67708 – crash deleting object / undo stack oddness ...

Bug 67708 - crash deleting object / undo stack oddness ...

Summary: crash deleting object / undo stack oddness ...

Status:	RESOLVED DUPLICATE of bug 78854

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	Impress (show other bugs)
Version: (earliest affected)	4.1.0.4 release
Hardware:	Other All

Importance:	medium normal
Assignee:	Not Assigned

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2013-08-03 11:50 UTC by Michael Meeks
Modified:	2015-02-12 13:55 UTC (History)
CC List:	2 users (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Meeks 2013-08-03 11:50:17 UTC

Unexpected crash when deleting an image - a bit nasty; I'd been using LibreOffice for some half and hour before getting it:

Program received signal SIGSEGV, Segmentation fault.
0xae013def in SdrObject::Free (_rpObject=@0x204785dc: 0x0) at /data/opt/libreoffice/libreoffice-4-1/svx/source/svdraw/svdobj.cxx:515
515	    delete pObject;
(gdb) bt
#0  0xae013def in SdrObject::Free (_rpObject=@0x204785dc: 0x0) at /data/opt/libreoffice/libreoffice-4-1/svx/source/svdraw/svdobj.cxx:515
#1  0xae0699f3 in SdrUndoObjList::~SdrUndoObjList (this=0x204785d0, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/svx/source/svdraw/svdundo.cxx:772
#2  0xad40a6b6 in SdrUndoRemoveObj::~SdrUndoRemoveObj (this=0x204785d0, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/include/svx/svdundo.hxx:296
#3  0xad40a712 in SdrUndoDelObj::~SdrUndoDelObj (this=0x204785d0, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/include/svx/svdundo.hxx:333
#4  0xad40a8bd in sd::UndoDeleteObject::~UndoDeleteObject (this=0x204785d0, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/sd/inc/undo/undoobjects.hxx:66
#5  0xad40a900 in sd::UndoDeleteObject::~UndoDeleteObject (this=0x204785d0, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/sd/inc/undo/undoobjects.hxx:66
#6  0xb765478e in SfxUndoArray::~SfxUndoArray (this=0xb3c7f30, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/svl/source/undo/undo.cxx:1479
#7  0xb7656de9 in SfxListUndoAction::~SfxListUndoAction (this=0xb3c7f28, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/include/svl/undo.hxx:149
#8  0xb7656e2a in SfxListUndoAction::~SfxListUndoAction (this=0xb3c7f28, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/include/svl/undo.hxx:149
#9  0xb765478e in SfxUndoArray::~SfxUndoArray (this=0x9c12028, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/svl/source/undo/undo.cxx:1479
#10 0xb7656de9 in SfxListUndoAction::~SfxListUndoAction (this=0x9c12020, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/include/svl/undo.hxx:149
#11 0xb7656e2a in SfxListUndoAction::~SfxListUndoAction (this=0x9c12020, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/include/svl/undo.hxx:149
#12 0xb765478e in SfxUndoArray::~SfxUndoArray (this=0x1dc97538, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/svl/source/undo/undo.cxx:1479
#13 0xb7656de9 in SfxListUndoAction::~SfxListUndoAction (this=0x1dc97530, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/include/svl/undo.hxx:149
#14 0xb7656e2a in SfxListUndoAction::~SfxListUndoAction (this=0x1dc97530, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/include/svl/undo.hxx:149
#15 0xb7654d67 in svl::undo::impl::UndoManagerGuard::~UndoManagerGuard (this=0xbfffde14, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/svl/source/undo/undo.cxx:358
#16 0xb76562b4 in SfxUndoManager::EnterListAction (this=0x86dd6a0, rComment=..., rRepeatComment=..., nId=0)
    at /data/opt/libreoffice/libreoffice-4-1/svl/source/undo/undo.cxx:1025
#17 0xad409683 in sd::UndoManager::EnterListAction (this=0x86dd6a0, rComment=..., rRepeatComment=..., nId=0)
    at /data/opt/libreoffice/libreoffice-4-1/sd/source/core/undo/undomanager.cxx:35
#18 0xad5c39b5 in sd::DrawView::DeleteMarked (this=0x8df70a8) at /data/opt/libreoffice/libreoffice-4-1/sd/source/ui/view/drawview.cxx:552
#19 0xad4b6106 in sd::FuDraw::KeyInput (this=0x213a6340, rKEvt=...) at /data/opt/libreoffice/libreoffice-4-1/sd/source/ui/func/fudraw.cxx:404
#20 0xad4cf6d0 in KeyInput (rKEvt=..., this=0x213a6340) at /data/opt/libreoffice/libreoffice-4-1/sd/source/ui/func/fusel.cxx:914
#21 sd::FuSelection::KeyInput (this=0x213a6340, rKEvt=...) at /data/opt/libreoffice/libreoffice-4-1/sd/source/ui/func/fusel.cxx:899
#22 0xad5f1392 in sd::DrawViewShell::FuSupport (this=0x1c7d0bb8, rReq=...)
