Bug 113755 - Crash in: SfxSlotPool::GetSlotPool(SfxViewFrame *) from 5.4.0, even 5.3.6 in Windows (no steps)
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version: 5.4.0.3 release (earliest affected)
Hardware: All All
Importance: high major
Assignee: Not Assigned
URL:
Whiteboard: target:6.1.0 target:6.0.1 target:6.0....
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-10 11:38 UTC by m.a.riosv
Modified: 2018-06-14 19:15 UTC

See Also:
Crash report or crash signature: ["SfxSlotPool::GetSlotPool(SfxViewFrame *)"]


Attachments
some rough notes / code-reading. (6.84 KB, text/plain)
2018-01-16 12:10 UTC, Michael Meeks
more notes ... (13.67 KB, text/plain)
2018-01-16 15:42 UTC, Michael Meeks

Description m.a.riosv 2017-11-10 11:38:19 UTC
This bug was filed from the crash reporting server and is br-205cd92e-417d-4dbc-808d-1da1ef0579b6.
=========================================
Saving a file
Version: 5.4.3.2 (x64)
Build ID: 92a7159f7e4af62137622921e809f8546db437e5
CPU threads: 4; OS: Windows 6.19; UI render: default; 
Locale: es-ES (es_ES); Calc: group

OpenGL.log
DriverVersion: 21.20.16.4550
DriverDate: 11-11-2016
DeviceID: PCI\VEN_8086&DEV_5916&SUBSYS_380117AA&REV_02
AdapterVendorID: 0x8086
AdapterDeviceID: 0x5916
AdapterSubsysID: 0x380117aa
DeviceKey: System\CurrentControlSet\Control\Video\{8CD6695F-B514-11E7-B258-B5AD865BD680}\0001
DeviceString: Intel(R) HD Graphics 620
Comment 1 Xisco Faulí 2017-11-10 13:48:06 UTC
Do you know the steps to reproduce this issue?
Comment 2 m.a.riosv 2017-11-10 15:31:52 UTC
No, I think it was saving a Writer file with a password. But it didn't happen again.
Comment 3 Dieter Praas 2017-11-12 16:41:36 UTC
I'm not a developer, but I assume that it is almost impossible to reproduce this bug without further information. So I propose to close this bug and to reopen it if it happens again and you can give some more information. Do you agree?
Comment 4 Timur 2017-11-14 17:08:09 UTC
https://crashreport.libreoffice.org/stats/signature/SfxSlotPool::GetSlotPool%28SfxViewFrame%20*%29
4204 similar reports! For me it's like confirmation.
Comment 5 Xisco Faulí 2017-11-15 09:15:12 UTC
(In reply to m.a.riosv from comment #2)
> No, I think it was saving a Writer file with a password. But it didn't happen
> again.

Do you think there was something in the clipboard when you tried to save the document?
Comment 6 m.a.riosv 2017-11-16 00:02:38 UTC
Who knows?
Comment 7 Telesto 2018-01-15 14:58:07 UTC
Any relation with bug 100270 ?
Comment 8 Timur 2018-01-16 08:47:37 UTC
It's 10650 reports now, latest for LO 6.0. 
Xisco, in my view, cases like this should be discussed at ESC, maybe as "Most Pressing Bugs". 
And to have it in writing: rules for keeping this open and confirmed, is a number of reports enough and can this ever be resolved like this, only with reports.
Comment 9 Xisco Faulí 2018-01-16 09:22:26 UTC
(In reply to Timur from comment #8)
> It's 10650 reports now, latest for LO 6.0. 
> Xisco, in my view, cases like this should be discussed at ESC, maybe as
> "Most Pressing Bugs". 
> And to have it in writing: rules for keeping this open and confirmed, is a
> number of reports enough and can this ever be resolved like this, only with
> reports.

It has been already mentioned in ESC meeting in the crash reporter section.
Comment 10 Michael Meeks 2018-01-16 12:10:58 UTC
Created attachment 139127 [details]
some rough notes / code-reading.

Not sure that bug is a duplicate no; but I spent a little while chasing this one down. It -looks- from ptr arithmetic from the 0x14 crash-site, as if (somehow) we have a NULL SfxApplication - rather odd. Need to chase further. The crash happens during shutdown.
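
The reasoning in comment 10, as an added example that is not part of the bug thread or of LibreOffice's code: a fault at a small address such as 0x14 is what a member read through a null object pointer looks like, and a guard on the accessor is one way to avoid the dereference during shutdown. `App`, `SlotPool`, `fieldAtFault`, `getSlotPoolGuarded` and the struct layout are hypothetical stand-ins.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical stand-ins; not LibreOffice's real classes or memory layout.
struct SlotPool { int slots; };
struct App {
    std::uint32_t pad[5];   // occupies 0x00..0x13
    std::uint32_t poolId;   // lands at offset 0x14
    SlotPool*     pool;
};

struct Field { const char* name; std::size_t off, size; };
static const Field kAppFields[] = {
    {"pad",    offsetof(App, pad),    sizeof(App::pad)},
    {"poolId", offsetof(App, poolId), sizeof(App::poolId)},
    {"pool",   offsetof(App, pool),   sizeof(App::pool)},
};

// Crash triage: with a null base pointer, the faulting address equals the
// offset of the member being read, so map the address back to a field.
const char* fieldAtFault(std::uintptr_t faultAddr) {
    for (const Field& f : kAppFields)
        if (faultAddr >= f.off && faultAddr < f.off + f.size)
            return f.name;
    return nullptr;  // not a near-null member access on this type
}

static App* g_app = nullptr;  // null once the application object is torn down

// Guarded accessor: callers that run late in shutdown get nullptr back
// instead of reading a member at (null + offset).
SlotPool* getSlotPoolGuarded() {
    App* app = g_app;
    return app ? app->pool : nullptr;
}

int main() {
    const char* f = fieldAtFault(0x14);  // crash-site address quoted in comment 10
    std::printf("fault 0x14 -> App::%s via null base\n", f ? f : "?");
    std::printf("guarded pool during shutdown: %p\n", (void*)getSlotPoolGuarded());
    return 0;
}
```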
Comment 11 Michael Meeks 2018-01-16 15:41:33 UTC
Something of a hack here: https://gerrit.libreoffice.org/48007 may help - hard to say since we can't reproduce this easily. Possibly it only shows on very busy machines where the user events are not processed fully before save (or something) =)
Comment 12 Michael Meeks 2018-01-16 15:42:49 UTC
Created attachment 139132 [details]
more notes ...

Actually - having a large number of writer windows open - perhaps with some floating windows too and then exiting -might- be enough to trigger this - if someone wants to play =)
Comment 13 Commit Notification 2018-01-16 20:26:27 UTC
Michael Meeks committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=ad7e6339e5e5cf465a2ef25442099eb59f1a0deb

tdf#113755 - avoid null ptr de-reference during shutdown.

It will be available in 6.1.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 14 Timur 2018-01-17 08:16:44 UTC
From https://wiki.documentfoundation.org/Releases/5.3.6/RC1 looks like Caolan had some patches for null deref.
Comment 15 Timur 2018-01-19 08:00:59 UTC
Michael, do you think it's safe to backport to 6.0 so we can track reports if they reoccur?
And please comment on my previous message, what are "ofz".
Comment 16 Michael Meeks 2018-01-19 09:55:21 UTC
I back-ported to 6-0 but no 2nd review (yet): https://gerrit.libreoffice.org/48013

> looks like Caolan had some patches for null deref.

It is a favourite programmer's hobby, de-referencing null =)

> And please comment on my previous message, what are "ofz".

OFZ ? =)
Comment 17 Xisco Faulí 2018-01-19 09:59:08 UTC
(In reply to Timur from comment #15)
> Michael, do you think it's safe to backport to 6.0 so we can track reports
> if they reoccur?
> And please comment on my previous message, what are "ofz".

Hi Timur,
The backport to 6-0 is waiting for review in https://gerrit.libreoffice.org/#/c/48013/ and I've just cherry-picked it to 6-0-0 as well -> https://gerrit.libreoffice.org/#/c/48179/.

'ofz' stands for oss-fuzz: https://github.com/google/oss-fuzz
Comment 18 Commit Notification 2018-01-24 16:21:26 UTC
Michael Meeks committed a patch related to this issue.
It has been pushed to "libreoffice-6-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=a747dfef9c723808e12e802a2cc2f5688ab255fa&h=libreoffice-6-0

tdf#113755 - avoid null ptr de-reference during shutdown.

It will be available in 6.0.1.

Comment 19 Commit Notification 2018-01-24 20:26:44 UTC
Michael Meeks committed a patch related to this issue.
It has been pushed to "libreoffice-6-0-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=877d94e5e90bf6599a30aa33e8504e4bcd332654&h=libreoffice-6-0-0

tdf#113755 - avoid null ptr de-reference during shutdown.

It will be available in 6.0.0.

Comment 20 Xisco Faulí 2018-02-01 14:53:54 UTC
It seems the crash is no longer reported in http://crashreport.libreoffice.org/stats/version/6.0.0.3.
@Michael Meeks, I guess we can close it as RESOLVED FIXED now.
backported to 5-4 branch -> https://gerrit.libreoffice.org/#/c/49103/
Comment 21 Commit Notification 2018-02-13 21:01:55 UTC
Michael Meeks committed a patch related to this issue.
It has been pushed to "libreoffice-5-4":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=615f4846751fb669ea28cc092eadfd3842ab3220&h=libreoffice-5-4

tdf#113755 - avoid null ptr de-reference during shutdown.

It will be available in 5.4.6.

Comment 22 Xisco Faulí 2018-02-20 10:59:16 UTC
A polite ping to Michael Meeks: Could you please close it as RESOLVED FIXED? Thanks
Comment 23 Timur 2018-02-20 15:12:58 UTC
(In reply to Xisco Faulí from comment #20)
> It seems the crash is no longer reported in
> http://crashreport.libreoffice.org/stats/version/6.0.0.3.
Bug summary lists 4 reports for 6.0.0.3 and 2 for 6.0.1.1.