This bug was filed from the crash reporting server and is br-6039fa92-6ecf-4aa6-b103-fca397897c75. ========================================= LO crashes after opening a Calc instance and then closing the document (Ctrl-W) without doing anything else (not even clicking on any empty cell). Just open a Calc document from the Calc shortcut, wait for it to load, then Ctrl-W. Crash.
Thank you for reporting the bug. Please attach a sample document, as this makes it easier for us to verify the bug. I have set the bug's status to 'NEEDINFO'. Please change it back to 'UNCONFIRMED' once the requested document is provided. (Please note that the attachment will be public, remove any sensitive information before attaching it. See https://wiki.documentfoundation.org/QA/FAQ#How_can_I_eliminate_confidential_data_from_a_sample_document.3F for help on how to do so.)
Xisco, there's no need for a sample document. An empty document or *any* ODS document will do. Calc crashes just by opening it and then closing the empty default document!
(In reply to skagon from comment #2) > Xisco, there's no need for a sample document. An empty document or *any* ODS > document will do. Calc crashes just by opening it and then closing the empty > default document! No repro Version: 7.1.2.2 / LibreOffice Community Build ID: 8a45595d069ef5570103caea1b71cc9d82b2aae4 CPU threads: 8; OS: Linux 5.3; UI render: default; VCL: kf5 Locale: en-US (en_US.UTF-8); UI: en-US Calc: threaded Please try to reset your user profile: https://wiki.documentfoundation.org/UserProfile
Created attachment 171585 [details] Spreadsheet opened prior to crash being experienced It happened here, too, in the same situation - just open calc and close it again. https://crashreport.libreoffice.org/stats/crash_details/5e8227d5-0310-4f72-8fd0-7ec7aa11f208 I had, however, previously opened the attached document and clicked through all the tabs, in case it matters. This was the crash from that instance: https://crashreport.libreoffice.org/stats/crash_details/373be4ee-4131-4254-9770-f3cfa0d397c2 This is, deliberately (because it's smaller) the 32-bit version on 64-bit Windows. I don't think it should really crash whatever the profile is. It appears to be happening at process cleanup, not loading the profile.
*** Bug 141403 has been marked as a duplicate of this bug. ***
*** Bug 142024 has been marked as a duplicate of this bug. ***
New by duplicates.
*** Bug 142030 has been marked as a duplicate of this bug. ***
Could you please paste the info from Help - about LibreOffice ? I have set the bug's status to 'NEEDINFO'. Please change it back to 'UNCONFIRMED' once the information has been provided
From bug 141403: Version: 7.1.1.2 (x64) / LibreOffice Community Build ID: fe0b08f4af1bacafe4c7ecc87ce55bb426164676 CPU threads: 8; OS: Windows 10.0 Build 19041; UI render: Skia/Raster; VCL: win Locale: es-ES (es_ES); UI: es-ES Calc: CL Detailed status of reporter of bug 142024 in bug 142022: Version: 7.1.2.2 (x64) / LibreOffice Community Build ID: 8a45595d069ef5570103caea1b71cc9d82b2aae4 CPU threads: 8; OS: Windows 10.0 Build 19042; UI render: Skia/Vulkan; VCL: win Locale: fr-FR (fr_FR); UI: fr-FR Calc: threaded
For those who reproduce this issue. Do you reproduce it if you disable SKIA from Tools - Options - View ?
(In reply to Xisco Faulí from comment #11) > For those who reproduce this issue. > Do you reproduce it if you disable SKIA from Tools - Options - View ? Yes
Yes, repeatably; here are crash reports: https://crashreport.libreoffice.org/stats/crash_details/eabb9e50-2e65-41f2-9a39-5ad879b328be https://crashreport.libreoffice.org/stats/crash_details/7cc4c35a-679e-484d-80f1-2a529fe1b643
Given the call stack, I tried to disable assistive technologies; however, this setting does not stick (the checkbox can be deselected but it returns on reopening the dialog or restarting the application). I noticed there was a new version; it also reproduces on 7.1.3.2 https://crashreport.libreoffice.org/stats/crash_details/bea8c5ec-1481-4798-9e78-05ee5003b8f1
(In reply to Xisco Faulí from comment #9) > Could you please paste the info from Help - about LibreOffice ? > > I have set the bug's status to 'NEEDINFO'. Please change it back to > 'UNCONFIRMED' once the information has been provided Here it is from me: Version: 7.1.3.2 (x64) / LibreOffice Community Build ID: 47f78053abe362b9384784d31a6e56f8511eb1c1 CPU threads: 8; OS: Windows 10.0 Build 19042; UI render: Skia/Vulkan; VCL: win Locale: el-GR (en_GB); UI: en-GB Calc: CL
Version: 7.1.3.2 (x86) / LibreOffice Community Build ID: 47f78053abe362b9384784d31a6e56f8511eb1c1 CPU threads: 2; OS: Windows 10.0 Build 19042; UI render: default; VCL: win Locale: en-US (en_US); UI: en-GB Calc: threaded
*** Bug 141624 has been marked as a duplicate of this bug. ***
I guess this should be NEW now with so many dupes
*** Bug 142022 has been marked as a duplicate of this bug. ***
Question for those reporting this issue, which is your java version in Tools - Options - Advanced, if any ?
I have: Oracle Corporation version 1.8.0_291 under Program Files (x86).
(In reply to Xisco Faulí from comment #20) > Question for those reporting this issue, which is your java version in Tools > - Options - Advanced, if any ? I have none.
(In reply to Xisco Faulí from comment #20) > Question for those reporting this issue, which is your java version in Tools > - Options - Advanced, if any ? I don't have any.
WinDbg stack traces available in attachment 171588 [details] (7.1.1.2) and attachment 171589 [details] (7.1.3.2) from dupe bug 142022 -- regression as same W10 Pro 64 20H2 (Version 10.0.19042 Build 19042) with 7.0.5.2 build has no issues. Not a driver or old hardware issue.
I still can not reproduce on a range of Windows 10 systems with mix of CPUs and GPUs. However for those affected, the minidump crash reporter signature [1] shows this signature pretty solidly from 7.1.0.3 release build. Affecting a mix of AMD and Intel based CPUs, and AMD-Intel-nVidia GPUs. =-ref-= [1] https://crashreport.libreoffice.org/stats/signature/cppu::OInterfaceContainerHelper::disposeAndClear(com::sun::star::lang::EventObject%20const%20&)
Here I have encoded the ampersand in the crash report link so that it works properly: https://crashreport.libreoffice.org/stats/signature/cppu::OInterfaceContainerHelper::disposeAndClear(com::sun::star::lang::EventObject%20const%20%26)
Note that the Bugzilla linkifier isn’t including the closing paren in the link so you will have to add that manually in the location bar of your web browser.
