Apache OpenOffice (AOO) Bugzilla – Issue 61812
a11y: Using Backspace to join bullet paragraph causes crash in impress (editengine) under accessibility
Last modified: 2008-02-12 08:38:56 UTC
Steps:
- Format at least two paragraphs with bullets
- Go to the end of the second paragraph and backspace to remove it
- Continue until you reach the last letter of the first paragraph (go across the space that was in between the two paragraphs)
- Impress (and Writer) crash

Report:
Video Driver is probably fglrx
DESKTOP_SESSION is set to default
libgcj version is libgcj-4.0.2-8.fc4
OpenOffice.org core rpm version is openoffice.org-core-2.0.1.1-5.1

0x47c007: /usr/lib/openoffice.org2.0/program/libuno_sal.so.3 + 0x1e007
0x47c7cc: /usr/lib/openoffice.org2.0/program/libuno_sal.so.3 + 0x1e7cc
0x923420: + 0x420 (__kernel_sigreturn + 0x0)
0x46d0c94: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x2dec94
0x4696c72: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x2a4c72 (EditEngine::GetParaAttrib(unsigned short, unsigned short) + 0x24)
0x46db1b5: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x2e91b5 (Outliner::ImplHasBullet(unsigned short) const + 0x27)
0x46dbf52: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x2e9f52 (Outliner::GetBulletInfo(unsigned short) + 0x38)
0x47eeba4: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x3fcba4 (SvxOutlinerForwarder::GetBulletInfo(unsigned short) const + 0x24)
0x47ead8b: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x3f8d8b
0x47eaf13: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x3f8f13
0x4887656: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x495656
0x488768c: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x49568c
0x858570: /usr/lib/openoffice.org2.0/program/libvclplug_gtk680li.so + 0x11570 (DocumentFocusListener::detachRecursive(com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessible> const&, com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessibleContext> const&, com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessibleStateSet> const&) + 0x34)
0x858673: /usr/lib/openoffice.org2.0/program/libvclplug_gtk680li.so + 0x11673 (DocumentFocusListener::detachRecursive(com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessible> const&, com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessibleContext> const&) + 0x35)
0x8586ce: /usr/lib/openoffice.org2.0/program/libvclplug_gtk680li.so + 0x116ce (DocumentFocusListener::detachRecursive(com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessible> const&) + 0x32)
0x858a0f: /usr/lib/openoffice.org2.0/program/libvclplug_gtk680li.so + 0x11a0f (DocumentFocusListener::notifyEvent(com::sun::star::accessibility::AccessibleEventObject const&) + 0xa7)
0x311b87: /usr/lib/openoffice.org2.0/program/libcomphelp4gcc3.so + 0x5db87 (comphelper::AccessibleEventNotifier::addEvent(unsigned long, com::sun::star::accessibility::AccessibleEventObject const&) + 0xb3)
0x487e64e: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x48c64e
0x487f322: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x48d322
0x488199d: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x48f99d
0x4881a00: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x48fa00
0x4880b75: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x48eb75
0x4881142: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x48f142
0x2ddff7a: /usr/lib/openoffice.org2.0/program/libsvl680li.so + 0x88f7a (SfxBroadcaster::Broadcast(SfxHint const&) + 0x46)
0x4831310: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x43f310
0x4831348: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x43f348
0x464acec: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x258cec
0x46da651: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x2e8651 (Outliner::EditEngineNotifyHdl(EENotify*) + 0x2d)
0x46da6a8: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x2e86a8 (Outliner::LinkStubEditEngineNotifyHdl(void*, void*) + 0x1a)
0x464acec: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x258cec
0x46b560e: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x2c360e
0x469b958: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x2a9958
0x46b2abb: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x2c0abb
0x46a3c05: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x2b1c05 (EditView::PostKeyEvent(KeyEvent const&) + 0x1d)
0x46e3128: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x2f1128 (OutlinerView::PostKeyEvent(KeyEvent const&) + 0x546)
0x493d10b: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x54b10b (SdrObjEditView::KeyInput(KeyEvent const&, Window*) + 0xd5)
0x4994135: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x5a2135 (SdrView::KeyInput(KeyEvent const&, Window*) + 0x2d)
0x4a29b60: /usr/lib/openoffice.org2.0/program/libsvx680li.so + 0x637b60 (FmFormView::KeyInput(KeyEvent const&, Window*) + 0x1b4)
0x4f400d5: /usr/lib/openoffice.org2.0/program/libsd680li.so + 0x1840d5
0x4eae322: /usr/lib/openoffice.org2.0/program/libsd680li.so + 0xf2322
0x4ec1147: /usr/lib/openoffice.org2.0/program/libsd680li.so + 0x105147
0x4eb7eb3: /usr/lib/openoffice.org2.0/program/libsd680li.so + 0xfbeb3
0x2cba12a: /usr/lib/openoffice.org2.0/program/libvcl680li.so + 0x1da12a
0x2cbbd81: /usr/lib/openoffice.org2.0/program/libvcl680li.so + 0x1dbd81
0x871b38: /usr/lib/openoffice.org2.0/program/libvclplug_gtk680li.so + 0x2ab38
0x86fc04: /usr/lib/openoffice.org2.0/program/libvclplug_gtk680li.so + 0x28c04
0x8714f9: /usr/lib/openoffice.org2.0/program/libvclplug_gtk680li.so + 0x2a4f9
0x101fbe2: /usr/lib/libgtk-x11-2.0.so.0 + 0x10bbe2
0x1213285: /usr/lib/libgobject-2.0.so.0 + 0x8285 (g_closure_invoke + 0x10a)
0x122175b: /usr/lib/libgobject-2.0.so.0 + 0x1675b
0x1222c23: /usr/lib/libgobject-2.0.so.0 + 0x17c23 (g_signal_emit_valist + 0x41e)
0x1223223: /usr/lib/libgobject-2.0.so.0 + 0x18223 (g_signal_emit + 0x29)
0x10fb743: /usr/lib/libgtk-x11-2.0.so.0 + 0x1e7743
0x101e459: /usr/lib/libgtk-x11-2.0.so.0 + 0x10a459 (gtk_propagate_event + 0x1d2)
0x101e784: /usr/lib/libgtk-x11-2.0.so.0 + 0x10a784 (gtk_main_do_event + 0x329)
0x8bbdf6: /usr/lib/libgdk-x11-2.0.so.0 + 0x3bdf6
0x126a4ce: /usr/lib/libglib-2.0.so.0 + 0x234ce (g_main_context_dispatch + 0x1dc)
0x126d4d6: /usr/lib/libglib-2.0.so.0 + 0x264d6
0x126d9b8: /usr/lib/libglib-2.0.so.0 + 0x269b8 (g_main_context_iteration + 0x66)
0x861a51: /usr/lib/openoffice.org2.0/program/libvclplug_gtk680li.so + 0x1aa51
0x131633d: /usr/lib/openoffice.org2.0/program/libvclplug_gen680li.so + 0x4633d (X11SalInstance::Yield(unsigned char) + 0x29)
0x2b691ba: /usr/lib/openoffice.org2.0/program/libvcl680li.so + 0x891ba (Application::Yield() + 0x50)
0x2b691f8: /usr/lib/openoffice.org2.0/program/libvcl680li.so + 0x891f8 (Application::Execute() + 0x26)
0x42d1015: /usr/lib/openoffice.org2.0/program/libsoffice.so + 0x29015 (desktop::Desktop::Main() + 0x15df)
0x2b6e769: /usr/lib/openoffice.org2.0/program/libvcl680li.so + 0x8e769
0x2b6e819: /usr/lib/openoffice.org2.0/program/libvcl680li.so + 0x8e819 (SVMain() + 0x29)
0x42c8a37: /usr/lib/openoffice.org2.0/program/libsoffice.so + 0x20a37 (sal_main + 0x57)
0x42c8a83: /usr/lib/openoffice.org2.0/program/libsoffice.so + 0x20a83 (main + 0x27)
0x125d5f: /lib/libc.so.6 + 0x14d5f (__libc_start_main + 0xdf)
0x80484e1: /usr/lib/openoffice.org2.0/program/simpress.bin + 0x4e1
Created attachment 33981: The file that crashes VERY often
Sorry, not reproducible at the moment. Which linux do you use? Did you download the Office version from the official site? Thanks in advance.
I just saw in i61810 that you are probably using Fedora Core. If this is the case we cannot do anything to fix the problem.
No more info received, closing. Feel free to reopen if the issue still occurs with an original version.
reopening, I have a bit of insight here
I see this in 2.0.4 and in OOE680_m2
Sorry, still no crash reproducible here in any way. Reassigned. @cgu: can you reproduce this?
==29162== Invalid read of size 4
==29162== at 0x44A6CC1: SfxItemSet::GetItemState(unsigned short, unsigned char, SfxPoolItem const**) const (in /usr/lib/openoffice.org2.1/program/libsvl680li.so)
==29162== by 0xB3AEC5B: ContentAttribs::GetItem(unsigned short) (editdoc.cxx:1181)
==29162== by 0xB405D61: ImpEditEngine::GetParaAttrib(unsigned short, unsigned short) const (impedit5.cxx:827)
==29162== by 0xB3B6E8F: EditEngine::GetParaAttrib(unsigned short, unsigned short) (editeng.cxx:1587)
==29162== by 0xB4168B7: Outliner::ImplHasBullet(unsigned short) const (outliner.cxx:1682)
==29162== by 0xB417A40: Outliner::GetBulletInfo(unsigned short) (outliner.cxx:1967)
==29162== by 0xB5EC3D3: SvxOutlinerForwarder::GetBulletInfo(unsigned short) const (unoforou.cxx:314)
==29162== by 0xB5E6983: SvxAccessibleTextAdapter::GetBulletInfo(unsigned short) const (unoedprx.cxx:755)
==29162== by 0xB5E753C: SvxAccessibleTextAdapter::HaveImageBullet(unsigned short) const (unoedprx.cxx:1124)
==29162== by 0xB6F153B: accessibility::AccessibleEditableTextPara::HaveChildren() (AccessibleEditableTextPara.cxx:730)
==29162== by 0xB6F3B12: accessibility::AccessibleEditableTextPara::getAccessibleChildCount() (AccessibleEditableTextPara.cxx:913)
==29162== by 0x747C224: DocumentFocusListener::detachRecursive(com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessible> const&, com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessibleContext> const&, com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessibleStateSet> const&) (in /usr/lib/openoffice.org2.1/program/libvclplug_gtk680li.so)
==29162== Address 0xAF3F72C is 20 bytes inside a block of size 68 free'd
==29162== at 0x4004FDA: free (vg_replace_malloc.c:233)
==29162== by 0x4D83A0C: rtl_freeMemory (alloc_global.c:319)
==29162== by 0x4054DBD: (within /usr/lib/openoffice.org2.1/program/libsoffice.so)
==29162== by 0x4054DF5: operator delete(void*) (in /usr/lib/openoffice.org2.1/program/libsoffice.so)
==29162== by 0xB3B39CE: EditDoc::ConnectParagraphs(ContentNode*, ContentNode*) (editdoc.cxx:1611)
==29162== by 0xB3E32CF: ImpEditEngine::ImpConnectParagraphs(ContentNode*, ContentNode*, unsigned char) (impedit2.cxx:2211)
==29162== by 0xB3EB4E6: ImpEditEngine::DeleteLeftOrRight(EditSelection const&, unsigned char, unsigned char) (impedit2.cxx:2307)
==29162== by 0xB3BC1D7: EditEngine::PostKeyEvent(KeyEvent const&, EditView*) (editeng.cxx:996)
==29162== by 0xB3DD877: ImpEditView::PostKeyEvent(KeyEvent const&) (impedit.cxx:1088)
==29162== by 0xB3C8AA6: EditView::PostKeyEvent(KeyEvent const&) (editview.cxx:401)
==29162== by 0xB42126A: OutlinerView::PostKeyEvent(KeyEvent const&) (outlvw.cxx:277)
==29162== by 0xB80931D: SdrObjEditView::KeyInput(KeyEvent const&, Window*) (svdedxv.cxx:1123)
Created attachment 40469: a bandaid patch that just fixes the local crash, not a real fix
*** Issue 67574 has been marked as a duplicate of this issue. ***
*** Issue 65015 has been marked as a duplicate of this issue. ***
Obvious workaround for a user is to disable accessibility if they don't need it, e.g. under gnome system->preferences->accessibility->assistive technology preferences->disable and logout and login again
We did some fixes for crashes while deleting text (paragraqphy) in the outline view. Please have a look if this fixes your bug too.
cmc->cgu: is "paragraqphy" the name of a workspace ?
it should be paragraphs. (I should check what I wrote before submitting it) We did several fixes in several cws.
I asked if the bug still occurs with the 'paragraph fixes' on Jan 2 and got no answer, therefore I think that the bug is fixed. I close the issue as works for me
I close the issue as works for me. Please reopen it if you can still reproduce the bug with the latest stable version (OOo 2.2)
Re-opened as this is reproducible through automated tests with a11y turned on: see internal bug #146869.
re-assigning and adjusting target.
set target to 2.3
The very problem that is described at the top of this issue can not be reproduced. Neither with Linux nor Solaris. What could be reproduced is the problem described in the closed internal issue 146869. Because that was an internal issue I'll list what needs to be done to reproduce that here:
- open impress
- switch to outline view
- enter: aaaaa <return>
- press <backspace>
-> crash
so - looks like there's a reentrance problem with EditEngine accessibility. EEA notifies a CHILD event when the end paragraph gets deleted, AtkBridge calls back immediately to update its children. EEA still has the old state, and returns one surplus paragraph, just to throw an IndexOutOfBoundsException because the paragraph is not valid anymore.

Remedy: best would be to modify AccessibleTextHelper_Impl::ProcessQueue(), to first modify state to reflect things notified, then notify, and finally purge the vector of deceased paragraphs.

THB->TL: please be aware that ProcessQueue() has multiple places (not only the remove branch), that need to be adapted, and that state change needs to be two-phased - the ParaManager::Release of the dying paragraph must happen only after notification (otherwise, the paragraph is dead).
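The ordering problem and the two-phase remedy from the comment above, reduced to a small model. This is an added example, not code from the issue or from OpenOffice.org; `ParaList`, `Para` and `staleChildrenSeen` are hypothetical names, and a dead paragraph is modelled with a flag so that the stale access can be counted safely.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Illustrative stand-ins only; these are not OpenOffice.org classes.
struct Para { bool alive = true; };  // false models a paragraph already destroyed

class ParaList {
public:
    std::function<void(ParaList&)> onChildEvent;  // runs synchronously, like the bridge callback
    void add() { paras_.emplace_back(new Para()); count_ = paras_.size(); }
    std::size_t childCount() const { return count_; }
    const Para* child(std::size_t i) const {      // nullptr: index advertised, paragraph dead
        bool ok = i < paras_.size() && paras_[i] && paras_[i]->alive;
        return ok ? paras_[i].get() : nullptr;
    }
    void removeLastNotifyFirst() {                // order described in the analysis
        paras_.back()->alive = false;             // paragraph is gone in the document
        if (onChildEvent) onChildEvent(*this);    // listener re-enters while count_ is stale
        paras_.pop_back(); count_ = paras_.size();
    }
    void removeLastTwoPhase() {                   // proposed order
        std::unique_ptr<Para> dying = std::move(paras_.back());
        paras_.pop_back(); count_ = paras_.size();  // 1) state reflects the removal
        if (onChildEvent) onChildEvent(*this);      // 2) notify
        dying.reset();                              // 3) release only after notification
    }
private:
    std::vector<std::unique_ptr<Para>> paras_;
    std::size_t count_ = 0;
};

// Number of advertised children a reentrant listener finds dead during the event.
int staleChildrenSeen(bool twoPhase) {
    ParaList list;
    list.add(); list.add();                       // constructed input: "aaaaa" <return>
    int stale = 0;
    list.onChildEvent = [&stale](ParaList& l) {
        for (std::size_t i = 0; i < l.childCount(); ++i) if (!l.child(i)) ++stale;
    };
    if (twoPhase) list.removeLastTwoPhase(); else list.removeLastNotifyFirst();
    return stale;
}

int main() { std::printf("%d %d\n", staleChildrenSeen(false), staleChildrenSeen(true)); }
```

In the real code the stale child is freed memory rather than a flagged object, which is what the Valgrind "Invalid read" report earlier in the thread shows.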
TL->CMC: Can you still reproduce a scenario for your patch? I just like to know if there is still another problem aside from the one in AccessibleTextHelper_Impl::ProcessQueue(). That is, is the patch to be ignored?
cmc->tl: the " - open impress - switch to outline view - enter: aaaaa <return> - press <backspace> -> crash " is the route we took to reproduce this, so if you've that under control then the bandaid is redundant and can be ignored. The original backtrace in comment #1 is the same that I get when reproducing as above, so it all looks like the same problem.
TL->WG: please note that the problem described above could only be reproduced with Solaris. Even so, the fix should be tested on all platforms.
Verified in CWS tl40.
Tested in master OOH m5. Closed.