168526 – Sporadic crash when deleting a page break on macOS

Bug 168526 - Sporadic crash when deleting a page break on macOS

Summary: Sporadic crash when deleting a page break on macOS

Status:	NEW

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	Writer (show other bugs)
Version: (earliest affected)	26.2.0.0 alpha0+ master
Hardware:	All macOS (All)

Importance:	medium normal
Assignee:	Not Assigned

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	Writer-Page-Break Crash
	Show dependency tree / graph

Reported:	2025-09-23 21:21 UTC by Telesto
Modified:	2025-10-21 17:25 UTC (History)
CC List:	3 users (show)

See Also:
Crash report or crash signature:

Attachments
Example file (44.65 KB, application/vnd.oasis.opendocument.text) 2025-09-23 21:22 UTC, Telesto	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Telesto 2025-09-23 21:21:38 UTC

Description:
Sporadic crash when deleting a page break on macOS

Steps to Reproduce:
1. Open the attached file
2. Place cursor at beginning of the text at page 2
3. Insert -> More Breaks -> Manual page Break -> Select Page Style -> Landscape & OK
4. Hoover over the page break. When the popup appears click it and select delete page break

Still no clue what I do different. It only crashes 1 out of 8 times or so

Actual Results:
Crash

Expected Results:
No crash


Reproducible: Sometimes


User Profile Reset: No

Additional Info:
Version: 26.2.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 18bde21b1d700bbf97e001a13ba9389dc7f9efc7
CPU threads: 8; OS: macOS 14.7.4; UI render: Skia/Metal; VCL: osx
Locale: nl-NL (nl_NL.UTF-8); UI: en-US
Calc: threaded

