Description: Closing a document while a tunneled dialig is shown leads to a crash of the app. I try to add a video to show the issue. Steps to Reproduce: 1. Open a writer document in the iOS App 2. Open a dialog such as the one to format a paragraph style (in english probably something like "edit > paragraph style..." - in German it is "Bearbeiten > Absatzvorlage barbeiten...") 3. Close the document Actual Results: The iOS app crashes Expected Results: The apps should not crash Reproducible: Always User Profile Reset: No Additional Info:
Created attachment 148112 [details] Crash after documents is closed while tunneled dialog is open
Moving to NEW
Looking at this now.
Problem is that a SfxItemPool object is destructed at: > #0 0x000000010228ece0 in SfxItemPool::~SfxItemPool() at /Volumes/TML13/lo/ios-optimised-cp-6.0/svl/source/items/itempool.cxx:333 > #1 0x000000010281cec4 in SwAttrPool::~SwAttrPool() [inlined] at /Volumes/TML13/lo/ios-optimised-cp-6.0/sw/source/core/attr/swatrset.cxx:59 > #2 0x000000010281cec0 in SwAttrPool::~SwAttrPool() at /Volumes/TML13/lo/ios-optimised-cp-6.0/sw/source/core/attr/swatrset.cxx:59 > #3 0x000000010228ff60 in SfxItemPool::Free(SfxItemPool*) at /Volumes/TML13/lo/ios-optimised-cp-6.0/svl/source/items/itempool.cxx:366 > #4 0x00000001028905c0 in SwDoc::~SwDoc() at /Volumes/TML13/lo/ios-optimised-cp-6.0/sw/source/core/doc/docnew.cxx:600 > #5 0x000000010285de44 in SwDoc::release() at /Volumes/TML13/lo/ios-optimised-cp-6.0/sw/source/core/doc/doc.cxx:151 > #6 0x0000000102cee2bc in rtl::Reference<SwDoc>::clear() at /Volumes/TML13/lo/ios-optimised-cp-6.0/include/rtl/ref.hxx:157 > #7 0x0000000102cee01c in SwDocShell::RemoveLink() at /Volumes/TML13/lo/ios-optimised-cp-6.0/sw/source/uibase/app/docshini.cxx:466 > #8 0x0000000102cede90 in SwDocShell::~SwDocShell() at /Volumes/TML13/lo/ios-optimised-cp-6.0/sw/source/uibase/app/docshini.cxx:393 > #9 0x0000000102cee098 in SwDocShell::~SwDocShell() at /Volumes/TML13/lo/ios-optimised-cp-6.0/sw/source/uibase/app/docshini.cxx:383 > #10 0x0000000102cee0f0 in SwDocShell::~SwDocShell() at /Volumes/TML13/lo/ios-optimised-cp-6.0/sw/source/uibase/app/docshini.cxx:383 > #11 0x00000001020742f8 in tools::SvRef<SfxObjectShell>::~SvRef() at /Volumes/TML13/lo/ios-optimised-cp-6.0/include/tools/ref.hxx:56 > #12 0x00000001020293e8 in tools::SvRef<SfxObjectShell>::~SvRef() [inlined] at /Volumes/TML13/lo/ios-optimised-cp-6.0/include/tools/ref.hxx:55 > #13 0x00000001020293e4 in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() at /Volumes/TML13/lo/ios-optimised-cp-6.0/sfx2/source/doc/sfxbasemodel.cxx:237 > #14 0x000000010202926c in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() [inlined] at /Volumes/TML13/lo/ios-optimised-cp-6.0/sfx2/source/doc/sfxbasemodel.cxx:236 > #15 0x0000000102029268 in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() at /Volumes/TML13/lo/ios-optimised-cp-6.0/sfx2/source/doc/sfxbasemodel.cxx:236 > #16 0x0000000102029e38 in std::__1::__shared_count::__release_shared() [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:3490 > #17 0x0000000102029e10 in std::__1::__shared_weak_count::__release_shared() [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:3532 > #18 0x0000000102029e10 in std::__1::shared_ptr<IMPL_SfxBaseModel_DataContainer>::~shared_ptr() at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:4468 > #19 