156820 – Crash when changing color with custom colour picker accessed from overflowing toolbar

Bug 156820 - Crash when changing color with custom colour picker accessed from overflowing toolbar

Summary: Crash when changing color with custom colour picker accessed from overflowing...

Status:	VERIFIED FIXED

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	LibreOffice (show other bugs)
Version: (earliest affected)	7.3.0.0 alpha0+
Hardware:	All All

Importance:	medium critical
Assignee:	Matt K

URL:
Whiteboard:	target:24.8.0 target:24.2.0.2 target:...
Keywords:	bibisected, bisected, haveBacktrace, regression

Duplicates (1):	155817 (view as bug list)
Depends on:
Blocks:	Color-Picker-Dialog Toolbars-Overflow Crash
	Show dependency tree / graph

Reported:	2023-08-19 19:54 UTC by Chris Peñalver
Modified:	2024-01-28 00:10 UTC (History)
CC List:	9 users (show)

See Also:	154072
Crash report or crash signature:	["std::_Function_handler<void (int), cui::(anonymous namespace)::ColorPicker::startExecuteModal(com::sun::star::uno::Reference<com::sun::star::ui::dialogs::XDialogClosedListener> const&)::{lambda(int)#1}>::_M_invoke(std::_Any_data const&, int&&)"]

Attachments
temp.odp (22.82 KB, application/vnd.oasis.opendocument.presentation) 2023-08-19 19:55 UTC, Chris Peñalver	Details
macOS backtrace (14.26 KB, application/vnd.oasis.opendocument.text) 2023-08-20 13:54 UTC, Chris Peñalver	Details
bt with debug symbols (gen rendering) (8.04 KB, text/plain) 2023-09-30 13:28 UTC, Julien Nabet	Details
Valgrind trace (273.89 KB, text/x-log) 2023-12-12 20:10 UTC, Julien Nabet	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Peñalver 2023-08-19 19:54:21 UTC

Description:
In current LO or daily below do the following:

1) Open attached file.

2) Enable the Text Formatting toolbar via View > Toolbars > Text Formatting

3) Highlight text on slide 1 > Font Color > Custom Color... > in the window Pick a Color type in the field Hex #: 414074

4) Click OK

WORKAROUND: Highlight text > Secondary click > Character... > Font Color

Version: 7.5.5.2 (AARCH64) / LibreOffice Community
Build ID: ca8fe7424262805f223b9a2334bc7181abbcbf5e
CPU threads: 8; OS: Mac OS X 13.5; UI render: default; VCL: osx
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: threaded

Version: 24.2.0.0.alpha0+ (AARCH64) / LibreOffice Community
Build ID: 218a7650a5cf03f895bed19c68d6f02daec536e9
CPU threads: 8; OS: Mac OS X 13.5; UI render: Skia/Metal; VCL: osx
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: threaded

Steps to Reproduce:
See above.

Actual Results:
See above.

Expected Results:
See above.


Reproducible: Always


User Profile Reset: Yes

Additional Info:
See above.

Comment 1 Chris Peñalver 2023-08-19 19:55:38 UTC

Created attachment 189044 [details]
temp.odp

Comment 2 Julien Nabet 2023-08-20 10:35:52 UTC

Would it be possible to retrieve a bt? (see https://wiki.documentfoundation.org/QA/BugReport/Debug_Information#macOS:_How_to_get_debug_information)

On pc Debian x86-64 with master sources updated today, I don't reproduce this.

Comment 3 Chris Peñalver 2023-08-20 13:54:22 UTC

Created attachment 189049 [details]
macOS backtrace

Reproduced in latest master (i.e. appears LO+macOS'ism):

Version: 24.2.0.0.alpha0+ (AARCH64) / LibreOffice Community
Build ID: 91358f11ee7e87c8c8290b9507f64d8f90aac3ea
CPU threads: 8; OS: Mac OS X 13.5; UI render: Skia/Raster; VCL: osx
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: threaded

Comment 4 Julien Nabet 2023-08-20 15:55:53 UTC

Could you give a try at https://wiki.documentfoundation.org/QA/FirstSteps ?