Heaviest stack for the main thread of the target process:
  20  start + 1909 (dyld + 25413) [0x7ff80b7ee345]
  20  main + 16 (soffice + 1296) [0x10e97e510]
  20  soffice_main + 217 (libmergedlo.dylib + 23898905) [0x1192f2b19]
  20  ImplSVMain() + 450 (libmergedlo.dylib + 42248450) [0x11a472902]
  20  AquaSalInstance::SVMainHook(int*) + 156 (libvclplug_osxlo.dylib + 159340) [0x1131e1e6c]
  20  ??? (AppKit + 17651) [0x7ff80f28c4f3]
  20  ??? (AppKit + 198058) [0x7ff80f2b85aa]
  20  ??? (AppKit + 5295406) [0x7ff80f794d2e]
  20  -[VCL_NSApplication sendEvent:] + 81 (libvclplug_osxlo.dylib + 439185) [0x113226391]
  20  AquaSalInstance::handleAppDefinedEvent(NSEvent*) + 89 (libvclplug_osxlo.dylib + 149561) [0x1131df839]
  20  ImplSVMain() + 477 (libmergedlo.dylib + 42248477) [0x11a47291d]
  20  desktop::Desktop::Main() + 4617 (libmergedlo.dylib + 23764105) [0x1192d1c89]
  20  Application::Execute() + 160 (libmergedlo.dylib + 42203408) [0x11a467910]
  20  ImplYield(bool, bool) + 739 (libmergedlo.dylib + 42205395) [0x11a4680d3]
  20  AquaSalInstance::DoYield(bool, bool) + 820 (libvclplug_osxlo.dylib + 151716) [0x1131e00a4]
  20  -[VCL_NSApplication sendEvent:] + 1290 (libvclplug_osxlo.dylib + 440394) [0x11322684a]
  20  ??? (AppKit + 9773472) [0x7ff80fbda1a0]
  20  ??? (AppKit + 1701123) [0x7ff80f427503]
  20  ??? (AppKit + 1701975) [0x7ff80f427857]
  20  ??? (AppKit + 2254835) [0x7ff80f4ae7f3]
  20  -[SalFrameView sendMouseEventToFrame:button:eventtype:] + 1352 (libvclplug_osxlo.dylib + 405496) [0x11321dff8]
  20  ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) + 833 (libmergedlo.dylib + 38971137) [0x11a152701]
  20  ImplHandleSalMouseButtonDown(vcl::Window*, SalMouseEvent const*) + 169 (libmergedlo.dylib + 38973497) [0x11a153039]
  20  ImplHandleMouseEvent(VclPtr<vcl::Window> const&, NotifyEventType, bool, long, long, unsigned long, unsigned short, MouseEventModifiers) + 4999 (libmergedlo.dylib + 38963271) [0x11a150847]
  20  MenuButton::ExecuteMenu() + 536 (libmergedlo.dylib + 39462088) [0x11a1ca4c8]
  20  MenuButton::Select() + 216 (libmergedlo.dylib + 39462536) [0x11a1ca688]
  20  SwPageBreakWin::SelectHdl(rtl::OUString const&) + 86 (libswlo.dylib + 9657862) [0x1ad51ee06]
  20  SwBreakDashedLine::execute(std::__1::basic_string_view<char16_t, std::__1::char_traits<char16_t>>) + 1028 (libswlo.dylib + 9659092) [0x1ad51f2d4]
  20  sw::DocumentContentOperationsManager::InsertItemSet(SwPaM const&, SfxItemSet const&, SetAttrMode, SwRootFrame const*) + 225 (libswlo.dylib + 1734369) [0x1acd906e1]
  20  (anonymous namespace)::lcl_InsAttr(SwDoc&, SwPaM const&, SfxItemSet const&, SetAttrMode, SwUndoAttr*, SwRootFrame const*, SwTextAttr**) + 2720 (libswlo.dylib + 1726144) [0x1acd8e6c0]
  20  SwTextNode::SetAttr(SfxPoolItem const&) + 74 (libswlo.dylib + 5357594) [0x1ad10501a]
  20  SwContentNode::SetAttr(SfxPoolItem const&) + 430 (libswlo.dylib + 2407598) [0x1ace34cae]
  20  sw::ClientNotifyAttrChg(SwModify&, SwAttrSet const&, SwAttrSet&, SwAttrSet&) + 112 (libswlo.dylib + 433088) [0x1acc52bc0]
  20  SwTextNode::TriggerNodeUpdate(sw::AttrSetChangeHint const&) + 454 (libswlo.dylib + 5413622) [0x1ad112af6]
  20  sw::BroadcastingModify::CallSwClientNotify(SfxHint const&) const + 18 (libswlo.dylib + 432946) [0x1acc52b32]
  20  SwModify::CallSwClientNotify(SfxHint const&) const + 197 (libswlo.dylib + 432757) [0x1acc52a75]
  20  SwTextFrame::SwClientNotify(SwModify const&, SfxHint const&) + 6495 (libswlo.dylib + 5021519) [0x1ad0b2f4f]