(In reply to V Stuart Foote from comment #24) > WinDbg stack traces available in attachment 171588 [details] (7.1.1.2) and > attachment 171589 [details] (7.1.3.2) from dupe bug 142022 quoting the usable backtrace from attachment 171589 [details] for easier consumption: > INVALID_POINTER_READ > Tid [0x5d90] > Frame [0x00]: cppuhelper3MSC!cppu::OInterfaceContainerHelper::disposeAndClear > > > LAST_CONTROL_TRANSFER: from 00007ff835aceca4 to 00007ff835aceb3a > > STACK_TEXT: > 00000080`fd38e050 00007ff8`35aceca4 : 00000000`00000000 00000080`fd38e1d8 000001ef`23379818 000001ef`29de0920 : cppuhelper3MSC!cppu::OInterfaceContainerHelper::disposeAndClear+0x12a > 00000080`fd38e0e0 00007ff8`35ac7dec : 000001ef`29de0920 000001ef`23379760 000001ef`23379818 00007ff8`638a0352 : cppuhelper3MSC!cppu::OMultiTypeInterfaceContainerHelper::disposeAndClear+0xb4 > 00000080`fd38e130 00007ff8`08fbf177 : 000001ef`23379790 000001ef`23379760 00000000`00000000 000001ef`23379760 : cppuhelper3MSC!cppu::WeakAggComponentImplHelperBase::dispose+0xac > 00000080`fd38e1d0 00007ff8`08ee8a0c : 000001ef`29bebf90 000001ef`2b751390 000001ef`2bdd9fe0 00007ff8`08ee896c : mergedlo!vcl::Window::dispose+0x657 > 00000080`fd38e340 00007ff8`08ed7d8b : 00000000`00000000 000001ef`2b751390 000001ef`29ccd180 00000000`00000001 : mergedlo!VclBuilder::disposeBuilder+0xbc > 00000080`fd38e390 00007ff8`0930daae : 000001ef`29ccd180 000001ef`29ccd180 000001ef`2a3e1008 00000000`00008000 : mergedlo!VclBuilder::~VclBuilder+0x1b > 00000080`fd38e3c0 00007ff8`09017037 : 000001ef`29e03b90 00000000`00000000 000001ef`2a3e1008 000001ef`29e03e08 : mergedlo!weld::Window::~Window+0x5ade > 00000080`fd38e400 00007ff8`03093d17 : 000001ef`29e03b90 000001ef`29e03b90 00000080`fd38e4e9 000001ef`29de0150 : mergedlo!InterimItemWindow::dispose+0x67 > 00000080`fd38e440 00007ff8`06f751ff : 00000000`00000000 000001ef`2a3e0b00 00000000`ffffffff 00007ff8`06f7519c : sclo!ScFieldEditEngine::SetExecuteURL+0x2527 > 00000080`fd38e550 00007ff8`07e19cb7 : 000001ef`2a3e0b00 00000000`00008000 00000080`fd38e4f0 00007ff8`07e19c10 : mergedlo!basicide_handle_basic_error+0x103af > 00000080`fd38e580 00007ff8`0308be6e : 00000000`00000001 00000080`fd38e729 00000000`0000ffff 000001ef`2bda30e0 : mergedlo!SfxChildWindow::~SfxChildWindow+0xc7 > 00000080`fd38e5b0 00007ff8`07e60bb1 : 000001ef`2bda30e0 000001ef`2bda30e0 00000000`0000ffff 00000000`00000001 : sclo!ScViewData::SetPasteMode+0xce4e > 00000080`fd38e5e0 00007ff8`080c9dea : 000001ef`29fe6650 00000000`00000000 000001ef`29bebf90 00007ff8`080c9dc0 : mergedlo!com_sun_star_comp_desktop_QuickstartWrapper_get_implementation+0x5b01 > 00000080`fd38e690 00007ff8`080e5cd7 : 000001ef`2a8e6900 000001ef`2a8e6900 00000080`fd38e729 000001ef`1b40ee90 : mergedlo!SfxFrame::DoClose_Impl+0x3a > 00000080`fd38e6c0 00007ff8`079a3ebb : 000001ef`29e02620 000001ef`2a8e68d8 000001ef`2a8e68d8 00000000`00000000 : mergedlo!SfxBaseController::dispose+0x4e7 > 00000080`fd38e790 00007ff8`0789d8fe : 000001ef`1cfddbf0 00000080`fd38e860 00000080`fd38e8c8 00000080`fd38e801 : mergedlo!framework_DispatchHelper_get_implementation+0xcf5b > 00000080`fd38e840 00007ff8`0789d1a4 : 000001ef`1cfddbf0 000001ef`2a984838 000001ef`1baf7970 000001ef`227991f0 : mergedlo!com_sun_star_comp_framework_ModuleAcceleratorConfiguration_get_implementation+0xeede > 00000080`fd38e8c0 00007ff8`0789c43c : 000001ef`22666dc8 000001ef`22666df8 000001ef`2a984301 00007ff8`06ee3e01 : mergedlo!com_sun_star_comp_framework_ModuleAcceleratorConfiguration_get_implementation+0xe784 > 00000080`fd38eaf0 00007ff8`079965fe : 00000000`00000000 000001ef`2a984360 00000080`fd38ec19 000001ef`2a984d48 : mergedlo!com_sun_star_comp_framework_ModuleAcceleratorConfiguration_get_implementation+0xda1c > 00000080`fd38eb50 00007ff8`07996aff : 000001ef`2266ed01 00000080`fd38ee10 000001ef`2a984358 00000080`fd38ecb0 : mergedlo!com_sun_star_comp_framework_Desktop_get_implementation+0x12be > 00000080`fd38ec70 00007ff8`079361d3 : 000001ef`2a984350 00000000`00000000 000001ef`2266e700 00007ff8`07996710 : mergedlo!com_sun_star_comp_framework_Desktop_get_implementation+0x17bf > 00000080`fd38edb0 00007ff8`08fc93e0 : 00007ff8`638d50a0 ffffffff`ffff8001 000001ef`1cfddbd8 000001ef`2266f030 : mergedlo!com_sun_star_comp_framework_JobExecutor_get_implementation+0x5863 > 00000080`fd38ee60 00007ff8`0947ca3c : 000001ef`19c1c820 000001ef`1c1e58c0 00000000`00000000 00000000`00000246 : mergedlo!FloatingWindow::ImplSetMouseDown+0xc80 > 00000080`fd38f1e0 00007ff8`135b1a02 : 00000000`00000482 00000000`00000000 00000000`00000482 00000000`00000000 : mergedlo!SalFrame::CallCallback+0x1c > 00000080`fd38f210 00007ff8`135b225d : 00000000`00000000 00000000`00000000 00000000`00000000 00000080`fd38f4a8 : vclplug_winlo!dtrans_CWinClipboard_get_implementation+0x4b072 > 00000080`fd38f370 00007ff8`6c3fe858 : 00000000`000d0a7e 00007ff8`00000482 00000000`00000000 000001ef`226677c0 : vclplug_winlo!dtrans_CWinClipboard_get_implementation+0x4b8cd > 00000080`fd38f3e0 00007ff8`6c3fe299 : 00000000`00003dff 00007ff8`135b2210 00000000`000d0a7e 000001ef`00000482 : USER32!UserCallWinProcCheckWow+0x2f8 > 00000080`fd38f570 00007ff8`1353bd84 : 00007ff8`135b2210 00000000`00000001 00000000`00000000 00000000`00000001 : USER32!DispatchMessageWorker+0x249 > 00000080`fd38f5f0 00007ff8`1353b951 : 00007ff8`0b534101 00000000`00000001 00000000`00000001 000001ef`1b41a130 : vclplug_winlo+0x1bd84 > 00000080`fd38f680 00007ff8`0934e964 : 00000080`00000001 00007ff8`0b534110 00000000`0000ffff 00000000`00000000 : vclplug_winlo+0x1b951 > 00000080`fd38f6b0 00007ff8`08116135 : 000001ef`00000000 000001ef`1d460780 000001ef`1d45fd00 000001ef`1baf7970 : mergedlo!Application::Execute+0x164 > 00000080`fd38f710 00007ff8`0935dcd7 : 000001ef`1cc7da60 00007ff8`0b4ef270 00000000`00000000 00007ff8`0b534110 : mergedlo!SfxTabPage::set_visible+0x5795 > 00000080`fd38fa60 00007ff8`081378a3 : 000001ef`00000000 000001ef`177c0970 00007ff8`0b4ef270 00000000`00000000 : mergedlo!ImplSVMain+0x67 > 00000080`fd38fa90 00007ff7`1d6c105b : 000001ef`1afe6180 00000000`00000012 000001ef`177c0970 00007ff7`1d6c104c : mergedlo!soffice_main+0x133 > 00000080`fd38fb40 00007ff7`1d6c1308 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : soffice!main+0x1b > 00000080`fd38fb70 00007ff8`6c347034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : soffice!main+0x2c8 > 00000080`fd38fbb0 00007ff8`6e322651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14 > 00000080`fd38fbe0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
*** Bug 142691 has been marked as a duplicate of this bug. ***
Common to reporters is Windows 10.0.19042. Best would be to bibisect this crash, if someone can do it. Otherwise, maybe to try 10.0.19043.
