Description: When a user clicks on the column header of a "com.sun.star.awt.grid.UnoControlGrid" control, or in the empty space below the rows, it sometimes causes Libreoffice to crash. It is caused by an out-of-bounds nChildIndex value being passed to the "AccessibleGridControlTable::getAccessibleChild" function in source file "accessibility/source/extended/AccessibleGridControlTable.cxx". It will try to access the row index with this out-of-bounds value, causing a segmentation fault. Steps to Reproduce: 1: Open the attached file 2: Click on the 'Grid in dialog' button 3: Click on a column header to sort the column, or in the empty area below the rows 4: If it doesn't crash after several clicks, close and reopen the dialog and try again 5: Sometimes it takes several times, but it will eventually crash Libreoffice Actual Results: Libreoffice crashes because of a segmentation fault Expected Results: The grid should sort the rows according to the selected column header without crashing Libreoffice. Reproducible: Always User Profile Reset: Yes Additional Info: Version: 7.4.7.2 / LibreOffice Community Build ID: 40(Build:2) CPU threads: 12; OS: Linux 6.1; UI render: default; VCL: gtk3 Locale: en-US (en_US.UTF-8); UI: en-US Debian package version: 4:7.4.7-1+deb12u6 Calc: threaded
Created attachment 198647 [details] This is an .ods file with a button and a macro designed to reproduce a crash in LibreOffice. The macro opens a dialog containing a "com.sun.star.awt.grid.UnoControlGrid" control. This bug report describes a crash in LibreOffice when interacting with a "com.sun.star.awt.grid.UnoControlGrid" control. The attached .ods file includes a macro and a button to reproduce the issue. Note that the crash might not occur immediately—it sometimes requires opening and closing the dialog multiple times and clicking on column headers or the empty space below rows. Steps to reproduce and the root cause (an out-of-bounds nChildIndex value) are outlined in the report description.
I've not been able to reproduce this using macOS version: Version: 24.8.4.2 (AARCH64) / LibreOffice Community Build ID: bb3cfa12c7b1bf994ecc5649a80400d06cd71002 CPU threads: 8; OS: macOS 15.2; UI render: Skia/Raster; VCL: osx Locale: en-GB (en_GB.UTF-8); UI: en-US Calc: threaded I closed and reopened the dialog five times and each time re-sorted the columns about 20+ times in random and sequential orders.
Confirm with Version: 25.8.0.0.alpha0+ (X86_64) / LibreOffice Community Build ID: 9dd225ee8c45d6c944b9ce5578780d89612e9ffb CPU threads: 4; OS: Linux 6.8; UI render: default; VCL: gtk3 Locale: cs-CZ (cs_CZ.UTF-8); UI: en-US Calc: threaded but not in vclplugin=gen gtk_widget_get_toplevel: assertion 'GTK_IS_WIDGET (widget)' failed Could not find platform independent libraries <prefix>
I saw this twice, so its likely this problem, nChildIndex of -6, detected in dbgutil version like so, but likely more random crashiness in release builds. getAccessibleCellAt is passed nRow of -2 (sounds dubious, from m_aTable.GetCurrentRow()) and nColumn of 0. #0 0x00007ffff78a8014 in __pthread_kill_implementation () at /lib64/libc.so.6 #1 0x00007ffff784ef1e in raise () at /lib64/libc.so.6 #2 0x00007ffff7836902 in abort () at /lib64/libc.so.6 #3 0x00007ffff74a84e9 in __gnu_debug::_Error_formatter::_M_error() const [clone .cold] () at /lib64/libstdc++.so.6 #4 0x00007fffed409583 in std::__debug::vector<rtl::Reference<accessibility::AccessibleGridControlTableCell>, std::allocator<rtl::Reference<accessibility::AccessibleGridControlTableCell> > >::operator[] (this=0x48a5720, __n=18446744073709551610) at /usr/bin/../lib/gcc/x86_64-redhat-linux/14/../../../../include/c++/14/debug/vector:508 #5 0x00007fffed4062a6 in accessibility::AccessibleGridControlTable::getAccessibleChild (this=0x48a5670, nChildIndex=-6) at /home/caolan/LibreOffice/core/vcl/source/accessibility/AccessibleGridControlTable.cxx:66 #6 0x00007fffed407592 in accessibility::AccessibleGridControlTable::getAccessibleCellAt (this=0x48a5670, nRow=-2, nColumn=0) at /home/caolan/LibreOffice/core/vcl/source/accessibility/AccessibleGridControlTable.cxx:191 #7 0x00007fffed3fe0b4 in accessibility::AccessibleGridControl::commitCellEvent (this=0x94bebf0, _nEventId=4, _rNewValue=uno::Any("hyper": 1024), _rOldValue=uno::Any(void)) at /home/caolan/LibreOffice/core/vcl/source/accessibility/AccessibleGridControl.cxx:272 #8 0x00007fffed3ff58b in accessibility::AccessibleGridControlAccess::commitCellEvent (this=0x94b5020, nEventId=4, rNewValue=uno::Any("hyper": 1024), rOldValue=uno::Any(void)) at vcl/inc/accessibility/AccessibleGridControl.hxx:196 #9 0x00007fffeff21b4d in