this is a really good stack trace that nicely illustrates the double-free in SwXFrame::Modify: Thread A: vcllo.dll!vcl::SolarMutexObject::acquire() Line 35 C++ vcllo.dll!SalYieldMutex::acquire() Line 144 C++ vcllo.dll!SolarMutexGuard::SolarMutexGuard() Line 426 C++ > swlo.dll!sw::UnoImplPtr<SwXFrame::Impl>::~UnoImplPtr<SwXFrame::Impl>() Line 110 C++ swlo.dll!SwXFrame::~SwXFrame() Line 901 C++ swlo.dll!SwXTextFrame::~SwXTextFrame() Line 2521 C++ swlo.dll!SwXTextFrame::`scalar deleting destructor'(unsigned int) C++ cppuhelper3MSC.dll!cppu::OWeakObject::release() Line 204 C++ swlo.dll!cppu::WeakImplHelper6<com::sun::star::lang::XServiceInfo,com::sun::star::beans::XPropertySet,com::sun::star::beans::XPropertyState,com::sun::star::drawing::XShape,com::sun::star::container::XNamed,com::sun::star::lang::XUnoTunnel>::release() Line 111 C++ swlo.dll!SwXTextFrame::release() Line 2530 C++ Thread B: msvcr110d.dll!__crtMessageBoxW(const wchar_t * lpText, const wchar_t * lpCaption, unsigned int uType) Line 249 C msvcr110d.dll!_wassert(const wchar_t * expr, const wchar_t * filename, unsigned int lineno) Line 327 C sal3.dll!`anonymous namespace'::rtl_arena_hash_remove(rtl_arena_st * arena, unsigned long addr, unsigned long size) Line 384 C++ sal3.dll!rtl_arena_free(rtl_arena_st * arena, void * addr, unsigned long size) Line 1044 C++ sal3.dll!rtl_freeMemory_CUSTOM(void * p) Line 146 C++ sal3.dll!rtl_freeMemory(void * p) Line 341 C++ cppuhelper3MSC.dll!cppu::OWeakObject::operator delete(void * pMem) Line 87 C++ swlo.dll!SwXFrame::`scalar deleting destructor'(unsigned int) C++ cppuhelper3MSC.dll!cppu::OWeakObject::release() Line 204 C++ swlo.dll!cppu::WeakImplHelper6<com::sun::star::lang::XServiceInfo,com::sun::star::beans::XPropertySet,com::sun::star::beans::XPropertyState,com::sun::star::drawing::XShape,com::sun::star::container::XNamed,com::sun::star::lang::XUnoTunnel>::release() Line 111 C++ swlo.dll!com::sun::star::uno::Reference<com::sun::star::uno::XInterface>::~Reference<com::sun::star::uno::XInterface>() Line 106 C++ swlo.dll!com::sun::star::lang::EventObject::~EventObject() C++ > swlo.dll!SwXFrame::Modify(const SfxPoolItem * pOld, const SfxPoolItem * pNew) Line 2029 C++ swlo.dll!SwClient::ModifyNotification(const SfxPoolItem * pOldValue, const SfxPoolItem * pNewValue) Line 102 C++ swlo.dll!SwFmt::~SwFmt() Line 240 C++ swlo.dll!SwFrmFmt::~SwFrmFmt() C++ swlo.dll!SwFlyFrmFmt::~SwFlyFrmFmt() Line 2639 C++ swlo.dll!SwFlyFrmFmt::`vector deleting destructor'(unsigned int) C++ swlo.dll!DeleteAndDestroy(SwFrmFmts & rFmts, int aStartIdx, int aEndIdx) Line 438 C++ swlo.dll!SwDoc::~SwDoc() Line 646 C++ swlo.dll!SwDoc::`vector deleting destructor'(unsigned int) C++ swlo.dll!SwDocShell::RemoveLink() Line 450 C++ swlo.dll!SwDocShell::~SwDocShell() Line 370 C++ swlo.dll!SwDocShell::`vbase destructor'() C++ swlo.dll!SwDocShell::`vector deleting destructor'(unsigned int) C++ tllo.dll!SvRefBase::QueryDelete() Line 29 C++ tllo.dll!SvRefBase::ReleaseReference() Line 188 C++ sfxlo.dll!SfxObjectShellRef::~SfxObjectShellRef() Line 756 C++ sfxlo.dll!IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() Line 246 C++ sfxlo.dll!IMPL_SfxBaseModel_DataContainer::`scalar deleting destructor'(unsigned int) C++ sfxlo.dll!SfxBaseModel::dispose() Line 831 C++ swlo.dll!SwXTextDocument::dispose() Line 573 C++ sfxlo.dll!SfxBaseModel::close(unsigned char bDeliverOwnership) Line 1451 C++ swlo.dll!SwXTextDocument::close(unsigned char bDeliverOwnership) Line 581 C++