Reporters, if you are using Dark mode or some customization, please write.
Comment from dup bug 142691: I did the clean user profile run and recreated the crash. My log: Reset to factory settings Reset settings and user interface modifications Reset entire user profile Continue in Safe Mode Edited and saved the spreadsheet in question. No issues until I closed that window. I then got a window titled "LibreOffice 7.1 Document Recovery" with "Due to an error, LibreOffice crashed. All the files you were working on will now be saved. The next time LibreOffice is launched, your files will be recovered automatically. The following files will be recovered:" with an empty list of files. I started LibreOffice Calc again and got the "Crash Report". I did not select to "Restart LibreOffice to enter safe mode" and clicked on the "Do Not Send" button. A blank spreadsheet opened up. When I clicked the "X" to close it, it crashed again. When I tried to restart, it entered a loop of starts and crashes. The splash window shows with the various status items. The last one to show before it crashes again is "Enabling: Wiki Publisher". Used Task Manager to kill LibreOffice.
(In reply to Timur from comment #30) > Common to reporters is Windows 10.0.19042. > Best would be to bibisect this crash, if someone can do it. > Otherwise, maybe to try 10.0.19043. No it is not. Reviewing the minidump crash reports [1] the details tabs show it is Windows 7, 8.1 and 10 including the latest 10.0.19043 build, while the meta tabs show it to affect both AMD & Intel CPU with a mix of AMD-Intel-nVidia GPUs--so unlikely anything to do with Windows desktop environment settings. Still the volume of incedents is relatively low, not clear what mechanisim is causing this. It could be a LibreOffice locale (e.g. spellcheck/grammar check), or externally a Windows helper/framework, or even an AV instance. Would be nice if someone affected can run the bibisect process [2] unfortunately I have been unaffected on six different Windows systems thus far and can't. =-ref-= [1] "https://crashreport.libreoffice.org/stats/signature/cppu::OInterfaceContainerHelper::disposeAndClear(com::sun::star::lang::EventObject%20const%20%26)" [2] work against bibisect-win64-7.1 -- with instructions as in https://wiki.documentfoundation.org/QA/Bibisect/Windows
I will try to have a look at it; unfortunately it is only downloading at 1.0-1.6MiB/sec for some reason, and so only 25% of the 256363 objects have been received thus far. Hopefully it will reproduce for me as well under x86_64, as I have been using the 32-bit build as noted above and there is no bisect repository for that.
Bibisect of crash succeeded on bibisect-win64-7.1 If I'm reading it right, this is the bad commit https://git.libreoffice.org/core/+/e087e25f05e689091cbf1c4f91b6e93878ac17ec Change: https://gerrit.libreoffice.org/c/core/+/104037 Changes were made to disposal-related code in sc/source/ui/Accessibility/AccessibleText.cxx and sc/source/ui/app/inputwin.cxx among various other modifications. This seems like it might correlate to crashes within VCLXAccessibleTextComponent::disposing() in https://crashreport.libreoffice.org/stats/crash_details/eabb9e50-2e65-41f2-9a39-5ad879b328be Adding Cc: to Caolán McNamara <caolanm@redhat.com> --- weld InputBar this also restores that DnD of a selection from the inputbar is pasted as plain text not rich text formatted with the happenstance formatting of the inputbar's EditEngine Change-Id: If4934f83c14357afec2e0a7e1d51c8a1aea1d292 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/104037 Tested-by: Caolán McNamara <caolanm@redhat.com> Reviewed-by: Caolán McNamara <caolanm@redhat.com> tree: 8adb7ccbfa34e45e549a17bd9ee0a85067db1671 --- Bisect output: 23127f0640852e8db00361827a2c1257381d11d6 is the first bad commit commit 23127f0640852e8db00361827a2c1257381d11d6 Author: Norbert Thiebaud <nthiebaud@gmail.com> Date: Fri Oct 16 04:09:52 2020 -0700 source sha:e087e25f05e689091cbf1c4f91b6e93878ac17ec source sha:e087e25f05e689091cbf1c4f91b6e93878ac17ec instdir/program/basctllo.dll | Bin 1814528 -> 1814528 bytes instdir/program/chartcontrollerlo.dll | Bin 3416064 -> 3416064 bytes instdir/program/chartcorelo.dll | Bin 4113408 -> 4113408 bytes instdir/program/cuilo.dll | Bin 4847616 -> 4847616 bytes instdir/program/dbulo.dll | Bin 4796928 -> 4796928 bytes instdir/program/editenglo.dll | Bin 2950144 -> 2950144 bytes instdir/program/frmlo.dll | Bin 3028480 -> 3028480 bytes instdir/program/msfilterlo.dll | Bin 1287680 -> 1287680 bytes instdir/program/mswordlo.dll | Bin 3470336 -> 3470336 bytes instdir/program/ooxlo.dll | Bin 5701632 -> 5701632 bytes instdir/program/pcrlo.dll | Bin 1814016 -> 1814016 bytes instdir/program/rptlo.dll | Bin 1408000 -> 1408000 bytes instdir/program/rptuilo.dll | Bin 1672192 -> 1672192 bytes instdir/program/rptxmllo.dll | Bin 609792 -> 609792 bytes instdir/program/scfiltlo.dll | Bin 6928384 -> 6928384 bytes instdir/program/sclo.dll | Bin 21195776 -> 21190656 bytes instdir/program/scuilo.dll | Bin 1022976 -> 1022976 bytes instdir/program/sdfiltlo.dll | Bin 997888 -> 997888 bytes instdir/program/sdlo.dll | Bin 8723456 -> 8723456 bytes instdir/program/sduilo.dll | Bin 721408 -> 721408 bytes instdir/program/setup.ini | 2 +- instdir/program/smlo.dll | Bin 1624576 -> 1624576 bytes instdir/program/sofficeapp.dll | Bin 1530880 -> 1530880 bytes instdir/program/svgfilterlo.dll | Bin 1053184 -> 1053184 bytes instdir/program/svxcorelo.dll | Bin 10199040 -> 10199040 bytes instdir/program/svxlo.dll | Bin 4450816 -> 4450816 bytes instdir/program/swlo.dll | Bin 