svt::table::TableControl_Impl::commitCellEvent (this=0x488c4e0, i_eventID=4, i_newValue=uno::Any("hyper": 1024), i_oldValue=uno::Any(void)) at /home/caolan/LibreOffice/core/toolkit/source/controls/table/tablecontrol_impl.cxx:2303 #10 0x00007fffeff14deb in svt::table::TableControl::commitCellEventIfAccessibleAlive (this=0x650b3b0, i_eventID=4, i_newValue=uno::Any("hyper": 1024), i_oldValue=uno::Any(void)) at /home/caolan/LibreOffice/core/toolkit/source/controls/table/tablecontrol.cxx:472 #11 0x00007fffefec306b in SVTXGridControl::ProcessWindowEvent (this=0x2624ae0, rVclWindowEvent=...) at /home/caolan/LibreOffice/core/toolkit/source/controls/svtxgridcontrol.cxx:796 #12 0x00007fffefcf380a in VCLXWindow::WindowEventListener (this=0x2624ae0, rEvent=...) at /home/caolan/LibreOffice/core/toolkit/source/awt/vclxwindow.cxx:389 #13 0x00007fffefcf34ed in VCLXWindow::LinkStubWindowEventListener (instance=0x2624ae0, data=...) at /home/caolan/LibreOffice/core/toolkit/source/awt/vclxwindow.cxx:383 #14 0x00007fffed69faa8 in Link<VclWindowEvent&, void>::Call (this=0x8402850, data=...) at include/tools/link.hxx:101 #15 0x00007fffed69c80e in vcl::Window::CallEventListeners (this=0x650b3b0, nEvent=VclEventId::ControlGetFocus, pData=0x0) at /home/caolan/LibreOffice/core/vcl/source/window/event.cxx:262 #16 0x00007fffed876534 in Control::CallEventListeners (this=0x650b3b0, nEvent=VclEventId::ControlGetFocus, pData=0x0) at /home/caolan/LibreOffice/core/vcl/source/control/ctrl.cxx:298 #17 0x00007fffed876011 in Control::ImplCallEventListenersAndHandler (this=0x650b3b0, nEvent=VclEventId::ControlGetFocus, callHandler=...) at /home/caolan/LibreOffice/core/vcl/source/control/ctrl.cxx:305 #18 0x00007fffed875e11 in Control::EventNotify (this=0x650b3b0, rNEvt=...) at /home/caolan/LibreOffice/core/vcl/source/control/ctrl.cxx:233 #19 0x00007fffed7ff38d in vcl::Window::CompatNotify (this=0x650b3b0, rNEvt=...) at /home/caolan/LibreOffice/core/vcl/source/window/window.cxx:3943 #20 0x00007fffed7ff691 in vcl::Window::GetFocus (this=0x650b3b0) at /home/caolan/LibreOffice/core/vcl/source/window/window.cxx:1855 #21 0x00007fffeff12d9f in svt::table::TableControl::GetFocus (this=0x650b3b0) at /home/caolan/LibreOffice/core/toolkit/source/controls/table/tablecontrol.cxx:82 #22 0x00007fffed80b63c in vcl::Window::CompatGetFocus (this=0x650b3b0) at /home/caolan/LibreOffice/core/vcl/source/window/window.cxx:3903 #23 0x00007fffed72c8bd in vcl::Window::ImplGrabFocus (this=0x650b3b0, nFlags=GetFocusFlags::NONE) at /home/caolan/LibreOffice/core/vcl/source/window/mouse.cxx:384 #24 0x00007fffed7f8c57 in vcl::Window::GrabFocus (this=0x650b3b0) at /home/caolan/LibreOffice/core/vcl/source/window/window.cxx:2990 #25 0x00007fffeff14f65 in svt::table::TableControl::GrabFocus (this=0x650b3b0) at /home/caolan/LibreOffice/core/toolkit/source/controls/table/tablecontrol.cxx:493 #26 0x00007fffeff36d68 in svt::table::TableDataWindow::MouseButtonUp (this=0xc2caee0, rMEvt=...) at /home/caolan/LibreOffice/core/toolkit/source/controls/table/tabledatawindow.cxx:176 #27 0x00007fffed81f9c7 in ImplHandleMouseEvent (xWindow=..., nSVEvent=NotifyEventType::MOUSEBUTTONUP, bMouseLeave=false, nX=58, nY=198, nMsgTime=1839711105, nCode=1, nMode=(MouseEventModifiers::SIMPLECLICK | MouseEventModifiers::SELECT)) at /home/caolan/LibreOffice/core/vcl/source/window/winproc.cxx:719
Michael Weghorn committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/57906dde339a71eee87437ae2d11c7474c03befd tdf#164783 toolkit a11y: Only send event for current cell if there's one It will be available in 25.8.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
The commit from comment 5 fixes the issue I can reproduce (which is the same as Caolán's backtrace in comment 4 shows). Pending backports for 25.2 and 24.8: https://gerrit.libreoffice.org/c/core/+/180680 https://gerrit.libreoffice.org/c/core/+/180681 A retest with a daily build from tomorrow or later would be welcome, to see whether this is it or you see any further issues.
Michael Weghorn committed a patch related to this issue. It has been pushed to "libreoffice-25-2": https://git.libreoffice.org/core/commit/bf5af7725bbd53c70596723e7fc9548d3d89c427 tdf#164783 toolkit a11y: Only send event for current cell if there's one It will be available in 25.2.1. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Michael Weghorn committed a patch related to this issue. It has been pushed to "libreoffice-24-8": https://git.libreoffice.org/core/commit/1cc254f10bc39eb605ab442cdfac35ad41a0ebb4 tdf#164783 toolkit a11y: Only send event for current cell if there's one It will be available in 24.8.5. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.