Created attachment 9762 [details]
Example image

Same for me Win2k RC5

more info:
on win 2k
- if reproducting fred's example --> crash
- if taking intermediate letters and not putiing at the beginning, 
after 5 to 6 manipulations --> freezes and eat the memory (used 
memory grows, grows ...)

laurent

I can confirm on fresh install of 1.1RC5 german on Win XP pro.

Setting Prio2 (crash in basic functionality)

confirming on linux, setting OS to all, setting target-milestone to
OOo 1.1 (change to later target if appropriate)

The same thing happens in 1.1 RC4 on Windows 2000, so it isn't a 
recent regression (if it's a regression at all). 

Confirmed on OS X.  All backtraces (taken with gdb at various periods after doing the 
drop) have up to ImplEditEngine::CreateLines() in common, frames down than that 
differ.

#0  0x90004da0 in szone_malloc ()
#1  0x900049a4 in malloc_zone_malloc ()
#2  0x00518788 in operator new(unsigned long) ()
#3  0x003b829c in Font::MakeUnique() ()
#4  0x003b87c8 in Font::SetCJKContextLanguage(unsigned short) ()
#5  0x0459ba14 in ImpEditEngine::SeekCursor(ContentNode*, unsigned short, 
SvxFont&, OutputDevice*, unsigned short) ()
#6  0x04598768 in ImpEditEngine::CreateLines(unsigned short, unsigned long) ()
#7  0x04596814 in ImpEditEngine::FormatDoc() ()
#8  0x0459e6ec in ImpEditEngine::FormatAndUpdate(EditView*) ()
#9  0x04588a10 in 
ImpEditView::dragDropEnd(com::sun::star::datatransfer::dnd::DragSourceDropEvent 
const&) ()
#10 0x026a32c4 in x11::SelectionManager::dropComplete(unsigned char, unsigned 
long, unsigned long) ()
#11 0x0049a6e4 in DNDListenerContainer::dropComplete(unsigned char) ()
#12 0x04588e60 in 
ImpEditView::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent const&) ()
#13 0x00498730 in 
DNDListenerContainer::fireDropEvent(com::sun::star::uno::Reference<com::sun::star::
datatransfer::dnd::XDropTargetDropContext> const&, signed char, long, long, signed 
char, com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable> 
const&) ()
#14 0x00497af0 in DNDEventDispatcher::fireDropEvent(Window*, 
com::sun::star::uno::Reference<com::sun::star::datatransfer::dnd::XDropTargetDropC
ontext> const&, signed char, Point const&, signed char, 
com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable> const&) 
()
#15 0x0049672c in 
DNDEventDispatcher::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent 
const&) ()
#16 0x026a9ca0 in 
x11::DropTarget::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent 
const&) ()
#17 0x026a4bd0 in x11::SelectionManager::handleDragEvent(_XEvent&) ()
#18 0x026a7b64 in x11::SelectionManager::handleXEvent(_XEvent&) ()
#19 0x026a7c34 in x11::SelectionManager::dispatchEvent(int) ()
#20 0x026a7cc8 in x11::SelectionManager::run(void*) ()
#21 0x011fba08 in osl_thread_start_Impl ()
#22 0x90020c88 in _pthread_body ()

----------------------
#0  0x00792e04 in dyld_stub_osl_incrementInterlockedCount ()
#1  0x00728584 in String::String(String const&) ()
#2  0x003b8158 in Impl_Font::Impl_Font(Impl_Font const&) ()
#3  0x003b82a8 in Font::MakeUnique() ()
#4  0x003b87c8 in Font::SetCJKContextLanguage(unsigned short) ()
#5  0x0459ba14 in ImpEditEngine::SeekCursor(ContentNode*, unsigned short, 
SvxFont&, OutputDevice*, unsigned short) ()
#6  0x04598768 in ImpEditEngine::CreateLines(unsigned short, unsigned long) ()
#7  0x04596814 in ImpEditEngine::FormatDoc() ()
#8  0x0459e6ec in ImpEditEngine::FormatAndUpdate(EditView*) ()
#9  0x04588a10 in 
ImpEditView::dragDropEnd(com::sun::star::datatransfer::dnd::DragSourceDropEvent 
const&) ()
#10 0x026a32c4 in x11::SelectionManager::dropComplete(unsigned char, unsigned 
long, unsigned long) ()
#11 0x0049a6e4 in DNDListenerContainer::dropComplete(unsigned char) ()
#12 0x04588e60 in 
ImpEditView::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent const&) ()
#13 0x00498730 in 
DNDListenerContainer::fireDropEvent(com::sun::star::uno::Reference<com::sun::star::
datatransfer::dnd::XDropTargetDropContext> const&, signed char, long, long, signed 
char, com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable> 
const&) ()
#14 0x00497af0 in DNDEventDispatcher::fireDropEvent(Window*, 
com::sun::star::uno::Reference<com::sun::star::datatransfer::dnd::XDropTargetDropC
ontext> const&, signed char, Point const&, signed char, 
com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable> const&) 
()
#15 0x0049672c in 
DNDEventDispatcher::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent 
const&) ()
#16 0x026a9ca0 in 
x11::DropTarget::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent 
const&) ()
#17 0x026a4bd0 in x11::SelectionManager::handleDragEvent(_XEvent&) ()
#18 0x026a7b64 in x11::SelectionManager::handleXEvent(_XEvent&) ()
#19 0x026a7c34 in x11::SelectionManager::dispatchEvent(int) ()
#20 0x026a7cc8 in x11::SelectionManager::run(void*) ()
#21 0x011fba08 in osl_thread_start_Impl ()
#22 0x90020c88 in _pthread_body ()