Comment 5 Chris Peñalver 2023-08-20 15:57:39 UTC

Hi Julien,

We are past all that. This is ready for a developer to review and resolve.

Thanks!

Comment 6 Julien Nabet 2023-08-20 15:59:06 UTC

I saw something resembling skia, so you confirm you tried to disable skia rendering?

Comment 7 Chris Peñalver 2023-08-20 16:09:09 UTC

(In reply to Julien Nabet from comment #6)
> I saw something resembling skia, so you confirm you tried to disable skia
> rendering?

Hi Julien, thanks for the follow up insight.

As it was discovered skia was set as false by default, I twiddled all to true (notice UI render below went from Default to Skia/Raster) and it still crashes. If you have any other specific targets please feel free to advise:

Version: 7.5.5.2 (AARCH64) / LibreOffice Community
Build ID: ca8fe7424262805f223b9a2334bc7181abbcbf5e
CPU threads: 8; OS: Mac OS X 13.5; UI render: Skia/Raster; VCL: osx
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: threaded

Comment 8 Julien Nabet 2023-08-20 19:28:18 UTC

Alex: I don't remember if you've got Arm or Intel mac but do you reproduce this?

Comment 9 Alex Thurgood 2023-08-20 22:36:50 UTC

(In reply to Julien Nabet from comment #8)
> Alex: I don't remember if you've got Arm or Intel mac but do you reproduce
> this?

On Arm M1, would have to try and reproduce.
I've had crashing with font changes in Calc in the past (7342, I think), but not had crashing like that in Draw changing font colour, which is similar to Impress in many respects.

Let me test and report back.

Comment 10 Stéphane Guillou (stragu) 2023-09-30 00:12:36 UTC

Reproduced on macOS:

Version: 24.2.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: d88779fc86385dde1215fd28b78a69eacc6b4f97
CPU threads: 2; OS: Mac OS X 13.2.1; UI render: Skia/Raster; VCL: osx
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: threaded

As well as Linux:

Version: 24.2.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: e9a0c97de95688b2f86bbb4dd8c823af5442401c
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

In 7.6.2.1 as well, crash report: https://crashreport.libreoffice.org/stats/crash_details/e96e69e6-f85e-44de-a3c3-78e1cd858871

No crash in 7.2.7.2, crash in 7.3.7.2 -> regression.

I noticed that it only crashes if the toolbar overflows and I have to expand it with the caret button to reach the font colour button.
Same happens if changing the highlight colour with the custom colour picker. In Writer too.
Does not crash if changing the colour with the dropdown palette.

Comment 11 Julien Nabet 2023-09-30 13:28:41 UTC

Created attachment 189906 [details]
bt with debug symbols (gen rendering)

On pc Debian x86-64 with master sources updated today, I could reproduce this.

Comment 12 Julien Nabet 2023-09-30 14:33:17 UTC

I tried to do a bibisect and used linux-64-6.2 but never reproduced the pb during the dozen of steps.

Comment 13 raal 2023-09-30 15:35:46 UTC

This seems to have begun at the below commit in bibisect repository/OS linux-64-7.3.
Adding Cc: to Stephan Bergmann ; Could you possibly take a look at this one?
Thanks
 baf6e14708eaace9307290c4cff04f5b5741bf28 is the first bad commit
commit baf6e14708eaace9307290c4cff04f5b5741bf28
Author: Jenkins Build User <tdf@pollux.tdf>
Date:   Thu Aug 19 10:20:15 2021 +0200

    source f54ccf09a5073b6e544c976da68de0c9fc0bdf6c

150644: Combine com.sun.star.cui.[Asynchronous]ColorPicker implementation decls | https://gerrit.libreoffice.org/c/core/+/150644

Comment 14 Stéphane Guillou (stragu) 2023-10-01 08:23:07 UTC

(In reply to raal from comment #13)
> This seems to have begun at the below commit in bibisect repository/OS
> linux-64-7.3.
> Adding Cc: to Stephan Bergmann ; Could you possibly take a look at this one?
> Thanks
> Date:   Thu Aug 19 10:20:15 2021 +0200
>     source f54ccf09a5073b6e544c976da68de0c9fc0bdf6c
> 150644: Combine com.sun.star.cui.[Asynchronous]ColorPicker implementation
> decls | https://gerrit.libreoffice.org/c/core/+/150644

Confirmed with linux bibisect repo that it started at commit f54ccf09a5073b6e544c976da68de0c9fc0bdf6c, but that one's by Szymon, not Stephan :)

Szymon, can you please have a look?

