Bug 40261 - [CRASH] - EDITing XML Form in Writer Causes crash
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version: 3.4.3 RC1 (earliest affected)
Hardware: All All
Importance: high blocker
Assignee: Not Assigned
Duplicates: 43567 44842 45891 46154
Blocks: mab3.5
 
Reported: 2011-08-20 19:46 UTC by digital ant
Modified: 2012-02-25 05:45 UTC

Attachments
Time profile of soffice process leading up to crash (108.90 KB, text/plain)
2011-08-24 09:05 UTC, Alex Thurgood

Description digital ant 2011-08-20 19:46:42 UTC
LibO 3.4.3 rc1 on OSX 10.6.8

Open Writer, click File, New, XML Form Document
In Form Control toolbox, click any control and then click to put it in your document.
Double click control to edit it.
Crash

Process:         soffice [2280]
Path:            /Applications/LibreOffice.app/Contents/MacOS/soffice
Identifier:      org.libreoffice.script
Version:         3.4.3 (???)
Code Type:       X86 (Native)
Parent Process:  launchd [127]

Date/Time:       2011-08-20 22:39:16.539 -0400
OS Version:      Mac OS X 10.6.8 (10K549)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000044220000
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   libpcrmxi.dylib               	0x2e4ecbb2 component_getFactory + 196898
1   libpcrmxi.dylib               	0x2e4eba8d component_getFactory + 192509
2   libpcrmxi.dylib               	0x2e587f76 component_getFactory + 832742
3   libpcrmxi.dylib               	0x2e4c5f76 component_getFactory + 38118
4   libpcrmxi.dylib               	0x2e5051c9 component_getFactory + 296761
5   libpcrmxi.dylib               	0x2e5041d8 component_getFactory + 292680
6   libpcrmxi.dylib               	0x2e50433a component_getFactory + 293034
7   libpcrmxi.dylib               	0x2e4c0380 component_getFactory + 14576
8   libpcrmxi.dylib               	0x2e4c936e component_getFactory + 51422
9   libpcrmxi.dylib               	0x2e4c9c4f component_getFactory + 53695
10  libpcrmxi.dylib               	0x2e4c9d7c component_getFactory + 53996
11  libsvxmxi.dylib               	0x1fecaf9b FmPropBrw::implSetNewSelection(std::set<com::sun::star::uno::Reference<com::sun::star::uno::XInterface>, comphelper::OInterfaceCompare<com::sun::star::uno::XInterface>, std::allocator<com::sun::star::uno::Reference<com::sun::star::uno::XInterface> > > const&) + 603
12  libsvxmxi.dylib               	0x1fecdebc FmPropBrw::StateChanged(unsigned short, unsigned short, SfxPoolItem const*) + 204
13  libsfxmxi.dylib               	0x00490a6e SfxStateCache::SetState_Impl(unsigned short, SfxPoolItem const*, unsigned char) + 414
14  libsfxmxi.dylib               	0x00475fef SfxBindings::UpdateControllers_Impl(SfxInterface const*, SfxFoundCache_Impl const*, SfxPoolItem const*, unsigned short) + 495
15  libsfxmxi.dylib               	0x0047640e SfxBindings::Update_Impl(SfxStateCache*) + 542
16  libsfxmxi.dylib               	0x00477737 SfxBindings::NextJob_Impl(Timer*) + 455
17  libvclmxi.dylib               	0x01720cbc Timer::Timeout() + 28
18  libvclmxi.dylib               	0x01720dd9 Timer::ImplTimerCallbackProc() + 121
19  libvclmxi.dylib               	0x01a29c21 SalGetDesktopEnvironment() + 24929
20  com.apple.Foundation          	0x904055b1 __NSFireTimer + 282
21  com.apple.CoreFoundation      	0x9a697a6b __CFRunLoopRun + 8059
22  com.apple.CoreFoundation      	0x9a6953f4 CFRunLoopRunSpecific + 452
23  com.apple.CoreFoundation      	0x9a695221 CFRunLoopRunInMode + 97
24  com.apple.HIToolbox           	0x91fddd60 RunCurrentEventLoopInMode + 392
25  com.apple.HIToolbox           	0x91fddb17 ReceiveNextEventCommon + 354
26  com.apple.HIToolbox           	0x91fdd99c BlockUntilNextEventMatchingListInMode + 81
27  com.apple.AppKit              	0x99859595 _DPSNextEvent + 847
28  com.apple.AppKit              	0x99858dd6 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 156
29  libvclmxi.dylib               	0x01a24272 SalGetDesktopEnvironment() + 1970
30  libvclmxi.dylib               	0x01718190 Application::Yield(bool) + 96
31  libvclmxi.dylib               	0x0171827c Application::Execute() + 76
32  libsofficeapp.dylib           	0x0006a785 0x58000 + 75653
33  libvclmxi.dylib               	0x01720278 DeInitVCL() + 3624
34  libvclmxi.dylib               	0x01a2382b component_getFactory + 209547
35  libvclmxi.dylib               	0x01a28c5b SalGetDesktopEnvironment() + 20891
36  com.apple.AppKit              	0x9981b253 -[NSApplication run] + 917
37  com.apple.AppKit              	0x99813289 NSApplicationMain + 574
38  libvclmxi.dylib               	0x01a245b7 SalGetDesktopEnvironment() + 2807
39  libvclmxi.dylib               	0x01720321 SVMain() + 17
40  libsofficeapp.dylib           	0x00096f65 soffice_main + 245
41  org.libreoffice.script        	0x00001ebe main + 30
42  org.libreoffice.script        	0x00001822 start + 258
43  org.libreoffice.script        	0x00001749 start + 41

Thread 1:
0   libSystem.B.dylib             	0x91d71b5a semaphore_timedwait_signal_trap + 10
1   libSystem.B.dylib             	0x91d9f6e1 _pthread_cond_wait + 1066
2   libSystem.B.dylib             	0x91de826c pthread_cond_timedwait + 47
3   libuno_sal.dylib.3            	0x00035e38 rtl_cache_create + 728
4   libSystem.B.dylib             	0x91d9f259 _pthread_start + 345
5   libSystem.B.dylib             	0x91d9f0de thread_start + 34

Thread 2:  Dispatch queue: com.apple.libdispatch-manager
0   libSystem.B.dylib             	0x91d98382 kevent + 10
1   libSystem.B.dylib             	0x91d98a9c _dispatch_mgr_invoke + 215
2   libSystem.B.dylib             	0x91d97f59 _dispatch_queue_invoke + 163
3   libSystem.B.dylib             	0x91d97cfe _dispatch_worker_thread2 + 240
4   libSystem.B.dylib             	0x91d97781 _pthread_wqthread + 390
5   libSystem.B.dylib             	0x91d975c6 start_wqthread + 30

Thread 3:
0   libSystem.B.dylib             	0x91e39096 accept$NOCANCEL$UNIX2003 + 10
1   libSystem.B.dylib             	0x91e37eff accept + 32
2   libuno_sal.dylib.3            	0x00011d3a osl_acceptPipe + 58
3   libsofficeapp.dylib           	0x00093aae 0x58000 + 244398
4   libsofficeapp.dylib           	0x00095ca2 0x58000 + 253090
5   libuno_sal.dylib.3            	0x0000c1b9 osl_setThreadName + 569
6   libSystem.B.dylib             	0x91d9f259 _pthread_start + 345
7   libSystem.B.dylib             	0x91d9f0de thread_start + 34

Thread 4:
0   libSystem.B.dylib             	0x91d71b42 semaphore_wait_signal_trap + 10
1   libSystem.B.dylib             	0x91d9f6f8 _pthread_cond_wait + 1089
2   libSystem.B.dylib             	0x91de805f pthread_cond_wait + 48
3   libuno_sal.dylib.3            	0x00008438 osl_waitCondition + 104
4   libcomphelpgcc3.dylib         	0x0011e034 comphelper::AsyncEventNotifier::run() + 676
5   libpcrmxi.dylib               	0x2e4ec902 component_getFactory + 196210
6   libuno_sal.dylib.3            	0x0000c1b9 osl_setThreadName + 569
7   libSystem.B.dylib             	0x91d9f259 _pthread_start + 345
8   libSystem.B.dylib             	0x91d9f0de thread_start + 34

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x44220000  ebx: 0x2e4c5f24  ecx: 0x00000000  edx: 0x44220000
  edi: 0x0000000f  esi: 0x275f8960  ebp: 0xbfffd9f8  esp: 0xbfffd9c0
   ss: 0x00000023  efl: 0x00010206  eip: 0x2e4ecbb2   cs: 0x0000001b
   ds: 0x00000023   es: 0x00000023   fs: 0x00000000   gs: 0x0000000f
  cr2: 0x44220000
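
Added triage example (not part of the original report and not LibreOffice code): a Python sketch that reads an excerpt of the crash report above and pulls out the faulting address, the registers that hold it, and the innermost frame whose symbol name can be trusted. The function name `triage` and the 4 KiB offset cut-off are assumptions of this example; frames 2-9 are omitted and the template arguments of frame 11 are elided.

```python
import re

# Excerpt of the crash report above (frames 2-9 omitted, frame 11's template
# arguments elided as "...").
REPORT = """\
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000044220000
Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   libpcrmxi.dylib    0x2e4ecbb2 component_getFactory + 196898
1   libpcrmxi.dylib    0x2e4eba8d component_getFactory + 192509
10  libpcrmxi.dylib    0x2e4c9d7c component_getFactory + 53996
11  libsvxmxi.dylib    0x1fecaf9b FmPropBrw::implSetNewSelection(std::set<...> const&) + 603
12  libsvxmxi.dylib    0x1fecdebc FmPropBrw::StateChanged(unsigned short, unsigned short, SfxPoolItem const*) + 204
  eax: 0x44220000  ebx: 0x2e4c5f24  ecx: 0x00000000  edx: 0x44220000
  cr2: 0x44220000
"""

FRAME = re.compile(r"^(\d+)\s+(\S+)\s+0x[0-9a-f]+\s+(.*) \+ (\d+)$", re.M)
REG = re.compile(r"\b([a-z0-9]{2,3}): (0x[0-9a-f]+)")
# Assumption of this example: an offset above 4 KiB means the name is only the
# nearest exported symbol of a stripped library, not the function that ran.
MAX_TRUSTED_OFFSET = 4096


def triage(report):
    fault = int(re.search(r"KERN_INVALID_ADDRESS at (0x[0-9a-f]+)", report).group(1), 16)
    regs = {name: int(val, 16) for name, val in REG.findall(report)}
    frames = [(int(n), img, sym, int(off)) for n, img, sym, off in FRAME.findall(report)]
    trusted = [f for f in frames if f[3] <= MAX_TRUSTED_OFFSET]
    return {
        "fault_address": fault,
        # Faults inside the first page are typical NULL dereferences.
        "null_page": fault < 0x1000,
        # Registers equal to the faulting address: the bad pointer was loaded there.
        "regs_holding_fault": sorted(r for r, v in regs.items() if v == fault),
        # Images whose frames carry no usable symbol and need a debug build.
        "unsymbolized_images": sorted({f[1] for f in frames if f[3] > MAX_TRUSTED_OFFSET}),
        # Innermost frame with a believable name: where source review starts.
        "first_trusted_frame": trusted[0][:3] if trusted else None,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

On this report the fault is not in the NULL page, and the libpcrmxi.dylib frames carry no usable names, so the first named frame is the FmPropBrw::implSetNewSelection call in libsvxmxi.dylib.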
Comment 1 Jean-Baptiste Faure 2011-08-23 22:10:44 UTC
I got a crash in LibO 3.4.3 rc1 on Ubuntu 10.04 x86_64 when playing with some button. What I did:
- File > New > XML form document
- In Form Design toolbar click the button XML then Form Controls toolbar appears
- In Form Control toolbar click on the button "List Box" then the mouse pointer becomes a + and you are able to draw a rectangle in the text doc
- select the rectangle and double-click in it
=> a new dialog starts to be visible, then crash.

Reproduced with LibO 3.4.3 rc1 and master.
I do not know if the crash isn't already in 3.4.2.

Best regards. JBF
Comment 2 Jean-Baptiste Faure 2011-08-24 06:10:44 UTC
(In reply to comment #1)
> [...]
> I do not know if the crash isn't already in 3.4.2.

Same crash in LibO 3.4.2 under Ubuntu 10.04 x86_64
Comment 3 vitriol 2011-08-24 06:18:21 UTC
Confirmed in Win7 too.
Comment 4 Alex Thurgood 2011-08-24 07:43:22 UTC
Also present in master dev build 

LibO-dev 3.5.0 
Build ID: 
	a7325bf-a24c961-aea73ba-bf01663-c53c461
	04f358b-fd28b6a-9ae1a63-4de147c-e8d28c5
	de7d101-890c60f-48568db-6a9703b-b31b807
	745f015-9832101-a6ba297-c943149


on Mac OSX.


Alex
Comment 5 Alex Thurgood 2011-08-24 09:04:09 UTC
FWIW, I did a time profile using Shark (Mac dev debugging tool) of the soffice process and events leading up to the crash with a 5ms interval after the initial XForm document had been instantiated - have posted the output as an attachment.


Alex
Comment 6 Alex Thurgood 2011-08-24 09:05:10 UTC
Created attachment 50545
Time profile of soffice process leading up to crash
Comment 7 Alex Thurgood 2011-08-24 09:10:40 UTC
Additional information:

When the form control is double-clicked, the Property window rectangle and background are drawn (window frame and grey background). However, this window is never filled with the properties of the control, which is where the crash happens. The question is whether it is because the properties take too long to be obtained and/or drawn, or whether there is actually an error in the code that intersects the properties onto the Property window (union function). I don't understand the code well enough for that. Race condition?


Alex
Comment 8 Alex Thurgood 2011-08-24 09:13:46 UTC
Changed title to better reflect behaviour.
Comment 9 Björn Michaelsen 2011-12-23 12:40:02 UTC
[This is an automated message.]
This bug was filed before the changes to Bugzilla on 2011-10-16. Thus it
started right out as NEW without ever being explicitly confirmed. The bug is
changed to state NEEDINFO for this reason. To move this bug from NEEDINFO back
to NEW please check if the bug still persists with the 3.5.0 beta1 or beta2 prereleases.
Details on how to test the 3.5.0 beta1 can be found at:
http://wiki.documentfoundation.org/QA/BugHunting_Session_3.5.0.-1

more detail on this bulk operation: http://nabble.documentfoundation.org/RFC-Operation-Spamzilla-tp3607474p3607474.html
Comment 10 Jean-Baptiste Faure 2011-12-26 08:47:32 UTC
Crash confirmed in LO 3.5.0 beta2+ (LibreOffice 3.5.0beta2+ Version ID : 8f03437-7f15fca-1fc8c06-ca8e46d-b96fade).

Best regards. JBF
Comment 11 Alex Thurgood 2012-02-09 12:40:30 UTC
*** Bug 43567 has been marked as a duplicate of this bug. ***
Comment 12 Alex Thurgood 2012-02-09 12:48:16 UTC
*** Bug 44842 has been marked as a duplicate of this bug. ***
Comment 13 Jan Holesovsky 2012-02-10 06:25:50 UTC
Fixed in master + sent for review to the ML, I suppose it will get to libreoffice-3-4 and libreoffice-3-5 shortly.

http://cgit.freedesktop.org/libreoffice/core/commit/?id=8912cf30755a2a19d50acc3bb0f5352506638fad
Comment 14 Jan Holesovsky 2012-02-14 07:08:19 UTC
Jan Holesovsky committed a patch related to this issue to "libreoffice-3-5":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=d5d32eb755c8a53292acbf0648fb82baf6729d8a&g=libreoffice-3-5

fdo#40261: Fix crash in XML Form Document.
Comment 15 Jan Holesovsky 2012-02-14 07:38:06 UTC
Jan Holesovsky committed a patch related to this issue to "libreoffice-3-4":

http://cgit.freedesktop.org/libreoffice/components/commit/?id=af14dfc2b5cf9d46ff8e425fdf6dee0978b7c135&g=libreoffice-3-4

fdo#40261: Fix crash in XML Form Document.
Comment 16 Stefano Fraccaro 2012-02-24 07:21:33 UTC
*** Bug 45891 has been marked as a duplicate of this bug. ***
Comment 17 Dries Feys 2012-02-24 07:41:20 UTC
and resolved in LOdev 3.5.1rc0

Thx!
Comment 18 Alex Thurgood 2012-02-25 05:42:40 UTC
*** Bug 46154 has been marked as a duplicate of this bug. ***