Description: Crash: after opening print preview, closing print preview, right click on TOC Steps to Reproduce: 1. Open attachment 179758 [details] 2. Press Print Preview in toolbar 3. Close Print preview (button in the toolbar) 4. Right click on TOC (blue) Actual Results: Crash Expected Results: No crash Reproducible: Always User Profile Reset: No Additional Info: Version: 7.6.0.0.alpha0+ (X86_64) / LibreOffice Community Build ID: c4a58634753a84b09f20f7271d6525a6656522d3 CPU threads: 4; OS: Windows 6.3 Build 9600; UI render: Skia/Raster; VCL: win Locale: nl-NL (nl_NL); UI: nl-NL Calc: CL threaded
Created attachment 186496 [details] BT without symbols
FWIW, there is timing component.. It was harder to reproduce with debugger attached, compared without 1. Open attachment 179758 [details] 2. Press Print Preview in toolbar 3. Close Print preview (button in the toolbar) 4. Right click on TOC (blue) -> Crash (or not) 5. Open Print Preview again 6. Right click on toc 7. Close Print Preview button 8. Right Click on TOC -> Should be crashing There are couple of warnings before the crash (1830.1a04): C++ EH exception(1830.1a04): C++ EH exception - code e06d7363 (first chance) - code e06d7363 (first chance) warn:unotools:6192:6660:unotools/source/config/lingucfg.cxx:1133: DBG_UNHANDLED_EXCEPTION in GetVendorImageUrl_Impl exception: com.sun.star.container.NoSuchElementException message: "org.openoffice.lingu.new.Thesaurus" warn:unotools:6192:6660:unotools/source/config/lingucfg.cxx:1133: DBG_UNHANDLED_EXCEPTION in GetVendorImageUrl_Impl exception: com.sun.star.container.NoSuchElementException message: "org.openoffice.lingu.new.Thesaurus"
Created attachment 186497 [details] gdb bt On pc Debian x86-64 with master sources updated today, I got another bt. (I attached too some console logs)
I added some extra traces in the code and now I can't reproduce the crash anymore fun!
(In reply to Julien Nabet from comment #4) > I added some extra traces in the code and now I can't reproduce the crash > anymore fun! @Caolan Any suggestions how debug this. The issue is rather elusive.
hum, I don't seem to reproduce. When closing the print preview is it the dedicated "Close Preview" button of the lower print preview toolbar or the "Toggle Print Preview" button of the upper standard toolbar? And on right clicking is the right click over a mis-spelled word? The backtrace seems to suggest that while the menu is opened a SID_VIEWSHELL0 arrives which triggers dtor of a SwEditWin without disposing some menu. But I can't tell if that SwEditWin is the current one under the current menu or belonging to the print preview, but I can't see how that could arrive at this point in time.
In the original case of comment #1 was the "style inspector" sidebar panel open? I see: 00000025`c505d8b0 00007ffc`caff4afa : 00000000`00000000 00000025`c9222300 00007ffc`d6ed8ae8 00000000`00000000 : swlo!SwView::AttrChangedNotify+0x19 00000025`c505d900 00007ffc`ca49eddc : 00000025`ca4d9f90 00000025`d93529c0 00000000`00000000 00007ffc`ca49ed9c : swlo!org_apache_openoffice_comp_sw_sidebar_SwPanelFactory_get_implementation+0x908a 00000025`c505d950 00007ffc`ca48ff8e : 00000000`0000001c 00000000`00000000 00000000`0000c000 00000000`00000000 : swlo!SwCursorShell::CallChgLnk+0x4c in that original backtrace which suggests that to me, running under valgrind with that panel open I get: ==367204== at 0x371E79E8: SwCursorShell::SetChgLnk(Link<LinkParamNone*, void> const&) (crsrsh.hxx:500) ==367204== by 0x37454D8C: sw::sidebar::WriterInspectorTextPanel::~WriterInspectorTextPanel() (WriterInspectorTextPanel.cxx:86) ==367204== by 0x37454DB3: sw::sidebar::WriterInspectorTextPanel::~WriterInspectorTextPanel() (WriterInspectorTextPanel.cxx:87) ==367204== by 0x8779873: std::default_delete<PanelLayout>::operator()(PanelLayout*) const (unique_ptr.h:95) ==367204== by 0x87798D3: std::__uniq_ptr_impl<PanelLayout, std::default_delete<PanelLayout> >::reset(PanelLayout*) (unique_ptr.h:203) ==367204== by 0x8779750: std::unique_ptr<PanelLayout, std::default_delete<PanelLayout> >::reset(PanelLayout*) (unique_ptr.h:501) ==367204== by 0x87788EA: sfx2::sidebar::SidebarPanelBase::disposing(std::unique_lock<std::mutex>&) (SidebarPanelBase.cxx:86) ==367204== by 0x5F8D0A2: comphelper::WeakComponentImplHelperBase::dispose() (compbase.cxx:25) ==367204== by 0x8779B5D: comphelper::WeakComponentImplHelper<com::sun::star::ui::XContextChangeEventListener, com::sun::star::ui::XUIElement, com::sun::star::ui::XToolPanel, com::sun::star::ui::XSidebarPanel, com::sun::star::ui::XUpdateModel>::dispose() (compbase.hxx:76) ==367204== by 0x87C4B25: sfx2::sidebar::Panel::~Panel() (Panel.cxx:124) ==367204== by 0x8777DB9: void std::_Destroy<sfx2::sidebar::Panel>(sfx2::sidebar::Panel*) (stl_construct.h:151) ==367204== by 0x8777D65: void std::allocator_traits<std::allocator<void> >::destroy<sfx2::sidebar::Panel>(std::allocator<void>&, sfx2::sidebar::Panel*) (alloc_traits.h:648) ==367204== Address 0x414fb320 is 1,776 bytes inside an unallocated block of size 2,480 in arena "client"
I enabled style inspector and could reproduce the crash right away. So I added traces again and again, impossible to reproduce the pb until I get a crash at random. I noticed these: TODO SwView dtr 0x55dc73ab8a20 TODO SwEditWin dispose 0x55dc7091ab10 warn:legacy.osl:41045:41045:sw/source/core/access/accpage.cxx:51: bSelected out of sync warn:legacy.osl:41045:41045:sw/source/core/access/accpage.cxx:51: bSelected out of sync TODO SwEditWin ctr 0x55dc764a50a0 TODO SwView ctr 0x55dc73ab8a20 warn:legacy.osl:41045:41045:sw/source/core/access/acccontext.cxx:91: no window warn:unotools:41045:41045:unotools/source/config/lingucfg.cxx:1133: DBG_UNHANDLED_EXCEPTION in GetVendorImageUrl_Impl exception: com.sun.star.container.NoSuchElementException message: "org.openoffice.lingu.new.Thesaurus at /home/julien/lo/libreoffice/configmgr/source/access.cxx:403" TODO SwView dtr 0x55dc73ab8a20 TODO SwView dtr 0x55dc73ab8a20 The last 2 lines aren't a copy-paste error, the same view is destroyed twice. Hope to find a way to reproduce this with a 100% working process.
https://gerrit.libreoffice.org/c/core/+/150098 is my take on the inspector crash after toggling print preview. I think its the crash from comment #1 It is entirely possible that there is another crash, but I think this is the original problem at least
(In reply to Caolán McNamara from comment #7) > In the original case of comment #1 was the "style inspector" sidebar panel > open? Yes
Caolán McNamara committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/5402e881ea057ac2956dbcf9942015627601da87 tdf#154629 inspector sidebar panel use-after-free on switch to print preview It will be available in 7.6.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
looks ok to me in trunk, backport to 7-5 in gerrit
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-7-5": https://git.libreoffice.org/core/commit/23b09987e06f637bd864f40d8cc43def8d8eaa18 tdf#154629 inspector sidebar panel use-after-free on switch to print preview It will be available in 7.5.3. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-7-4": https://git.libreoffice.org/core/commit/1915e355c63efa4ebce3bb12ca2ece3ce504934b tdf#154629 inspector sidebar panel use-after-free on switch to print preview It will be available in 7.4.8. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-7-4-7": https://git.libreoffice.org/core/commit/5dada649f669cf283b544880ba9835f6dfade945 tdf#154629 inspector sidebar panel use-after-free on switch to print preview It will be available in 7.4.7. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.