19734016 -> 19734016 bytes instdir/program/swuilo.dll | Bin 2975232 -> 2975232 bytes instdir/program/vbaobjlo.dll | Bin 2129408 -> 2129408 bytes instdir/program/vbaswobjlo.dll | Bin 1656832 -> 1656832 bytes instdir/program/version.ini | 2 +- instdir/program/writerfilterlo.dll | Bin 3244544 -> 3244544 bytes instdir/share/config/images_breeze.zip | Bin 1886483 -> 1886483 bytes instdir/share/config/images_breeze_dark.zip | Bin 1882148 -> 1882148 bytes instdir/share/config/images_breeze_dark_svg.zip | Bin 1565502 -> 1565502 bytes instdir/share/config/images_breeze_svg.zip | Bin 1563025 -> 1563025 bytes instdir/share/config/images_colibre.zip | Bin 2771260 -> 2771260 bytes instdir/share/config/images_colibre_svg.zip | Bin 2864630 -> 2864630 bytes instdir/share/config/images_elementary.zip | Bin 4065290 -> 4065290 bytes instdir/share/config/images_elementary_svg.zip | Bin 5060922 -> 5060922 bytes instdir/share/config/images_karasa_jaga.zip | Bin 4882540 -> 4882540 bytes instdir/share/config/images_karasa_jaga_svg.zip | Bin 19311495 -> 19311495 bytes instdir/share/config/images_sifr.zip | Bin 2102952 -> 2102952 bytes instdir/share/config/images_sifr_dark.zip | Bin 2104828 -> 2104828 bytes instdir/share/config/images_sifr_dark_svg.zip | Bin 1754690 -> 1754690 bytes instdir/share/config/images_sifr_svg.zip | Bin 1750825 -> 1750825 bytes instdir/share/config/images_sukapura.zip | Bin 3041377 -> 3041377 bytes instdir/share/config/images_sukapura_svg.zip | Bin 4346564 -> 4346564 bytes .../soffice.cfg/modules/scalc/ui/inputbar.ui | 122 +++++++++++++++++++++ 49 files changed, 124 insertions(+), 2 deletions(-) create mode 100755 instdir/share/config/soffice.cfg/modules/scalc/ui/inputbar.ui # bad: [10e2a57b0a703ab22c1eac2e9c495ab444c073c4] source sha:296c1b3b7e2fca6d54e3e61684d70d12f7989624 # good: [5dda870d87685eced00ca4ba6d5ceb48aff3c19e] source sha:574c57090642347980d2395e1e183cc7b5c171ad git bisect start 'master' 'oldest' # good: [17a6536d28165faf2aa32e32ca78323b414ccd03] source sha:e7b0e0b2b0df7197ee04c5c7232145d7a044bae0 git bisect good 17a6536d28165faf2aa32e32ca78323b414ccd03 # bad: [9be980890a6fa507b4c77176336367896060f35d] source sha:d6ed9cfe37a4a88e8f4911c004c0aea0b2568211 git bisect bad 9be980890a6fa507b4c77176336367896060f35d # good: [ffc1246377962da8a9f6bb1d84121f1caafdebd2] source sha:10bda37a3c6470a46dadd859daa60a67ab53c29f git bisect good ffc1246377962da8a9f6bb1d84121f1caafdebd2 # good: [e118dd4a98e6c6601b5586f9a7e4049b0b9b9f9a] source sha:64ca94ad591afc3134b600e05104b5d78ab60218 git bisect good e118dd4a98e6c6601b5586f9a7e4049b0b9b9f9a # bad: [15e26685c2c56dbe34068a27cfeaf03406e1e355] source sha:606c65c90cb3e8abdd74540195b7cb01ba88adc8 git bisect bad 15e26685c2c56dbe34068a27cfeaf03406e1e355 # bad: [3a8d04fee0a8d9dcb2b44924349689d429b79874] source sha:55281fe6d3cda23d37b0b0c368786c9fc4c5abe9 git bisect bad 3a8d04fee0a8d9dcb2b44924349689d429b79874 # bad: [44d5143c6345a4dd1e0b21a29785ad0207cf7707] source sha:dd4670b976b00d643f335516fe5fd0c880d58025 git bisect bad 44d5143c6345a4dd1e0b21a29785ad0207cf7707 # bad: [85d08bbb8fea8e5e7a22e6e82197d19279ace77f] source sha:2df0e599090bc915362e1efb8eb27a37eccdc1f3 git bisect bad 85d08bbb8fea8e5e7a22e6e82197d19279ace77f # good: [71415107b721fd706fa558a96e5c89cb7ba8f6c2] source sha:b12b1663d135f94eb56f3c1f852ef008e87c4e5f git bisect good 71415107b721fd706fa558a96e5c89cb7ba8f6c2 # good: [c8f3fb6412fc500d679f707b0058bef32db00728] source sha:e1a47ddab37e70c400de254251be38e844117cc1 git bisect good c8f3fb6412fc500d679f707b0058bef32db00728 # bad: [77dc7c76543062ba871c7e0a4a8da5d98e4833ed] source sha:2e412c5354134fe3cd66ea0266011c5b87dc9eb3 git bisect bad 77dc7c76543062ba871c7e0a4a8da5d98e4833ed # bad: [23127f0640852e8db00361827a2c1257381d11d6] source sha:e087e25f05e689091cbf1c4f91b6e93878ac17ec git bisect bad 23127f0640852e8db00361827a2c1257381d11d6 # good: [70315057f8d86b3faed128933da35528ca3132df] source sha:d6b7cc3f7c07b98c90194e8b33cf44b94804b525 git bisect good 70315057f8d86b3faed128933da35528ca3132df # first bad commit: [23127f0640852e8db00361827a2c1257381d11d6] source sha:e087e25f05e689091cbf1c4f91b6e93878ac17ec
As for the locale, am FR-FR, Windows 10 Pro 19042 (FR) GPU Intel ; CPU : Intel Up to LO 7.0.5, am ok, no issue. Any higher, even nightly builds, fail.
As might be hinted at from the commit, it's not necessary to close the window to trigger the crash; just disable the Formula Bar via: View/Formula Bar. The setting appears to be changed first, so subsequently restarting Calc and then closing the window will succeed without a crash, because there is no InputBox to dispose. This may be why it has not been universally reproducible. It appears non-determinsitic as to whether disabling the Formula Bar causes a crash if you click the expand-down button and/or type content into the InputBox first. I have been able to close the Formula Bar and app, but not repeatably. --- A bunch of code changed in that commit, so it's hard to pick out what caused it, but presumably those who know it might have a better idea. I notice in ScAccessibleEditLineTextData (AccessibleText.cxx) existing isDisposed asserts were removed. How certain is it that mpTxtWnd isn't disposed? (These were commented out as "TODO" at one point?) Class ScTextWnd has a WeakReference xAcc, but in ScTextWnd::CreateAccessible it is set to a Reference instead. The same pattern is used for ScEditWindow::CreateAccessible, but it looks to have been a bigger change for ScTextWnd, which has also modified disposal, eliminating steps and dispose() itself (called by ~ScAcessibleEditObject?) in favour of a destructor.
