Bug 91239 - any basic window lead to crash (VclPtr related ?)
Summary: any basic window lead to crash (VclPtr related ?)
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: BASIC (show other bugs)
Version:
(earliest affected)
5.0.0.0.alpha0+ Master
Hardware: Other All
: medium normal
Assignee: Not Assigned
URL:
Whiteboard: target:5.0.0
Keywords:
Depends on:
Blocks: VclPtr
  Show dependency treegraph
 
Reported: 2015-05-12 13:13 UTC by Laurent Godard
Modified: 2015-05-15 18:00 UTC (History)
3 users (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Laurent Godard 2015-05-12 13:13:57 UTC 
a simple macro statement as
Print "Hello"

displays the window
when "ok", on closing, libreoffice crashes

same behaviour on more "complex" dialogs

gdb bt
---------

    soffice.bin: /home/lgodard/projets/libreoffice/build/git/core/include/vcl/outdev.hxx :283 : void OutputDevice::release() const:  l'assertion « mnRefCnt>0 » a échoué.
     
    Program received signal SIGABRT, Aborted.
    0x00007ffff748c107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    56      ../nptl/sysdeps/unix/sysv/linux/raise.c: Aucun fichier ou dossier de ce type.
    (gdb) bt
    #0  0x00007ffff748c107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #1  0x00007ffff748d4e8 in __GI_abort () at abort.c:89
    #2  0x00007ffff7485226 in __assert_fail_base (fmt=0x7fffdece703a "%s%s%s :%u : %s%s l'assertion « %s » a échoué.\n%n", assertion=assertion@entry=0x7ffff16732d0 "mnRefCnt>0",
        file=file@entry=0x7ffff1673288 "/home/lgodard/projets/libreoffice/build/git/core/include/vcl/outdev.hxx", line=line@entry=283,
        function=function@entry=0x7ffff1674800 <OutputDevice::release() const::__PRETTY_FUNCTION__> "void OutputDevice::release() const") at assert.c:92
    #3  0x00007ffff74852d2 in __GI___assert_fail (assertion=0x7ffff16732d0 "mnRefCnt>0", file=0x7ffff1673288 "/home/lgodard/projets/libreoffice/build/git/core/include/vcl/outdev.hxx", line=283,
        function=0x7ffff1674800 <OutputDevice::release() const::__PRETTY_FUNCTION__> "void OutputDevice::release() const") at assert.c:101
    #4  0x00007ffff0f68ae4 in OutputDevice::release (this=0x7fffffffc290) at /home/lgodard/projets/libreoffice/build/git/core/include/vcl/outdev.hxx:283
    #5  0x00007ffff0f6910f in rtl::Reference<vcl::Window>::~Reference (this=0x1902c40, __in_chrg=<optimized out>) at /home/lgodard/projets/libreoffice/build/git/core/include/rtl/ref.hxx:81
    #6  0x00007ffff0f68d00 in VclPtr<vcl::Window>::~VclPtr (this=0x1902c40, __in_chrg=<optimized out>) at /home/lgodard/projets/libreoffice/build/git/core/include/vcl/vclptr.hxx:83
    #7  0x00007ffff100a35a in ImplSVEvent::~ImplSVEvent (this=0x1902c30, __in_chrg=<optimized out>) at /home/lgodard/projets/libreoffice/build/git/core/vcl/inc/svdata.hxx:399
    #8  0x00007ffff10edcab in ImplHandleUserEvent (pSVEvent=0x1902c30) at /home/lgodard/projets/libreoffice/build/git/core/vcl/source/window/winproc.cxx:2035
    #9  0x00007ffff10ef381 in ImplWindowFrameProc (_pWindow=0x1510c70, nEvent=22, pEvent=0x1902c30) at /home/lgodard/projets/libreoffice/build/git/core/vcl/source/window/winproc.cxx:2586
    #10 0x00007ffff14f9ea9 in SalFrame::CallCallback (this=0x1511580, nEvent=22, pEvent=0x1902c30) at /home/lgodard/projets/libreoffice/build/git/core/vcl/inc/salframe.hxx:244
    #11 0x00007ffff14f9aca in SalGenericDisplay::DispatchInternalEvent (this=0x13d4ca0) at /home/lgodard/projets/libreoffice/build/git/core/vcl/generic/app/gendisp.cxx:90
    #12 0x00007fffe258df0a in GtkData::userEventFn (data=0x637990) at /home/lgodard/projets/libreoffice/build/git/core/vcl/unx/gtk/app/gtkdata.cxx:945
    #13 0x00007fffe258df86 in call_userEventFn (data=0x637990) at /home/lgodard/projets/libreoffice/build/git/core/vcl/unx/gtk/app/gtkdata.cxx:955
    #14 0x00007fffeb189b4d in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
    #15 0x00007fffeb189f20 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
    #16 0x00007fffeb189fcc in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
    #17 0x00007fffe258cce4 in GtkData::Yield (this=0x637990, bWait=false, bHandleAllCurrentEvents=false) at /home/lgodard/projets/libreoffice/build/git/core/vcl/unx/gtk/app/gtkdata.cxx:580
    #18 0x00007fffe258fcce in GtkInstance::Yield (this=0x634930, bWait=false, bHandleAllCurrentEvents=false) at /home/lgodard/projets/libreoffice/build/git/core/vcl/unx/gtk/app/gtkinst.cxx:394
    #19 0x00007ffff1454672 in ImplYield (i_bWait=false, i_bAllEvents=false) at /home/lgodard/projets/libreoffice/build/git/core/vcl/source/app/svapp.cxx:353
    #20 0x00007ffff1450cc1 in Application::Reschedule (i_bAllEvents=false) at /home/lgodard/projets/libreoffice/build/git/core/vcl/source/app/svapp.cxx:377
    #21 0x00007ffff479f773 in SbiRuntime::Step (this=0x24a8a50) at /home/lgodard/projets/libreoffice/build/git/core/basic/source/runtime/runtime.cxx:766
    #22 0x00007ffff4737d0c in SbModule::Run (this=0x1ed8510, pMeth=0x24a7690) at /home/lgodard/projets/libreoffice/build/git/core/basic/source/classes/sbxmod.cxx:1179
Comment 1 Julien Nabet 2015-05-13 18:07:03 UTC 
On pc Debian x86-64 with master sources updated today (0ac80267730300f53e2410ffe9c0883f19f656a6), I don't have a crash when running the macro in Basic editor.
But if I close the window, I got a "crash like" behavior and this on console:
warn:legacy.osl:6224:1:vcl/source/window/window.cxx:271: Window ( 23SfxFrameViewWindow_Impl ()) with live children destroyed:  9ScrollBar () 9ScrollBar () 12ScrollBarBox () N6basctl6TabBarE () N6basctl17ModulWindowLayoutE ()
Window ( 23SfxFrameViewWindow_Impl ()) with live children destroyed:  9ScrollBar () 9ScrollBar () 12ScrollBarBox () N6basctl6TabBarE () N6basctl17ModulWindowLayoutE ()
Comment 2 Laurent Godard 2015-05-14 07:10:23 UTC 
I confirm the initial report is now solved. no more problem on basic or dialog statement