0x0000000102018e84 in std::__1::shared_ptr<IMPL_SfxBaseModel_DataContainer>::~shared_ptr() [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:4466 > #20 0x0000000102018e7c in std::__1::shared_ptr<IMPL_SfxBaseModel_DataContainer>::reset() [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:4603 > #21 0x0000000102018e68 in SfxBaseModel::dispose() at /Volumes/TML13/lo/ios-optimised-cp-6.0/sfx2/source/doc/sfxbasemodel.cxx:761 > #22 0x000000010201b2e4 in SfxBaseModel::close(unsigned char) at /Volumes/TML13/lo/ios-optimised-cp-6.0/sfx2/source/doc/sfxbasemodel.cxx:1367 > #23 0x0000000102e0cb34 in SwXTextDocument::close(unsigned char) at /Volumes/TML13/lo/ios-optimised-cp-6.0/sw/source/uibase/uno/unotxdoc.cxx:632 > #24 0x0000000102018ea4 in SfxBaseModel::dispose() at /Volumes/TML13/lo/ios-optimised-cp-6.0/sfx2/source/doc/sfxbasemodel.cxx:722 > #25 0x000000010213a724 in desktop::LibLODocument_Impl::~LibLODocument_Impl() at /Volumes/TML13/lo/ios-optimised-cp-6.0/desktop/source/lib/init.cxx:886 > #26 0x000000010213a7dc in desktop::LibLODocument_Impl::~LibLODocument_Impl() at /Volumes/TML13/lo/ios-optimised-cp-6.0/desktop/source/lib/init.cxx:885 > #27 0x000000010212cc2c in doc_destroy(_LibreOfficeKitDocument*) at /Volumes/TML13/lo/ios-optimised-cp-6.0/desktop/source/lib/init.cxx:1471 > #28 0x00000001006e4ccc in lok::Document::~Document() at /Volumes/TML13/lo/ios-optimised-cp-6.0/include/LibreOfficeKit/LibreOfficeKit.hxx:41 > #29 0x00000001006e4c88 in lok::Document::~Document() at /Volumes/TML13/lo/ios-optimised-cp-6.0/include/LibreOfficeKit/LibreOfficeKit.hxx:40 > #30 0x00000001006e4a38 in std::__1::default_delete<lok::Document>::operator()(lok::Document*) const [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:2285 > #31 0x00000001006e4a20 in std::__1::__shared_ptr_pointer<lok::Document*, std::__1::default_delete<lok::Document>, std::__1::allocator<lok::Document> >::__on_zero_shared() at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:3586 > #32 0x00000001005157c0 in std::__1::__shared_count::__release_shared() [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:3490 > #33 0x0000000100515750 in std::__1::__shared_weak_count::__release_shared() [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:3532 > #34 0x0000000100515744 in std::__1::shared_ptr<lok::Document>::~shared_ptr() at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:4468 > #35 0x00000001004cebfc in std::__1::shared_ptr<lok::Document>::~shared_ptr() at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:4466 > #36 0x00000001006b2fd8 in std::__1::shared_ptr<lok::Document>::reset() [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:4603 > #37 0x00000001006b2f1c in Document::onUnload(ChildSession const&) at /Volumes/TML13/lo/online-ios-co-4/kit/Kit.cpp:1446 > #38 0x00000001004c1f28 in ChildSession::disconnect() at /Volumes/TML13/lo/online-ios-co-4/kit/ChildSession.cpp:94 > #39 0x00000001004c1d70 in ChildSession::~ChildSession() at /Volumes/TML13/lo/online-ios-co-4/kit/ChildSession.cpp:83 > #40 0x00000001004c270c in ChildSession::~ChildSession() at /Volumes/TML13/lo/online-ios-co-4/kit/ChildSession.cpp:80 > #41 0x00000001006ef8cc in std::__1::__shared_ptr_emplace<ChildSession, std::__1::allocator<ChildSession> >::__on_zero_shared() at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:3656 > #42 0x00000001006b9fd4 in