Bug 99712

Summary: Crash in context menu
Product: LibreOffice Reporter: Jean-Baptiste Faure <jbfaure>
Component: ImpressAssignee: Caolán McNamara <caolan.mcnamara>
Status: VERIFIED FIXED    
Severity: normal CC: Armin.Le.Grand, h3734236, lo_bugs, michael.meeks, raal, serval2412
Priority: medium Keywords: bibisected, haveBacktrace, regression
Version: 5.2.0.0.alpha0+   
Hardware: All   
OS: All   
Whiteboard: target:5.2.0
Crash report or crash signature: Regression By:
Attachments: gdb on the core file
bibisect result, daily Linux dbgutil repository
bibisect result Win 5.2 bibisect repository
typescript with backtrace from MenuFloatingWindow c'tor

Description Jean-Baptiste Faure 2016-05-06 15:50:44 UTC 
When trying to reproduce bug 62688 with current master, I found the following crash. Steps to reproduce:
1/ open a new empty Impress document
2/ ctrl+alt+C to create a comment
3/ type something in the comment field
4/ select the text of the comment (use the mouse because ctrl+A does not work in comments, it is the bug 62688)
5/ right click on the selected text

==> the comment field close
==> crash when you choose an entry in the context menu

Found in Version: 5.2.0.0.alpha1+
Build ID: 2fb31f248fe86c52c1070cbc8b18b24872a4bedc
built at home under Ubuntu 16.04 x86-64
No crash in LO 5.1.4.0.0+, so regression.

Best regards. JBF
Comment 1 Julien Nabet 2016-05-07 08:27:47 UTC 
On pc Debian x86-64 with master sources updated today, I could reproduce the crash but only when selecting an entry at second time.
warn:legacy.osl:10082:1:vcl/source/window/window.cxx:325: Window ( N2sd16AnnotationWindowE()) with live SystemWindows destroyed:  18MenuFloatingWindow()
Window ( N2sd16AnnotationWindowE()) with live SystemWindows destroyed:  18MenuFloatingWindow()
Comment 2 Julien Nabet 2016-05-07 08:29:15 UTC 
Armin: thought you might be interested in this one.
Comment 3 Terrence Enger 2016-05-09 14:07:04 UTC 
Created attachment 124935 [details]
gdb on the core file

Give or take some fat-fingering along the way, I did ...
(1) Type text in the comment.
(2) Drag mouse through all that text.
(3) Right-click, Copy.
(4) Type "<enter>-----<enter>".
(5) Right-click.

The error messages in the terminal are (whitespace added) ...

    warn:legacy.osl:22373:1:vcl/source/window/window.cxx:325:
        Window ( N2sd16AnnotationWindowE()) with live SystemWindows destroyed:
        18MenuFloatingWindow()
    Window ( N2sd16AnnotationWindowE()) with live SystemWindows destroyed:
        18MenuFloatingWindow()

Note the following points in the attached terminal output ...

    line  gdb command
    ----  ----------------------------------
      34  info threads
      41  backtrace
     121  thread apply all backtrace full

These observations are from master commit 11bf964, pulled 2016-05-09
05:35 UTC, configured ...
    CC=ccache /usr/bin/gcc
    CXX=ccache /usr/bin/g++
    --enable-option-checking=fatal
    --enable-dbgutil
    --enable-debug
    --enable-crashdump
    --without-system-postgresql
    --without-myspell-dicts
    --with-extra-buildid
    --without-doxygen
    --with-external-tar=/home/terry/lo_hacking/git/src
built and running on debian-stretch.

I am adding keyword haveBacktrace.
Comment 4 Terrence Enger 2016-05-09 14:51:01 UTC 
Created attachment 124936 [details]
bibisect result, daily Linux dbgutil repository

Working in the daily Linux dbgutil bibisect repository, I see an error
different from what I described in comment 3.  And now, the crash
happens on the first right-click > Copy.  The error messages are
(whitespace added) ...

    soffice.bin: /home/vmiklos/git/libreoffice/master/vcl/unx/gtk3/../gtk/gtkinst.cxx:303:
        void GtkYieldMutex::ThreadsLeave(): Assertion `mnCount != 0' failed.
    Application Error
    Fatal exception: Signal 6

This looks more like what Jean-Baptiste reported.  I do not know
whether my comment 3 is useful in this report, or whether I should
create a new bug report.

