Reproduced on Fedora 20 x86-64: Version: 5.0.0.0.alpha1+ Build ID: a21a0b6dceaf965673ae601318e77991919c8f6a Steps to reproduce: 1. Open LO from command line calling instdir/program/soffice 2. Create a new Writer document. 3. Click on the "insert table" button in the toolbar 4. Do not insert a table; instead, click again on the button to close it 5. The application will crash at this point. I'm not sure if the bug can be reproduced outside my own machine. As a side node, it didn't happen when I ran LO by calling soffice.bin directly.
GDB output: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff457f9ab in vcl::Window::dispose (this=0x1d45260) at /home/jaragunde/projects/libreoffice/core/vcl/source/window/window.cxx:554 554 if ( mpWindowImpl->mbFrame ) ... (gdb) bt #0 0x00007ffff457f9ab in vcl::Window::dispose (this=0x1d45260) at /home/jaragunde/projects/libreoffice/core/vcl/source/window/window.cxx:554 #1 0x00007ffff452d28f in SystemWindow::dispose (this=0x1d45260) at /home/jaragunde/projects/libreoffice/core/vcl/source/window/syswin.cxx:123 #2 0x00007ffff448e24c in FloatingWindow::dispose (this=0x1d45260) at /home/jaragunde/projects/libreoffice/core/vcl/source/window/floatwin.cxx:213 #3 0x00007ffff6da0c66 in SfxPopupWindow::dispose (this=0x1d45260) at /home/jaragunde/projects/libreoffice/core/sfx2/source/toolbox/tbxitem.cxx:1217 #4 0x00007fffe057582e in TableWindow::dispose (this=0x1d45260) at /home/jaragunde/projects/libreoffice/core/svx/source/tbxctrls/layctrl.cxx:166 #5 0x00007ffff46d7678 in OutputDevice::disposeOnce (this=0x1d45260) at /home/jaragunde/projects/libreoffice/core/vcl/source/outdev/outdev.cxx:203 #6 0x00007ffff6da120c in SfxPopupWindow::Delete (this=0x1d45260) at /home/jaragunde/projects/libreoffice/core/sfx2/source/toolbox/tbxitem.cxx:1387 #7 0x00007ffff6da0ed1 in SfxPopupWindow::Close (this=0x1d45260) at /home/jaragunde/projects/libreoffice/core/sfx2/source/toolbox/tbxitem.cxx:1271 #8 0x00007ffff6da0f32 in SfxPopupWindow::PopupModeEnd (this=0x1d45260) at /home/jaragunde/projects/libreoffice/core/sfx2/source/toolbox/tbxitem.cxx:1289 #9 0x00007fffe0576725 in TableWindow::PopupModeEnd (this=0x1d45260) at /home/jaragunde/projects/libreoffice/core/svx/source/tbxctrls/layctrl.cxx:355 #10 0x00007ffff448f476 in FloatingWindow::ImplEndPopupModeHdl (this=0x1d45260) at /home/jaragunde/projects/libreoffice/core/vcl/source/window/floatwin.cxx:525 #11 0x00007ffff448f421 in FloatingWindow::LinkStubImplEndPopupModeHdl (instance=0x1d45260, data=0x0) at /home/jaragunde/projects/libreoffice/core/vcl/source/window/floatwin.cxx:520 #12 0x00007ffff43d2eb7 in Link<void*, long>::Call (this=0x1d33f10, data=0x0) at /home/jaragunde/projects/libreoffice/core/include/tools/link.hxx:141 #13 0x00007ffff45a22af in ImplHandleUserEvent (pSVEvent=0x1d44a40) at /home/jaragunde/projects/libreoffice/core/vcl/source/window/winproc.cxx:2030 #14 0x00007ffff45a38d9 in ImplWindowFrameProc (pWindow=0x118b210, nEvent=22, pEvent=0x1d44a40) at /home/jaragunde/projects/libreoffice/core/vcl/source/window/winproc.cxx:2583 #15 0x00007ffff4aa38d4 in