    at /data/opt/libreoffice/libreoffice-4-1/sd/source/ui/view/drviewse.cxx:870
#23 0xad5f759c in SfxStubDrawViewShellFuSupport (pShell=0x1c7d0bb8, rReq=...)
    at /data/opt/libreoffice/libreoffice-4-1/workdir/unxlngi6.pro/SdiTarget/sd/sdi/sdslots.hxx:1447
#24 0xb791a23e in SfxShell::CallExec (this=0x1c7d0bb8, pFunc=0xad5f757f <SfxStubDrawViewShellFuSupport(SfxShell*, SfxRequest&)>, rReq=...)
    at /data/opt/libreoffice/libreoffice-4-1/include/sfx2/shell.hxx:185
#25 0xb79147cc in SfxDispatcher::Call_Impl (this=0x86e2010, rShell=..., rSlot=..., rReq=..., bRecord=1 '\001')
    at /data/opt/libreoffice/libreoffice-4-1/sfx2/source/control/dispatch.cxx:243
#26 0xb7916d02 in SfxDispatcher::PostMsgHandler (this=0x86e2010, pReq=0x1cf27f80)
    at /data/opt/libreoffice/libreoffice-4-1/sfx2/source/control/dispatch.cxx:1222
#27 0xb7916be8 in SfxDispatcher::LinkStubPostMsgHandler (pThis=0x86e2010, pCaller=0x1cf27f80)
    at /data/opt/libreoffice/libreoffice-4-1/sfx2/source/control/dispatch.cxx:1193
#28 0xb78c131d in Call (pCaller=<optimized out>, this=<optimized out>) at /data/opt/libreoffice/libreoffice-4-1/include/tools/link.hxx:123
#29 Call (pCaller=0x1cf27f80, this=0x8a24808) at /data/opt/libreoffice/libreoffice-4-1/include/sfx2/genlink.hxx:45
#30 SfxHintPoster::Event (this=0x8a24800, pPostedHint=0x1cf27f80) at /data/opt/libreoffice/libreoffice-4-1/sfx2/source/notify/hintpost.cxx:62
#31 0xb78c12d3 in DoEvent_Impl (pPostedHint=0x1cf27f80, this=0x8a24800)
    at /data/opt/libreoffice/libreoffice-4-1/sfx2/source/notify/hintpost.cxx:52
#32 SfxHintPoster::LinkStubDoEvent_Impl (pThis=0x8a24800, pCaller=0x1cf27f80)
    at /data/opt/libreoffice/libreoffice-4-1/sfx2/source/notify/hintpost.cxx:56
#33 0xb6a58edf in Link::Call (this=0x1ed7d758, pCaller=0x1cf27f80) at /data/opt/libreoffice/libreoffice-4-1/include/tools/link.hxx:123
#34 0xb6ca9671 in ImplHandleUserEvent (pSVEvent=0x1ca22d40) at /data/opt/libreoffice/libreoffice-4-1/vcl/source/window/winproc.cxx:1986
#35 ImplWindowFrameProc (pWindow=0x85cd248, nEvent=22, pEvent=0x1ca22d40)
    at /data/opt/libreoffice/libreoffice-4-1/vcl/source/window/winproc.cxx:2601
#36 0xb6cb0baa in SalFrame::CallCallback (this=0x85cd508, nEvent=22, pEvent=0x1ca22d40)
    at /data/opt/libreoffice/libreoffice-4-1/vcl/inc/salframe.hxx:243
#37 0xb6cb097e in SalGenericDisplay::DispatchInternalEvent (this=0x80b7b68)
    at /data/opt/libreoffice/libreoffice-4-1/vcl/generic/app/gendisp.cxx:91
#38 0xb3647507 in GtkData::userEventFn (data=0x805bde0) at /data/opt/libreoffice/libreoffice-4-1/vcl/unx/gtk/app/gtkdata.cxx:935
#39 0xb364756c in call_userEventFn (data=data@entry=0x805bde0) at /data/opt/libreoffice/libreoffice-4-1/vcl/unx/gtk/app/gtkdata.cxx:945
#40 0xb5e7ac70 in g_idle_dispatch (source=source@entry=0x1d959188, callback=0xb364753c <call_userEventFn(void*)>, user_data=0x805bde0)
    at gmain.c:5205
#41 0xb5e7e123 in g_main_dispatch (context=0x8081be0, context@entry=0x84fa5d8) at gmain.c:3054
#42 g_main_context_dispatch (context=context@entry=0x8081be0) at gmain.c:3630
#43 0xb5e7e4c0 in g_main_context_iterate (context=context@entry=0x8081be0, block=block@entry=0, dispatch=dispatch@entry=1, self=<optimized out>)
    at gmain.c:3701
#44 0xb5e7e5a1 in g_main_context_iteration (context=0x8081be0, may_block=0) at gmain.c:3762
#45 0xb36472e9 in GtkData::Yield (this=0x805bde0, bWait=true, bHandleAllCurrentEvents=false)
    at /data/opt/libreoffice/libreoffice-4-1/vcl/unx/gtk/app/gtkdata.cxx:574
#46 0xb364779b in GtkInstance::Yield (this=0x805bd98, bWait=true, bHandleAllCurrentEvents=false)
    at /data/opt/libreoffice/libreoffice-4-1/vcl/unx/gtk/app/gtkinst.cxx:405
#47 0xb6a52aee in ImplYield (i_bWait=true, i_bAllEvents=false) at /data/opt/libreoffice/libreoffice-4-1/vcl/source/app/svapp.cxx:422
#48 0xb6a50878 in Application::Yield (i_bAllEvents=false) at /data/opt/libreoffice/libreoffice-4-1/vcl/source/app/svapp.cxx:456
#49 0xb6a508a9 in Application::Execute () at /data/opt/libreoffice/libreoffice-4-1/vcl/source/app/svapp.cxx:401
#50 0xb7f54a86 in desktop::Desktop::Main (this=0xbfffee2c) at /data/opt/libreoffice/libreoffice-4-1/desktop/source/app/app.cxx:1720
#51 0xb6a56990 in ImplSVMain () at /data/opt/libreoffice/libreoffice-4-1/vcl/source/app/svmain.cxx:162
#52 0xb6a56a62 in SVMain () at /data/opt/libreoffice/libreoffice-4-1/vcl/source/app/svmain.cxx:198
#53 0xb7f70c29 in soffice_main () at /data/opt/libreoffice/libreoffice-4-1/desktop/source/app/sofficemain.cxx:82