this is essentially the same crash as the ones on the Linux-RHEL6-x86_64@14-with-check tinderbox earlier this year: the delete m_p is a double-free too, since SwXBookmark::Modify has created and released a new uno::Reference. Program terminated with signal 11, Segmentation fault. #0 0x00002aadd838683e in sw::UnoImplPtr<SwXBookmark::Impl>::~UnoImplPtr (this=0x142ba018, __in_chrg=<value optimized out>) at /home/tinderbox/master/sw/inc/unobaseclass.hxx:112 112 delete m_p; // #i105557#: call dtor with locked solar mutex Thread 1 (Thread 0x2aaddf9df700 (LWP 10234)): #0 0x00002aadd838683e in sw::UnoImplPtr<SwXBookmark::Impl>::~UnoImplPtr (this=0x142ba018, __in_chrg=<value optimized out>) at /home/tinderbox/master/sw/inc/unobaseclass.hxx:112 #1 0x00002aadd8382704 in SwXBookmark::~SwXBookmark (this=0x142b9fc0, __in_chrg=<value optimized out>) at /home/tinderbox/master/sw/source/core/unocore/unobkm.cxx:152 #2 0x00002aadd8382768 in SwXBookmark::~SwXBookmark (this=0x142b9fc0, __in_chrg=<value optimized out>) at /home/tinderbox/master/sw/source/core/unocore/unobkm.cxx:152 #3 0x00002aadc145886c in cppu::OWeakObject::release (this=0x142b9fc0) at /home/tinderbox/master/cppuhelper/source/weak.cxx:204 #4 0x00002aadd8387e1a in cppu::WeakImplHelper1<com::sun::star::rdf::XMetadatable>::release (this=0x142b9fc0) at /home/tinderbox/master/solver/unxlngx6/inc/cppuhelper/implbase1.hxx:110 #5 0x00002aadd8387c7a in cppu::ImplInheritanceHelper5<sfx2::MetadatableMixin, com::sun::star::lang::XUnoTunnel, com::sun::star::lang::XServiceInfo, com::sun::star::beans::XPropertySet, com::sun::star::container::XNamed, com::sun::star::text::XTextContent>::release (this=0x142b9fc0) at /home/tinderbox/master/solver/unxlngx6/inc/cppuhelper/implbase5.hxx:211 #6 0x00002aadd1ca404d in bridges::cpp_uno::shared::freeUnoInterfaceProxy (pEnv=0x1d83600, pProxy=0x14346440) at /home/tinderbox/master/bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:43 Thread 9 (Thread 0x2aadd7106700 (LWP 10199)): #0 0x00000030b5e0e1e5 in __lll_unlock_wake () from /lib64/libpthread.so.0 #1 0x00000030b5e0a6f7 in _L_unlock_657 () from /lib64/libpthread.so.0 #2 0x00000030b5e0a65f in pthread_mutex_unlock () from /lib64/libpthread.so.0 #3 0x00002aadc05e784b in osl_releaseMutex (Mutex=0x121daa0) at /home/tinderbox/master/sal/osl/unx/mutex.c:163 #4 0x00002aadc4d2969c in vcl::SolarMutexObject::release (this=0x121a1e0) at /home/tinderbox/master/vcl/source/app/solarmutex.cxx:45 #5 0x00002aadc531ff03 in SalYieldMutex::release (this=0x121a1e0) at /home/tinderbox/master/vcl/generic/app/geninst.cxx:63 #6 0x00002aadd7bbc577 in SolarMutexGuard::~SolarMutexGuard (this=0x2aadd71050e0, __in_chrg=<value optimized out>) at /home/tinderbox/master/solver/unxlngx6/inc/vcl/svapp.hxx:433 #7 0x00002aadd88c173d in SwXTextDocument::close (this=0x13ddf430, bDeliverOwnership=1 '\001') at /home/tinderbox/master/sw/source/ui/uno/unotxdoc.cxx:583 #8 0x00002aadd1c99cfe in gcc3::callVirtualMethod (pThis=0x13ddf630, nVtableIndex=5, pRegisterReturn=0x0, pReturnTypeRef=0x1222330, bSimpleReturn=true, pStack=0x2aadd7105240, nStack=0, pGPR=0x2aadd71052e0, nGPR=2, pFPR=0x2aadd71052a0, nFPR=0) at /home/tinderbox/master/bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx:119
so creating a uno::Reference from "this" is not thread-safe unless we're inside a UNO method of "this". so we could fix this by: a) send EventObjects without a Source from the ::Modify methods b) put a WeakReference to "this" into all these objects and create the EventObject with that unfortunately if we're really called from a dying SwFrmFmt it's not possible to access it's WeakReference member any more from SwX*::Modify since Modify will be called from base class dtor ~SwFmt or even ~SwClient in many cases and at that point SwFrmFmt member is already dead...
c) refactor SwFmt / SwFrmFmt dtors to notify from the subclass, and use the WeakReference SwFrmFmt::m_wXObject to check if it's still alive
went with option b) even though it is quite cheesy, because it can be applied everywhere without doing case-by-case analysis of where exactly Modify is being called from various dtors in an inheritance hierarchy. master should be fixed for everything that already uses sw::UnoImplPtr SwXFrame/SwXTextFrame/SwXTextGraphicObject/SwXTextEmbeddedObject SwXTextTable SwXMeta/SwXMetaField SwXBookmark/SwXFieldmark SwXTextField SwXFieldMaster SwXDocumentIndexMark SwXDocumentIndex SwXTextSection SwXParagraph SwXReferenceMark SwXFootnote
shall we call this fixed then, seeing as it was logged in 2013 and last comment says you implemented solution b