SalFrame::CallCallback (this=0x118bb20, nEvent=22, pEvent=0x1d44a40) at /home/jaragunde/projects/libreoffice/core/vcl/inc/salframe.hxx:244 #16 0x00007ffff4aa337a in SalGenericDisplay::DispatchInternalEvent (this=0x10e8cb0) at /home/jaragunde/projects/libreoffice/core/vcl/generic/app/gendisp.cxx:90 #17 0x00007fffea532f18 in GtkData::userEventFn (data=0x424320) at /home/jaragunde/projects/libreoffice/core/vcl/unx/gtk/app/gtkdata.cxx:944 #18 0x00007fffea532f94 in call_userEventFn (data=0x424320) at /home/jaragunde/projects/libreoffice/core/vcl/unx/gtk/app/gtkdata.cxx:954 #19 0x00000035f84492a6 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0 #20 0x00000035f8449628 in g_main_context_iterate.isra () from /lib64/libglib-2.0.so.0 #21 0x00000035f84496dc in g_main_context_iteration () from /lib64/libglib-2.0.so.0 #22 0x00007fffea531d16 in GtkData::Yield (this=0x424320, bWait=true, bHandleAllCurrentEvents=false) at /home/jaragunde/projects/libreoffice/core/vcl/unx/gtk/app/gtkdata.cxx:579 #23 0x00007fffea536334 in GtkInstance::Yield (this=0x424240, bWait=true, bHandleAllCurrentEvents=false) at /home/jaragunde/projects/libreoffice/core/vcl/unx/gtk/app/gtkinst.cxx:394 #24 0x00007ffff49e146c in ImplYield (i_bWait=true, i_bAllEvents=false) at /home/jaragunde/projects/libreoffice/core/vcl/source/app/svapp.cxx:353 #25 0x00007ffff49dd889 in Application::Yield () at /home/jaragunde/projects/libreoffice/core/vcl/source/app/svapp.cxx:382 #26 0x00007ffff49dd837 in Application::Execute () at /home/jaragunde/projects/libreoffice/core/vcl/source/app/svapp.cxx:336 #27 0x00007ffff7e03cc4 in desktop::Desktop::Main (this=0x7fffffffdc10) at /home/jaragunde/projects/libreoffice/core/desktop/source/app/app.cxx:1605 #28 0x00007ffff49e619a in ImplSVMain () at /home/jaragunde/projects/libreoffice/core/vcl/source/app/svmain.cxx:162 #29 0x00007ffff49e62d7 in SVMain () at /home/jaragunde/projects/libreoffice/core/vcl/source/app/svmain.cxx:196 #30 0x00007ffff7e4b55d in soffice_main () at /home/jaragunde/projects/libreoffice/core/desktop/source/app/sofficemain.cxx:96 #31 0x00000000004008f7 in sal_main () at /home/jaragunde/projects/libreoffice/core/desktop/source/app/main.c:48 #32 0x00000000004008dd in main (argc=1, argv=0x7fffffffdf38) at /home/jaragunde/projects/libreoffice/core/desktop/source/app/main.c:47
(gdb) p mpWindowImpl $1 = (WindowImpl *) 0x9999999999999999
Cannot reproduce with Version: 5.0.0.0.alpha1+ Build ID: d2ab54bb0d07d285c91a8ac17f53559e438d042a TinderBox: Linux-rpm_deb-x86_64@46-TDF, Branch:master, Time: 2015-05-03_01:03:40
On pc Debian x86-64 with master sources updated yesterday (4000a0e6524f09612a3fe8f0a6214e0a68b7e007), I could reproduce the crash with the same bt.
This began at the below commit. Adding Cc: to michael.meeks@collabora.com; Could you possibly take a look at this one? Thanks commit e8b97a52c96df9c8e8055407b1e40ed7cb9cfc67 Merge: 2b0be6c 0cde74f Author: Michael Meeks <michael.meeks@collabora.com> Date: Tue Apr 28 11:41:31 2015 +0100 Merge remote-tracking branch 'origin/feature/vclptr' Resolve several thousand lines of conflicts.
