Created attachment 55619 [details] The attached document contains the xforms document used to reproduce the error. The attached document contains an xforms document. The document is ready to have its instance name changed. When the instance name is changed office crashes. To reproduce 1) open the attached document 2) left click the instances box low on the right hand pane 3) choose "edit" from the dropdown 4) rename the instance to say "ThisCustomer" 5) click the OK button 6) The window disappears.
Writer chrashes.
first please please when giving steps to reproduce a bug make sure the instructions are really clear, not everyone ( even experienced people ) have used all features of libreoffice. e.g. step 2 caused me no end of confusion as this afaict refers to using the "Data navigator" from the "Form toolbar" which in your case you must have at some stage docked at the bottom right quadrant. Also you don't mention which platform you experience this problem on. Right now I tried this with the latest 3.5 branch ( on linux ) but cannot reproduce it.
Tone, please confirm that Noel tested the right thing. Also please provide information about your system and the tested version. Hmm, this bugs is not easy to reproduce. It is more complicated scenario that affects only limited group of users => it can't block the release => lowering the severity a bit.
Created attachment 57849 [details] Accessing the edit instance name dialog
Created attachment 57850 [details] Click OK to crash
Created attachment 57851 [details] About box for LibreOffice
I hope these help. Tony
(In reply to comment #7) > I hope these help. > > Tony yes, those helped, in fact I picked the 'edit' from the drop down the 'models' drop down and didn't notice the 'instances' drop down at all ( I'm afraid I got confused just finding the data navigator ) confirmed it dumps when pressing 'ok' thanks for the update. I'll attach some traces
no need to press ok, even pressing cancel will do when raising the instances dialog we get ( not sure if harmless or not ) didn't check ==15207== Thread 1: ==15207== Conditional jump or move depends on uninitialised value(s) ==15207== at 0x92649EE: CheckBox::SetState(TriState) (button.cxx:3748) ==15207== by 0x25CCC358: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsvxcorelo.so) ==15207== by 0x9223DC7: Link::Call(void*) const (link.hxx:140) ==15207== by 0x92B673D: MenuButton::Select() (menubtn.cxx:218) ==15207== by 0x92B5FFC: MenuButton::ImplExecuteMenu() (menubtn.cxx:86) ==15207== by 0x92B65F3: MenuButton::MouseButtonDown(MouseEvent const&) (menubtn.cxx:186) ==15207== by 0x9616062: ImplHandleMouseEvent(Window*, unsigned short, unsigned char, long, long, unsigned long, unsigned short, unsigned short) (winproc.cxx:804) ==15207== by 0x961B7B8: ImplHandleSalMouseButtonDown(Window*, SalMouseEvent*) (winproc.cxx:2066) ==15207== by 0x961AAC5: ImplWindowFrameProc(Window*, SalFrame*, unsigned short, void const*) (winproc.cxx:2393) ==15207== by 0x13458D7A: SalFrame::CallCallback(unsigned short, void const*) const (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvclplug_gtklo.so) ==15207== by 0x134552B7: GtkSalFrame::signalButton(_GtkWidget*, _GdkEventButton*, void*) (gtkframe.cxx:2847) ==15207== by 0x137F6277: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2200.1) ==15207== ==15207== Conditional jump or move depends on uninitialised value(s) ==15207== at 0x9264A04: CheckBox::SetState(TriState) (button.cxx:3751) ==15207== by 0x25CCC358: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsvxcorelo.so) ==15207== by 0x9223DC7: Link::Call(void*) const (link.hxx:140) ==15207== by 0x92B673D: MenuButton::Select() (menubtn.cxx:218) ==15207== by 0x92B5FFC: MenuButton::ImplExecuteMenu() (menubtn.cxx:86) ==15207== by 0x92B65F3: MenuButton::MouseButtonDown(MouseEvent const&) (menubtn.cxx:186) ==15207== by 0x9616062: ImplHandleMouseEvent(Window*, unsigned short, unsigned char, long, long, unsigned long, unsigned short, unsigned short) (winproc.cxx:804) ==15207== by 0x961B7B8: ImplHandleSalMouseButtonDown(Window*, SalMouseEvent*) (winproc.cxx:2066) ==15207== by 0x961AAC5: ImplWindowFrameProc(Window*, SalFrame*, unsigned short, void const*) (winproc.cxx:2393) ==15207== by 0x13458D7A: SalFrame::CallCallback(unsigned short, void const*) const (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvclplug_gtklo.so) ==15207== by 0x134552B7: GtkSalFrame::signalButton(_GtkWidget*, _GdkEventButton*, void*) (gtkframe.cxx:2847) ==15207== by 0x137F6277: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2200.1) ==15207== pressing cancle warn:vcl:15207:1:/media/FreeAgent-3/LibreOffice-onegit/core/vcl/source/control/button.cxx:1830: No handler installed for CancelButton ==15207== Invalid read of size 8 ==15207== at 0x95EA0DE: Window::IsVisible() const (window2.cxx:1561) ==15207== by 0x92CED12: TabControl::ImplPaint(Rectangle const&, bool) (tabctrl.cxx:1122) ==15207== by 0x92CEB26: TabControl::Paint(Rectangle const&) (tabctrl.cxx:1083) ==15207== by 0x95F454D: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2417) ==15207== by 0x95F46AF: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2441) ==15207== by 0x95F46AF: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2441) ==15207== by 0x95F46AF: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2441) ==15207== by 