The error on exit is confirmed.
Should I open a different bug report ?
Comment 3 Julien Nabet 2015-05-14 08:20:34 UTC 
IMHO since there has been no comment from users or generated comments by gerrit, I'd be ok to "convert" this one, so no need to create a new one.
Comment 4 Julien Nabet 2015-05-14 10:11:08 UTC 
With this patch:
diff --git a/basctl/source/basicide/baside2.cxx b/basctl/source/basicide/baside2.cxx
index 2d8d794..b8ffde1 100644
--- a/basctl/source/basicide/baside2.cxx
+++ b/basctl/source/basicide/baside2.cxx
@@ -1483,8 +1483,8 @@ ModulWindowLayout::~ModulWindowLayout()
 
 void ModulWindowLayout::dispose()
 {
-    aWatchWindow.disposeAndClear();
     aStackWindow.disposeAndClear();
+    aWatchWindow.disposeAndClear();
     pChild.clear();
     Layout::dispose();
 }
diff --git a/basctl/source/basicide/basidesh.cxx b/basctl/source/basicide/basidesh.cxx
index 1c01f29..1cd01cd 100644
--- a/basctl/source/basicide/basidesh.cxx
+++ b/basctl/source/basicide/basidesh.cxx
@@ -225,6 +225,12 @@ Shell::~Shell()
     SetWindow( 0 );
     SetCurWindow( 0 );
 