  20  SwContentFrame::SwClientNotify(SwModify const&, SfxHint const&) + 584 (libswlo.dylib + 4176888) [0x1acfe4bf8]
  20  SwContentFrame::UpdateAttr_(SfxPoolItem const*, SfxPoolItem const*, SwContentFrameInvFlags&, SwAttrSetChg*, SwAttrSetChg*) + 351 (libswlo.dylib + 4177999) [0x1acfe504f]
  20  SwFrame::CheckPageDescs(SwPageFrame*, bool, SwPageFrame**) + 1313 (libswlo.dylib + 3800001) [0x1acf88bc1]
  20  SwLayoutFrame::SetFrameFormat(SwFrameFormat*) + 104 (libswlo.dylib + 4015032) [0x1acfbd3b8]
  20  SwPageFrame::SwClientNotify(SwModify const&, SfxHint const&) + 390 (libswlo.dylib + 3789302) [0x1acf861f6]
  20  vtable for SwIterator<SwFrame, sw::BroadcastingModify, (sw::IteratorMode)1> + 16 (libswlo.dylib + 14504432) [0x1ad9be1f0]
  20  _sigtramp + 29 (libsystem_platform.dylib + 16349) [0x7ff80bba8fdd]
  20  (anonymous namespace)::signalHandlerFunction(int, __siginfo*, void*) + 122 (libuno_sal.dylib.3 + 296538) [0x10ef8965a]
  20  callSignalHandler(oslSignalInfo*) + 42 (libuno_sal.dylib.3 + 26874) [0x10ef478fa]
  20  VCLExceptionSignal_impl(void*, oslSignalInfo*) + 251 (libmergedlo.dylib + 42253499) [0x11a473cbb]
  20  desktop::Desktop::Exception(ExceptionCategory) + 304 (libmergedlo.dylib + 23751104) [0x1192ce9c0]
  20  desktop::(anonymous namespace)::impl_callRecoveryUI(bool, bool) + 490 (libmergedlo.dylib + 23751834) [0x1192cec9a]
  20  non-virtual thunk to (anonymous namespace)::RecoveryUI::dispatchWithReturnValue(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) + 18 (libmergedlo.dylib + 26516242) [0x119571b12]
  20  (anonymous namespace)::RecoveryUI::dispatchWithReturnValue(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) + 541 (libmergedlo.dylib + 26514013) [0x11957125d]
  20  virtual thunk to SalInstanceDialog::run() + 52 (libmergedlo.dylib + 41906500) [0x11a41f144]
  20  Dialog::Execute() + 85 (libmergedlo.dylib + 38330389) [0x11a0b6015]
  20  ImplYield(bool, bool) + 739 (libmergedlo.dylib + 42205395) [0x11a4680d3]
  20  AquaSalInstance::DoYield(bool, bool) + 1507 (libvclplug_osxlo.dylib + 152403) [0x1131e0353]
  20  -[VCL_NSApplication sendEvent:] + 81 (libvclplug_osxlo.dylib + 439185) [0x113226391]
  20  AquaSalInstance::handleAppDefinedEvent(NSEvent*) + 389 (libvclplug_osxlo.dylib + 149861) [0x1131df965]
  20  AquaSalTimer::handleDispatchTimerEvent(NSEvent*) + 47 (libvclplug_osxlo.dylib + 224383) [0x1131f1c7f]
  20  AquaSalTimer::callTimerCallback() + 71 (libvclplug_osxlo.dylib + 224039) [0x1131f1b27]
  20  Scheduler::CallbackTaskScheduling() + 3557 (libmergedlo.dylib + 42129301) [0x11a455795]
  20  SwPageBreakWin::FadeHandler(Timer*) + 292 (libswlo.dylib + 9661092) [0x1ad51faa4]
  20  SwBreakDashedLine::UpdatePosition(std::__1::optional<Point> const&) + 114 (libswlo.dylib + 9650626) [0x1ad51d1c2]
  19  SwFrame::ImplFindPageFrame() + 24 (libswlo.dylib + 3490952) [0x1acf3d488]
 *19  hndl_alltraps + 95 (kernel + 895135) [0xffffff80003be89f]
 *11  user_trap + 1259 (kernel + 2711211) [0xffffff8000579eab]
 *11  exception_triage_thread + 409 (kernel + 1320905) [0xffffff80004267c9]
 *10  exception_deliver + 1482 (kernel + 1319562) [0xffffff800042628a]
 *10  mach_exception_raise + 239 (kernel + 1840847) [0xffffff80004a56cf]
 *4   ??? (kernel + 1340930) [0xffffff800042b602]
 *2   ipc_port_adjust_special_reply_port_locked + 1255 (kernel + 1192631) [0xffffff80004072b7]
 *2   mpsc_daemon_enqueue + 27 (kernel + 1442011) [0xffffff80004440db]
 *2   ??? (kernel + 1754723) [0xffffff8000490663]