0x95F48B7: Window::ImplCallOverlapPaint() (window.cxx:2477) ==15207== by 0x95F49BB: Window::ImplHandlePaintHdl(void*) (window.cxx:2497) ==15207== by 0x95F4922: Window::LinkStubImplHandlePaintHdl(void*, void*) (window.cxx:2491) ==15207== by 0x9223DC7: Link::Call(void*) const (link.hxx:140) ==15207== by 0x923E582: Timer::Timeout() (timer.cxx:255) I guess here is the real problem ( need more debug info though ) ==15207== Address 0x1eacb0d8 is 440 bytes inside a block of size 2,856 free'd ==15207== at 0x4C2562E: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==15207== by 0x25CCC397: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsvxcorelo.so) ==15207== by 0x9223DC7: Link::Call(void*) const (link.hxx:140) ==15207== by 0x92B673D: MenuButton::Select() (menubtn.cxx:218) ==15207== by 0x92B5FFC: MenuButton::ImplExecuteMenu() (menubtn.cxx:86) ==15207== by 0x92B65F3: MenuButton::MouseButtonDown(MouseEvent const&) (menubtn.cxx:186) ==15207== by 0x9616062: ImplHandleMouseEvent(Window*, unsigned short, unsigned char, long, long, unsigned long, unsigned short, unsigned short) (winproc.cxx:804) ==15207== by 0x961B7B8: ImplHandleSalMouseButtonDown(Window*, SalMouseEvent*) (winproc.cxx:2066) ==15207== by 0x961AAC5: ImplWindowFrameProc(Window*, SalFrame*, unsigned short, void const*) (winproc.cxx:2393) ==15207== by 0x13458D7A: SalFrame::CallCallback(unsigned short, void const*) const (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvclplug_gtklo.so) ==15207== by 0x134552B7: GtkSalFrame::signalButton(_GtkWidget*, _GdkEventButton*, void*) (gtkframe.cxx:2847) ==15207== by 0x137F6277: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2200.1) ==15207== ==15207== Invalid read of size 1 ==15207== at 0x95EA0E5: Window::IsVisible() const (window2.cxx:1561) ==15207== by 0x92CED12: TabControl::ImplPaint(Rectangle const&, bool) (tabctrl.cxx:1122) ==15207== by 0x92CEB26: TabControl::Paint(Rectangle const&) (tabctrl.cxx:1083) ==15207== by 0x95F454D: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2417) ==15207== by 0x95F46AF: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2441) ==15207== by 0x95F46AF: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2441) ==15207== by 0x95F46AF: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2441) ==15207== by 0x95F48B7: Window::ImplCallOverlapPaint() (window.cxx:2477) ==15207== by 0x95F49BB: Window::ImplHandlePaintHdl(void*) (window.cxx:2497) ==15207== by 0x95F4922: Window::LinkStubImplHandlePaintHdl(void*, void*) (window.cxx:2491) ==15207== by 0x9223DC7: Link::Call(void*) const (link.hxx:140) ==15207== by 0x923E582: Timer::Timeout() (timer.cxx:255) ==15207== Address 0x205 is not stack'd, malloc'd or (recently) free'd ==15207==
==23747== Address 0x1f6d1de8 is 440 bytes inside a block of size 2,856 free'd ==23747== at 0x4C2562E: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==23747== by 0x25FEA3B9: svxform::XFormsPage::~XFormsPage() (datanavi.cxx:360) ==23747== by 0x25FF4395: svxform::DataNavigatorWindow::MenuSelectHdl(MenuButton*) (datanavi.cxx:1884) ==23747== by 0x25FF3046: svxform::DataNavigatorWindow::LinkStubMenuSelectHdl(void*, void*) (datanavi.cxx:1650) ==23747== by 0x9223DC7: Link::Call(void*) const (link.hxx:140) ==23747== by 0x92B673D: MenuButton::Select() (menubtn.cxx:218) ==23747== by 0x92B5FFC: MenuButton::ImplExecuteMenu() (menubtn.cxx:86) ==23747== by 0x92B65F3: MenuButton::MouseButtonDown(MouseEvent const&) (menubtn.cxx:186) more detail seems to have been introduced by commit f7f47366ea78a71853fcaca2fa402bef667d9cce I see no reason why we should delete a page we are using ( especially without actually deleting it from the tab container thing, I suggest reverting this part @@ -1885,6 +1885,7 @@ namespace svxform m_aTabCtrl.SetPageText( nId, sNewName ); bIsDocModified = true; } + delete(pPage); } break; } at least
Noel Power committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=7b860d4970604f08ebd2e818bfd63891dd940804 fix crash using instances dialog of dataform navigator fdo#44816
Noel Power committed a patch related to this issue. It has been pushed to "libreoffice-3-5": http://cgit.freedesktop.org/libreoffice/core/commit/?id=369aea7f7402e9dc98e9347ae58999dad2d21652&g=libreoffice-3-5 fix crash using instances dialog of dataform navigator fdo#44816 It will be available in LibreOffice 3.5.2.
Noel Power committed a patch related to this issue. It has been pushed to "libreoffice-3-4": http://cgit.freedesktop.org/libreoffice/libs-core/commit/?id=0aaa35c6d3b07a273af6a1be2d26add4a9d537cd&g=libreoffice-3-4 fix crash using instances dialog of dataform navigator fdo#44816 It will be available in LibreOffice 3.4.6.
looking at the history this is probably a regression in LO 3.4
Noel Power committed a patch related to this issue. It has been pushed to "libreoffice-3-5-1": http://cgit.freedesktop.org/libreoffice/core/commit/?id=1f6625282d773ab798714c562589e380f90b6252&g=libreoffice-3-5-1 fix crash using instances dialog of dataform navigator fdo#44816 It will be available already in LibreOffice 3.5.1.
@Noel: Is this fixed now?
(In reply to comment #14) > looking at the history this is probably a regression in LO 3.4 your right, thanks for the 3.4 processing (In reply to comment #16) > @Noel: Is this fixed now? yes, marking as such