Description:
In any spreadsheet, type: -(!1) and click enter. A dialog appears with the text "LibreOffice Calc found an error in the formula entered. Do you want to accept the correction proposed below? =-(1)". Click no. Libreoffice crashes.

Steps to Reproduce:
1. Type "-(!1)" into a calc spreadsheet without the quotes and hit enter
2. In the dialog that appears, click No

Actual Results:
LibreOffice crashes with the following stacktrace:

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BREAKPOINT (SIGABRT)
Exception Codes: 0x0000000000000001, 0x000000019cc54bb8

Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6
Terminating Process: soffice [1495]

Application Specific Information:
BUG IN LIBDISPATCH: Unexpected event
Abort Cause 7
abort() called

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x19cdaa600 __pthread_kill + 8
1 libsystem_pthread.dylib 0x19cde2f70 pthread_kill + 288
2 libsystem_c.dylib 0x19ccef908 abort + 128
3 libuno_sal.dylib.3 0x1026b8298 (anonymous namespace)::signalHandlerFunction(int, __siginfo*, void*) (.cold.1) + 28
4 libuno_sal.dylib.3 0x1026acd08 (anonymous namespace)::signalHandlerFunction(int, __siginfo*, void*) + 1056
5 libsystem_platform.dylib 0x19ce18184 _sigtramp + 56
6 libsclo.dylib 0x38cb42a14 ScDocFunc::SetEditCell(ScAddress const&, EditTextObject const&, bool) + 196
7 libsclo.dylib 0x38cf1b06c (anonymous namespace)::finalizeFormulaProcessing(std::__1::shared_ptr<(anonymous namespace)::FormulaProcessingContext>) + 1016
8 libsclo.dylib 0x38cf1b7f8 std::__1::__function::__func<(anonymous namespace)::runAutoCorrectQueryAsync(std::__1::shared_ptr<(anonymous namespace)::FormulaProcessingContext>)::$_0, std::__1::allocator<(anonymous namespace)::runAutoCorrectQueryAsync(std::__1::shared_ptr<(anonymous namespace)::FormulaProcessingContext>)::$_0>, void (int)>::operator()(int&&) + 212
9 libmergedlo.dylib 0x10c59a8ec Dialog::EndDialog(long) + 844
10 libmergedlo.dylib 0x10c654d98 Control::ImplCallEventListenersAndHandler(VclEventId, std::__1::function<void ()> const&) + 100
11 libmergedlo.dylib 0x10c6385f8 Button::Click() + 64
12 libmergedlo.dylib 0x10c63be78 PushButton::Tracking(TrackingEvent const&) + 640
13 libmergedlo.dylib 0x10c61ae1c vcl::Window::EndTracking(TrackingEventFlags) + 624
14 libmergedlo.dylib 0x10c62e89c ImplHandleMouseEvent(VclPtr<vcl::Window> const&, NotifyEventType, bool, long, long, unsigned long, unsigned short, MouseEventModifiers) + 3540
15 libmergedlo.dylib 0x10c630ebc ImplHandleSalMouseButtonUp(vcl::Window*, SalMouseEvent const*) + 160
16 libmergedlo.dylib 0x10c630648 ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) + 788
17 libvclplug_osxlo.dylib 0x106158f5c -[SalFrameView sendMouseEventToFrame:button:eventtype:] + 456
18 AppKit 0x1a1542b50 _routeMouseUpEvent + 132
19 AppKit 0x1a0b33058 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 404
20 AppKit 0x1a0b32cf4 -[NSWindow(NSEventRouting) sendEvent:] + 284
21 AppKit 0x1a133059c -[NSApplication(NSEventRouting) sendEvent:] + 1656
22 libvclplug_osxlo.dylib 0x10615e5c4 -[VCL_NSApplication sendEvent:] + 1112
23 libvclplug_osxlo.dylib 0x10612bbe4 AquaSalInstance::DoYield(bool, bool) + 672
24 libmergedlo.dylib 0x10c8fd580 Application::Yield() + 96
25 libmergedlo.dylib 0x10c8fd474 Application::Execute() + 176
26 libmergedlo.dylib 0x10b977d78 desktop::Desktop::Main() + 2660
27 libmergedlo.dylib 0x10c905108 ImplSVMain() + 392
28 libvclplug_osxlo.dylib 0x10612b548 AquaSalInstance::handleAppDefinedEvent(NSEvent*) + 96
29 libvclplug_osxlo.dylib 0x10615e1c8 -[VCL_NSApplication sendEvent:] + 92
30 AppKit 0x1a0f43984 -[NSApplication _handleEvent:] + 60
31 AppKit 0x1a09feba4 -[NSApplication run] + 520
32 AppKit 0x1a09d544c NSApplicationMain + 888
33 libvclplug_osxlo.dylib 0x10612d658 AquaSalInstance::SVMainHook(int*) + 152
34 libmergedlo.dylib 0x10c9050e4 ImplSVMain() + 356
35 libmergedlo.dylib 0x10b993628 soffice_main + 200
36 soffice 0x1025eff6c main + 20
37 dyld 0x19ca60274 start + 2840

Expected Results:
Libreoffice should not crash, and the cell should keep the value of -(!1)

Reproducible: Always

User Profile Reset: No

Additional Info:
Version: 24.8.2.1 (AARCH64) / LibreOffice Community
Build ID: 0f794b6e29741098670a3b95d60478a65d05ef13
CPU threads: 10; OS: macOS 15.0; UI render: Skia/Metal; VCL: osx
Locale: en-GB (en_NO.UTF-8); UI: en-US
Calc: threaded

No repro with

Version: 25.2.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 4787fd4fc86230893a6da309f45964116b3a67df
CPU threads: 4; OS: Linux 6.8; UI render: default; VCL: gtk3
Locale: cs-CZ (cs_CZ.UTF-8); UI: en-US
Calc: threaded

can NOT reproduce with:

Version: 7.4.7.2 / LibreOffice Community
Build ID: 40(Build:2)
CPU threads: 4; OS: Linux 6.6; UI render: Skia/Vulkan; VCL: gtk3
Locale: de-DE (de_DE.UTF-8); UI: de-DE
Debian package version: 4:7.4.7-1+deb12u5
Calc: threaded

but can reproduce with:

Version: 24.8.2.1 (AARCH64) / LibreOffice Community
Build ID: 0f794b6e29741098670a3b95d60478a65d05ef13
CPU threads: 4; OS: Linux 6.6; UI render: default; VCL: gtk3
Locale: de-DE (de_DE.UTF-8); UI: de-DE
Flatpak
Calc: threaded

Not reproducible

Version: 25.2.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 4b8cec7e83e675eeafb8d722c5d6fb3181a051d1
CPU threads: 16; OS: Windows 11 X86_64 (10.0 build 22631); UI render: Skia/Raster; VCL: win
Locale: es-ES (es_ES); UI: en-US
Calc: CL threaded

Potentially, a bug dependent on hardware (ARM-only)?
Created attachment 196901
bt

On pc Debian x86-64 with master sources updated today, I could reproduce this.
Noel: I wonder if this could be due to unique_ptr usage and async dialog. Any thoughts here?
I forgot to provide these messages from gdb:

#1 0x00007f95ae9a9bec in ScDocFunc::SetEditCell (this=0x558bc1c705f0, rPos=..., rStr=warning: can't find linker symbol for virtual table for `EditTextObject' value
warning: found `ReservedWord7' instead
..., bInteraction=true) at sc/source/ui/docshell/docfunc.cxx:1008
1008 rDoc.SetEditText(rPos, rStr.Clone());
(gdb) p rStr
$1 = warning: can't find linker symbol for virtual table for `EditTextObject' value
warning: found `ReservedWord7' instead
(const EditTextObject &) warning: can't find linker symbol for virtual table for `EditTextObject' value
warning: found `ReservedWord7' instead
@0x558bc612eb00: {_vptr$EditTextObject = 0x7f95b7ddf62c <ReservedWord0>}

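An added illustration, not part of the thread and not LibreOffice code, of the lifetime hazard raised in the two comments above: a dialog's result handler runs after the function that opened it has returned, so an object owned by a unique_ptr in that function is gone by the time the handler uses it. All names here (Text, Result, openDialogAsync, userClicks, enterUnsafe, enterSafe, run) are hypothetical, and the unsafe variant checks a liveness counter rather than dereferencing the dangling pointer.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

int liveTexts = 0;  // demo-only liveness counter (one Text exists at a time)
struct Text {       // hypothetical stand-in for the cell's text object
    std::string value;
    explicit Text(std::string v) : value(std::move(v)) { ++liveTexts; }
    ~Text() { --liveTexts; }
};
struct Result { bool textAlive = false; std::string stored; };  // what the handler saw

// Stand-in event loop: a dialog's result handler runs later, not inline.
std::vector<std::function<void(int)>> pending;
void openDialogAsync(std::function<void(int)> onClose) { pending.push_back(std::move(onClose)); }
void userClicks(int button) {
    auto handlers = std::move(pending);
    pending.clear();
    for (auto& h : handlers) h(button);
}

// Hazard: the handler borrows a raw pointer; the unique_ptr owner dies on return.
void enterUnsafe(const std::string& input, Result& out) {
    auto text = std::make_unique<Text>(input);
    openDialogAsync([borrowed = text.get(), &out](int) {
        out.textAlive = liveTexts > 0;  // test liveness instead of dereferencing
        if (out.textAlive) out.stored = borrowed->value;
    });
}  // `text` is destroyed here, before the user has answered the dialog

// Hardened: the handler holds shared ownership, so the object outlives the dialog.
void enterSafe(const std::string& input, Result& out) {
    auto text = std::make_shared<Text>(input);
    openDialogAsync([text, &out](int) {
        out.textAlive = liveTexts > 0;
        out.stored = text->value;
    });
}

Result run(bool safe) {
    Result r;
    if (safe) enterSafe("-(!1)", r); else enterUnsafe("-(!1)", r);
    userClicks(0);  // the user answers the dialog after enter*() has returned
    return r;
}
int main() {
    std::printf("unsafe alive=%d, safe alive=%d\n", run(false).textAlive, run(true).textAlive);
}
```

Building the unsafe variant with the liveness check removed and AddressSanitizer enabled (-fsanitize=address) reports the read as heap-use-after-free, which is the class of defect the later fix commits name.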
(In reply to libreoffice.bugs from comment #0)
> Expected Results:
> Libreoffice should not crash, and the cell should keep the value of -(!1)

no Solution, but a workaround:
start the input by a single-straight-quote to protect it from »interpret it as Formula«
'-(!1)
the quote will not be shown in the Cell

Created attachment 196924
valgrind
Regression introduced by:

commit b39c6082aa975ed8e5696c3dc24c3025ed07bbb6
author codewithvk <vivek.javiya@collabora.com> Thu Jan 11 10:27:27 2024 +0530
committer Caolán McNamara <caolan.mcnamara@collabora.com> Wed Jan 31 10:33:48 2024 +0100
tree 73c3312864edf09b43339c735b4ebb315a723fc2
parent a830a34d6d21656d00996c002b0dedf37b7545c0

Implement Async AutoCorrectQuery Dialogs for Formula Check in calc

@Caolán, I thought you might be interested in this issue
I believe https://gerrit.libreoffice.org/c/core/+/174644 will fix this
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-24-8": https://git.libreoffice.org/core/commit/ffb4747aa6ee82791ce8a8ee35efaacd811f64d2 Resolves: tdf#163275 crash in async dialog use after free It will be available in 24.8.3. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Caolán McNamara committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/d96527e9fdf2b981c176a0821b21d75203ee5950 Resolves: tdf#163275 crash in async dialog use after free It will be available in 25.2.0.
On pc Debian x86-64 with master sources updated today with Caolán's patch, it works perfectly. Thank you Caolán!
Xisco Fauli committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/4a4535300ebd146322bf7e788d0200e4b338f4ad tdf#163275: sc: Add UItest It will be available in 25.2.0.