the bisect is totally plausible but I can't get this to reproduce yet even on windows with its system accessibility screen reader enabled
I couldn't find a way to reproduce it either. Tried with 2 different win machines
(In reply to Xisco Faulí from comment #39) > I couldn't find a way to reproduce it either. Tried with 2 different win > machines I also tried others bugs introduced by the same commit but nothing -> https://bugs.documentfoundation.org/buglist.cgi?f0=OP&f1=OP&f2=product&f3=component&f4=alias&f5=short_desc&f6=status_whiteboard&f7=content&f8=CP&f9=CP&j1=OR&list_id=1317709&o2=substring&o3=substring&o4=substring&o5=substring&o6=substring&o7=matches&query_format=advanced&v2=e087e25f05e689091cbf1c4f91b6e93878ac17ec&v3=e087e25f05e689091cbf1c4f91b6e93878ac17ec&v4=e087e25f05e689091cbf1c4f91b6e93878ac17ec&v5=e087e25f05e689091cbf1c4f91b6e93878ac17ec&v6=e087e25f05e689091cbf1c4f91b6e93878ac17ec&v7=%22e087e25f05e689091cbf1c4f91b6e93878ac17ec%22
If, under windows, I install nvda (https://www.nvaccess.org/) I get a reproducible crash that is very like this one so I might have a way in.
Created attachment 172704 [details] WinDbg stack trace with symbols against 7.1.3.2 with NVDA 2021.4 active So, was able to reproduce with NVDA (2021.4) screen reader enabled. The AT facet had not come up in context or STR, but saw Caolán's note. With NVDA enabled, it does crash/recover current master and 7.1.3.2 builds on Windows 10 (20H2 build 19042.985) Attaching a WinDbg stacktrace w/symbols against 7.1.3.2, if it helps. That same crash on restart generated: https://crashreport.libreoffice.org/stats/crash_details/2f6d75b5-dbdf-42e1-b677-f7a366be01f1
Created attachment 172716 [details] Backtrace from disabling Function Bar on 7.1.3.2 (x86) - non-debug stack TL;DR: I end up in the same place with an invalid acquire(). Backtrace attached up to the exit. Not sure anything after this helps; apologies for the spam if not. -- The bibisected build has no symbols, the released build does, so I opened that in Visual Studio. I was quickly reminded why I don't do that for complex projects. :-) From the looks of it, it ran into a notifications issue while disposing of the combo box down spinner button - but this may be a symptom of corruption before that. It starts to dispose() ScInputWindow and when VS is set to run with a debug memory stack an access violation exception occurs via this call chain: mxTextWindow.disposeAndClear() m_xBuilder.reset() VclBuilder::~VclBuilder() VclBuilder::disposeBuilder() aI->m_pWindow.disposeAndClear() within rev. iteration of m_aChildren.rbegin() Window::dispose() xC->dispose(); WeakAggComponentImplHelperBase::dispose() rBHelper.aLC.disposeAndClear( aEvt ); OMultiTypeInterfaceContainerHelper::disposeAndClear ppListenerContainers[i]->disposeAndClear( rEvt ); OInterfaceContainerHelper::disposeAndClear Reference<XEventListener > xLst( aIt.next(), UNO_QUERY ); at this point aIt.aData.pAsVector has supposedly three elements: * OAccessibleWrapper [0] = {0x0c000850 {m_xParentAccessible={0x0c000704 ... and a chain above this}} * OAccessibleContentWrapper for a VCLAccessibleComponent (window) with {m_nNotifierClient=0x000003d4 } * Junk with a broken vptr? Exception thrown at 0x6E6D6B89 (cppuhelper3MSC.dll) in soffice.bin: 0xC0000005: Access violation reading location 0x00650066 (trying to call something on the junk vptr). This exception is caught so as to "be robust". -- When *not* using a debug stack it proceeds past mxTextWindow.disposeAndClear() to dispose InterimItemWindow via aWndPos.disposeAndClear - going into VclReferenceBase::disposeOnce after clReferenceBase::release, resulting in m_xBuilder.reset() in InterimItemWindow::dispose(). (It never gets to m_xVclContentArea.disposeAndClear().) VclBuilder::disposeBuilder reverse iterates over m_aChildren. At the time of the crash it seems like there is (in order) a "PosBox" which has not been disposed, a "pos_window" that has an empty m_pWindow, and an empty element. It is currently within aI->m_pWindow.disposeAndClear(), at the point of calling VclReferenceBase::disposeOnce(). This in turn calls ComboBox::dispose() which is at the point of m_pImpl->m_pBtn.disposeAndClear() (having eliminated its subEdit, ListBox and floating window). In disassembly it is again calling VclReferenceBase::disposeOnce(). The combo box button has disposed of any status listener and calls Control::dispose(). This leads to pWrapper->WindowDestroyed( this ) from UnoWrapperBase::GetUnoWrapper in vcl::Window::dispose(), and that tries to call xWindowPeerComp->dispose(). This gets into VCL classes, and by the crash VCLXButton has finished off all its own disposal and is calling the base class VCLXGraphicControl::dispose() (VCLXWindow::dispose()). It's at this point we get mentions of accessibility: // #i14103# dispose the accessible context after the window has been destroyed, // otherwise the old value in the child event fired in VCLXAccessibleComponent::ProcessWindowEvent() // for VclEventId::WindowChildDestroyed contains a reference to an already disposed accessible object try { css::uno::Reference< css::lang::XComponent > xComponent( mpImpl->mxAccessibleContext, css::uno::UNO_QUERY ); if ( xComponent.is() ) > xComponent->dispose(); } catch ( const css::uno::Exception& ) { OSL_FAIL( "VCLXWindow::dispose: could not dispose the accessible context!" ); } [by the crash, mpImpl->mxAccessibleContex is empty, xComponent.is() is true.] It seems to anticipate some disposal failures, but maybe not the exception which ends up terminating the application. xComponent is a VCLXAccessibleButton. It enters WeakAggComponentImplHelperBase::dispose and calls rBHelper.aLC.disposeAndClear( aEvt ), then enters disposing(). This calls VCLXAccessibleComponent::disposing() - it'd later clear m_sText, which is empty. This does DisconnectEvents() and then enters OAccessibleExtendedComponentHelper::disposing, which gets the SolarMutex guard and goes into AccessibleEventNotifier::revokeClientNotifyDisposing( m_pImpl->getClientId( ), *this ); ['this' being the VCLXAccessibleButton]. It's quite complex - comments reference prior re-entrancy problems - but proceeds to call pListeners->disposeAndClear( aDisposalEvent ). Here it becomes unstuck: void OInterfaceContainerHelper2::disposeAndClear( const EventObject & rEvt ) { ClearableMutexGuard aGuard( rMutex ); > OInterfaceIteratorHelper2 aIt( *this ); and this calls OInterfaceIteratorHelper2::OInterfaceIteratorHelper2( OInterfaceContainerHelper2 & rCont_ ) : rCont( rCont_ ), bIsList( rCont_.bIsList ) { ... else if( aData.pAsInterface ) { > aData.pAsInterface->acquire(); Which appears for some reason to be a pure virtual call.
