Bug 55496 - Cancel of Mail Merge Wizard causes access to already deleted SfxItemPool
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version: 4.0.0.0.alpha0+ Master (earliest affected)
Hardware: All All
Importance: medium normal
Assignee: Michael Stahl (CIB)
Whiteboard: target:3.7.0
Reported: 2012-10-01 13:00 UTC by Stephan Bergmann
Modified: 2012-10-01 21:18 UTC

Description Stephan Bergmann 2012-10-01 13:00:07 UTC
At least with recent unxlngx6 master, soffice --writer, "Tools - Mail Merge Wizard...", proceed to step "8. Save, print or send", then "Cancel":

Invalid read of size 8
 at 0x6941920: SfxItemPool::GetFrozenIdRanges() const (/svl/source/items/itempool.cxx:919)
 by 0x69544DD: SfxItemSet::~SfxItemSet() (/svl/source/items/itemset.cxx:330)
 by 0x69545A8: SfxItemSet::~SfxItemSet() (/svl/source/items/itemset.cxx:336)
 by 0x6533960: SfxPrinter::~SfxPrinter() (/sfx2/source/view/printer.cxx:188)
 by 0x65339C8: SfxPrinter::~SfxPrinter() (/sfx2/source/view/printer.cxx:190)
 by 0x2B415782: SwMailMergeOutputPage::~SwMailMergeOutputPage() (/sw/source/ui/dbui/mmoutputpage.cxx:386)
 by 0x2B415D98: SwMailMergeOutputPage::~SwMailMergeOutputPage() (/sw/source/ui/dbui/mmoutputpage.cxx:387)
 by 0x6F10A17: svt::OWizardMachine::~OWizardMachine() (/svtools/source/dialogs/wizardmachine.cxx:231)
 by 0x2B3F3938: SwMailMergeWizard::~SwMailMergeWizard() (/sw/source/ui/dbui/mailmergewizard.cxx:114)
 by 0x88B1C07: vcl::LazyDeletor<Window>::~LazyDeletor() (/solver/unxlngx6/inc/vcl/lazydelete.hxx:171)
 by 0x88B2158: vcl::LazyDeletor<Window>::~LazyDeletor() (/solver/unxlngx6/inc/vcl/lazydelete.hxx:173)
 by 0x87BFBE4: vcl::LazyDelete::flush() (/vcl/source/helper/lazydelete.cxx:54)
 by 0x84FFCA4: Application::Yield(bool) (/vcl/source/app/svapp.cxx:439)
 by 0x84FFCE6: Application::Execute() (/vcl/source/app/svapp.cxx:413)
 by 0x4EACD8F: desktop::Desktop::Main() (/desktop/source/app/app.cxx:1712)
 by 0x8509340: ImplSVMain() (/vcl/source/app/svmain.cxx:173)
 by 0x85093F4: SVMain() (/vcl/source/app/svmain.cxx:210)
 by 0x4EE4074: soffice_main (/desktop/source/app/sofficemain.cxx:83)
 by 0x4007CA: main (/desktop/source/app/main.c:25)
Address 0x19af5f00 is 16 bytes inside a block of size 32 free'd
 at 0x4A0614C: operator delete(void*) (/home/sbergman/valgrind/src/trunk/coregrind/m_replacemalloc/vg_replace_malloc.c:477)
 by 0x6946D60: SfxItemPool::Free(SfxItemPool*) (/svl/source/items/itempool.cxx:366)
 by 0x221404BD: SwDoc::~SwDoc() (/sw/source/core/doc/docnew.cxx:717)
 by 0x22141938: SwDoc::~SwDoc() (/sw/source/core/doc/docnew.cxx:718)
 by 0x2284A731: SwDocShell::RemoveLink() (/sw/source/ui/app/docshini.cxx:512)
 by 0x2284A859: SwDocShell::~SwDocShell() (/sw/source/ui/app/docshini.cxx:420)
 by 0x2284A9D8: SwDocShell::~SwDocShell() (/sw/source/ui/app/docshini.cxx:428)
 by 0x653FB15: SfxViewFrame::ReleaseObjectShell_Impl() (/solver/unxlngx6/inc/tools/ref.hxx:188)
 by 0x6544E41: SfxViewFrame::~SfxViewFrame() (/sfx2/source/view/viewfrm.cxx:1473)
 by 0x6545388: SfxViewFrame::~SfxViewFrame() (/sfx2/source/view/viewfrm.cxx:1494)
 by 0x6540891: SfxViewFrame::Close() (/sfx2/source/view/viewfrm.cxx:1133)
 by 0x6510097: SfxFrame::DoClose_Impl() (/sfx2/source/view/frame.cxx:175)
 by 0x653B173: SfxBaseController::dispose() (/sfx2/source/view/sfxbasecontroller.cxx:1041)
 by 0x1BDDAE24: framework::Frame::setComponent(com::sun::star::uno::Reference<com::sun::star::awt::XWindow> const&, com::sun::star::uno::Reference<com::sun::star::frame::XController> const&) (/framework/source/services/frame.cxx:1380)
 by 0x1BDD8039: framework::Frame::close(unsigned char) (/framework/source/services/frame.cxx:1633)
 by 0x6511ED7: SfxFrame::DoClose() (/sfx2/source/view/frame.cxx:140)
 by 0x228318CB: (anonymous namespace)::SwMailMergeWizardExecutor::LinkStubCancelHdl(void*, void*) (/sw/source/ui/app/apphdl.cxx:568)
 by 0x88B6F3B: ImplWindowFrameProc(Window*, SalFrame*, unsigned short, void const*) (/solver/unxlngx6/inc/tools/link.hxx:123)
 by 0x88C6305: SalGenericDisplay::DispatchInternalEvent() (/vcl/inc/salframe.hxx:278)
 by 0x16465135: GtkData::userEventFn(void*) (/vcl/unx/gtk/app/gtkdata.cxx:954)
 by 0x164651A8: call_userEventFn (/vcl/unx/gtk/app/gtkdata.cxx:964)
 by 0x3575647694: g_main_context_dispatch (/usr/src/debug/glib-2.32.4/glib/gmain.c:2539)
 by 0x35756479C7: g_main_context_iterate.isra.23 (/usr/src/debug/glib-2.32.4/glib/gmain.c:3146)
 by 0x3575647A83: g_main_context_iteration (/usr/src/debug/glib-2.32.4/glib/gmain.c:3207)
 by 0x16464E90: GtkData::Yield(bool, bool) (/vcl/unx/gtk/app/gtkdata.cxx:591)
 by 0x84FFC43: Application::Yield(bool) (/vcl/source/app/svapp.cxx:434)
 by 0x84FFCE6: Application::Execute() (/vcl/source/app/svapp.cxx:413)
 by 0x4EACD8F: desktop::Desktop::Main() (/desktop/source/app/app.cxx:1712)
 by 0x8509340: ImplSVMain() (/vcl/source/app/svmain.cxx:173)
 by 0x85093F4: SVMain() (/vcl/source/app/svmain.cxx:210)
 by 0x4EE4074: soffice_main (/desktop/source/app/sofficemain.cxx:83)
 by 0x4007CA: main (/desktop/source/app/main.c:25)
Comment 1 Michael Stahl (CIB) 2012-10-01 21:17:23 UTC
ah LazyDeletor... that must be the relic of the 90s attitude of "real men don't use reference counting", and to fix up the inevitable crash-fest resulting from that this class was invented to delay the deletion until some later point when hopefully nobody references it...

... so there's a SwMailMergeWizard, and there's AbstractMailMergeWizard, and in between them there's AbstractMailMergeWizard_Impl of course... so i'd need to add 3 forwarding methods to clean up that item set :(

further investigation reveals that the SwMailMergeOutputPage's
cloning of the SwDoc's printer appears to be unnecessary, removing that
appears to be simpler...
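
The destruction order in the trace above, as a small model added here for illustration; it is not LibreOffice code and not part of either comment. `Pool`, `ItemSet`, `Doc`, `OutputPage`, `LazyQueue` and `cancel_wizard` are hypothetical stand-ins, and a `weak_ptr` is used so the model reports a dead pool rather than reading freed memory.

```cpp
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical stand-ins for SfxItemPool, SfxItemSet, SwDoc and the wizard page.
struct Pool {};

// The destructor consults the pool, as ~SfxItemSet does in the trace. A weak_ptr
// lets the model detect a dead pool instead of reading freed memory.
struct ItemSet {
    std::weak_ptr<Pool> pool;
    bool& sawDeadPool;
    ItemSet(const std::shared_ptr<Pool>& p, bool& flag) : pool(p), sawDeadPool(flag) {}
    ~ItemSet() { if (pool.expired()) sawDeadPool = true; }
};

struct Doc { std::shared_ptr<Pool> pool = std::make_shared<Pool>(); };

struct OutputPage { std::unique_ptr<ItemSet> clonedPrinterItems; };

// Deferred deletion: objects are queued and destroyed at a later flush().
struct LazyQueue {
    std::vector<std::unique_ptr<OutputPage>> pending;
    void flush() { pending.clear(); }
};

// Returns true if the page's item set was destroyed after its pool.
bool cancel_wizard(bool clonePrinter) {
    bool sawDeadPool = false;
    LazyQueue queue;
    auto doc = std::make_unique<Doc>();
    auto page = std::make_unique<OutputPage>();
    if (clonePrinter)  // "before": page holds items tied to the document's pool
        page->clonedPrinterItems = std::make_unique<ItemSet>(doc->pool, sawDeadPool);
    queue.pending.push_back(std::move(page));  // wizard is queued, not destroyed
    doc.reset();    // cancel handler closes the frame; the pool dies with the doc
    queue.flush();  // later event-loop turn: page destructor runs now
    return sawDeadPool;
}

int main() {
    std::printf("with cloned printer: %d\n", cancel_wizard(true));
    std::printf("without clone:       %d\n", cancel_wizard(false));
    return 0;
}
```

The `clonePrinter == false` case models the option Comment 1 calls simpler: the page holds nothing tied to the document's pool, so the deferred destructor has nothing stale to touch.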
Comment 2 Not Assigned 2012-10-01 21:18:41 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=f3020438938d019784d32fffeaf5f18dc6175ed8

fdo#55496: fix lifecycle of SwMailMergeOutputPage:



The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.