Bug 58630 - Calc - CRASH when using Validity
Summary: Calc - CRASH when using Validity
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc
Version (earliest affected): 4.0.0.0.beta1
Hardware: Other All
Importance: medium normal
Assignee: Caolán McNamara
Whiteboard: target:4.1.0 target:4.0.2
Keywords: haveBacktrace
 
Reported: 2012-12-21 20:50 UTC by Michel Rudelle
Modified: 2013-04-05 10:33 UTC

Attachments
Bug 58630 - WinDbg session (11.24 KB, text/plain)
2013-02-11 09:38 UTC, bfoman (inactive)

Description Michel Rudelle 2012-12-21 20:50:58 UTC
Version 4.0.0.0.beta1+ (Build ID: b0eb7231a9643d71be3125be7248c91242339ab)
under Vista

Steps to reproduce :
Open a new spreadsheet and select any cell
1/ Data > Validity > Cell range
2/ click the icon “shrink” at the right of the Source field (without entering anything)
3/ in the new window, click the icon “shrink” (without entering anything)
4/ the return is incorrect, the Source field is not displayed
5/ OK

Again on the same cell or another one:
   Item 4: the return now presents two overlapping windows:
Click OK on the first
Click OK on the 2nd => CRASH
Then, if I accept to recover the file, I get the following message:
"The file '$(ARG1)' is corrupt and therefore cannot be opened. LOdev can try to repair the file."

I checked with versions 3.5.7 and 3.6.4: no crash 

Confirmed on the French list fr-qa
Comment 1 ydutrieux 2012-12-21 23:05:15 UTC
Confirmed under Version 4.0.0.0.beta1+ (Build ID: 6d4a55bf38a1c470c49f904dbbddf94eb2f6154)
win7 - 32bits 

Confirmed under libo Version 4.0.0.0.beta1+ (Build ID: 51ecd2f55d608f853852335808b643f61b9a844)
TinderBox: Linux-x86_64_11-Release-Configuration, Branch:libreoffice-4-0, Time: 2012-12-17_20:11:04

Ubuntu 12.04 - 64bits
Comment 2 Julien Nabet 2012-12-22 14:35:54 UTC
On pc Debian x86-64 with master sources updated today, I reproduce this too until overlapping.
(I must have missed something about the crash since I didn't reproduce it)

Noticed this log twice:
warn:vcl.layout:21569:1:/home/julien/compile-libreoffice/libo/vcl/source/window/dialog.cxx:1203: Dialog has become non-layout because extra children have been added directly to it.
Comment 3 m.a.riosv 2012-12-22 23:19:40 UTC
Confirmed:
Win7x64 Ultimate
Version 4.0.0.0.beta2 (Build ID: 4104d660979c57e1160b5135634f732918460a0)
Comment 4 Julien Nabet 2013-02-09 10:56:13 UTC
Michel/mariosv: do you still reproduce this with final release 4.0?
If yes, could you try to retrieve a backtrace (even without symbols if you can't)?
Comment 5 m.a.riosv 2013-02-09 12:19:20 UTC
(In reply to comment #4)
> Michel/mariosv: do you still reproduce this with final release 4.0?
> If yes, could you try to retrieve a backtrace (even without symbols if you
> can't)?

Hi Julien

reproducible with:
Win7x64 Ultimate
Version 4.0.0.3 (Build ID: 7545bee9c2a0782548772a21bc84a9dcc583b89)

I never got the backtrace, but I think there is a comment somewhere about how to do it; if I find it I'll try.
Comment 6 Julien Nabet 2013-02-09 12:51:47 UTC
mariosv: here is some info for the Windows part, https://wiki.documentfoundation.org/BugReport#How_to_get_a_backtrace_.28on_Windows.29
Comment 7 m.a.riosv 2013-02-09 14:01:07 UTC
(In reply to comment #6)
> mariosv: here some info for Windows part,
> https://wiki.documentfoundation.org/BugReport#How_to_get_a_backtrace_.28on_Windows.29

Hi Julien, thanks for the link.

I had found a comment from Michael on Nabble about using Dr. Memory. I hope I can give it a try tonight.