Comment 15 Stephan Bergmann 2023-10-05 13:52:28 UTC

FYI, what I see when reproducing the recipe from comment 0 on Linux with ASan is

> ==1325068==ERROR: AddressSanitizer: heap-use-after-free on address 0x50f0000d6420 at pc 0x557754a66184 bp 0x7fffaf569490 sp 0x7fffaf568c50
> WRITE of size 4 at 0x50f0000d6420 thread T0
>  #0 in __asan_memcpy at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
>  #1 in cui::(anonymous namespace)::ColorPicker::startExecuteModal(com::sun::star::uno::Reference<com::sun::star::ui::dialogs::XDialogClosedListener> const&)::$_0::operator()(int) const at cui/source/dialogs/colorpicker.cxx:1350:21
>  #2 in void std::__invoke_impl<void, cui::(anonymous namespace)::ColorPicker::startExecuteModal(com::sun::star::uno::Reference<com::sun::star::ui::dialogs::XDialogClosedListener> const&)::$_0&, int>(std::__invoke_other, cui::(anonymous namespace)::ColorPicker::startExecuteModal(com::sun::star::uno::Reference<com::sun::star::ui::dialogs::XDialogClosedListener> const&)::$_0&, int&&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/invoke.h:61:14
>  #3 in std::enable_if<is_invocable_r_v<void, cui::(anonymous namespace)::ColorPicker::startExecuteModal(com::sun::star::uno::Reference<com::sun::star::ui::dialogs::XDialogClosedListener> const&)::$_0&, int>, void>::type std::__invoke_r<void, cui::(anonymous namespace)::ColorPicker::startExecuteModal(com::sun::star::uno::Reference<com::sun::star::ui::dialogs::XDialogClosedListener> const&)::$_0&, int>(cui::(anonymous namespace)::ColorPicker::startExecuteModal(com::sun::star::uno::Reference<com::sun::star::ui::dialogs::XDialogClosedListener> const&)::$_0&, int&&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/invoke.h:111:2
>  #4 in std::_Function_handler<void (int), cui::(anonymous namespace)::ColorPicker::startExecuteModal(com::sun::star::uno::Reference<com::sun::star::ui::dialogs::XDialogClosedListener> const&)::$_0>::_M_invoke(std::_Any_data const&, int&&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/std_function.h:290:9
>  #5 in std::function<void (int)>::operator()(int) const at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/std_function.h:591:9
>  #6 in (anonymous namespace)::GtkInstanceDialog::asyncresponse(int) at vcl/unx/gtk3/gtkinst.cxx:10012:9
>  #7 in (anonymous namespace)::GtkInstanceDialog::signalAsyncResponse(_GtkWidget*, int, void*) at vcl/unx/gtk3/gtkinst.cxx:6882:16
>  #8 in g_closure_invoke at <null>
>  #9  at <null>
>  #10  at <null>
>  #11 in g_signal_emit_valist at <null>
>  #12 in g_signal_emit at <null>
>  #13  at <null>
>  #14 in g_signal_emit_valist at <null>
>  #15 in g_signal_emit at <null>
>  #16  at <null>
>  #17 in g_closure_invoke at <null>
>  #18  at <null>
>  #19  at <null>
>  #20 in g_signal_emit_valist at <null>
>  #21 in g_signal_emit at <null>
>  #22  at <null>
>  #23  at <null>
>  #24  at <null>
>  #25 in g_signal_emit_valist at <null>
>  #26 in g_signal_emit at <null>
>  #27  at <null>
>  #28 in g_cclosure_marshal_VOID__BOXEDv at <null>
>  #29  at <null>
>  #30 in g_signal_emit_valist at <null>
>  #31 in g_signal_emit at <null>
>  #32  at <null>
>  #33  at <null>
>  #34  at <null>
>  #35 in gtk_event_controller_handle_event at <null>
>  #36  at <null>
>  #37  at <null>
>  #38  at <null>
>  #39 in g_signal_emit_valist at <null>
>  #40 in g_signal_emit at <null>
>  #41  at <null>
>  #42  at <null>
>  #43 in gtk_main_do_event at <null>
>  #44  at <null>
>  #45  at <null>
>  #46  at <null>
>  #47  at <null>
>  #48 in g_main_context_iteration at <null>
>  #49 in GtkSalData::Yield(bool, bool) at vcl/unx/gtk3/gtkdata.cxx:405:31
>  #50 in GtkInstance::DoYield(bool, bool) at vcl/unx/gtk3/gtkinst.cxx:434:29
>  #51 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:377:48
>  #52 in Application::Yield() at vcl/source/app/svapp.cxx:461:5
>  #53 in Application::Execute() at vcl/source/app/svapp.cxx:355:13
>  #54 in desktop::Desktop::Main() at desktop/source/app/app.cxx:1601:13
>  #55 in ImplSVMain() at vcl/source/app/svmain.cxx:204:35
>  #56 in SVMain() at vcl/source/app/svmain.cxx:236:12
>  #57 in soffice_main at desktop/source/app/sofficemain.cxx:94:12
>  #58 in sal_main at desktop/source/app/main.c:51:15
>  #59 in main at desktop/source/app/main.c:49:1
>  #60 in __libc_start_call_main at <null>
>  #61 in __libc_start_main@GLIBC_2.2.5 at <null>
>  #62 in _start at <null>
> 
> 0x50f0000d6420 is located 96 bytes inside of 168-byte region [0x50f0000d63c0,0x50f0000d6468)