+    pTabBar.disposeAndClear();
+    aObjectCatalog.disposeAndClear();
+    aScrollBarBox.disposeAndClear();
+    aVScrollBar.disposeAndClear();
+    aHScrollBar.disposeAndClear();
+
     for (WindowTable::iterator it = aWindowTable.begin(); it != aWindowTable.end(); ++it)
     {
         // no store; does already happen when the BasicManagers are destroyed

I get now:
warn:vcl.gdi:7355:1:vcl/source/outdev/outdev.cxx:228: OutputDevice::~OutputDevice(): OutputDevice::Push() calls != OutputDevice::Pop() calls
warn:legacy.osl:7355:1:vcl/source/window/window.cxx:271: Window ( 23SfxFrameViewWindow_Impl ()) with live children destroyed:  N6basctl17ModulWindowLayoutE ()
Window ( 23SfxFrameViewWindow_Impl ()) with live children destroyed:  N6basctl17ModulWindowLayoutE ()

Then I noticed in basctl/source/basicide/basides1.cxx this:
   1011             SetWindow(pLayout);
   1012             pLayout = 0;
I removed line 1012 for the test but had this:
soffice.bin: /home/julien/compile-libreoffice/libreoffice/include/vcl/outdev.hxx :283 : void OutputDevice::release() const:  l'assertion « mnRefCnt>0 » failed

I'm a bit stuck :-(
Comment 5 Michael Meeks 2015-05-14 12:49:59 UTC 
Patches look plausible =)

Ultimately, we need to try to work out who are the owners of these widgets; and ensure the owners disposeAndClear them - if we look to the situation beforehand; where there was (perhaps) some boost::shared_ptr or unique_ptr in the class header; we want to manually disposeAndClear those in the reverse order in either a ::dispose method or the destructor really.

Thanks for chasing ! =) do you want to carry on ? or should I look at it ?
Comment 6 Julien Nabet 2015-05-14 14:06:33 UTC 
(In reply to Michael Meeks from comment #5)
> Patches look plausible =)
> 
> Ultimately, we need to try to work out who are the owners of these widgets;
> and ensure the owners disposeAndClear them - if we look to the situation
> beforehand; where there was (perhaps) some boost::shared_ptr or unique_ptr
> in the class header; we want to manually disposeAndClear those in the
> reverse order in either a ::dispose method or the destructor really.
> 
> Thanks for chasing ! =) do you want to carry on ? or should I look at it ?

For the moment I must wait the end of the build since I've updated my local repo.

I can submit patches on gerrit but would prefer to submit a complete one obviously.
The problem is I don't know how to deal "pLayout". It seems there are at least 2 ways:
- remove "pLayout = 0" but got the error I indicated and don't know how to keep on (perhaps http://nabble.documentfoundation.org/tool-for-chasing-elusive-VclPtr-lt-gt-crashers-td4148531.html ?)
- replace "pLayout = 0" by "pLayout.disposeAndClear()" but it fails when opening Basic dialog (not at then closing) with even more live children destroyed than when I began.

In brief, I don't think I can make it so if you've got some time...
Comment 7 Michael Meeks 2015-05-15 16:50:21 UTC 
I can't reproduce with bd4f62dfcefa2dad749431f80a1e6c00c28751ca - I run 'Print "Hello"' - it opens a window, and I close it nicely - bother; now I see I wasted my time and this bug turned into another one half way down [ urgh that's really not ideal ]
Comment 8 Michael Meeks 2015-05-15 17:59:37 UTC 
Julien - thanks for the patch; I pushed that in your name; but there was a fair bit more badness there that I've nailed too.

Thanks for the report !
Comment 9 Commit Notification 2015-05-15 18:00:00 UTC 
Julien Nabet committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=72e6c70738a8c78f824319ec2bbf864e9997806b

tdf#91239 - add missing disposeAndClear logic for basctl.

It will be available in 5.0.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 10 Commit Notification 2015-05-15 18:00:09 UTC 
Michael Meeks committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=33414c8bf7a4eb8fa912bc0062237637a8e05be2

tdf#91239 - return VclPtr's from Create Fn.s and add missing dispose logic.

It will be available in 5.0.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.