Bug 90969 - Crash on Document close, from DocBasicItem destruction
Summary: Crash on Document close, from DocBasicItem destruction
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: BASIC (show other bugs)
Version:
(earliest affected)
4.4.0.3 release
Hardware: Other All
: medium normal
Assignee: Michael Stahl (allotropia)
URL:
Whiteboard: target:5.0.0 target:4.4.4
Keywords: bibisected, bisected, regression
: 91040 91214 92012 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-04-30 14:38 UTC by Björn Michaelsen
Modified: 2016-05-29 13:25 UTC (History)
6 users (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Björn Michaelsen 2015-04-30 14:38:03 UTC 
regression vs. 4.3: crash on close from BASIC -- stacktrace downstream at https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1418551
Comment 1 Björn Michaelsen 2015-04-30 14:39:57 UTC 
StractraceTop:
#0  0x00007fe8106f7e7a in Application::GetSolarMutex () at /build/buildd/libreoffice-4.4.0~rc2/vcl/source/app/svapp.cxx:409
No locals.
#1  0x00007fe812acd81c in SolarMutexGuard (this=<synthetic pointer>) at /build/buildd/libreoffice-4.4.0~rc2/include/vcl/svapp.hxx:1567
No locals.
#2  DocBasicItem::~DocBasicItem (this=0x7fe7d83d1610, __in_chrg=<optimized out>) at /build/buildd/libreoffice-4.4.0~rc2/basic/source/classes/sb.cxx:112
No locals.
#3  0x00007fe812acd949 in DocBasicItem::~DocBasicItem (this=0x7fe7d83d1610, __in_chrg=<optimized out>) at /build/buildd/libreoffice-4.4.0~rc2/basic/source/classes/sb.cxx:116
No locals.
#4  0x00007fe812ad1835 in release (this=<optimized out>) at /build/buildd/libreoffice-4.4.0~rc2/include/cppuhelper/implbase1.hxx:109
No locals.
#5  ~Reference (this=0x7fe7d83d4c78, __in_chrg=<optimized out>) at /build/buildd/libreoffice-4.4.0~rc2/include/rtl/ref.hxx:75
No locals.
#6  ~pair (this=0x7fe7d83d4c70, __in_chrg=<optimized out>) at /usr/include/c++/4.9/bits/stl_pair.h:96
No locals.
#7  destroy<std::pair<StarBASIC const* const, rtl::Reference<DocBasicItem> > > (this=<optimized out>, __p=0x7fe7d83d4c70) at /usr/include/c++/4.9/ext/new_allocator.h:124
No locals.
#8  destroy<std::pair<StarBASIC const* const, rtl::Reference<DocBasicItem> > > (a=..., p=0x7fe7d83d4c70) at /usr/include/boost/unordered/detail/allocate.hpp:591
No locals.
#9  destroy_value_impl<std::allocator<boost::unordered::detail::ptr_node<std::pair<StarBASIC const* const, rtl::Reference<DocBasicItem> > > >, std::pair<StarBASIC const* const, rtl::Reference<DocBasicItem> > > (alloc=..., x=0x7fe7d83d4c70) at /usr/include/boost/unordered/detail/allocate.hpp:788
No locals.
#10 delete_node (this=<optimized out>, prev=0x7fe7d81ade10) at /usr/include/boost/unordered/detail/table.hpp:519
        n = 0x7fe7d83d4c70
#11 delete_nodes (end=0x0, prev=0x7fe7d81ade10, this=0x7fe812e09020 <rtl::Static<boost::unordered::unordered_map<StarBASIC const*, rtl::Reference<DocBasicItem>, boost::hash<StarBASIC const*>, std::equal_to<StarBASIC const*>, std::allocator<std::pair<StarBASIC const* const, rtl::Reference<DocBasicItem> > > >, (anonymous namespace)::GaDocBasicItems>::get()::instance>) at /usr/include/boost/unordered/detail/table.hpp:534
        count = <optimized out>
#12 delete_buckets (this=0x7fe812e09020 <rtl::Static<boost::unordered::unordered_map<StarBASIC const*, rtl::Reference<DocBasicItem>, boost::hash<StarBASIC const*>, std::equal_to<StarBASIC const*>, std::allocator<std::pair<StarBASIC const* const, rtl::Reference<DocBasicItem> > > >, (anonymous namespace)::GaDocBasicItems>::get()::instance>) at /usr/include/boost/unordered/detail/table.hpp:544
No locals.
#13 ~table (this=0x7fe812e09020 <rtl::Static<boost::unordered::unordered_map<StarBASIC const*, rtl::Reference<DocBasicItem>, boost::hash<StarBASIC const*>, std::equal_to<StarBASIC const*>, std::allocator<std::pair<StarBASIC const* const, rtl::Reference<DocBasicItem> > > >, (anonymous namespace)::GaDocBasicItems>::get()::instance>, __in_chrg=<optimized out>) at /usr/include/boost/unordered/detail/table.hpp:511
No locals.
#14 ~table_impl (this=0x7fe812e09020 <rtl::Static<boost::unordered::unordered_map<StarBASIC const*, rtl::Reference<DocBasicItem>, boost::hash<StarBASIC const*>, std::equal_to<StarBASIC const*>, std::allocator<std::pair<StarBASIC const* const, rtl::Reference<DocBasicItem> > > >, (anonymous namespace)::GaDocBasicItems>::get()::instance>, __in_chrg=<optimized out>) at /usr/include/boost/unordered/detail/unique.hpp:170
No locals.
#15 boost::unordered::unordered_map<StarBASIC const*, rtl::Reference<DocBasicItem>, boost::hash<StarBASIC const*>, std::equal_to<StarBASIC const*>, std::allocator<std::pair<StarBASIC const* const, rtl::Reference<DocBasicItem> > > >::~unordered_map (this=0x7fe812e09020 <rtl::Static<boost::unordered::unordered_map<StarBASIC const*, rtl::Reference<DocBasicItem>, boost::hash<StarBASIC const*>, std::equal_to<StarBASIC const*>, std::allocator<std::pair<StarBASIC const* const, rtl::Reference<DocBasicItem> > > >, (anonymous namespace)::GaDocBasicItems>::get()::instance>, __in_chrg=<optimized out>) at /usr/include/boost/unordered/unordered_map.hpp:1064
No locals.
#16 0x00007fe8152856a9 in __run_exit_handlers (status=0, listp=0x7fe8156096c8 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true) at exit.c:82
Comment 2 Björn Michaelsen 2015-04-30 14:57:04 UTC 
This seems to be caused by a1fad26e045ff1fec0c63243e3516ef2da7f390d "fdo#84935: basic: DocBasicItem is a UNO service, lock SolarMutex in dtor"