Miguel Ángel.
Comment 8 bfoman (inactive) 2013-02-09 16:31:46 UTC
Will check.
Comment 9 m.a.riosv 2013-02-09 23:05:36 UTC
I have not done any compilation, this is the result with:
Win7x64 Ultimate
Version 4.0.0.3 (Build ID: 7545bee9c2a0782548772a21bc84a9dcc583b89)

Command line:
"C:\Program Files (x86)\Dr. Memory\bin\drmemory.exe" "C:\Program Files (x86)\LibreOffice 4.0\program\soffice.exe"

Log file:
"
Dr. Memory version 1.5.0 build 5 built on Aug 31 2012 16:19:51
Application cmdline: ""C:\Program Files (x86)\LibreOffice 4.0\program\soffice.exe""
Recorded 63 suppression(s) from default C:\Program Files (x86)\Dr. Memory/bin/suppress-default.txt

Error #1: LEAK 126 direct bytes 0x00803388-0x00803406 + 0 indirect bytes
# 0 KERNELBASE.dll!LocalAlloc                +0x5e     (0x754158de <KERNELBASE.dll+0x158de>)
# 1 SHELL32.dll!CommandLineToArgvW           +0x89     (0x756d9f22 <SHELL32.dll+0x19f22>)
# 2 soffice.exe!?                            +0x0      (0x01351212 <soffice.exe+0x1212>)
# 3 soffice.exe!?                            +0x0      (0x01351770 <soffice.exe+0x1770>)
# 4 soffice.exe!?                            +0x0      (0x01351f9d <soffice.exe+0x1f9d>)
# 5 KERNEL32.dll!BaseThreadInitThunk         +0x11     (0x76ef33aa <KERNEL32.dll+0x133aa>)
# 6 ntdll.dll!RtlInitializeExceptionChain    +0x62     (0x778e9ef2 <ntdll.dll+0x39ef2>)
# 7 ntdll.dll!RtlInitializeExceptionChain    +0x35     (0x778e9ec5 <ntdll.dll+0x39ec5>)

Error #2: LEAK 126 direct bytes 0x007ffd00-0x007ffd7e + 0 indirect bytes
# 0 KERNELBASE.dll!LocalAlloc                +0x5e     (0x754158de <KERNELBASE.dll+0x158de>)
# 1 SHELL32.dll!CommandLineToArgvW           +0x89     (0x756d9f22 <SHELL32.dll+0x19f22>)
# 2 soffice.exe!?                            +0x0      (0x01351212 <soffice.exe+0x1212>)
# 3 soffice.exe!?                            +0x0      (0x013515f6 <soffice.exe+0x15f6>)
# 4 soffice.exe!?                            +0x0      (0x01351f9d <soffice.exe+0x1f9d>)
# 5 KERNEL32.dll!BaseThreadInitThunk         +0x11     (0x76ef33aa <KERNEL32.dll+0x133aa>)
# 6 ntdll.dll!RtlInitializeExceptionChain    +0x62     (0x778e9ef2 <ntdll.dll+0x39ef2>)
# 7 ntdll.dll!RtlInitializeExceptionChain    +0x35     (0x778e9ec5 <ntdll.dll+0x39ec5>)

DUPLICATE ERROR COUNTS:

SUPPRESSIONS USED:

ERRORS FOUND:
      0 unique,     0 total unaddressable access(es)
      0 unique,     0 total uninitialized access(es)
      0 unique,     0 total invalid heap argument(s)
      0 unique,     0 total GDI usage error(s)
      0 unique,     0 total warning(s)
      2 unique,     2 total,    252 byte(s) of leak(s)
      0 unique,     0 total,      0 byte(s) of possible leak(s)
ERRORS IGNORED:
    322 still-reachable allocation(s)
         (re-run with "-show_reachable" for details)
Details: C:\Users\MARV\AppData\Roaming/Dr. Memory/DrMemory-soffice.exe.6728.000/results.txt
"

Miguel Ángel
Comment 10 bfoman (inactive) 2013-02-11 09:38:19 UTC
Created attachment 74591
Bug 58630 - WinDbg session

