLayoutFrm::ChgColumns(), and the correct value can be set there.
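The ordering problem and the null check described in the comments above, as an added example: this is a simplified model, not AOO source and not the attached patch. FrameModel, Column and every member name are hypothetical stand-ins for the Writer classes, and the widths are constructed values.

```cpp
#include <cstdio>
#include <memory>
#include <vector>

// Simplified model, NOT AOO source: all names here are hypothetical stand-ins.
struct Column { long width = 0; Column* next = nullptr; };

struct FrameModel {
    // Attribute store: already holds the NEW values when the handlers run.
    int fmtColumns = 1;
    long fmtWidth = 600;  // constructed value, arbitrary units
    // Layout side: the real column objects, rebuilt only by chgColumns().
    std::vector<std::unique_ptr<Column>> storage;
    Column* first = nullptr;

    // Size-changed path: the loop bound comes from the attribute store, so it
    // can exceed the number of column objects that exist in the layout.
    int adjustColumns() {
        int resized = 0;
        Column* col = first;
        for (int i = 0; i < fmtColumns; ++i) {
            if (!col) break;  // the guard; without it col->width dereferences null
            col->width = fmtWidth / fmtColumns;
            col = col->next;
            ++resized;
        }
        return resized;
    }

    // Column-count-changed path: rebuild the list, then adjust again.
    int chgColumns() {
        storage.clear();
        first = nullptr;
        Column* prev = nullptr;
        for (int i = 0; i < fmtColumns; ++i) {
            storage.push_back(std::unique_ptr<Column>(new Column()));
            Column* col = storage.back().get();
            if (prev) prev->next = col; else first = col;
            prev = col;
        }
        return adjustColumns();
    }
};

int main() {
    FrameModel f;
    f.fmtColumns = 2; f.chgColumns();    // frame currently has 2 columns
    f.fmtColumns = 3; f.fmtWidth = 608;  // both attributes stored together
    std::printf("size handler resized %d of %d\n", f.adjustColumns(), f.fmtColumns);
    std::printf("column handler resized %d\n", f.chgColumns());
    return 0;
}
```

With the guard, the size handler touches only the two columns that exist, and the later column handler rebuilds the list and sizes all three.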
Patch reviewed. There could be other thoughtful refactoring to cover some other similar potential issues. But this one is neat and safe.
Fix submitted in r1350879.
Verified in r1350879 on Windows 7 and Mac
Verified it on Aoo_Trunk_20120616.1800.1350879 and it does not reproduce, so close it as fixed.
set Target Milestone to AOO 3.5.0 for PM purpose.