> freed by thread T0 here:
>  #0 in free at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
>  #1 in rtl_freeMemory at sal/rtl/alloc_global.cxx:43:5
>  #2 in cppu::OWeakObject::operator delete(void*) at include/cppuhelper/weak.hxx:91:11
>  #3 in cui::(anonymous namespace)::ColorPicker::~ColorPicker() at cui/source/dialogs/colorpicker.cxx:1228:7
>  #4 in cppu::OWeakObject::release() at cppuhelper/source/weak.cxx:230:9
>  #5 in comphelper::WeakComponentImplHelper<com::sun::star::lang::XServiceInfo, com::sun::star::ui::dialogs::XExecutableDialog, com::sun::star::ui::dialogs::XAsynchronousExecutableDialog, com::sun::star::lang::XInitialization, com::sun::star::beans::XPropertyAccess>::release() at include/comphelper/compbase.hxx:70:70
>  #6 in com::sun::star::uno::Reference<com::sun::star::ui::dialogs::XAsynchronousExecutableDialog>::~Reference() at include/com/sun/star/uno/Reference.hxx:114:22
>  #7 in SvColorDialog::~SvColorDialog() at svtools/source/dialogs/colrdlg.cxx:51:1
>  #8 in std::default_delete<SvColorDialog>::operator()(SvColorDialog*) const at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/unique_ptr.h:99:2
>  #9 in std::unique_ptr<SvColorDialog, std::default_delete<SvColorDialog>>::~unique_ptr() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/unique_ptr.h:404:4
>  #10 in PaletteManager::~PaletteManager() at svx/source/tbxctrls/PaletteManager.cxx:99:1
>  #11 in void std::destroy_at<PaletteManager>(PaletteManager*) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/stl_construct.h:88:15
>  #12 in void std::_Destroy<PaletteManager>(PaletteManager*) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/stl_construct.h:149:7
>  #13 in void std::allocator_traits<std::allocator<void>>::destroy<PaletteManager>(std::allocator<void>&, PaletteManager*) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/alloc_traits.h:672:4
>  #14 in std::_Sp_counted_ptr_inplace<PaletteManager, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/shared_ptr_base.h:617:2
>  #15 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/shared_ptr_base.h:350:8
>  #16 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/shared_ptr_base.h:1070:11
>  #17 in std::__shared_ptr<PaletteManager, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/shared_ptr_base.h:1523:31
>  #18 in std::shared_ptr<PaletteManager>::~shared_ptr() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/shared_ptr.h:179:11
>  #19 in SvxColorToolBoxControl::~SvxColorToolBoxControl() at svx/source/tbxctrls/tbcontrl.cxx:3595:1
>  #20 in SvxColorToolBoxControl::~SvxColorToolBoxControl() at svx/source/tbxctrls/tbcontrl.cxx:3592:1
>  #21 in cppu::OWeakObject::release() at cppuhelper/source/weak.cxx:230:9
>  #22 in cppu::WeakImplHelper<com::sun::star::frame::XStatusListener, com::sun::star::frame::XToolbarController, com::sun::star::lang::XInitialization, com::sun::star::util::XUpdatable, com::sun::star::lang::XComponent>::release() at include/cppuhelper/implbase.hxx:115:66
>  #23 in svt::ToolboxController::release() at svtools/source/uno/toolboxcontroller.cxx:155:29
>  #24 in cppu::ImplInheritanceHelper<svt::ToolboxController, com::sun::star::lang::XServiceInfo>::release() at include/cppuhelper/implbase.hxx:171:64
>  #25 in cppu::ImplInheritanceHelper<svt::PopupWindowController, com::sun::star::frame::XSubToolbarController>::release() at include/cppuhelper/implbase.hxx:171:64
>  #26 in com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>::~Reference() at include/com/sun/star/uno/Reference.hxx:114:22
>  #27 in std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>::~pair() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/stl_pair.h:190:12
>  #28 in void std::destroy_at<std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>>(std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>*) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/stl_construct.h:88:15
>  #29 in void std::allocator_traits<std::allocator<std::__detail::_Hash_node<std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>, true>>>::destroy<std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>>(std::allocator<std::__detail::_Hash_node<std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>, true>>&, std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>*) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/alloc_traits.h:557:4