Created attachment 172717 [details] Backtrace of exception during ScAccessibleEditLineTextData::GetTextForwarder sclo.dll!ScAccessibleEditLineTextData::GetTextForwarder() Line 797 mergedlo.dll!SvxEditSourceAdapter::GetTextForwarder() Line 339 mergedlo.dll!accessibility::AccessibleTextHelper_Impl::GetTextForwarder() Line 265 mergedlo.dll!accessibility::AccessibleTextHelper::AccessibleTextHelper(std::unique_ptr<SvxEditSource,std::default_delete<SvxEditSource> > && pEditSource={...}) Line 1531 sclo.dll!ScAccessibleEditObject::CreateTextHelper() Line 379 sclo.dll!ScAccessibleEditObject::addAccessibleEventListener(const com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessibleEventListener> & xListener={...}) Line 315 mergedlo.dll!comphelper::OAccessibleContextWrapperHelper::aggregateProxy(long & _rRefCount=0x00000003, cppu::OWeakObject & _rDelegator) Line 370 mergedlo.dll!comphelper::OAccessibleContextWrapper::OAccessibleContextWrapper(const com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> & _rxContext={...}, const com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessibleContext> & _rxInnerAccessibleContext={...}, const com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessible> & _rxOwningAccessible={...}, const com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessible> & _rxParentAccessible={...}) Line 492 mergedlo.dll!comphelper::OAccessibleWrapper::createAccessibleContext(const com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessibleContext> & _rxInnerContext={...}) Line 313 mergedlo.dll!comphelper::OAccessibleWrapper::getAccessibleContext() Line 327 winaccessibility.dll!AccObjectWinManager::InsertAccObj(com::sun::star::accessibility::XAccessible * pXAcc=0x0c000824, com::sun::star::accessibility::XAccessible * pParentXAcc=0x0c000704, HWND__ * pWnd=0x00000000) Line 678 winaccessibility.dll!AccObjectManagerAgent::InsertAccObj(com::sun::star::accessibility::XAccessible * pXAcc=0x0c000824, com::sun::star::accessibility::XAccessible * pParentXAcc=0x0c000704, __int64 nWnd=0x0000000000000000) Line 152 winaccessibility.dll!AccContainerEventListener::HandleChildChangedEvent(com::sun::star::uno::Any oldValue={...}, com::sun::star::uno::Any newValue={...}) Line 133 winaccessibility.dll!AccContainerEventListener::notifyEvent(const com::sun::star::accessibility::AccessibleEventObject & aEvent={...}) Line 57 mergedlo.dll!comphelper::AccessibleEventNotifier::addEvent(const unsigned long _nClient, const com::sun::star::accessibility::AccessibleEventObject & _rEvent={...}) Line 269 mergedlo.dll!comphelper::OAccessibleContextWrapper::notifyTranslatedEvent(const com::sun::star::accessibility::AccessibleEventObject & _rEvent={...}) Line 563 mergedlo.dll!comphelper::OAccessibleContextWrapperHelper::notifyEvent(const com::sun::star::accessibility::AccessibleEventObject & _rEvent) Line 451 mergedlo.dll!comphelper::AccessibleEventNotifier::addEvent(const unsigned long _nClient, const com::sun::star::accessibility::AccessibleEventObject & _rEvent={...}) Line 269 mergedlo.dll!comphelper::OAccessibleContextHelper::NotifyAccessibleEvent(const short _nEventId=0x0007, const com::sun::star::uno::Any & _rOldValue={...}, const com::sun::star::uno::Any & _rNewValue={...}) Line 160 mergedlo.dll!VCLXAccessibleComponent::ProcessWindowChildEvent(const VclWindowEvent & rVclWindowEvent) Line 174 mergedlo.dll!VCLXAccessibleComponent::WindowChildEventListener(VclWindowEvent & rEvent={...}) Line 128 mergedlo.dll!VCLXAccessibleComponent::LinkStubWindowChildEventListener(void * instance=0x0c111030, VclWindowEvent & data={...}) Line 117 mergedlo.dll!vcl::Window::CallEventListeners(VclEventId nEvent, void * pData) Line 290 mergedlo.dll!vcl::Window::ImplSetReallyVisible() Line 1312 mergedlo.dll!vcl::Window::ImplSetReallyVisible() Line 1324 mergedlo.dll!vcl::Window::ImplSetReallyVisible() Line 1324 mergedlo.dll!vcl::Window::ImplSetReallyVisible() Line 1324 mergedlo.dll!vcl::Window::ImplSetReallyVisible() Line 1324 mergedlo.dll!vcl::Window::ImplSetReallyVisible() Line 1324 mergedlo.dll!vcl::Window::ImplSetReallyVisible() Line 1324 mergedlo.dll!vcl::Window::ImplSetReallyVisible() Line 1324 mergedlo.dll!vcl::Window::ImplSetReallyVisible() Line 1324 mergedlo.dll!vcl::Window::Show(bool bVisible, ShowFlags nFlags) Line 2317 sclo.dll!ScInputWindowWrapper::CreateImpl(vcl::Window * pParent=0x0b85f740, unsigned short nId=0x65f4, SfxBindings * pBindings=0x0bc83458, SfxChildWinInfo * pInfo=0x01b8ef70) Line 110 mergedlo.dll!SfxChildWindow::CreateChildWindow(unsigned short nId=0x65f4, vcl::Window * pParent=0x0b85f740, SfxBindings * pBindings=0x0bc83458, const SfxChildWinInfo & rInfo={...}) Line 265 mergedlo.dll!SfxWorkWindow::CreateChildWin_Impl(SfxChildWin_Impl * pCW=0x0978be60, bool bSetFocus=false) Line 1351 mergedlo.dll!SfxWorkWindow::UpdateChildWindows_Impl() Line 1299 mergedlo.dll!SfxWorkWindow::UpdateObjectBars_Impl2() Line 1245 mergedlo.dll!SfxWorkWindow::UpdateObjectBars_Impl() Line 1101 mergedlo.dll!SfxDispatcher::Update_Impl(bool bForce) Line 1114 mergedlo.dll!SfxBaseController::ConnectSfxFrame_Impl(const SfxBaseController::ConnectSfxFrame i_eConnect=E_CONNECT) Line 1249 mergedlo.dll!SfxBaseController::attachFrame(const com::sun::star::uno::Reference<com::sun::star::frame::XFrame> & xFrame) Line 531 mergedlo.dll!`anonymous namespace'::SfxFrameLoader_Impl::impl_createDocumentView(const com::sun::star::uno::Reference<com::sun::star::frame::XModel2> & i_rModel={...}, const com::sun::star::uno::Reference<com::sun::star::frame::XFrame> & i_rFrame={...}, const comphelper::NamedValueCollection & i_rViewFactoryArgs={...}, const rtl::OUString & i_rViewName={...}) Line 585 mergedlo.dll!`anonymous namespace'::SfxFrameLoader_Impl::load(const com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> & rArgs={...}, const com::sun::star::uno::Reference<com::sun::star::frame::XFrame> & _rTargetFrame={...}) Line 703 mergedlo.dll!framework::LoadEnv::impl_loadContent() Line 1166 mergedlo.dll!framework::LoadEnv::startLoading(const rtl::OUString & sURL, const com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> & lMediaDescriptor, const com::sun::star::uno::Reference<com::sun::star::frame::XFrame> & xBaseFrame, const rtl::OUString & sTarget={...