std::__1::__shared_count::__release_shared() [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:3490 > #43 0x00000001006b9f64 in std::__1::__shared_weak_count::__release_shared() [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:3532 > #44 0x00000001006b9f58 in std::__1::shared_ptr<ChildSession>::~shared_ptr() at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:4468 > #45 0x00000001006b9f08 in std::__1::shared_ptr<ChildSession>::~shared_ptr() at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:4466 > #46 0x00000001006c7b88 in std::__1::shared_ptr<ChildSession>::reset() [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/memory:4603 > #47 0x00000001006c7acc in Document::forwardToChild(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char, std::__1::allocator<char> > const&) at /Volumes/TML13/lo/online-ios-co-4/kit/Kit.cpp:1818 > #48 0x00000001006aa3b8 in Document::run() at /Volumes/TML13/lo/online-ios-co-4/kit/Kit.cpp:1939 > #49 0x0000000104255fbc in Poco::(anonymous namespace)::RunnableHolder::run() at /Users/tml/src/poco-1.9.0/Foundation/src/Thread.cpp:55 > #50 0x0000000104253940 in Poco::ThreadImpl::runnableEntry(void*) at /Users/tml/src/poco-1.9.0/Foundation/src/Thread_POSIX.cpp:345 > #51 0x0000000195a5025c in _pthread_body () > #52 0x0000000195a501bc in _pthread_start () > #53 0x0000000195a53cf4 in thread_start () but then still accessed at: > #0 0x0000000102295500 in SfxItemPool::GetFrozenIdRanges() const at /Volumes/TML13/lo/ios-optimised-cp-6.0/svl/source/items/itempool.cxx:858 > #1 0x00000001022a0234 in SfxItemSet::~SfxItemSet() at /Volumes/TML13/lo/ios-optimised-cp-6.0/svl/source/items/itemset.cxx:245 > #2 0x00000001022a02e4 in SfxItemSet::~SfxItemSet() [inlined] at /Volumes/TML13/lo/ios-optimised-cp-6.0/svl/source/items/itemset.cxx:222 > #3 0x00000001022a02e0 in SfxItemSet::~SfxItemSet() at /Volumes/TML13/lo/ios-optimised-cp-6.0/svl/source/items/itemset.cxx:222 > #4 0x0000000101f947c8 in SfxTabDialog::dispose() at /Volumes/TML13/lo/ios-optimised-cp-6.0/sfx2/source/dialog/tabdlg.cxx:376 > #5 0x0000000101d622cc in VclPtr<vcl::Window>::disposeAndClear() at /Volumes/TML13/lo/ios-optimised-cp-6.0/include/vcl/vclptr.hxx:208 > #6 0x00000001034904a0 in vcl::LazyDeletor::~LazyDeletor() at /Volumes/TML13/lo/ios-optimised-cp-6.0/include/vcl/lazydelete.hxx:148 > #7 0x000000010348f1b0 in vcl::LazyDeletor::~LazyDeletor() at /Volumes/TML13/lo/ios-optimised-cp-6.0/include/vcl/lazydelete.hxx:122 > #8 0x000000010348f1e4 in vcl::LazyDeletor::~LazyDeletor() at /Volumes/TML13/lo/ios-optimised-cp-6.0/include/vcl/lazydelete.hxx:122 > #9 0x00000001037fcba8 in vcl::LazyDelete::flush() at /Volumes/TML13/lo/ios-optimised-cp-6.0/vcl/source/helper/lazydelete.cxx:52 > #10 0x0000000103810cf4 in ImplYield(bool, bool) at /Volumes/TML13/lo/ios-optimised-cp-6.0/vcl/source/app/svapp.cxx:478 > #11 0x0000000103810ab0 in Application::Execute() at /Volumes/TML13/lo/ios-optimised-cp-6.0/vcl/source/app/svapp.cxx:449 > #12 0x0000000102112500 in desktop::Desktop::Main() at /Volumes/TML13/lo/ios-optimised-cp-6.0/desktop/source/app/app.cxx:1642 > #13 0x00000001038153c0 in ImplSVMain() at /Volumes/TML13/lo/ios-optimised-cp-6.0/vcl/source/app/svmain.cxx:281 > #14 0x0000000103816430 in SVMain() at /Volumes/TML13/lo/ios-optimised-cp-6.0/vcl/source/app/svmain.cxx:319 > #15 0x0000000102124080 in ::soffice_main() at /Volumes/TML13/lo/ios-optimised-cp-6.0/desktop/source/app/sofficemain.cxx:167 > #16 0x0000000102186d50 in lo_startmain(void*) at /Volumes/TML13/lo/ios-optimised-cp-6.0/desktop/source/lib/init.cxx:4371 > #17 0x0000000103191958 in osl_thread_start_Impl(void*) at /Volumes/TML13/lo/ios-optimised-cp-6.0/sal/osl/unx/thread.cxx:234 > #18 0x0000000195a5025c in _pthread_body () > #19 0x0000000195a501bc in _pthread_start () > #20 0x0000000195a53cf4 in thread_start ()
