Description:
Writer suddenly crashes at the time or shortly after a document has loaded. The crashes happen when LanguageTool extension is installed and activated. I have been using LibreOffice with LanguageTool for a long time and never had issues. These crashes appeared for the first time some weeks ago.
Reproducibility: Always, with different documents.
LibreOffice profile: A newly set-up LibreOffice profile doesn't make a difference.
Steps to Reproduce:
1. Open a document -> crash after loading document
Actual Results: Crash
Expected Results: No crash
Reproducible: Always
User Profile Reset: Yes
Additional Info:
System: Tested with LibreOffice versions:
Version: 7.3.0.3 / LibreOffice Community (Fresh from Ubuntu PPA)
Build ID: 30(Build:3)
CPU threads: 16; OS: Linux 5.13; UI render: default; VCL: gtk3
Locale: de-DE (de_DE.UTF-8); UI: de-DE
Ubuntu package version: 1:7.3.0~rc3-0ubuntu0.21.10.1~lo1
Calc: threaded
Version: 7.2.5: The very same crashes happened with LibreOffice 7.2.5 which comes with Ubuntu 21.10 (that's why I updated to 7.3 in the hope that crashes disappear)
LanguageTool 5.6 (Crashes also occur with LT 5.5)
Java version: java-11-openjdk-amd64 11.0.13
OS version: Ubuntu 21.10 (impish), Wayland
Created attachment 178553 [details] Backtrace gdbtrace.log
On pc Debian x86-64 with master sources updated today + gtk3 rendering, I installed LanguageTool 5.6 from https://extensions.libreoffice.org/en/extensions/show/languagetool. (use "only for me" option when installing).
Then I opened Writer on a brand new file, no crash here.
I noticed these on console:
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
(soffice:15828): Gdk-WARNING **: 10:31:27.758: XSetErrorHandler() called with a GDK error trap pushed. Don't do that.
Did you open a specific document?
(openjdk version "11.0.14" 2022-01-18
OpenJDK Runtime Environment (build 11.0.14+9-post-Debian-1)
OpenJDK 64-Bit Server VM (build 11.0.14+9-post-Debian-1, mixed mode, sharing))
Backtrace doesn't show anything here. Did you try https://wiki.documentfoundation.org/QA/BugReport/Debug_Information#GNU.2FLinux:_How_to_get_a_backtrace ? When there are "??", you must use "c" (for "continue") until there's no "??", then you can use "bt" (for "backtrace").
Created attachment 178557 [details] Example document causing the crash
I attached an example document that causes crashes here. I say example, because the crashes happen with all documents that have some text in it. (btw, I didn't get a better backtrace.log yet. I am trying)
Here's a part which may help from Gerry:
Thread 67 "Thread-24" received signal SIGBUS, Bus error.
0x00007ff3b3e2a9a6 in LocaleDataWrapper::getLanguageCountryInfo() const () from /usr/lib/libreoffice/program/libmergedlo.so
(gdb) bt
#0 0x00007ff3b3e2a9a6 in LocaleDataWrapper::getLanguageCountryInfo() const () from /usr/lib/libreoffice/program/libmergedlo.so
#1 0x00007ff3b3e2bafb in LocaleDataWrapper::getLoadedLanguageTag() const () from /usr/lib/libreoffice/program/libmergedlo.so
#2 0x00007ff3b2be4b78 in ?? () from /usr/lib/libreoffice/program/libmergedlo.so
#3 0x00007ff3b2be984f in ?? () from /usr/lib/libreoffice/program/libmergedlo.so
#4 0x00007ff3b2bea710 in ?? () from /usr/lib/libreoffice/program/libmergedlo.so
#5 0x00007ff3b0d4643a in ?? () from /usr/lib/libreoffice/program/libgcc3_uno.so
#6 0x00007ff3b0d45566 in ?? () from /usr/lib/libreoffice/program/libgcc3_uno.so
#7 0x00007ff3b0d45cb6 in ?? () from /usr/lib/libreoffice/program/libgcc3_uno.so
#8 0x00007ff358d83ba5 in ?? () from /usr/lib/libreoffice/program/libjava_uno.so
#9 0x00007ff358d84060 in Java_com_sun_star_bridges_jni_1uno_JNI_1proxy_dispatch_1call () from /usr/lib/libreoffice/program/libjava_uno.so
#10 0x00007ff3773c9aa9 in ?? ()
BTW, I noticed other things on console logs:
- when opening Writer:
warn:configmgr:25772:25772:configmgr/source/xcuparser.cxx:159: bad set node <prop> member in "file:///home/julien/lo/libreoffice/instdir/program/../program/../user/uno_packages/cache/uno_packages/lu25eow.tmp_/LanguageTool-5.6.oxt/Addons.xcu"
but above all a kind of crash at the end with:
warn:sal.osl.mutex:25918:26030:sal/osl/unx/mutex.cxx:149: pthread_mutex_unlock failed: EINVAL
warn:sal.osl.mutex:25918:26030:sal/osl/unx/mutex.cxx:103: pthread_mutex_lock failed: EINVAL
warn:sal.osl.mutex:25918:26030:sal/osl/unx/mutex.cxx:149: pthread_mutex_unlock failed: EINVAL
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f8f4776e8e4, pid=25918, tid=25918
#
# JRE version: OpenJDK Runtime Environment (11.0.14+9) (build 11.0.14+9-post-Debian-1)
# Java VM: OpenJDK 64-Bit Server VM (11.0.14+9-post-Debian-1, mixed mode, sharing, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# C [libc.so.6+0x828e4]
There's definitely something wrong here.
Stephan: since it may be related to Java part, thought you might be interested in this one.
Of course, there might be some bugs on Language tool but this one triggers something wrong on LO.
(In reply to Julien Nabet from comment #5)
> Here's a part which may help from Gerry:
> Thread 67 "Thread-24" received signal SIGBUS, Bus error.
This is from private communication between Julien and Gerry? SIGBUS is somewhat odd. I assume this is on x86-64 hardware? (And a backtrace with apparently lacking debug information is of reduced usefulness and might even be misleading.)
> BTW, I noticed other things on console logs:
> - when opening Writer:
> warn:configmgr:25772:25772:configmgr/source/xcuparser.cxx:159: bad set node
> <prop> member in
> "file:///home/julien/lo/libreoffice/instdir/program/../program/../user/
> uno_packages/cache/uno_packages/lu25eow.tmp_/LanguageTool-5.6.oxt/Addons.xcu"
Definitely harmless and unrelated, see <https://github.com/languagetool-org/languagetool/pull/6396> "Remove spurious 'Title' prop".
> but above all a kind of crash at the end with:
> warn:sal.osl.mutex:25918:26030:sal/osl/unx/mutex.cxx:149:
> pthread_mutex_unlock failed: EINVAL
> warn:sal.osl.mutex:25918:26030:sal/osl/unx/mutex.cxx:103: pthread_mutex_lock
> failed: EINVAL
> warn:sal.osl.mutex:25918:26030:sal/osl/unx/mutex.cxx:149:
> pthread_mutex_unlock failed: EINVAL
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # SIGSEGV (0xb) at pc=0x00007f8f4776e8e4, pid=25918, tid=25918
> #
> # JRE version: OpenJDK Runtime Environment (11.0.14+9) (build
> 11.0.14+9-post-Debian-1)
> # Java VM: OpenJDK 64-Bit Server VM (11.0.14+9-post-Debian-1, mixed mode,
> sharing, tiered, compressed oops, g1 gc, linux-amd64)
> # Problematic frame:
> # C [libc.so.6+0x828e4]
It smells like LanguageTool causes some threads to still run during process exit. That's definitely something that should be addressed, but it's unclear whether that might be related to Gerry's original issue. (What I e.g. see when typing some words in Writer, then trying to quit LO without saving the document is
> Thread 77 "Thread-102" received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7fff0effe640 (LWP 3960536)]
> 0x00007ffff1b9c115 in std::__1::unique_ptr<comphelper::SolarMutex, std::__1::default_delete<comphelper::SolarMutex> >::get (this=0x10) at ~llvm/inst/include/c++/v1/__memory/unique_ptr.h:287
> 287 return __ptr_.first();
>
> Thread 77 (Thread 0x7fff0effe640 (LWP 3960536) "Thread-102"):
> ##0 0x00007ffff1b9c115 in std::__1::unique_ptr<comphelper::SolarMutex, std::__1::default_delete<comphelper::SolarMutex> >::get() const (this=0x10) at ~llvm/inst/include/c++/v1/__memory/unique_ptr.h:287
> #1 0x00007ffff1b5c819 in SalInstance::GetYieldMutex() (this=0x0) at vcl/source/app/salvtables.cxx:120
> #2 0x00007fffdc4b2d95 in GdkThreadsLeave() () at vcl/unx/gtk3/gtkinst.cxx:115
> #3 0x00007fffb48d65c2 in Java_com_sun_java_swing_plaf_gtk_GTKStyle_nativeGetXThicknessDownloading 0.00 MB source file /usr/src/debug/java-latest-openjdk-17.0.2.0.8-2.rolling.fc35.x86_64/openjdk/src/java.desktop/unix/native/libawt_xawt/awt/swing_GTKStyle.c
> (env=<optimized out>, klass=<optimized out>, widget_type=18) at /usr/src/debug/java-latest-openjdk-17.0.2.0.8-2.rolling.fc35.x86_64/openjdk/src/java.desktop/unix/native/libawt_xawt/awt/swing_GTKStyle.c:49
> #4 0x00007fffa08fec48 in ()
> #5 0x0000000800448d58 in ()
> #6 0x00007fff0effb528 in ()
> #7 0x0000000000000000 in ()
[...]
> Thread 1 (Thread 0x7fffe9cf9080 (LWP 3960429) "soffice.bin"):
> #0 0x00007ffff7fc9d88 in _dl_close_workerDownloading -0.00 MB source file /usr/src/debug/glibc-2.34-25.fc35.x86_64/elf/dl-close.c...
> (map=map@entry=0x1675640, force=force@entry=false) at /usr/src/debug/glibc-2.34-25.fc35.x86_64/elf/dl-close.c:825
> #1 0x00007ffff7fca33b in _dl_close (_map=0x1675640) at /usr/src/debug/glibc-2.34-25.fc35.x86_64/elf/dl-close.c:873
> #2 0x00007ffff7976878 in __GI__dl_catch_exceptionDownloading 0.00 MB source file /usr/src/debug/glibc-2.34-25.fc35.x86_64/elf/dl-error-skeleton.c...
> (exception=exception@entry=0x7fffffffda80, operate=<optimized out>, args=<optimized out>) at /usr/src/debug/glibc-2.34-25.fc35.x86_64/elf/dl-error-skeleton.c:208
> #3 0x00007ffff7976943 in __GI__dl_catch_error (objname=0x7fffffffdad8, errstring=0x7fffffffdae0, mallocedp=0x7fffffffdad7, operate=<optimized out>, args=<optimized out>) at /usr/src/debug/glibc-2.34-25.fc35.x86_64/elf/dl-error-skeleton.c:227
> #4 0x00007ffff78a682e in _dlerror_runDownloading 0.00 MB source file /usr/src/debug/glibc-2.34-25.fc35.x86_64/dlfcn/dlerror.c...
> (operate=<optimized out>, args=<optimized out>) at /usr/src/debug/glibc-2.34-25.fc35.x86_64/dlfcn/dlerror.c:138
> #5 0x00007ffff78a6558 in __dlcloseDownloading 0.00 MB source file /usr/src/debug/glibc-2.34-25.fc35.x86_64/dlfcn/dlclose.c...
> (handle=<optimized out>) at /usr/src/debug/glibc-2.34-25.fc35.x86_64/dlfcn/dlclose.c:31
> #6 0x00007ffff7f820d9 in osl_unloadModule(oslModule) (hModule=0x1675640) at sal/osl/unx/module.cxx:217
> #7 0x00007ffff7f56588 in osl::Module::~Module() (this=0x7ffff7fbe7e8 <Impl_getTextEncodingData(unsigned short)::gFullTextEncodingData>) at include/osl/module.hxx:78
> #8 0x00007ffff7f56495 in (anonymous namespace)::FullTextEncodingData::~FullTextEncodingData() (this=0x7ffff7fbe7e8 <Impl_getTextEncodingData(unsigned short)::gFullTextEncodingData>) at sal/textenc/textenc.cxx:380
> #9 0x00007ffff7861de5 in __run_exit_handlersDownloading 0.00 MB source file /usr/src/debug/glibc-2.34-25.fc35.x86_64/stdlib/exit.c...
> (status=0, listp=0x7ffff7a17658 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at /usr/src/debug/glibc-2.34-25.fc35.x86_64/stdlib/exit.c:113
> #10 0x00007ffff7861f60 in __GI_exit (status=<optimized out>) at /usr/src/debug/glibc-2.34-25.fc35.x86_64/stdlib/exit.c:143
> #11 0x00007ffff784a567 in __libc_start_call_mainDownloading 0.00 MB source file /usr/src/debug/glibc-2.34-25.fc35.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h...
> (main=main@entry=0x201970 <main>, argc=argc@entry=3, argv=argv@entry=0x7fffffffdf98) at /usr/src/debug/glibc-2.34-25.fc35.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:74
> #12 0x00007ffff784a60c in __libc_start_main_implDownloading 0.00 MB source file /usr/src/debug/glibc-2.34-25.fc35.x86_64/csu/../csu/libc-start.c...
> (main=0x201970 <main>, argc=3, argv=0x7fffffffdf98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf88) at /usr/src/debug/glibc-2.34-25.fc35.x86_64/csu/../csu/libc-start.c:409
> #13 0x0000000000201875 in _start ()
)
Created attachment 178665 [details] Output of "gdb --pid=$(pidof soffice.bin)" .txt Thanks @sbergman for looking into this bug on LibreOffice crashes caused by LanguageTool. I had difficulties producing some helpful backtrace and Julien had helped me to do so. Here I attach the output of gdb --pid=$(pidof soffice.bin) with backtrace. The output seems to contain more valuable content than the extract which I had sent to Julien a few days ago. I hope that this is more helpful to find the cause of the crashes. Is there anything more I can do to trace the bug?
(In reply to Gerry from comment #7) > ... > Is there anything more I can do to trace the bug? I must recognize, I'm stuck now but certainly Stephan or someone else will have an idea.
Also the LanguageTool team investigated this bug (https://github.com/languagetool-org/languagetool/issues/6412) and they also come to the conclusion that this bug is in both, LanguageTool and LibreOffice. Here two quotes: "The bug occurs only, if writer is opened with an empty document, and after that a real document is loaded (This depends on the used machine. I count to four, open the document, and LO crashes. If you are opening very fast the document, no new XComponent is generated - LT and LO don't recognize the document as new - and LO doesn't crash). I could localize the problem at the class which installs a dynamic LT menu. If a document is loaded in the same window, LO crashes, when the dynamic menu is set (this is only the case if an unnamed empty document is overwritten by another document). Now (LT 5.7), the dynamic menu is only set, when the document is not empty. That is not the nice way, but it prevents LO from crashing. A better solution would be, if it solved at the side of LO." They also refer to that bug that seems to be related and roots in a LibreOffice's GTK3 issue: "Maybe there is also a relation to issue https://github.com/languagetool-org/languagetool/issues/6390. LO seems to have a serious problem with gtk3."
FredKruse from the LanguageTool team did some more investigation of this bug. I post it here, because it seems to be relevant concerning the LibreOffice bug:
"I could reproduce the bug described at #6390. I opened LibreOffice from the console. As fast as possible, I opened and close the same document. After five or six times, a second menubar appears and LO crashes. I got the following console output:
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
(soffice:195767): Gdk-WARNING **: 18:45:58.075: XSetErrorHandler() called with a GDK error trap pushed. Don't do that.
(soffice:195767): GLib-CRITICAL **: 18:46:31.638: g_hash_table_iter_next: assertion 'ri->version == ri->hash_table->version' failed
(soffice:195767): GLib-CRITICAL **: 18:46:31.639: g_hash_table_iter_next: assertion 'ri->version == ri->hash_table->version' failed
(soffice:195767): GLib-CRITICAL **: 18:46:31.692: g_hash_table_iter_next: assertion 'ri->version == ri->hash_table->version' failed
(soffice:195767): GLib-CRITICAL **: 18:46:31.693: g_hash_table_iter_next: assertion 'ri->version == ri->hash_table->version' failed
(soffice:195767): GLib-CRITICAL **: 18:46:31.693: g_hash_table_iter_next: assertion 'ri->version == ri->hash_table->version' failed
(soffice:195767): GLib-CRITICAL **: 18:46:31.693: g_hash_table_iter_next: assertion 'ri->version == ri->hash_table->version' failed
(soffice:195767): GLib-CRITICAL **: 18:46:31.695: g_hash_table_iter_next: assertion 'ri->version == ri->hash_table->version' failed
(soffice:195767): GLib-CRITICAL **: 18:46:31.696: g_hash_table_iter_next: assertion 'ri->version == ri->hash_table->version' failed
(soffice:195767): GLib-CRITICAL **: 18:46:31.697: g_hash_table_iter_next: assertion 'ri->version == ri->hash_table->version' failed
Fatal exception: Signal 11
Stack:
/usr/lib/libreoffice/program/libuno_sal.so.3(+0x3ffc3)[0x7f6815886fc3]
/usr/lib/libreoffice/program/libuno_sal.so.3(+0x4013a)[0x7f681588713a]
/usr/lib/jvm/java-11-openjdk-amd64/lib/server/libjvm.so(+0xbe3bf9)[0x7f67edf48bf9]
/usr/lib/jvm/java-11-openjdk-amd64/lib/server/libjvm.so(JVM_handle_linux_signal+0x201)[0x7f67edf4e8f1]
/usr/lib/jvm/java-11-openjdk-amd64/lib/server/libjvm.so(+0xbdc93c)[0x7f67edf4193c]
/lib/x86_64-linux-gnu/libc.so.6(+0x430c0)[0x7f68156720c0]
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0(g_hash_table_lookup+0x50)[0x7f6814d89760]
/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0(+0xe8aaa)[0x7f6814fbbaaa]
/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_closure_invoke+0x1b2)[0x7f6814e87802]
/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x28814)[0x7f6814e9b814]
/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_signal_emit_valist+0x10ae)[0x7f6814ea6bbe]
/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_signal_emit+0x93)[0x7f6814ea70f3]
/usr/lib/libreoffice/program/libvclplug_gtk3lo.so(+0x181096)[0x7f680e8d9096]
/usr/lib/libreoffice/program/libvclplug_gtk3lo.so(+0x17b8e9)[0x7f680e8d38e9]
/usr/lib/libreoffice/program/libmergedlo.so(_ZN4Menu7disposeEv+0x128)[0x7f6818704ef8]
/usr/lib/libreoffice/program/libmergedlo.so(+0x2e65aae)[0x7f6818715aae]
/usr/lib/libreoffice/program/libmergedlo.so(+0x2e65dce)[0x7f6818715dce]
/usr/lib/libreoffice/program/libmergedlo.so(_ZN4Menu7disposeEv+0x134)[0x7f6818704f04]
/usr/lib/libreoffice/program/libmergedlo.so(+0x2e65aae)[0x7f6818715aae]
/usr/lib/libreoffice/program/libmergedlo.so(+0x2e65dce)[0x7f6818715dce]
/usr/lib/libreoffice/program/libmergedlo.so(_ZN4Menu7disposeEv+0x134)[0x7f6818704f04]
/usr/lib/libreoffice/program/libmergedlo.so(_ZN8VCLXMenuD1Ev+0xf7)[0x7f68182c6687]
/usr/lib/libreoffice/program/libmergedlo.so(+0x2a18d37)[0x7f68182c8d37]
/usr/lib/libreoffice/program/libgcc3_uno.so(+0xbf5e)[0x7f681583ef5e]
/usr/lib/libreoffice/program/libuno_cppu.so.3(+0x25fc2)[0x7f68135f8fc2]
/usr/lib/libreoffice/program/libuno_cppu.so.3(+0x24315)[0x7f68135f7315]
/usr/lib/libreoffice/program/libuno_cppu.so.3(uno_Environment_invoke+0x98)[0x7f68135f7808]
/usr/lib/libreoffice/program/libjava_uno.so(Java_com_sun_star_bridges_jni_1uno_JNI_1proxy_finalize__J+0x68)[0x7f67ec0d0738]
[0x7f67d86846fb]
The bug happens also in the libjava_uno.so. So, there should be a relation, I think."
Was the new gdb log and the log outputs from the LanguageTool team helpful to identify the cause for the crashes at the side of LibreOffice? (comments 7 to 10) Can I provide any other bug information to help finding the cause?
About "(soffice:195767): Gdk-WARNING **: 18:45:58.075: XSetErrorHandler() called with a GDK error trap pushed. Don't do that." I found this link https://stackoverflow.com/questions/55446534/how-to-fix-java22494-gdk-warning Now I'm not sure if it generates just a warning or can trigger a crash.
@sbergman: Do comments 7 to 10 contain helpful information to identify the cause of the crashes?
This new post in the LanguageTool bug system might provide some additional information:
I also experienced, but only the first part of the error, posted by Fred Cruse above when I start libre via cli on debian bullseye.
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
(soffice:195767): Gdk-WARNING **: 18:45:58.075: XSetErrorHandler() called with a GDK error trap pushed. Don't do that.
Indeed I can reproduce with LanguageTool 5.6 (see comment 2) and the instructions from comment 9: Run `soffice --writer`, then after some wait open attachment 178557 [details], the Writer window will end up showing two menu bars, then crash at
> ==2802389==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000228ed8 at pc 0x7f01fe373efe bp 0x7ffe3b9ff250 sp 0x7ffe3b9ff248
> READ of size 8 at 0x614000228ed8 thread T0
> #0 in rtl::Reference<Menu>::get() const at include/rtl/ref.hxx:208:16 (instdir/program/libfwklo.so +0x2d1defd)
> #1 in VclPtr<Menu>::get() const at include/vcl/vclptr.hxx:146:28 (instdir/program/libfwklo.so +0x3413ed8)
> #2 in bool operator==<Menu>(Menu*, VclPtr<Menu> const&) at include/vcl/vclptr.hxx:239:21 (instdir/program/libfwklo.so +0x3402e1e)
> #3 in bool operator!=<Menu>(Menu*, VclPtr<Menu> const&) at include/vcl/vclptr.hxx:262:17 (instdir/program/libfwklo.so +0x3400ae0)
> #4 in framework::MenuBarManager::Activate(Menu*) at framework/source/uielement/menubarmanager.cxx:563:16 (instdir/program/libfwklo.so +0x33dfba5)
> #5 in framework::MenuBarManager::LinkStubActivate(void*, Menu*) at framework/source/uielement/menubarmanager.cxx:561:1 (instdir/program/libfwklo.so +0x33df668)
> #6 in Link<Menu*, bool>::Call(Menu*) const at include/tools/link.hxx:111:45 (instdir/program/libvcllo.so +0x742d4b7)
> #7 in Menu::Activate() at vcl/source/window/menu.cxx:266:28 (instdir/program/libvcllo.so +0x73d0bf2)
> #8 in Menu::HandleMenuActivateEvent(Menu*) const at vcl/source/window/menu.cxx:2540:16 (instdir/program/libvcllo.so +0x741833a)
> #9 in GtkSalMenu::ActivateAllSubmenus(Menu*) at vcl/unx/gtk3/gtksalmenu.cxx:1446:15 (instdir/program/libvclplug_gtk3lo.so +0x1a23c85)
> #10 in GtkSalMenu::UpdateFull() at vcl/inc/unx/gtk/gtksalmenu.hxx:119:49 (instdir/program/libvclplug_gtk3lo.so +0x19a4e9f)
> #11 in GtkSalMenu::SetFrame(SalFrame const*) at vcl/unx/gtk3/gtksalmenu.cxx:1160:9 (instdir/program/libvclplug_gtk3lo.so +0x1a137b9)
> #12 in GtkSalMenu::MenuBarHierarchyChangeHandler(Timer*) at vcl/unx/gtk3/gtksalmenu.cxx:610:5 (instdir/program/libvclplug_gtk3lo.so +0x1a11b63)
> #13 in GtkSalMenu::LinkStubMenuBarHierarchyChangeHandler(void*, Timer*) at vcl/unx/gtk3/gtksalmenu.cxx:605:1 (instdir/program/libvclplug_gtk3lo.so +0x1a11578)
> #14 in Link<Timer*, void>::Call(Timer*) const at include/tools/link.hxx:111:45 (instdir/program/libvcllo.so +0xa3a3ac2)
> #15 in Timer::Invoke() at vcl/source/app/timer.cxx:75:21 (instdir/program/libvcllo.so +0xa3a30cc)
> #16 in Scheduler::CallbackTaskScheduling() at vcl/source/app/scheduler.cxx:472:16 (instdir/program/libvcllo.so +0xa2005ca)
> #17 in SalTimer::CallCallback() at vcl/inc/saltimer.hxx:54:13 (instdir/program/libvclplug_gtk3lo.so +0x12afab8)
> #18 in sal_gtk_timeout_dispatch(_GSource*, int (*)(void*), void*) at vcl/unx/gtk3/gtkdata.cxx:721:45 (instdir/program/libvclplug_gtk3lo.so +0x12aa846)
> #19 in g_main_context_dispatch at <null> (/lib64/libglib-2.0.so.0 +0x550ae)
> #20 at <null> (/lib64/libglib-2.0.so.0 +0xaa307)
> #21 in g_main_context_iteration at <null> (/lib64/libglib-2.0.so.0 +0x528a2)
> #22 in GtkSalData::Yield(bool, bool) at vcl/unx/gtk3/gtkdata.cxx:405:31 (instdir/program/libvclplug_gtk3lo.so +0x12a28e0)
> #23 in GtkInstance::DoYield(bool, bool) at vcl/unx/gtk3/gtkinst.cxx:427:29 (instdir/program/libvclplug_gtk3lo.so +0x12bb66d)
> #24 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:474:48 (instdir/program/libvcllo.so +0xa2ecddc)
> #25 in Application::Yield() at vcl/source/app/svapp.cxx:558:5 (instdir/program/libvcllo.so +0xa2eb4b5)
> #26 in Application::Execute() at vcl/source/app/svapp.cxx:452:13 (instdir/program/libvcllo.so +0xa2eaca1)
> #27 in desktop::Desktop::Main() at desktop/source/app/app.cxx:1604:13 (instdir/program/libsofficeapp.so +0x821b3e)
> #28 in ImplSVMain() at vcl/source/app/svmain.cxx:202:35 (instdir/program/libvcllo.so +0xa38e674)
> #29 in SVMain() at vcl/source/app/svmain.cxx:234:12 (instdir/program/libvcllo.so +0xa396da0)
> #30 in soffice_main at desktop/source/app/sofficemain.cxx:98:12 (instdir/program/libsofficeapp.so +0xa062ce)
> #31 in sal_main at desktop/source/app/main.c:51:15 (instdir/program/soffice.bin +0x31781c)
> #32 in main at desktop/source/app/main.c:49:1 (instdir/program/soffice.bin +0x3177f6)
> #33 in __libc_start_call_main at <null> (/lib64/libc.so.6 +0x2d55f)
> #34 in __libc_start_main@GLIBC_2.2.5 at <null> (/lib64/libc.so.6 +0x2d60b)
> #35 in _start at <null> (instdir/program/soffice.bin +0x255494)
>
> 0x614000228ed8 is located 152 bytes inside of 400-byte region [0x614000228e40,0x614000228fd0)
> freed by thread T0 here:
> #0 in free at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 (instdir/program/soffice.bin +0x2d7a22)
> #1 in rtl_freeMemory at sal/rtl/alloc_global.cxx:51:5 (instdir/program/libuno_sal.so.3 +0x3b7d0c)
> #2 in cppu::OWeakObject::operator delete(void*) at include/cppuhelper/weak.hxx:91:11 (instdir/program/libfwklo.so +0x25e121c)
> #3 in framework::MenuBarManager::~MenuBarManager() at framework/source/uielement/menubarmanager.cxx:131:1 (instdir/program/libfwklo.so +0x33d1471)
> #4 in cppu::OWeakObject::release() at cppuhelper/source/weak.cxx:230:9 (instdir/program/libuno_cppuhelpergcc3.so.3 +0xca3406)
> #5 in comphelper::WeakComponentImplHelper<com::sun::star::frame::XStatusListener, com::sun::star::frame::XFrameActionListener, com::sun::star::ui::XUIConfigurationListener, com::sun::star::awt::XSystemDependentMenuPeer>::release() at include/comphelper/compbase.hxx:66:76 (instdir/program/libfwklo.so +0x2d21052)
> #6 in com::sun::star::uno::Reference<com::sun::star::lang::XComponent>::clear() at include/com/sun/star/uno/Reference.hxx:231:15 (instdir/program/libfwklo.so +0x2806534)
> #7 in framework::MenuBarWrapper::dispose() at framework/source/uielement/menubarwrapper.cxx:132:23 (instdir/program/libfwklo.so +0x343a3a4)
> #8 in framework::LayoutManager::impl_clearUpMenuBar() at framework/source/layoutmanager/layoutmanager.cxx:255:16 (instdir/program/libfwklo.so +0x2cbb767)
> #9 in framework::LayoutManager::implts_destroyElements() at framework/source/layoutmanager/layoutmanager.cxx:471:5 (instdir/program/libfwklo.so +0x2cc07ad)
> #10 in framework::LayoutManager::implts_reset(bool) at framework/source/layoutmanager/layoutmanager.cxx:440:17 (instdir/program/libfwklo.so +0x2cbff63)
> #11 in framework::LayoutManager::frameAction(com::sun::star::frame::FrameActionEvent const&) at framework/source/layoutmanager/layoutmanager.cxx:2715:9 (instdir/program/libfwklo.so +0x2d02aa7)
> #12 in (anonymous namespace)::XFrameImpl::implts_sendFrameActionEvent(com::sun::star::frame::FrameAction const&) at framework/source/services/frame.cxx:2950:79 (instdir/program/libfwklo.so +0x2f73ba6)
> #13 in (anonymous namespace)::XFrameImpl::setComponent(com::sun::star::uno::Reference<com::sun::star::awt::XWindow> const&, com::sun::star::uno::Reference<com::sun::star::frame::XController> const&) at framework/source/services/frame.cxx:1456:9 (instdir/program/libfwklo.so +0x2f574cb)
> #14 in (anonymous namespace)::SfxFrameLoader_Impl::impl_createDocumentView(com::sun::star::uno::Reference<com::sun::star::frame::XModel2> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, comphelper::NamedValueCollection const&, rtl::OUString const&) at sfx2/source/view/frmload.cxx:581:15 (instdir/program/libsfxlo.so +0x5c1a20c)
> #15 in (anonymous namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/view/frmload.cxx:702:13 (instdir/program/libsfxlo.so +0x5c1226b)
> #16 in framework::LoadEnv::impl_loadContent() at framework/source/loadenv/loadenv.cxx:1156:37 (instdir/program/libfwklo.so +0x2e3bc62)
> #17 in framework::LoadEnv::start() at framework/source/loadenv/loadenv.cxx:395:20 (instdir/program/libfwklo.so +0x2e323d9)
> #18 in framework::LoadEnv::startLoading(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, rtl::OUString const&, int, LoadEnvFeatures) at framework/source/loadenv/loadenv.cxx:300:5 (instdir/program/libfwklo.so +0x2e2aae4)
> #19 in framework::LoadDispatcher::impl_dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) at framework/source/dispatch/loaddispatcher.cxx:106:19 (instdir/program/libfwklo.so +0x28018b9)
>
> previously allocated by thread T0 here:
> #0 in malloc at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 (instdir/program/soffice.bin +0x2d7cce)
> #1 in rtl_allocateMemory at sal/rtl/alloc_global.cxx:38:12 (instdir/program/libuno_sal.so.3 +0x3b7599)
> #2 in cppu::OWeakObject::operator new(unsigned long) at include/cppuhelper/weak.hxx:89:18 (instdir/program/libfwklo.so +0x25e0dec)
> #3 in framework::MenuBarWrapper::initialize(com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) at framework/source/uielement/menubarwrapper.cxx:210:29 (instdir/program/libfwklo.so +0x343c799)
> #4 in framework::MenuBarFactory::CreateUIElement(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, std::basic_string_view<char16_t, std::char_traits<char16_t> >, com::sun::star::uno::Reference<com::sun::star::ui::XUIElement> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&) at framework/source/uifactory/menubarfactory.cxx:158:12 (instdir/program/libfwklo.so +0x384c01f)
> #5 in framework::MenuBarFactory::createUIElement(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/uifactory/menubarfactory.cxx:59:5 (instdir/program/libfwklo.so +0x3849a8f)
> #6 in non-virtual thunk to framework::MenuBarFactory::createUIElement(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/uifactory/menubarfactory.cxx (instdir/program/libfwklo.so +0x384c2f3)
> #7 in (anonymous namespace)::UIElementFactoryManager::createUIElement(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/uifactory/uielementfactorymanager.cxx:439:39 (instdir/program/libfwklo.so +0x386abf1)
> #8 in non-virtual thunk to (anonymous namespace)::UIElementFactoryManager::createUIElement(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/uifactory/uielementfactorymanager.cxx (instdir/program/libfwklo.so +0x3870323)
> #9 in framework::LayoutManager::implts_createElement(rtl::OUString const&) at framework/source/layoutmanager/layoutmanager.cxx:732:50 (instdir/program/libfwklo.so +0x2cb8c19)
> #10 in framework::LayoutManager::implts_createMenuBar(rtl::OUString const&) at framework/source/layoutmanager/layoutmanager.cxx:155:18 (instdir/program/libfwklo.so +0x2cb536b)
> #11 in framework::LayoutManager::createElement(rtl::OUString const&) at framework/source/layoutmanager/layoutmanager.cxx:1442:13 (instdir/program/libfwklo.so +0x2ce30a7)
> #12 in SfxDispatcher::SetMenu_Impl() at sfx2/source/control/dispatch.cxx:1026:33 (instdir/program/libsfxlo.so +0x40aa568)
> #13 in SfxDispatcher::Update_Impl(bool) at sfx2/source/control/dispatch.cxx:1091:9 (instdir/program/libsfxlo.so +0x4098947)
> #14 in SfxBaseController::ConnectSfxFrame_Impl(SfxBaseController::ConnectSfxFrame) at sfx2/source/view/sfxbasecontroller.cxx:1249:50 (instdir/program/libsfxlo.so +0x5cb884f)
> #15 in SfxBaseController::attachFrame(com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/view/sfxbasecontroller.cxx:530:9 (instdir/program/libsfxlo.so +0x5cb2f9e)
> #16 in (anonymous namespace)::SfxFrameLoader_Impl::impl_createDocumentView(com::sun::star::uno::Reference<com::sun::star::frame::XModel2> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, comphelper::NamedValueCollection const&, rtl::OUString const&) at sfx2/source/view/frmload.cxx:582:18 (instdir/program/libsfxlo.so +0x5c1a40b)
> #17 in (anonymous namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/view/frmload.cxx:702:13 (instdir/program/libsfxlo.so +0x5c1226b)
> #18 in framework::LoadEnv::impl_loadContent() at framework/source/loadenv/loadenv.cxx:1156:37 (instdir/program/libfwklo.so +0x2e3bc62)
> #19 in framework::LoadEnv::start() at framework/source/loadenv/loadenv.cxx:395:20 (instdir/program/libfwklo.so +0x2e323d9)
>
> SUMMARY: AddressSanitizer: heap-use-after-free include/rtl/ref.hxx:208:16 in rtl::Reference<Menu>::get() const
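As an added example (not part of the thread, and not LibreOffice or LanguageTool code), the script below parses an abridged copy of the AddressSanitizer report quoted above and picks the first non-plumbing frame of the use, free and allocation stacks. The `PLUMBING` path prefixes and all function names in the script are assumptions of this example.

```python
import re

# Abridged from the AddressSanitizer report quoted above: a few frames per
# stack, one frame per line, with the "> " quote markers left in place.
REPORT = r"""
> ==2802389==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000228ed8 at pc 0x7f01fe373efe bp 0x7ffe3b9ff250 sp 0x7ffe3b9ff248
> READ of size 8 at 0x614000228ed8 thread T0
> #0 in rtl::Reference<Menu>::get() const at include/rtl/ref.hxx:208:16 (instdir/program/libfwklo.so +0x2d1defd)
> #3 in bool operator!=<Menu>(Menu*, VclPtr<Menu> const&) at include/vcl/vclptr.hxx:262:17 (instdir/program/libfwklo.so +0x3400ae0)
> #4 in framework::MenuBarManager::Activate(Menu*) at framework/source/uielement/menubarmanager.cxx:563:16 (instdir/program/libfwklo.so +0x33dfba5)
> #15 in Timer::Invoke() at vcl/source/app/timer.cxx:75:21 (instdir/program/libvcllo.so +0xa3a30cc)
>
> 0x614000228ed8 is located 152 bytes inside of 400-byte region [0x614000228e40,0x614000228fd0)
> freed by thread T0 here:
> #0 in free at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 (instdir/program/soffice.bin +0x2d7a22)
> #1 in rtl_freeMemory at sal/rtl/alloc_global.cxx:51:5 (instdir/program/libuno_sal.so.3 +0x3b7d0c)
> #2 in cppu::OWeakObject::operator delete(void*) at include/cppuhelper/weak.hxx:91:11 (instdir/program/libfwklo.so +0x25e121c)
> #3 in framework::MenuBarManager::~MenuBarManager() at framework/source/uielement/menubarmanager.cxx:131:1 (instdir/program/libfwklo.so +0x33d1471)
> #7 in framework::MenuBarWrapper::dispose() at framework/source/uielement/menubarwrapper.cxx:132:23 (instdir/program/libfwklo.so +0x343a3a4)
>
> previously allocated by thread T0 here:
> #0 in malloc at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 (instdir/program/soffice.bin +0x2d7cce)
> #1 in rtl_allocateMemory at sal/rtl/alloc_global.cxx:38:12 (instdir/program/libuno_sal.so.3 +0x3b7599)
> #2 in cppu::OWeakObject::operator new(unsigned long) at include/cppuhelper/weak.hxx:89:18 (instdir/program/libfwklo.so +0x25e0dec)
> #3 in framework::MenuBarWrapper::initialize(com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) at framework/source/uielement/menubarwrapper.cxx:210:29 (instdir/program/libfwklo.so +0x343c799)
>
> SUMMARY: AddressSanitizer: heap-use-after-free include/rtl/ref.hxx:208:16 in rtl::Reference<Menu>::get() const
"""

# Frame layout used in this report: "#N in FUNC at FILE:LINE:COL (MODULE +0xOFF)";
# the "in FUNC" part is absent for frames without a symbol.
FRAME = re.compile(r"#(\d+)\s+(?:in (?P<func>.*?) )?at (?P<src>\S+) "
                   r"\((?P<module>\S+) \+(?P<off>0x[0-9a-f]+)\)")
HEADER = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address")
ACCESS = re.compile(r"(?P<op>READ|WRITE) of size (?P<size>\d+) at ")
REGION = re.compile(r"located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")
SECTIONS = {"freed by thread": "free", "previously allocated by thread": "alloc"}

# Assumption (not from the page): frames whose source path starts with one of
# these prefixes are allocator, reference-counting or header-inline plumbing.
PLUMBING = ("include/", "sal/", "cppuhelper/", "~/", "<null>")


def parse_report(text):
    """Split an ASan report into header facts and its three stacks."""
    rep = {"kind": None, "op": None, "size": None, "offset": None,
           "region": None, "access": [], "free": [], "alloc": []}
    stack = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # tolerate quoted reports
        if m := HEADER.search(line):
            rep["kind"] = m["kind"]
        elif m := ACCESS.match(line):
            rep["op"], rep["size"], stack = m["op"], int(m["size"]), "access"
        elif m := REGION.search(line):
            rep["offset"], rep["region"] = int(m["off"]), int(m["size"])
        elif line.startswith("SUMMARY:"):
            stack = None
        elif any(line.startswith(k) for k in SECTIONS):
            stack = next(v for k, v in SECTIONS.items() if line.startswith(k))
        elif stack and (m := FRAME.match(line)):
            rep[stack].append({"func": m["func"] or "", "src": m["src"],
                               "module": m["module"]})
    return rep


def first_project_frame(frames):
    """First frame that is not allocator or smart-pointer plumbing."""
    return next((f for f in frames if not f["src"].startswith(PLUMBING)), None)


def destroyed_type(frames):
    """Class name taken from the first destructor frame (X::~X()), if any."""
    for f in frames:
        if m := re.search(r"(\w+)::~\1\(\)", f["func"]):
            return m[1]
    return None


def triage(text):
    rep = parse_report(text)
    use, free, alloc = (first_project_frame(rep[s]) for s in ("access", "free", "alloc"))
    return {
        "kind": rep["kind"],
        "access": f'{rep["op"]} of {rep["size"]} bytes at offset {rep["offset"]} '
                  f'of a {rep["region"]}-byte block',
        "used_in": use and use["func"],
        "used_at": use and use["src"],
        "freed_in": free and free["func"],
        "freed_type": destroyed_type(rep["free"]),
        "allocated_in": alloc and alloc["func"],
        # True when the faulting access was reached from a timer callback.
        "deferred_use": any(f["func"].startswith("Timer::Invoke") for f in rep["access"]),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key:13} {value}")
```

On this report it names `framework::MenuBarManager::Activate(Menu*)` as the code touching an object already destroyed by `~MenuBarManager()`, with the access reached from a `Timer::Invoke()` callback.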
*** Bug 147796 has been marked as a duplicate of this bug. ***
Stephan Bergmann committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/6e135909d398a08105e2df4cae834e73f253b440 tdf#147668: Destroy still needs to do its work when called from disposing It will be available in 7.4.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
(In reply to Commit Notification from comment #16)
> Stephan Bergmann committed a patch related to this issue.
Note that that commit is related to, but does not fix, this issue.
Stephan Bergmann committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/9f041e7678521074b09b20f4088996c86bea5cd0 tdf#147668: Reliably remove GTK menu bar widget It will be available in 7.4.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.