}, long nSearchFlags=0x00000000, LoadEnvFeatures eFeature=WorkWithUI | AllowContentHandler) Line 299 mergedlo.dll!framework::LoadDispatcher::impl_dispatch(const com::sun::star::util::URL & rURL={...}, const com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> & lArguments={...}, const com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> & xListener={...}) Line 107 mergedlo.dll!framework::LoadDispatcher::dispatch(const com::sun::star::util::URL & aURL={...}, const com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> & lArguments={...}) Line 53 mergedlo.dll!implDispatchDelayed(void * __formal=0x00000000, void * pArg=0x0b91ca30) Line 738 mergedlo.dll!ImplWindowFrameProc(vcl::Window * _pWindow, SalEvent nEvent=UserEvent, const void * pEvent=0x0bc2df88) Line 2560 mergedlo.dll!SalFrame::CallCallback(SalEvent nEvent=UserEvent, const void * pEvent=0x0bc2df88) Line 306 vclplug_winlo.dll!SalFrameWndProc(HWND__ * hWnd=0x00ac0dba, unsigned int nMsg=0x00000482, unsigned int wParam=0x00000000, long lParam=0x0bc2df88, bool & rDef=true) Line 5792 vclplug_winlo.dll!SalFrameWndProcW(HWND__ * hWnd=0x00ac0dba, unsigned int nMsg=0x00000482, unsigned int wParam=0x00000000, long lParam=0x0bc2df88) Line 5900 user32.dll!__InternalCallWinProc@20() user32.dll!UserCallWinProcCheckWow() user32.dll!DispatchMessageWorker() user32.dll!_DispatchMessageW@4() vclplug_winlo.dll!ImplSalYield(bool bWait=true, bool bHandleAllCurrentEvents=false) Line 457 vclplug_winlo.dll!WinSalInstance::DoYield(bool bWait=true, bool bHandleAllCurrentEvents=false) Line 528 mergedlo.dll!Application::Execute() Line 426 mergedlo.dll!desktop::Desktop::Main() Line 1590 mergedlo.dll!ImplSVMain() Line 196 mergedlo.dll!soffice_main() Line 98 soffice.bin!main(int argc=0x00000001, char * * argv=0x01e82ca8) Line 47 C soffice.bin!__scrt_common_main_seh() Line 288 kernel32.dll!@BaseThreadInitThunk@12() ntdll.dll!__RtlUserThreadStart() ntdll.dll!__RtlUserThreadStart@8()
Created attachment 172718 [details] Backtrace of exception during ScAccessibleEditLineTextData::GetTextForwarder (Switching comment and attachment...) While debugging I encountered what seems to be accessibiliy-related exceptions in ScAccessibleEditLineTextData::GetTextForwarder; backtrace attached: Exception thrown at 0x75D1A6F2 in soffice.bin: Microsoft C++ exception: com::sun::star::uno::RuntimeException at memory location 0x01B8F240. This occurred a couple of times before I got to the loaded application with sheet. It goes through SfxWorkWindow::UpdateObjectBars_Impl and SfxWorkWindow::UpdateObjectBars_Impl into accessiblity-related code (see trace). mpTxtWnd and mpForwarder are both null, and so pTextForwarder is null in AccessibleTextHelper_Impl::GetTextForwarder So it throws uno::RuntimeException("Unable to fetch text forwarder, model might be dead", mxFrontEnd); [mxFrontEnd is also null] Not sure if it is usual for this to occur or if it has relevance to the crash, but I figured if something failed in creating the accessibility events, it might also cause problems when accessibility-related stuff is being torn down.
it would be a lot easier to debug this if visual studio didn't itself crash while nvda is running during stepping through the problem.
Well, we have a status Moved, like one can report to MS and turn on some music until it's fixed :)
mpTextWnd being null is the problem I believe, we're waiting until the on-demand editview is created to set it but we need it before that https://gerrit.libreoffice.org/c/core/+/116917 makes things work for me with what I see crashing for me under nvda
Caolán McNamara committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/ff72a7db944651c81ff32ad33d6f6b7502448c4e tdf#141769 ScTextWnd has to be available before the editview is created It will be available in 7.2.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
backport to 7-1 in gerrit. Testing welcome as there's always the chance I fixed something slightly different to what was initially reported given the initial trickiness of reproducing.
Thanks for tracking it down! I know it's annoying when it's hard to reproduce. Will give it a go when a build comes out (looks like they did a daily just before) or perhaps if it becomes available in the 7.1 bibisect tree prior to then.
(In reply to Caolán McNamara from comment #50) > ... always the chance I > fixed something slightly different to what was initially reported given the > initial trickiness of reproducing. Caolán, * As in trace of comment 24 and comment 28? Those do not seem to have an AT enabled...
(In reply to V Stuart Foote from comment #52) > As in trace of comment 24 and comment 28? Those do not seem to have an AT > enabled... because there is no accessibility mentioned in the backtraces at the time of crash ? My thinking is that there were earlier accessibility related calls which resulted in exceptions like that captured in comment #45 which leads to uncleaned up zombie objects attached to the inputbar TextWnd which then crashes when it's torn down. Well, maybe. I think I've fixed something worth fixing and we'll presumably see if it's sufficient.
(In reply to Caolán McNamara from comment #53) > (In reply to V Stuart Foote from comment #52) > > As in trace of comment 24 and comment 28? Those do not seem to have an AT > > enabled... > because there is no accessibility mentioned in the backtraces at the time of > crash ? > Yes > My thinking is that there were earlier accessibility related calls which > resulted in exceptions like that captured in comment #45 which leads to > uncleaned up zombie objects attached to the inputbar TextWnd which then > crashes when it's torn down. Well, maybe. I defer to your instinct on that :-) > I think I've fixed something worth > fixing and we'll presumably see if it's sufficient. Absolutely--and thanks! QA may have to poke folks on some of the dupes to be sure it really is quashed for all cases.