>  #30 in std::__detail::_Hashtable_alloc<std::allocator<std::__detail::_Hash_node<std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>, true>>>::_M_deallocate_node(std::__detail::_Hash_node<std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>, true>*) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/hashtable_policy.h:2027:7
>  #31 in std::__detail::_Hashtable_alloc<std::allocator<std::__detail::_Hash_node<std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>, true>>>::_M_deallocate_nodes(std::__detail::_Hash_node<std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>, true>*) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/hashtable_policy.h:2049:4
>  #32 in std::_Hashtable<o3tl::strong_int<unsigned short, ToolBoxItemIdTag>, std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>, std::allocator<std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>>, std::__detail::_Select1st, std::equal_to<o3tl::strong_int<unsigned short, ToolBoxItemIdTag>>, std::hash<o3tl::strong_int<unsigned short, ToolBoxItemIdTag>>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true>>::clear() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/hashtable.h:2481:13
>  #33 in std::__cxx1998::unordered_map<o3tl::strong_int<unsigned short, ToolBoxItemIdTag>, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>, std::hash<o3tl::strong_int<unsigned short, ToolBoxItemIdTag>>, std::equal_to<o3tl::strong_int<unsigned short, ToolBoxItemIdTag>>, std::allocator<std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>>>::clear() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/unordered_map.h:802:14
>  #34 in std::__debug::unordered_map<o3tl::strong_int<unsigned short, ToolBoxItemIdTag>, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>, std::hash<o3tl::strong_int<unsigned short, ToolBoxItemIdTag>>, std::equal_to<o3tl::strong_int<unsigned short, ToolBoxItemIdTag>>, std::allocator<std::pair<o3tl::strong_int<unsigned short, ToolBoxItemIdTag> const, com::sun::star::uno::Reference<com::sun::star::frame::XStatusListener>>>>::clear() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/debug/unordered_map:234:9
>  #35 in framework::ToolBarManager::RemoveControllers() at framework/source/uielement/toolbarmanager.cxx:1026:22
>  #36 in framework::ToolBarManager::dispose() at framework/source/uielement/toolbarmanager.cxx:830:9
>  #37 in framework::ToolBarManager::OverflowEventListener(VclWindowEvent&) at framework/source/uielement/toolbarmanager.cxx:2063:29
>  #38 in framework::ToolBarManager::LinkStubOverflowEventListener(void*, VclWindowEvent&) at framework/source/uielement/toolbarmanager.cxx:2056:1
>  #39 in Link<VclWindowEvent&, void>::Call(VclWindowEvent&) const at include/tools/link.hxx:111:45
>  #40 in vcl::Window::CallEventListeners(VclEventId, void*) at vcl/source/window/event.cxx:262:23
>  #41 in ImplDockingWindowWrapper::PopupModeEnd(FloatingWindow*) at vcl/source/window/dockmgr.cxx:883:14
> 
> previously allocated by thread T0 here:
>  #0 in malloc at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
>  #1 in rtl_allocateMemory at sal/rtl/alloc_global.cxx:30:12
>  #2 in cppu::OWeakObject::operator new(unsigned long) at include/cppuhelper/weak.hxx:89:18
>  #3 in com_sun_star_cui_ColorPicker_get_implementation at cui/source/dialogs/colorpicker.cxx:1265:27
>  #4 in com::sun::star::uno::XInterface* std::__invoke_impl<com::sun::star::uno::XInterface*, com::sun::star::uno::XInterface* (*&)(com::sun::star::uno::XComponentContext*, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&), com::sun::star::uno::XComponentContext*, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&>(std::__invoke_other, com::sun::star::uno::XInterface* (*&)(com::sun::star::uno::XComponentContext*, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&), com::sun::star::uno::XComponentContext*&&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/invoke.h:61:14
>  #5 in std::enable_if<is_invocable_r_v<com::sun::star::uno::XInterface*, com::sun::star::uno::XInterface* (*&)(com::sun::star::uno::XComponentContext*, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&), com::sun::star::uno::XComponentContext*, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&>, com::sun::star::uno::XInterface*>::type std::__invoke_r<com::sun::star::uno::XInterface*, com::sun::star::uno::XInterface* (*&)(com::sun::star::uno::XComponentContext*, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&), com::sun::star::uno::XComponentContext*, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&>(com::sun::star::uno::XInterface* (*&)(com::sun::star::uno::XComponentContext*, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&), com::sun::star::uno::XComponentContext*&&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/invoke.h:114:9