Created attachment 150095 [details] Patch attempt Tried this, did not work, cause heap corruption, sigh. Not sure whether I should continue this approach or try something completely different. Maybe that SfxItemPoolUser/AddSfxItemPoolUser/RemoveSfxItemPoolUser mechanism is crack that was just one guy's idea back in the days, and that he used only in one corner case (it is used only by some very limited stuff in editeng, which isn't a good sign, is it?) and it isn't usable in general.... Kendy talks about LOKNotifier, maybe that is a better idea? > Yeah, I meant in core - something similar to the code that does "when the window has no LOKNotifier, cancel it right away" > Just iterate through the list of the windows that have the LOKNotifier, and cancel them (?) > But hmm, when I look at that, there it just immediately returns false from ImplStartExecute() > [Still, the iteration over the LOKNotifiers would be possible, if it helps in any way.]
A wild idea would of course be to change the horrible mess of raw pointers and references between the types involved to use smart pointers (std::shared_ptr) instead, but I wouldn't be surprised if there are circular references involved, so that would likely lead to leaks.
Tor Lillqvist committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/online/+/e9ca86de8531aeec7458578ee6e932aae11260ca%5E%21 tdf#122544: Disable the 'closemobile' button while tunnelled dialog is showing
The above somewhat ugly workaround fixes the issue. Patch applied also in the cp-6.0 branch.
I mean collabora-online-4 branch, not cp-6.0. That change was to online, not core.
Nicolas, please mark as verified when you have eventually verified that the bug is gone.
I suggest to also disable the menu entry "File > Close document" ("Datei > Dokument schliessen" in German) - this one still leads to the crash.
Created attachment 150137 [details] Menu entry "close document" still triggers the crash
(In reply to Nicolas Christener from comment #11) > I suggest to also disable the menu entry "File > Close document" ("Datei > > Dokument schliessen" in German) - this one still leads to the crash. Hello Nicolas, Would you mind reporting the mentioned problem in a new ticket ? Normally we try to have one problem per ticket. Closing as RESOLVED FIXED as the reported problem in the ticket was fixed by Tor.
(In reply to Xisco Faulí from comment #13) > (In reply to Nicolas Christener from comment #11) > > I suggest to also disable the menu entry "File > Close document" ("Datei > > > Dokument schliessen" in German) - this one still leads to the crash. > > Hello Nicolas, > Would you mind reporting the mentioned problem in a new ticket ? Normally we > try to have one problem per ticket. > Closing as RESOLVED FIXED as the reported problem in the ticket was fixed by > Tor. IMHO its still the same root issue, but of course I'm happy to create a new ticket. Thanks for your support.