For those who can reproduce the crash, Could you please try with the latest daily build from today < https://dev-builds.libreoffice.org/daily/master/current.html > ? it already contains Caolan's fix
It works without crashing; which I'm guessing is a fix because it didn't before. I get a bunch of exceptions and warnings and is very slow (presumably because it's non-optimized too; and the 64-bit version, which I don't regularly use). Many of these may be expected, but I don't know which, so here's what I saw: When enabling the Formula Bar after it started disabled I got: warn:legacy.osl:4288:3320:sc/source/ui/Accessibility/AccessibleEditObject.cxx:303: Should never be called, because is set in the constructor. warn:legacy.osl:4288:3320:sc/source/ui/Accessibility/AccessibleContextBase.cxx:312: We should give always a name. It was also very laggy when I first clicked inside the formula bar input box, or clicked out of it, with messages like: Exception thrown at 0x00007FFC49B34B89 in soffice.bin: Microsoft C++ exception: com::sun::star::uno::RuntimeException at memory location 0x000000152498DCE8. warn:sfx.control:4288:3320:sfx2/source/control/dispatch.cxx:1206: Childwindow slot missing: 25917 The thread 0x1fc0 has exited with code 0 (0x0). ...but I don't know if that is normal for the debug version. When disabling the Formula Bar I got 38 instances of: warn:legacy.osl:4288:3320:comphelper/source/misc/accessiblewrapper.cxx:458: OAccessibleContextWrapperHelper::disposing(): inner context is no broadcaster! When selecting SUM from the Formula Bar Select Function dropdown I get: Exception thrown at 0x00007FFC49B34B89 in soffice.bin: Microsoft C++ exception: com::sun::star::uno::RuntimeException at memory location 0x000000152498DD50. Exception thrown at 0x00007FFC49B34B89 in soffice.bin: Microsoft C++ exception: [rethrow] at memory location 0x0000000000000000. warn:svx:4288:3320:svx/source/accessibility/AccessibleTextHelper.cxx:1360: DBG_UNHANDLED_EXCEPTION in Notify exception: com.sun.star.uno.RuntimeException message: Text forwarder is invalid, model might be dead When closing the document I again get a lot of: OAccessibleContextWrapperHelper::disposing(): inner context is no broadcaster! as well as eight instances of: warn:legacy.osl:4288:3320:sc/source/ui/view/tabvwshh.cxx:232: no accessibility broadcaster? Reopening a new Calc document renews: warn:legacy.osl:4288:3320:sc/source/ui/Accessibility/AccessibleEditObject.cxx:303: Should never be called, because is set in the constructor. warn:legacy.osl:4288:3320:sc/source/ui/Accessibility/AccessibleContextBase.cxx:312: We should give always a name. warn:sfx.control:4288:3320:sfx2/source/control/dispatch.cxx:1206: Childwindow slot missing: 25917 warn:legacy.tools:4288:3320:sfx2/source/control/bindings.cxx:1764: No cache for OfficeDispatch! When opening the Manage Names dialog I got: Exception thrown at 0x00007FFC49B34B89 in soffice.bin: Microsoft C++ exception: com::sun::star::lang::IllegalArgumentException at memory location 0x000000152498D178. warn:accessibility:4288:3320:accessibility/source/extended/AccessibleBrowseBoxBase.cxx:410: rectangle doesn't exist warn:accessibility:4288:3320:accessibility/source/extended/AccessibleBrowseBoxBase.cxx:397: rectangle doesn't exist warn:accessibility:4288:3320:accessibility/source/extended/AccessibleBrowseBoxBase.cxx:410: rectangle doesn't exist [last three repeated two times] and on closing it: Exception thrown at 0x00007FFC49B34B89 in soffice.bin: Microsoft C++ exception: com::sun::star::uno::RuntimeException at memory location 0x000000152498DE40. Exception thrown at 0x00007FFC49B34B89 in soffice.bin: Microsoft C++ exception: [rethrow] at memory location 0x0000000000000000. warn:svx:4288:3320:svx/source/accessibility/AccessibleTextHelper.cxx:1360: DBG_UNHANDLED_EXCEPTION in Notify exception: com.sun.star.uno.RuntimeException message: Text forwarder is invalid, model might be dead When selecting some text in the Function Bar I get: Exception thrown at 0x00007FFC49B34B89 in soffice.bin: Microsoft C++ exception: `private: rtl::Reference<LogicalFontInstance> __cdecl ImplFontCache::GetFontInstance(PhysicalFontCollection const * __ptr64,FontSelectPattern & __ptr64) __ptr64'::`44'::limit_exception at memory location 0x000000152498D260. After closing and opening a new Calc document with the Formula Bar set to be enabled on startup, it did not crash either, and could be disabled, with five instances of: warn:legacy.osl:9348:10140:comphelper/source/misc/accessiblewrapper.cxx:458: OAccessibleContextWrapperHelper::disposing(): inner context is no broadcaster!
(In reply to Laurence 'GreenReaper' Parry from comment #56) > It works without crashing; which I'm guessing is a fix because it didn't > before. > @Laurence, are you able to run Windows without an assistive technology active? LibreOffice detects that state and responds enabling AT accordingly. Would be interesting as to the trace you get with AT not active. Both for Caolan's fixed build, and for a 7.1 release build or master without it.
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-7-1": https://git.libreoffice.org/core/commit/4b6af3412f72be85706fc5355a36bd8364726c13 tdf#141769 ScTextWnd has to be available before the editview is created It will be available in 7.1.5. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
That is perhaps the most confusing part of all this, as I was not aware I was using any accessibility technology. As such I'm not quite sure how to turn it off! The checkbox in Accessibility is autoselected, and deselecting it does not "stick" (which I think is itself a bug, in that if it can't be unset it should not be enabled). I had a look at what might enable it but HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility has a blank Configuration REG_SZ setting. I was a little confused when I couldn't find a LibreOffice registry folder, but found I had an Accessibility EnableATToolSupport fuse entry in registrymodifications.xcu set to true. I tried changing this to false but it was set back to true just by opening and closing the LO launcher again. Looking at the source, you use HasAtHook() in salplug.cxx which is looking at SystemParametersInfoW(SPI_GETSCREENREADER, ...). And running PowerShell also indicates that I "might be using a screen reader". I also enabled SAL_LOG for vcl info messages and got "got IAccessible2 bridge" from svdata.cxx:336. So I guess there may be an app installed which is triggering this? Not sure what it might be, or how to identify that - I do have graphics tablet software installed as well as a DisplayLink USB to VGA screen. Oracle Java 8 appears to have an Accessibility tool registered as well, but I am guessing that is normal for the JRE. One weird thing is that trying to access the Narrator tab freezes Windows Settings. The same happens if I try to access the Settings/Updates & Security/For developers. So there is definitely Something Up (TM)
As from Comment #55, it fixes the crash I was reporting #142022 and others... and linked to this thread... Many thanks for deploying ressources and focusing... I was over some time ago... side of DBLG was to tweaky for me ;o) Just discovered bibisected ! Am not able to focus AT form Windows... in order to disable and test previous version...
@Nico: It's interesting that you mention Lenovo in bug 142022, as this device is a Lenovo x120e. I wouldn't entirely put it past them to have some kind of screen reader integration (they've also had buggy plugins that leak handles before). Unfortunately this device is my main system right now (waiting on AMD's Van Gogh with RDNA2+AV1 decode to replace it), and the main screen is broken, so I don't feel too confident in removing the default device packages to test out whether it removes the screen reader flag. @V Stuart Foote: If you want me to test that, I think I'll need a way to force the accessible mode off in LibreOffice. I could try making a utility to disable it by setting the relevant system parameter to false, but I'm not sure that would work (I would've thought it's a global OR across all applications that can set it). Or maybe you know some way to identify the triggering application so as to remove it?
Formerly Thinkpad X380, touchscreen, pen About up to date (from Lenovo vantage), slightly dated from Intel's support page. Windows update about to be synced I can test previous vers and this one, but please ask what to look at ?
(In reply to Laurence 'GreenReaper' Parry from comment #61) >... > @V Stuart Foote: If you want me to test that, I think I'll need a way to > force the accessible mode off in LibreOffice. I could try making a utility > to disable it by setting the relevant system parameter to false, but I'm not > sure that would work (I would've thought it's a global OR across all > applications that can set it). Or maybe you know some way to identify the > triggering application so as to remove it? I don't think we can. We use the SPI_GETSCREENREADER call [1] to set the HasATHook(). The Tools -> Options -> Accessibility 'Support assistive technology tools' will always toggle on when the system reports it in use. That was hard coded when we replaced the Java Access Bridge to UAA calls on Windows builds with native IAccessible2 mappings at the 4.3.0 release. Would have to identify the Windows 10 app that is setting the screenreader enabled and disable it. Spent some time poking around StackOverflow but I could not find an effective way. https://opengrok.libreoffice.org/xref/core/vcl/source/app/salplug.cxx?r=fa8db25a#397
*** Bug 142958 has been marked as a duplicate of this bug. ***
*** Bug 143289 has been marked as a duplicate of this bug. ***
