Bug 54074 - Crash on Command-D on Mac OS X Mountain Lion 10.8
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc
Version: 3.6.1.2 release (earliest affected)
Hardware: Other All
Importance: highest normal
Assignee: Markus Mohrhard
URL:
Whiteboard: BSA target:3.7.0 target:3.6.2
Keywords: regression
Duplicates: 54075 54223
Depends on:
Blocks:
 
Reported: 2012-08-26 09:35 UTC by Dexter Ang
Modified: 2013-11-13 19:20 UTC

See Also:
Crash report or crash signature:


Attachments
Sample file for testing crash on Command-D on Mac (7.74 KB, application/vnd.oasis.opendocument.spreadsheet)
2012-08-26 09:35 UTC, Dexter Ang
Crash log I get from the crash on Cmd-D (55.81 KB, text/plain)
2012-08-26 09:37 UTC, Dexter Ang
Apple Crash trace with Calc sheet and Cmd-D (54.23 KB, text/plain)
2012-08-26 11:10 UTC, Alex Thurgood

Description Dexter Ang 2012-08-26 09:35:54 UTC
Created attachment 66127
Sample file for testing crash on Command-D on Mac

Problem description: 

Ever since update to 3.6.0 (and tested also on 3.6.1.2), Command-D on several selected cells with formula crashes on Mac OS X 10.8. Did not crash on 3.5.x.

Steps to reproduce:
1. Please download and open attached sample file and open on a Mac.
2. Select C5:C7
3. Press Cmd-D
4. Works
5. Select C5:C8
6. Press Cmd-D

Current behavior:

Crash

Expected behavior:

Should not crash

Platform (if different from the browser): 
              
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_1) AppleWebKit/536.25 (KHTML, like Gecko) Version/6.0 Safari/536.25
Comment 1 Dexter Ang 2012-08-26 09:37:55 UTC
Created attachment 66128
Crash log I get from the crash on Cmd-D
Comment 2 Alex Thurgood 2012-08-26 11:08:23 UTC
Confirming. My own crash log attached too.


Alex
Comment 3 Alex Thurgood 2012-08-26 11:10:17 UTC
Created attachment 66132
Apple Crash trace with Calc sheet and Cmd-D
Comment 4 Alex Thurgood 2012-08-26 11:19:40 UTC
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000112
0x00ae5db6 in SvtListenerIter::GoStart ()
(gdb) bt
#0  0x00ae5db6 in SvtListenerIter::GoStart ()
#1  0x00ae5317 in SvtBroadcaster::Broadcast ()
#2  0x2173ab70 in ScDocument::Broadcast ()
#3  0x216ff5d8 in ScColumn::DeleteRange ()
#4  0x21700265 in ScColumn::DeleteArea ()
#5  0x21819719 in ScTable::DeleteArea ()
#6  0x21827c5a in ScTable::FillSeries ()
#7  0x2182a242 in ScTable::Fill ()
#8  0x2172a758 in ScDocument::Fill ()
#9  0x21ada412 in ScDocFunc::FillSimple ()
#10 0x21e487d4 in ScViewFunc::FillSimple ()
#11 0x21d76ad5 in ScCellShell::ExecuteEdit ()
#12 0x00805acd in SfxDispatcher::Call_Impl ()
#13 0x00807f54 in SfxDispatcher::PostMsgHandler ()
#14 0x007a5ba9 in SfxHintPoster::LinkStubDoEvent_Impl ()
#15 0x01b10b9f in ImplWindowFrameProc ()
#16 0x01b23723 in AquaSalInstance::Yield ()
#17 0x01810b80 in Application::Yield ()
#18 0x01810c6c in Application::Execute ()
#19 0x0007abbc in desktop::Desktop::Main ()
#20 0x0181a222 in ImplSVMain ()
#21 0x01b22e4b in AquaSalInstance::handleAppDefinedEvent ()
#22 0x01b6346b in -[VCL_NSApplication sendEvent:] ()
#23 0x93d9f73c in -[NSApplication run] ()
#24 0x93d428e6 in NSApplicationMain ()
#25 0x01b24407 in ImplSVMainHook ()
#26 0x0181a2b1 in SVMain ()
#27 0x000a7f86 in soffice_main ()
#28 0x00001f0e in main ()
#29 0x00001872 in _start ()
#30 0x00001799 in start ()
(gdb) c
Continuing.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000112
0x00ae5db6 in SvtListenerIter::GoStart ()
(gdb) bt thread all apply
No symbol "thread" in current context.
(gdb) bt all             
No symbol "all" in current context.
(gdb) bt
#0  0x00ae5db6 in SvtListenerIter::GoStart ()
#1  0x00ae5317 in SvtBroadcaster::Broadcast ()
#2  0x2173ab70 in ScDocument::Broadcast ()
#3  0x216ff5d8 in ScColumn::DeleteRange ()
#4  0x21700265 in ScColumn::DeleteArea ()
#5  0x21819719 in ScTable::DeleteArea ()
#6  0x21827c5a in ScTable::FillSeries ()
#7  0x2182a242 in ScTable::Fill ()
#8  0x2172a758 in ScDocument::Fill ()
#9  0x21ada412 in ScDocFunc::FillSimple ()
#10 0x21e487d4 in ScViewFunc::FillSimple ()
#11 0x21d76ad5 in ScCellShell::ExecuteEdit ()
#12 0x00805acd in SfxDispatcher::Call_Impl ()
#13 0x00807f54 in SfxDispatcher::PostMsgHandler ()
#14 0x007a5ba9 in SfxHintPoster::LinkStubDoEvent_Impl ()
#15 0x01b10b9f in ImplWindowFrameProc ()
#16 0x01b23723 in AquaSalInstance::Yield ()
#17 0x01810b80 in Application::Yield ()
#18 0x01810c6c in Application::Execute ()
#19 0x0007abbc in desktop::Desktop::Main ()
#20 0x0181a222 in ImplSVMain ()
#21 0x01b22e4b in AquaSalInstance::handleAppDefinedEvent ()
#22 0x01b6346b in -[VCL_NSApplication sendEvent:] ()
#23 0x93d9f73c in -[NSApplication run] ()
#24 0x93d428e6 in NSApplicationMain ()
#25 0x01b24407 in ImplSVMainHook ()
#26 0x0181a2b1 in SVMain ()
#27 0x000a7f86 in soffice_main ()
#28 0x00001f0e in main ()
#29 0x00001872 in _start ()
#30 0x00001799 in start ()
(gdb) c
Continuing.
Comment 5 Alex Thurgood 2012-08-26 11:21:33 UTC
@Kohei : any idea ?

Alex
Comment 6 Alex Thurgood 2012-08-26 11:25:08 UTC
Note that when running under gdb, the app wouldn't crash, but entered the same Iter loop repeatedly until I quit gdb.


Alex
Comment 7 Alex Thurgood 2012-08-26 11:28:34 UTC
*** Bug 54075 has been marked as a duplicate of this bug. ***
Comment 8 Dexter Ang 2012-08-26 12:08:15 UTC
(In reply to comment #7)
> *** Bug 54075 has been marked as a duplicate of this bug. ***

Please note that in my other bug report, Cmd-D worked (basically steps 1-4 from this bug) with no crash. Then pressing Cmd-Z causes the crash. No idea if it's related. Just wanted to mention that in case it's a different situation.
Comment 9 Markus Mohrhard 2012-08-26 21:02:12 UTC
Looks like another case of the broadcaster lifetime problem.

I'm going to look into this one for 3.6.2
Comment 10 Alex Thurgood 2012-08-27 06:17:16 UTC
OK, assigning to you Markus.

Alex
Comment 11 Markus Mohrhard 2012-08-28 16:53:42 UTC
Ok, I think I fixed it.

Problem was the double delete of Broadcasters in formula cells which have listeners. They were part of the temporary ScNoteCell and of the ScFormulaCell and therefore deleted twice.
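
[Added example, not part of the comment above and not LibreOffice code: a minimal C++ model of the ownership pattern comment 11 describes, where a temporary cell and the real cell both free the same broadcaster. The names Cell, Broadcaster, make_broadcaster and destroy_broadcaster are hypothetical stand-ins, and the release() hand-over is one way to keep a single owner, not necessarily what the referenced commit does.]

```cpp
// Added illustration with simplified stand-in types; not the project's code.
#include <cstdio>
#include <set>

struct Broadcaster { int listeners = 1; };

// Bookkeeping so a second delete is recorded instead of corrupting the heap.
static std::set<Broadcaster*> g_live;
static int g_double_deletes = 0;

Broadcaster* make_broadcaster() {
    Broadcaster* p = new Broadcaster;
    g_live.insert(p);
    return p;
}

void destroy_broadcaster(Broadcaster* p) {
    if (!p) return;
    if (g_live.erase(p) == 0) { ++g_double_deletes; return; }  // already freed
    delete p;
}

// A cell that assumes it owns whatever broadcaster pointer it holds.
struct Cell {
    Broadcaster* bc;
    explicit Cell(Broadcaster* b = nullptr) : bc(b) {}
    ~Cell() { destroy_broadcaster(bc); }
    // Hand the pointer over so this cell no longer frees it.
    Broadcaster* release() { Broadcaster* p = bc; bc = nullptr; return p; }
};

// Problem pattern: the temporary and the real cell hold the same raw pointer.
int run_shared_pointer() {
    g_double_deletes = 0;
    Broadcaster* b = make_broadcaster();
    { Cell formula(b); Cell temp(b); }   // both destructors free b
    return g_double_deletes;
}

// Single-owner pattern: the temporary gives up the pointer before it dies.
int run_single_owner() {
    g_double_deletes = 0;
    { Cell temp(make_broadcaster()); Cell formula(temp.release()); }
    return g_double_deletes;
}

int main() {
    std::printf("shared pointer: %d double delete(s)\n", run_shared_pointer());
    std::printf("single owner:   %d double delete(s)\n", run_single_owner());
    return g_live.empty() ? 0 : 1;
}
```

[Without the bookkeeping guard, the second delete in the shared-pointer case is undefined behaviour, and any later use of the freed broadcaster can fault in the way the backtrace in comment 4 shows.]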
Comment 12 Not Assigned 2012-08-28 16:58:54 UTC
Markus Mohrhard committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=7a8040665f40fbcb4fa58c036aa066f061abd9ba

prevent double delete of broadcaster, fdo#54074, fdo#53364
Comment 13 Not Assigned 2012-08-29 08:37:39 UTC
Markus Mohrhard committed a patch related to this issue.
It has been pushed to "libreoffice-3-6":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=cedaa445535e9337294a46cb75c4850294e4f715&g=libreoffice-3-6

prevent double delete of broadcaster, fdo#54074, fdo#53364


It will be available in LibreOffice 3.6.2.
Comment 14 Markus Mohrhard 2012-08-29 21:26:25 UTC
*** Bug 54223 has been marked as a duplicate of this bug. ***