Thanks for the report - looks like another duplicate; please do de-duplicate it if you can reproduce with a more recent master build. Thanks ! *** This bug has been marked as a duplicate of bug 91081 ***
@mmeeks: I can still reproduce this one on a master (dbgutil) build as of 0a6012912f76a6fca7c6aac081b4b2940b8d055c
With $ export MALLOC_CHECK_=2 etc. I get a nice, earlier crash - which seems to suggest that the popupwindow is freed before the user event is processed. (gdb) bt #0 vcl::Window::dispose (this=0x20d3660) at /data/opt/libreoffice/master/vcl/source/window/window.cxx:554 #1 0x00007ffff4830188 in SfxPopupWindow::Close (this=0x20d3660) at /data/opt/libreoffice/master/sfx2/source/toolbox/tbxitem.cxx:1271 #2 0x00007fffd45a03bd in TableWindow::PopupModeEnd (this=0x20d3660) at /data/opt/libreoffice/master/svx/source/tbxctrls/layctrl.cxx:355 #3 0x00007ffff263ecfa in ImplEndPopupModeHdl (this=<optimized out>) at /data/opt/libreoffice/master/vcl/source/window/floatwin.cxx:525 #4 FloatingWindow::LinkStubImplEndPopupModeHdl (instance=<optimized out>, data=<optimized out>) at /data/opt/libreoffice/master/vcl/source/window/floatwin.cxx:520 #5 0x00007ffff26b53b7 in Call (data=<optimized out>, this=<optimized out>) at /data/opt/libreoffice/master/include/tools/link.hxx:141 #6 ImplHandleUserEvent (pSVEvent=0x213f520) at /data/opt/libreoffice/master/vcl/source/window/winproc.cxx:2030 #7 ImplWindowFrameProc (pWindow=<optimized out>, nEvent=<optimized out>, pEvent=0x213f520) at /data/opt/libreoffice/master/vcl/source/window/winproc.cxx:2583 #8 0x00007ffff2904fd8 in CallCallback (pEvent=0x213f520, nEvent=22, this=0xf7cd20) at /data/opt/libreoffice/master/vcl/inc/salframe.hxx:244 #9 SalGenericDisplay::DispatchInternalEvent (this=0xf18590) at /data/opt/libreoffice/master/vcl/generic/app/gendisp.cxx:90 #10 0x00007fffe57987b9 in GtkData::userEventFn (data=data@entry=0x61d9f0) at /data/opt/libreoffice/master/vcl/unx/gtk/app/gtkdata.cxx:944 #11 0x00007fffe5798831 in call_userEventFn (data=0x61d9f0) at /data/opt/libreoffice/master/vcl/unx/gtk/app/gtkdata.cxx:954
Michael Meeks committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=0005d50f07f35fa1cb2063cf2cbad465c4068225 tdf#91073 - don't queue an async user event when disposed. It will be available in 5.0.0. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Michael Meeks committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=207b0799d9b5b7029ccde23787f55e6efc2df2aa tdf#91073 - keep the popup pointer around while we operate on it. It will be available in 5.0.0. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Thanks for your patches Michael, unfortunately I can still reproduce the bug in a fresh master build. Version: 5.0.0.0.alpha1+ Build ID: bbdd739d6e2024f57e692e646295644faf44af22
Lets try again - holding a reference in the event handler appears to help avoid us keeping deleted pieces around on the stack.
Michael Meeks committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=03e3d888fff9301b8d22484e8b626d6cc0af9127 tdf#91073 - hold a reference on the floatwin in UserEvent handler. It will be available in 5.0.0. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
(In reply to Commit Notification from comment #13) > Michael Meeks committed a patch related to this issue. > It has been pushed to "master": > > http://cgit.freedesktop.org/libreoffice/core/commit/ > ?id=03e3d888fff9301b8d22484e8b626d6cc0af9127 > > tdf#91073 - hold a reference on the floatwin in UserEvent handler. > I cherry-picked this patch and it fixed the issue for me, thanks :)
Migrating Whiteboard tags to Keywords: (bibisected) [NinjaEdit]