>  #6 in std::_Function_handler<com::sun::star::uno::XInterface* (com::sun::star::uno::XComponentContext*, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&), com::sun::star::uno::XInterface* (*)(com::sun::star::uno::XComponentContext*, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&)>::_M_invoke(std::_Any_data const&, com::sun::star::uno::XComponentContext*&&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/std_function.h:290:9
>  #7 in std::function<com::sun::star::uno::XInterface* (com::sun::star::uno::XComponentContext*, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&)>::operator()(com::sun::star::uno::XComponentContext*, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) const at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/14.0.0/../../../../include/c++/14.0.0/bits/std_function.h:591:9
>  #8 in cppuhelper::ServiceManager::Data::Implementation::doCreateInstanceWithArguments(com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) at cppuhelper/source/servicemanager.cxx:723:13
>  #9 in cppuhelper::ServiceManager::Data::Implementation::createInstanceWithArguments(com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, bool, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&) at cppuhelper/source/servicemanager.cxx:694:16
>  #10 in cppuhelper::ServiceManager::createInstanceWithArgumentsAndContext(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&) at cppuhelper/source/servicemanager.cxx:1019:36
>  #11 in non-virtual thunk to cppuhelper::ServiceManager::createInstanceWithArgumentsAndContext(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&) at cppuhelper/source/servicemanager.cxx
>  #12 in com::sun::star::cui::AsynchronousColorPicker::createWithParent(com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, com::sun::star::uno::Reference<com::sun::star::awt::XWindow> const&) at workdir/UnoApiHeadersTarget/offapi/normal/com/sun/star/cui/AsynchronousColorPicker.hpp:48:137
>  #13 in SvColorDialog::ExecuteAsync(weld::Window*, std::function<void (int)> const&) at svtools/source/dialogs/colrdlg.cxx:117:20
>  #14 in PaletteManager::PopupColorPicker(weld::Window*, rtl::OUString const&, Color const&) at svx/source/tbxctrls/PaletteManager.cxx:408:18
>  #15 in ColorWindow::OpenPickerClickHdl(weld::Button&) at svx/source/tbxctrls/tbcontrl.cxx:2288:22
>  #16 in ColorWindow::LinkStubOpenPickerClickHdl(void*, weld::Button&) at svx/source/tbxctrls/tbcontrl.cxx:2278:1
>  #17 in Link<weld::Button&, void>::Call(weld::Button&) const at include/tools/link.hxx:111:45
>  #18 in weld::Button::signal_clicked() at include/vcl/weld.hxx:1504:41
>  #19 in (anonymous namespace)::GtkInstanceButton::signalClicked(_GtkButton*, void*) at vcl/unx/gtk3/gtkinst.cxx:9880:16
>  #20  at <null>
>  #21 in g_signal_emit_valist at <null>
>  #22 in g_signal_emit at <null>
>  #23  at <null>
>  #24 in g_closure_invoke at <null>
>  #25  at <null>
>  #26  at <null>
>  #27 in g_signal_emit_valist at <null>
>  #28 in g_signal_emit at <null>
>  #29  at <null>
>  #30  at <null>
>  #31  at <null>
>  #32 in g_signal_emit_valist at <null>
>  #33 in g_signal_emit at <null>
>  #34  at <null>
>  #35 in g_cclosure_marshal_VOID__BOXEDv at <null>
>  #36  at <null>
>  #37 in g_signal_emit_valist at <null>
>  #38 in g_signal_emit at <null>
>  #39  at <null>
> 
> SUMMARY: AddressSanitizer: heap-use-after-free ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3 in __asan_memcpy
> Shadow bytes around the buggy address:
>   0x50f0000d6180: 00 00 05 fa fa fa fa fa fa fa fa fa 00 00 00 00
>   0x50f0000d6200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x50f0000d6280: 00 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
>   0x50f0000d6300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa
>   0x50f0000d6380: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
> =>0x50f0000d6400: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fa fa fa
>   0x50f0000d6480: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
>   0x50f0000d6500: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
>   0x50f0000d6580: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
>   0x50f0000d6600: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
>   0x50f0000d6680: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==1325068==ABORTING

