On 03/01/13 19:26, Matteo Casalin wrote: > Hi all, > I've been lately struggling with crash in conversion from > Traditional to Simplified Chinese in Writer. After some debugging, I > tracked the problem to access to released memory, but I don't know ho to > proceed to solve the issue since it involves a deeper knowledge than I > have about Writer internal structure. > I really would appreciate if anybody could give me any hint on this. > Here are the details: > The conversion is handled by editeng::HangulHanjaConversion class, which > is used as a base class for SwHHCWrapper (and is also derived in a > parallel manner also in editeng itself). Without digging into details > (the flow is quite convoluted), the problem arises in SwTxtNode::Convert > (sw/source/core/txtnode/txtedt.cxx) as follow: > * line 1074: instantiate a SwLanguageIterator object, which builds a > list of pointers to non-copiable SwTxtAttr; > * line 1111: call SetLanguageAndFont, which destroys the original > SwTxtAttr items which the iterator still points to; > * line 1117: access the now deleted iterator items.
so SwTxtNode::SetLanguageAndFont calls InsertItemSet, with a SvxFontItem, which will result in a RES_TXTATR_AUTOFMT hint... which may be combined (in SwpHints::MergePortions) with an existing RES_TXTATR_AUTOFMT that is adjacent to the insertion range (aCurPaM), provided that the item set on the adjacent hint contains the same attributes as the one on the insertion range. SwTxtNode::Convert appears clearly wrong to me in modifying the hints of a text node while iterating over them. (it is possible that this used to work in 2005 or earlier; i don't know if equal text hints were combined before the introduction of AUTOFMT, as i wasn't around back then). perhaps the insertion could be delayed until after the loop? _______________________________________________ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