Comment 1 Telesto 2025-09-23 21:22:17 UTC

Created attachment 202941 [details]
Example file

Comment 2 Patrick (volunteer) 2025-09-25 20:39:44 UTC

I think I found the line of code where the crash is occurring. In the following debug patch, I found getRootFrame() is returning a nullptr and the then crashes on the line following the fprintf().

Not sure why getRootFrame() is a nullptr so we probably need a Writer developer to debug this further:

diff --git a/sw/source/core/layout/pagechg.cxx b/sw/source/core/layout/pagechg.cxx
index 070b8b8ccf32..c962ad1795e4 100644
--- a/sw/source/core/layout/pagechg.cxx
+++ b/sw/source/core/layout/pagechg.cxx
@@ -1527,6 +1527,7 @@ SwPageFrame *SwFrame::InsertPage( SwPageFrame *pPrevPage, bool bFootnote )
 
 sw::sidebarwindows::SidebarPosition SwPageFrame::SidebarPosition() const
 {
+    fprintf( stderr, "Root frame: %p\n", getRootFrame() );
     SwViewShell *pSh = getRootFrame()->GetCurrShell();
     if( !pSh || pSh->GetViewOptions()->getBrowseMode() )
     {

Comment 3 Telesto 2025-09-25 20:58:25 UTC

@Ilmari
(In reply to Patrick (volunteer) from comment #2)
> ......we probably need a Writer developer to debug this further:

Any idea who can help out? Not sure if this is truly macOS specific, but I was unable to reproduce it on Windows in my quick testing.

Comment 4 Patrick (volunteer) 2025-09-25 23:46:49 UTC

Some additional data: the crash is due to an SwPageFrame being used after deletion. Using the debug patch at the end of this comment, I get the following output:

SwPageFrame new: 1 0x78d88de00
SwPageFrame new: 2 0x78dfaa6c0
SwPageFrame new: 3 0x78b488000
SwPageFrame delete: 2 0x78b488000
SwPageFrame will crash: 0x78b488000

Note that the third SwPageFrame created is deleted and then its SwPageFrame::SidebarPosition() is called later.

diff --git a/sw/source/core/layout/pagechg.cxx b/sw/source/core/layout/pagechg.cxx
index 070b8b8ccf32..a75cb7cf123c 100644
--- a/sw/source/core/layout/pagechg.cxx
+++ b/sw/source/core/layout/pagechg.cxx
@@ -67,6 +67,8 @@
 #include <txtfly.hxx>
 #include <frmatr.hxx>
 
+static std::map<SwPageFrame*, SwPageFrame*> aPageFrames;
+
 using namespace ::com::sun::star;
 
 SwBodyFrame::SwBodyFrame( SwFrameFormat *pFormat, SwFrame* pSib ):
@@ -194,6 +196,8 @@ SwPageFrame::SwPageFrame( SwFrameFormat *pFormat, SwFrame* pSib, SwPageDesc *pPg
     m_pDesc( pPgDsc ),
     m_nPhyPageNum( 0 )
 {
+aPageFrames[this] = this;
+fprintf(stderr, "SwPageFrame new: %lu %p\n", aPageFrames.size(), this);
     SetDerivedVert( false );
     SetDerivedR2L( false );
     if( m_pDesc )
@@ -322,6 +326,12 @@ void SwPageFrame::DestroyImpl()
 
 SwPageFrame::~SwPageFrame()
 {
+auto it = aPageFrames.find(this);
+if (it != aPageFrames.end())
+{
+aPageFrames.erase(it);
+fprintf(stderr, "SwPageFrame delete: %lu %p\n", aPageFrames.size(), this);
+}
 }
 
 void SwPageFrame::CheckGrid( bool bInvalidate )
@@ -1527,6 +1537,8 @@ SwPageFrame *SwFrame::InsertPage( SwPageFrame *pPrevPage, bool bFootnote )
 
 sw::sidebarwindows::SidebarPosition SwPageFrame::SidebarPosition() const
 {
+if (!getRootFrame())
+fprintf(stderr, "SwPageFrame will crash: %p\n", this);
     SwViewShell *pSh = getRootFrame()->GetCurrShell();
     if( !pSh || pSh->GetViewOptions()->getBrowseMode() )
     {

Comment 5 Noel Grandin 2025-09-26 06:33:43 UTC

I would suggest just patching the code with a workaroud, something like

sw::sidebarwindows::SidebarPosition SwPageFrame::SidebarPosition() const
{
    if (!getRootFrame())
        return sw::sidebarwindows::SidebarPosition::RIGHT;
}

these kinds of writer bugs are hell to track down, writer has such a web of pointers.

Comment 6 Telesto 2025-09-28 08:16:40 UTC

FWIW same or quite similar bt: bug 167405