----------------------
#0  0x003f493c in ImplFontCache::Get(ImplDevFontList*, Font const&, Size const&, 
ImplFontSubstEntry*) ()
#1  0x003f6a4c in OutputDevice::ImplNewFont() ()
#2  0x003fc02c in OutputDevice::GetTextHeight() const ()
#3  0x04539ee4 in SvxFont::GetPhysTxtSize(OutputDevice const*, String const&) ()
#4  0x04598794 in ImpEditEngine::CreateLines(unsigned short, unsigned long) ()
#5  0x04596814 in ImpEditEngine::FormatDoc() ()
#6  0x0459e6ec in ImpEditEngine::FormatAndUpdate(EditView*) ()
#7  0x04588a10 in 
ImpEditView::dragDropEnd(com::sun::star::datatransfer::dnd::DragSourceDropEvent 
const&) ()
#8  0x026a32c4 in x11::SelectionManager::dropComplete(unsigned char, unsigned 
long, unsigned long) ()
#9  0x0049a6e4 in DNDListenerContainer::dropComplete(unsigned char) ()
#10 0x04588e60 in 
ImpEditView::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent const&) ()
#11 0x00498730 in 
DNDListenerContainer::fireDropEvent(com::sun::star::uno::Reference<com::sun::star::
datatransfer::dnd::XDropTargetDropContext> const&, signed char, long, long, signed 
char, com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable> 
const&) ()
#12 0x00497af0 in DNDEventDispatcher::fireDropEvent(Window*, 
com::sun::star::uno::Reference<com::sun::star::datatransfer::dnd::XDropTargetDropC
ontext> const&, signed char, Point const&, signed char, 
com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable> const&) 
()
#13 0x0049672c in 
DNDEventDispatcher::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent 
const&) ()
#14 0x026a9ca0 in 
x11::DropTarget::drop(com::sun::star::datatransfer::dnd::DropTargetDropEvent 
const&) ()
#15 0x026a4bd0 in x11::SelectionManager::handleDragEvent(_XEvent&) ()
#16 0x026a7b64 in x11::SelectionManager::handleXEvent(_XEvent&) ()
#17 0x026a7c34 in x11::SelectionManager::dispatchEvent(int) ()
#18 0x026a7cc8 in x11::SelectionManager::run(void*) ()
#19 0x011fba08 in osl_thread_start_Impl ()
#20 0x90020c88 in _pthread_body ()

unless this is not a regression in rc3 - rc5 I would like to propose
this for 1.1.1.

I tried this with rc5_ja on Windows98SE and Redhat9.
This made the systems very slow, almost freezing.
It took time for soffice to be crashed.

As I couldn't wait for soffice to be crashed on Redhat9,
so I switched off the system, I don't know ErrorReport 
would come up when soffice crashes.

On Windows98SE, I monitored CPU usage and Resource
during the test.
1) kept CPU usage 100%
2) didn't affect system resource, user resource and gdi resource.
3) ate up hard disk space

And when soffice crashed, something like "invalid use of soffice"
message appear but ErrorReport didn't come up.

Hi Niklas,

your's or Maltes ?

Error report send.

Error Report ID is:
rz68n8

Frank

I can duplicate on win2k and nt4 going back at least as far as 1.1Beta2.

Probably the cause of more than a few misc crashes.

Would be nice to see an RC6 but it looks like 1.1.0 might already be
out the door?

This loops at line 773 in svx/source/editeng/impedit3.cxx

while ( ( nIndex < pNode->Len() ) || bForceOneRun )

I will attach my rough diff 
which can be used to watch the looping thus:

start while: nIndex = 2 pNode->Len()=3 start while: nIndex = 0
pNode->Len()=3if nIndex==0 start while: nIndex = 0 pNode->Len()=3if
nIndex==0 start while: nIndex = 0 pNode->Len()=3if nIndex==0 start
while: nIndex = 0 

I just build svx and copy the new libsvxls.so into my installed
OpenOffice/program

Created attachment 9833 [details]
to see looping i used this diff to make new libsvx645ls.so

This is only a clue, 
it will allow that drag and drop to be done safely, 
but it can sometimes make a real crash too. 
in impedit3.cxx at line 825
- sal_uInt16 nTmpPortion = pLine->GetStartPortion();
+ sal_uInt16 nTmpPortion = 0;

This is based on the observation that the bad cases will never enter
the "while" statement at line 909 because nTmpPortion == Count(). 

FormatDoc is called for the input line's edit engine from its own
modified-handler. This is bad and must be changed, then everything
should be fine.

Fixed in CWS calc19.
Changed files:
inputhdl.cxx 1.48.116.1
inputhdl.hxx 1.10.266.1
inputwin.cxx 1.33.112.1

Reassigning to QA for verification.

Reset to fixed for changing state to verified

Found fixed on CWS Calc19 for Solaris, Windows and Linux

FST: As requested by TZ and AK back to you

It's already in a right childworkspace, so nothing to do for dev.

restoring fixed state

closing as I've found it integrated in internal build 645m21-3 on
Linux, Solaris and Windows

found integrated in srx645m25s1-1 using Solaris, Linux and Windows

*** Issue 25839 has been marked as a duplicate of this issue. ***

*** Issue 26568 has been marked as a duplicate of this issue. ***