Anyway, the bug was introduced somewhere in the 49 commits
a6f876d..0ab6332 ...

    what       commit   date        s-h
    ---------  -------  ----------  -------
    last good  cafe073  2016-02-11  a6f876d
    first bad  3ced19f  2016-02-12  0ab6332
Comment 5 Terrence Enger 2016-05-09 16:02:19 UTC 
Created attachment 124938 [details]
bibisect result Win 5.2 bibisect repository

Working in the win-32 5.2 bibisect repository, I see that the bad
commit is (whitespace added) ...

    author	Michael Meeks <michael.meeks@collabora.com>	
                2016-02-09 17:15:29 (GMT)
    committer	Tomaž Vajngerl <quikee@gmail.com>	
                2016-02-09 18:30:50 (GMT)
    commit 7672637cb33bcae199d3f0b0b3dcc568375d4976 (patch)
    tree 12620c6287e243a8c86339e73c5706fe669d0a9f
    parent a6ce77b508cdcda0a65fa3802daf7a6ef757af43 (diff)
    vcl: opengl - clear the user buffer after greyscale conversion.

This contradicts the results from Linux dbgutil bibisect that I
reported in comment 4: this "first bad" is earlier than the previously
reported "last good".  Am I getting a different crash?  Sigh.
Comment 6 Michael Meeks 2016-05-10 08:25:42 UTC 
Hi Terrence; the cause is pretty clear:

#16 0x00007f51db2023cf in SalAbort(rtl::OUString const&, bool) (rErrorText="Window ( N2sd16AnnotationWindowE()) with live SystemWindows destroyed:  18MenuFloatingWindow()", bDumpCore=true) at /home/terry/lo_hacking/git/libo6/vcl/unx/generic/plugadapt/salplug.cxx:293
#17 0x00007f51db1169ff in Application::Abort(rtl::OUString const&) (rErrorText="Window ( N2sd16AnnotationWindowE()) with live SystemWindows destroyed:  18MenuFloatingWindow()") at /home/terry/lo_hacking/git/libo6/vcl/source/app/svapp.cxx:320

Luckily its only a leak in non dbgutil mode - so shouldn't cause a widespread crash for real users when deployed -> lowering the priority. It is a VclPtr, lifecycle issue I guess.

Also the debug output above (I hope) identifies the problem - which is that the sd::AnnotationWindow has a live MenuFloatingWindow associated with it when it is disposed - and it should have disposed that itself first; which is curious.

Armin did some work in this area recently - but ...
Comment 7 Michael Meeks 2016-05-10 08:33:38 UTC 
Hmm - it looks like there is a floating MenuFloatingWindow that is not disposed in the correct order; to find where that is created I guess it'd be good to put a break-point into:

vcl/source/window/menufloatingwindow.cxx:MenuFloatingWindow::MenuFloatingWindow

And get a stack-trace of where that is created, to ensure that we get the ordering right for its destruction too.
Comment 8 Terrence Enger 2016-05-10 20:44:20 UTC 
Created attachment 124960 [details]
typescript with backtrace from MenuFloatingWindow c'tor

This is from master commit 65b327b, pulled around 2016-05-10 03:20 UTC, configured ...
    CC=ccache /usr/bin/gcc
    CXX=ccache /usr/bin/g++
    --enable-option-checking=fatal
    --enable-dbgutil
    --enable-debug
    --enable-crashdump
    --without-system-postgresql
    --without-myspell-dicts
    --with-extra-buildid
    --without-doxygen
    --with-external-tar=/home/terry/lo_hacking/git/src
built and running on debian-stretch.
Comment 9 Armin Le Grand 2016-05-11 07:40:55 UTC 
FYI: May be related/similar to Bug 99388. When there are more cases it is a hint that somewhere somehow the order/mechanism of closing *has* changed
Comment 10 Caolán McNamara 2016-05-24 12:57:30 UTC 
This isn't VclPtr this is "focus in floats"
Comment 11 Commit Notification 2016-05-24 14:25:34 UTC 
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=26333736f103342344b9b0fa20a3a04d426fac4f

Resolves: tdf#99712 Crash in impress annotation context menu

It will be available in 5.2.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 12 Jean-Baptiste Faure 2016-05-25 04:43:09 UTC 
(In reply to Commit Notification from comment #11)
> Caolán McNamara committed a patch related to this issue.
> It has been pushed to "master":
> [...]
> Affected users are encouraged to test the fix and report feedback.

Thank you very much for the quick fix.
Verified fixed in
Version: 5.2.0.0.alpha1+
Build ID: c5ab14e2bca0cc4fabd25b27f078a1c38fda4fa7
CPU Threads: 4; OS Version: Linux 4.4; UI Render: default; 
Ubuntu_16.04_x86-64
Locale: fr-FR (fr_FR.UTF-8)

Best regards. JBF
Comment 13 Armin Le Grand 2016-05-25 08:18:39 UTC 
Hey Cao0lan,
thanks for sorting this out and making it more general - is probably better ;-)