Comment 16 Stéphane Guillou (stragu) 2023-12-12 12:22:42 UTC

*** Bug 155817 has been marked as a duplicate of this bug. ***

Comment 17 Stéphane Guillou (stragu) 2023-12-12 12:49:11 UTC

Still repro in:

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 76400f66096a5cdc64cbd72ed9a94961b3200216
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: x11
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

Comment 18 Julien Nabet 2023-12-12 20:10:02 UTC

Created attachment 191397 [details]
Valgrind trace

Comment 19 Matt K 2023-12-18 22:07:28 UTC

Fix is tracked in: https://gerrit.libreoffice.org/c/core/+/160956

Comment 20 Commit Notification 2023-12-22 11:20:59 UTC

Noel Grandin committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/78ccae0d42d168f845ddbd7cb694d80dfb04f84d

tdf#156820 Fix crash in custom color picker

It will be available in 24.8.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Comment 21 Commit Notification 2023-12-22 12:15:12 UTC

Noel Grandin committed a patch related to this issue.
It has been pushed to "libreoffice-24-2":

https://git.libreoffice.org/core/commit/2d02bb6c792350b7bc07b029f835bd0223402079

tdf#156820 Fix crash in custom color picker

It will be available in 24.2.0.2.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Comment 22 Commit Notification 2023-12-23 11:34:31 UTC

Noel Grandin committed a patch related to this issue.
It has been pushed to "libreoffice-7-6":

https://git.libreoffice.org/core/commit/15be0847190fee716689938e70fcb4ade208d97f

tdf#156820 Fix crash in custom color picker

It will be available in 7.6.5.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Comment 23 Stéphane Guillou (stragu) 2024-01-25 02:17:46 UTC

Fix verified in:

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: d0dcd87788910e3c9f67a2b68534019c05b77bad
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: x11
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

Thank you Noel and Matt!