The GaDocBasicItems is a rtl::Static<> and seems to thus live longer than even the SolarMutex -- as the change above is trying to get a guard for the mutex in dtor, that map has to be cleared before the SolarMutex is gone.
Comment 3 Matthew Francis 2015-05-04 08:50:32 UTC 
A likely commit has been identified - marking as bisected
Comment 4 Commit Notification 2015-05-12 12:21:52 UTC 
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=be88e305eeac88e51f83efc004d4b60b87f1e757

tdf#90969: basic: add horrible hack to avoid crash due to ...

It will be available in 5.0.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 5 Michael Stahl (allotropia) 2015-05-12 12:23:20 UTC 
added a work-around for the BASIC global variable madness on master
Comment 6 Commit Notification 2015-05-12 17:22:01 UTC 
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-4-4":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=098817edf3c5d16ab476fbb996807e7654597990&h=libreoffice-4-4

tdf#90969: basic: add horrible hack to avoid crash due to ...

It will be available in 4.4.4.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 7 Caolán McNamara 2015-06-15 14:13:11 UTC 
*** Bug 91214 has been marked as a duplicate of this bug. ***
Comment 8 Gordo 2015-06-16 18:29:17 UTC 
*** Bug 92012 has been marked as a duplicate of this bug. ***
Comment 9 Robinson Tryon (qubit) 2015-12-17 09:00:08 UTC 
Migrating Whiteboard tags to Keywords: (bibisected)
[NinjaEdit]
Comment 10 Julien Nabet 2016-05-29 13:25:13 UTC 
*** Bug 91040 has been marked as a duplicate of this bug. ***