Bug 166637 - Crash when clicking a dot in the control pane of a built-in dialog
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: BASIC
Version (earliest affected): 25.8.0.0 alpha0+
Hardware: All Windows (All)
Importance: medium normal
Assignee: Mike Kaganski
Whiteboard: target:25.8.0
Reported: 2025-05-19 08:00 UTC by nobu
Modified: 2025-05-20 03:19 UTC

Description nobu 2025-05-19 08:00:38 UTC
Description:
Crash when clicking a dot in the control pane of a built-in dialog.

Steps to Reproduce:
1. Open Basic IDE.
2. Select a Dialog.
   ex. Application Macro & Dialogs > Tools > DlgOverwriteAll
3. Select control in Dialog.
   ex. cmdYes button
4. Click the corner of the control, the center of the side, or one of the eight dots in total.

Actual Results:
5. Crash.

Expected Results:
5. Nothing happens.


Reproducible: Always


User Profile Reset: No

Additional Info:

Not reproduced with
Version: 25.2.3.2 (X86_64) / LibreOffice Community
Build ID: bbb074479178df812d175f709636b368952c2ce3
CPU threads: 4; OS: Windows 10 X86_64 (10.0 build 19045); UI render: Skia/Raster; VCL: win
Locale: en-US (ja_JP); UI: en-US
Calc: CL threaded

Reproducible with
Version: 25.8.0.0.alpha1+ (X86_64) / LibreOffice Community
Build ID: 94231af057db7871fb993582e2015c0fa21dde46
CPU threads: 4; OS: Windows 10 X86_64 (build 19045); UI render: Skia/Raster; VCL: win
Locale: en-US (ja_JP); UI: en-US
Calc: CL threaded
Comment 1 Xisco Faulí 2025-05-19 08:17:17 UTC
Hi nobu,
Would it be possible to have a screencast showing how to reproduce the issue?
I tried to follow the steps but I was not able to reproduce the crash.
Comment 2 Mike Kaganski 2025-05-19 08:30:42 UTC
Repro in debug build.
Comment 3 Mike Kaganski 2025-05-19 08:35:43 UTC
Regression after 62dd6274c71bc840f5c5abcd4b1fa536238aa25d.

Call stack in nullptr dereference:

> sfxlo.dll!com::sun::star::uno::Reference<com::sun::star::view::XSelectionSupplier>::operator->() Line 387	C++
> sfxlo.dll!`anonymous namespace'::GetSelectedShapeOfView(const com::sun::star::uno::Reference<com::sun::star::frame::XController> & xController) Line 2827	C++
> sfxlo.dll!SfxViewShell::GetSignPDFCertificate() Line 2873	C++
> svxcorelo.dll!SdrDragView::BegDragObj(const Point & rPnt, OutputDevice * pOut, SdrHdl * pHdl, short nMinMov, SdrDragMethod * _pForcedMeth) Line 418	C++
> basctllo.dll!basctl::DlgEdFuncSelect::MouseButtonDown(const MouseEvent & rMEvt) Line 452	C++
> basctllo.dll!basctl::DlgEditor::MouseButtonDown(const MouseEvent & rMEvt) Line 435	C++
> basctllo.dll!basctl::DialogWindow::MouseButtonDown(const MouseEvent & rMEvt) Line 135	C++
> vcllo.dll!ImplHandleMouseEvent(const VclPtr<vcl::Window> & xWindow, NotifyEventType nSVEvent, bool bMouseLeave, __int64 nX, __int64 nY, unsigned __int64 nMsgTime, unsigned short nCode, MouseEventModifiers nMode) Line 706	C++
> vcllo.dll!ImplHandleSalMouseButtonDown(vcl::Window * pWindow, const SalMouseEvent * pEvent) Line 2338	C++
> vcllo.dll!ImplWindowFrameProc(vcl::Window * _pWindow, SalEvent nEvent, const void * pEvent) Line 2683	C++
> vcllo.dll!SalFrame::CallCallback(SalEvent nEvent, const void * pEvent) Line 310	C++
> vclplug_winlo.dll!ImplHandleMouseMsg(HWND__ * hWnd, unsigned int nMsg, unsigned __int64 wParam, __int64 lParam) Line 3306	C++
> vclplug_winlo.dll!SalFrameWndProc(HWND__ * hWnd, unsigned int nMsg, unsigned __int64 wParam, __int64 lParam, bool & rDef) Line 5794	C++
> vclplug_winlo.dll!SalFrameWndProcW(HWND__ * hWnd, unsigned int nMsg, unsigned __int64 wParam, __int64 lParam) Line 6130	C++
> user32.dll!UserCallWinProcCheckWow(struct _ACTIVATION_CONTEXT *,__int64 (*)(struct tagWND *,unsigned int,unsigned __int64,__int64),struct HWND__ *,enum _WM_VALUE,unsigned __int64,__int64,void *,int)	Unknown
> user32.dll!DispatchMessageWorker()	Unknown
> vclplug_winlo.dll!ImplSalDispatchMessage(const tagMSG * pMsg) Line 442	C++
> vclplug_winlo.dll!ImplSalYield(bool bWait, bool bHandleAllCurrentEvents) Line 511	C++
> vclplug_winlo.dll!WinSalInstance::DoYield(bool bWait, bool bHandleAllCurrentEvents) Line 548	C++
> vcllo.dll!ImplYield(bool i_bWait, bool i_bAllEvents) Line 385	C++
> vcllo.dll!Application::Yield() Line 488	C++
> vcllo.dll!Application::Execute() Line 361	C++
> sofficeapp.dll!desktop::Desktop::Main() Line 1680	C++
> vcllo.dll!ImplSVMain() Line 231	C++
> vcllo.dll!SVMain() Line 250	C++
> sofficeapp.dll!soffice_main() Line 122	C++
> soffice.bin!sal_main() Line 51	C
> soffice.bin!main(int argc, char * * argv) Line 49	C
Comment 4 Mike Kaganski 2025-05-19 08:48:17 UTC
https://gerrit.libreoffice.org/c/core/+/185506
Comment 5 Commit Notification 2025-05-19 10:56:11 UTC
Mike Kaganski committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/9a91a2899947bc906ea5b7b1a740f00cce04a3c0

tdf#166637: Do not dereference a result of UNO_QUERY unconditionally

It will be available in 25.8.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
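
The defect named in the commit title, as an added example that is neither LibreOffice code nor the actual patch: a simplified stand-in for a UNO_QUERY reference that comes back empty, with an unguarded caller beside a guarded one. `DocController`, `PlainController` and the two `selectedShape*` functions are hypothetical names, and the stand-in `Reference` models only the query, `is()` and `operator->`.

```cpp
// Added illustration: a simplified model of the UNO pattern, not LibreOffice code.
#include <iostream>
#include <string>

struct XController { virtual ~XController() = default; };
struct XSelectionSupplier {
    virtual ~XSelectionSupplier() = default;
    virtual std::string getSelection() const = 0;
};

// Hypothetical controller of a document view: supports selection queries.
struct DocController : XController, XSelectionSupplier {
    std::string getSelection() const override { return "shape"; }
};
// Hypothetical controller that does not implement XSelectionSupplier.
struct PlainController : XController {};

// Stand-in for uno::Reference<T>(x, UNO_QUERY): empty if x lacks interface T.
template <class T> class Reference {
    T* p_;
public:
    explicit Reference(XController* x) : p_(dynamic_cast<T*>(x)) {}
    bool is() const { return p_ != nullptr; }
    T* operator->() const { return p_; }  // unchecked: empty reference means null dereference
};

// Unguarded form: undefined behaviour (a crash) whenever the query comes back empty.
std::string selectedShapeUnchecked(XController* c) {
    Reference<XSelectionSupplier> xSel(c);
    return xSel->getSelection();
}

// Guarded form: test is() first and report "no selection" to the caller.
bool selectedShapeChecked(XController* c, std::string& out) {
    Reference<XSelectionSupplier> xSel(c);
    if (!xSel.is())
        return false;
    out = xSel->getSelection();
    return true;
}

int main() {
    DocController doc;
    PlainController plain;
    std::string s;
    std::cout << selectedShapeChecked(&doc, s) << ' ' << s << '\n';
    std::cout << selectedShapeChecked(&plain, s) << '\n';  // empty query handled, no crash
}
```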
Comment 6 nobu 2025-05-20 03:19:29 UTC
The latest downloads won't crash.
[2025-05-19]
Version: 25.8.0.0.alpha1+ (X86_64) / LibreOffice Community
Build ID: 6190fe56f72008e0b6d0e502bf94099e72b9d202
CPU threads: 4; OS: Windows 10 X86_64 (build 19045); UI render: Skia/Raster; VCL: win
Locale: en-US (ja_JP); UI: en-US
Calc: CL threaded