(gdb) up
#1  0xae0699f3 in SdrUndoObjList::~SdrUndoObjList (this=0x204785d0, __in_chrg=<optimized out>)
    at /data/opt/libreoffice/libreoffice-4-1/svx/source/svdraw/svdundo.cxx:772
772	        SdrObject::Free( pObj );
(gdb) l
767	    {
768	        // Attribute have to go back to the regular Pool
769	        SetOwner(sal_False);
770	
771	        // now delete
772	        SdrObject::Free( pObj );
773	    }
774	}
775	
776	void SdrUndoObjList::SetOwner(bool bNew)
(gdb) p pObj
$1 = (SdrObject *) 0x0
(gdb) down
#0  0xae013def in SdrObject::Free (_rpObject=@0x204785dc: 0x0) at /data/opt/libreoffice/libreoffice-4-1/svx/source/svdraw/svdobj.cxx:515
515	    delete pObject;
(gdb) l
510	    SvxShape* pShape = pObject->getSvxShape();
511	    if ( pShape && pShape->HasSdrObjectOwnership() )
512	        // only the shape is allowed to delete me, and will reset the ownership before doing so
513	        return;
514	
515	    delete pObject;
516	}
517	
518	SdrObjPlusData* SdrObject::NewPlusData() const
519	{
(gdb) p pObject
$2 = (SdrObject *) 0x1ca11058
(gdb) p _rpObject
$3 = (SdrObject *&) @0x204785dc: 0x0

Comment 1 Cor Nouws 2013-08-03 14:40:43 UTC

so you work in a presentation, delete an image there, and approx. half an hour later there is the crash?

Comment 2 Michael Meeks 2013-08-03 16:39:50 UTC

Nah - I work on a presentation for half an hour, and eventually (over-long undo stack?), I delete an object and bang.

Could be some generic memory corruption of course, but the NULL ptr is perhaps indicative of something interesting ?

Comment 3 Caolán McNamara 2015-02-12 13:55:32 UTC

I'm going to pretend this is a dup of fixed 78854

*** This bug has been marked as a duplicate of bug 78854 ***