Created attachment 110217 [details]
xls macro that demonstrates crashes when combobox, radiobutton, textbox values are modified using VBA code

On Fri May 10 17:04:39 2013, VBA was updated so that the change() routine of textboxes and comboboxes would be triggered if macro code sets the value. LibreOffice frequently crashes (complete exit) when that happens.

This could easily be the same problem noted in bug 86667, but I wrote in that bug that it should focus on the "two documents" part of the crash. I'll mark that one as depending on this bug, which will focus on a crash with a single document open.

This commit added the fireChangeEvent call:
author Noel Power <noel.power@suse.com> 2013-04-23 17:13:37 (GMT)
committer Noel Power <noel.power@suse.com> 2013-05-09 13:11:18 (GMT)
commit 4bad1a8e314269f2538133eb241135a225ac3f4f (patch)
tree b608bf79ffd0b34bd74d142cd89bb58cda498618
parent 3fb03cc873280c49e04c59062c1ad21b53c7f5df (diff)
support api initiated change_event for combox & textbox
Change-Id: Iff51a184792e9d12accb902df1772fc07589443b

To replicate the bug: Use the test document by clicking on a non-empty cell, which will set the control's value to the value of the cell. The crash occurs VERY easily in Linux - usually within the first three cells selected. On Windows it can also crash, but with much less frequency.

If you use the VBA debugger to "step into" the code, you will see the crash happening when you "Exit Sub" from a change() routine.

I found three controls in the LibreOffice codebase that call fireChangeEvent(). All three are included in the test document, and all can cause the crash.
Confirmed on Linux / 4.3.4.1 and master -> NEW
Created attachment 110218 [details] Linux 4.5 master backtrace
Created attachment 110219 [details]
gdbtrace running from 4.1 development code at the time when the bug surfaced.

I think the fix might come from this area:

    if( mpPar.Is() )
    {
        // Register this as element 0, but don't change over the parent!
        mpPar->GetRef( 0 ) = this;
    }

Similar code can be found in basic/source/class/sbxmod.cxx

    if( mpPar.Is() )
    {
        // Enregister this as element 0, but don't reset the parent!
        switch( GetType() ) {
        case SbxEMPTY:
        case SbxVOID:
            break;
        default:
            mpPar->PutDirect( pThisCopy, 0 );
            break;
        }
        SetParameters( NULL );
    }

Crashes still happen when mpPar->GetRef(0) = this is commented out. Keep looking elsewhere...
Created attachment 110240 [details] bt with debug symbols On pc Debian x86-64 with master sources updated yesterday I could reproduce this. I attached bt with symbols.
Caolán McNamara committed a patch related to this issue. It has been pushed to "master":
http://cgit.freedesktop.org/libreoffice/core/commit/?id=19d0950451f909086c3732ce29812c4cda513908
Resolves: fdo#86843 avoid getting deleted before finishing Broadcast
It will be available in 4.5.0.
The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
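The commit subject above, "avoid getting deleted before finishing Broadcast", names a general pattern: hold a reference to the object for the whole notification loop. The block below is an added illustration of that pattern, not code from the LibreOffice commit or from any commenter; `Broadcaster`, `run` and the listener that drops the last reference are hypothetical, and the unguarded path stops at the point where real code would go on to touch freed memory.

```cpp
#include <cstddef>
#include <functional>
#include <utility>
#include <vector>

enum class Outcome { Completed, DestroyedMidBroadcast };

// Hypothetical intrusively ref-counted notifier; no name here is LibreOffice's.
class Broadcaster {
    int refs_ = 0;
    int notified_ = 0;
    bool* destroyed_;  // set by the destructor so the demo can observe it
    std::vector<std::function<void()>> listeners_;
public:
    explicit Broadcaster(bool* destroyed) : destroyed_(destroyed) {}
    ~Broadcaster() { *destroyed_ = true; }
    void acquire() { ++refs_; }
    void release() { if (--refs_ == 0) delete this; }
    void addListener(std::function<void()> l) { listeners_.push_back(std::move(l)); }

    Outcome broadcast(bool keepAlive) {
        bool* destroyed = destroyed_;  // local copy, readable even if *this is gone
        if (keepAlive) acquire();      // guard: pin *this until the loop is done
        for (std::size_t i = 0; i < listeners_.size(); ++i) {
            auto cb = listeners_[i];   // copy so the callable does not die mid-call
            cb();
            if (*destroyed)            // only reachable without the guard; real code
                return Outcome::DestroyedMidBroadcast;  // would use freed memory next
            ++notified_;               // member access after the callback returns
        }
        if (keepAlive) release();      // may delete *this; nothing is touched after
        return Outcome::Completed;
    }
};

struct Result { Outcome outcome; bool destroyedAfter; };

// Constructed scenario: the first listener drops the only outside reference.
Result run(bool keepAlive) {
    bool destroyed = false;
    Broadcaster* owner = new Broadcaster(&destroyed);
    owner->acquire();
    owner->addListener([&owner] { owner->release(); owner = nullptr; });
    owner->addListener([] {});
    Outcome o = owner->broadcast(keepAlive);
    return { o, destroyed };
}

int main() { return run(true).outcome == Outcome::Completed ? 0 : 1; }
```

With the guard the object is still destroyed, but only after the last listener has run, which is the ordering the commit subject describes.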
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-4-4":
http://cgit.freedesktop.org/libreoffice/core/commit/?id=ca1d5ef57dc1ae7a0ebafc5ed9a11150ca6eb4eb&h=libreoffice-4-4
Resolves: fdo#86843 avoid getting deleted before finishing Broadcast
It will be available in 4.4.0.0.beta3.
That seems to work fine for me now with this fix.
Tested the fix and no crashing seen. Can the fix be cherry-picked to the 4.3.5 branch too? Thanks for the help.
https://gerrit.libreoffice.org/#/c/13420/
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-4-3":
http://cgit.freedesktop.org/libreoffice/core/commit/?id=c3d625af537dcb5ca380b7fb30345d0cbd90e4b1&h=libreoffice-4-3
Resolves: fdo#86843 avoid getting deleted before finishing Broadcast
It will be available in 4.3.6.
Tested OK on 4.3.6 dev branch. (need to comment out an old assert in order to run the example test .xls under 4.3.6 debug mode).
Migrating Whiteboard tags to Keywords: (bibisected) [NinjaEdit]