> Steps to reproduce :
> Open a new spreadsheet and select any cell
> 1/ Data > Validity > Cell range
> 2/ click the icon “shrink” at the right of the Source field (without
> entering anything)
> 3/ in the new window, click the icon “shrink” (without entering anything)
> 4/ the return is incorrect, the Source field is not displayed
> 5/ OK

Confirmed with:
LO 4.0.0.3
Build ID: own W7 debug build
Windows 7 Professional SP1 64 bit

Source field is not displayed. Crash on exit. Attached full WinDbg session.
Comment 11 Julien Nabet 2013-02-11 09:57:51 UTC
bfoman: thank you for the bt

Kohei/Markus/Eike: I didn't succeed in reproducing the crash but others did and bfoman even retrieved a bt, one for you?
Comment 12 Juan Lopez 2013-02-12 21:57:27 UTC
Confirmed for Windows XP SP3. IA32 (X86) processor.
LibreOffice 4.0.0.3
Comment 13 Kohei Yoshida 2013-02-13 15:38:31 UTC
The shifting and misbehavior of the range picker in the validity dialog is certainly concerning. I think we need to fix that first. Crash is probably just a manifestation of that glitch.

I believe this dialog is one of the first ones to adopt the new modal range-picker dialog?
Comment 14 Markus Mohrhard 2013-02-13 16:24:36 UTC
(In reply to comment #13)
> I believe this dialog is one of the first ones to adopt the new modal
> range-picker dialog?

No it still uses the old modeless implementation but it might be related to the code changes to allow modal RefEdit dialogs.
Comment 15 Kohei Yoshida 2013-03-07 18:59:02 UTC
I'll put Caolan on CC.  This looks to me like the crasher is caused as a result of the dialog conversion to the new widget layout engine.  Besides the crasher, the dialog does not shrink when clicking the ref picker button.  The two *may* be related...
Comment 16 Caolán McNamara 2013-03-07 21:17:35 UTC
oh great :-( I only encountered the "mangle window hierarchy" refbutton thing a day or two ago for insert->names, unfortunate that it exists in a SfxTabDialog.
Comment 17 Commit Notification 2013-03-08 13:48:16 UTC
Caolan McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=4e0c6a0ac78d3c68922e032eec7f9c05cc39023a

Resolves: fdo#58630 crash with refEdit button in SfxTabDialog



The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 18 Commit Notification 2013-03-08 15:52:47 UTC
Caolan McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-4-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=709616cdb1ae8458249384b4c0718bbe5c0cf976&h=libreoffice-4-0

Resolves: fdo#58630 refEdit button shrink mangles dialog


It will be available in LibreOffice 4.0.2.

Comment 19 Julien Nabet 2013-03-09 12:49:39 UTC
*** Bug 61948 has been marked as a duplicate of this bug. ***
Comment 20 Michel Rudelle 2013-03-10 12:58:58 UTC
I confirm the fix of this bug, thanks for that:
Tested with:
Version 4.1.0.0.alpha0+ (Build ID: d7ca9b5cbcac463dd1baa089180bac2a1c0e5e3)
TinderBox: Win-x86@6, Branch:master, Time: 2013-03-09_23:19:58
and
Version 4.0.2.0+ (Build ID: 4f569b6b787586671626f03a61c20b39142a230)
Vista-32b

But a crash is still there when you try to enter a cell range.
I think it might be a different issue and it is not relevant to reopen this bug. Please have a look at bug 61250
Do you agree about that?
Comment 21 Michel Rudelle 2013-03-10 13:01:22 UTC
(In reply to comment #20)
> Please have a look at bug 61250

Sorry, please read bug 61520
Comment 22 Juan Lopez 2013-04-04 18:32:10 UTC
Tested on LibreOffice 4.0.2.2. Windows XP SP3 (32 bits). Bug wasn't fixed.
Comment 23 grofaty 2013-04-05 06:35:02 UTC
It looks like a duplicate of Bug 61948. I have written several step-by-step instructions how to reproduce the crash, see noted bug.
Comment 24 Caolán McNamara 2013-04-05 10:33:27 UTC
let's keep this one closed and work on bug 61948 because that one has more details as to how to reproduce the remaining broken scenarios