Bug 168900 - Crash upon clicking into any spinbox while JAWS is running
Summary: Crash upon clicking into any spinbox while JAWS is running
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: UI (show other bugs)
Version:
(earliest affected)
7.3.0.3 release
Hardware: All All
: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords: accessibility
Depends on:
Blocks: a11y-Windows Crash
  Show dependency treegraph
 
Reported: 2025-10-16 14:08 UTC by Gabor Kelemen (Collabora)
Modified: 2025-10-21 17:19 UTC (History)
2 users (show)

See Also:
Crash report or crash signature: https://crashreport.libreoffice.org/stats/crash_details/814b4fbe-3d68-470c-86b5-2b0c9836c50d

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Gabor Kelemen (Collabora) 2025-10-16 14:08:17 UTC 
When JAWS is running, clicking into any spinbox on the LO UI crashes LO.

1. Start JAWS
2. Start Writer
3. In the UI move the cursor into any spinbox such as the Spacing or Indent ones on Writer's Paragraph sidebar.
-> Crash

Version: 26.2.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: d60ff8c8bd4e3ebf8f84f53448ead3c838332ea9
CPU threads: 14; OS: Windows 10 X86_64 (build 19045); UI render: Skia/Raster; VCL: win
Locale: de-DE (hu_HU); UI: en-US
Calc: threaded

Seems to happen since 7.3, before this did not crash:

https://cgit.freedesktop.org/libreoffice/core/commit/?id=349a8801b9ee98f4f9ee1d35f7d28e17baedf7cc

commit 349a8801b9ee98f4f9ee1d35f7d28e17baedf7cc
Author: Michael Weghorn <m.weghorn@posteo.de>
Date:   Wed Jul 28 09:39:07 2021 +0200

    a11y: Expose FormattedField as spinbox
Comment 1 Michael Weghorn 2025-10-17 12:13:11 UTC 
Could reproduce with some beta demo version of JAWS.

From what I remember seeing in the backtrace, that was somewhere in the platform-specific code - winaccessibility and what JAWS itself runs, as it runs in-process, maybe some use-after-free problem similar to the one fixed in

    commit 38e2dde00da0207c5f7157bb427a006d32dfeb5b
    Author: Michael Weghorn
    Date:   Tue Mar 7 10:35:38 2023 +0000
    
        tdf#154039 wina11y: Increase refcount for returned COM interface

?

In any case, it looked like a more low-level platform bridge problem than like an issue with commit 349a8801b9ee98f4f9ee1d35f7d28e17baedf7cc by itself. (It might be that some problematic code path is only executed with that commit in place, while it wasn't previously.)

(Right now, my JAWS setup is broken after trying to switch to a newer version, so can't paste the backtrace or experiment further at the moment...)