91721 – CRASH - calling context menu to edit properties of listbox control in database form

Bug 91721 - CRASH - calling context menu to edit properties of listbox control in database form

Summary: CRASH - calling context menu to edit properties of listbox control in databas...

Status:	RESOLVED FIXED

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	Base (show other bugs)
Version: (earliest affected)	5.0.0.0.beta1
Hardware:	x86-64 (AMD64) macOS (All)

Importance:	highest critical
Assignee:	László Németh

URL:
Whiteboard:	target:5.1.0 target:5.0.0.0.beta4
Keywords:	regression

Depends on:
Blocks:	VclPtr
	Show dependency tree / graph

Reported:	2015-05-29 14:03 UTC by Alex Thurgood
Modified:	2016-10-25 19:24 UTC (History)
CC List:	6 users (show)

See Also:
Crash report or crash signature:

Attachments
Full bt (29.49 KB, text/plain) 2015-05-29 14:22 UTC, Alex Thurgood	Details
bt with debug symbols (9.10 KB, text/plain) 2015-05-29 21:18 UTC, Julien Nabet	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Thurgood 2015-05-29 14:03:43 UTC

Wile testing bug 91628 on master build OSX, I get a systematic crash when I change a default textbox controlto a listbox control, and then try to access the new control's properties via the context menu.

1) Create sample ODB file containing a table with ID, and two VARCHAR fields, populate with some sampe data.

2) Create a form via the form creation wizard. Accept the defaults.

3) Save the database.

4) Open the newly created form in Form design mode, select one of the textbox controls which are bound to VARCHAR and swap it for a listbox (right mouse button, "enter group", right mouse button on textbox control, "replace with" listbox).

5) Still keeping the selected control, right mouse button click to activate the multiple selection property of the control.

6)Close the properties window

7) Save form.

8) Attempt to redisplay the fields properties via right mouse button click ==>> CRASH

reproducible 100%
regression over LO 4432

Comment 1 Alex Thurgood 2015-05-29 14:22:10 UTC

Created attachment 116135 [details]
Full bt

Comment 2 Alex Thurgood 2015-05-29 14:23:34 UTC

VCLPtr shenanigans ?

Comment 3 Lionel Elie Mamane 2015-05-29 14:50:00 UTC

Backtrace without symbols is not usable, so remove keyword.

Comment 4 Alex Thurgood 2015-05-29 16:32:11 UTC

(In reply to Lionel Elie Mamane from comment #3)
> Backtrace without symbols is not usable, so remove keyword.

Sorry about that, I'd forgotten that I haven't got a debug build - on OSX --enable-dbgutil has been failing since bug 90502

Comment 5 Julien Nabet 2015-05-29 21:18:00 UTC

Created attachment 116156 [details]
bt with debug symbols

On pc Debian x86-64 with master sources updated today, I don't reproduce this exactly.
I mean, I don't have a crash after saving the form and opening again the properties.
I got a crash after having enabled multiselection on field, saved, at the very moment when I close the form.
So perhaps my bt is completely unrelated.

Comment 6 Michael Meeks 2015-06-10 12:48:35 UTC

Laszlo - can you take a look at this one ? it looks rather like the bindings bits you nailed before; but will take some investigation. I guess one thing to do would be to try to write a unit test to reproduce similar looking scenarios in eg. sfx2/qa/cppunit/test_controlleritem.cxx - which I created the other day. That test shows a double-dispose is just fine; but (somehow) I guess the ID is changing causing this crash.

The lame fix is to bail out of ::Release() when nId >= pCaches.size() - but I'd like to understand and have a unit test that shows how and why that happens these days =) but possibly the fix is as simple as that (?) ;-)

I guess we are doing:

#4  0x00002aaaae92f63a in SfxBindings::Release(SfxControllerItem&) (this=0x2e24b00, rItem=...)
    at /home/julien/compile-libreoffice/libreoffice/sfx2/source/control/bindings.cxx:1033

... from the same 'this' or object ...

#15 0x00002aaaae92caee in SfxBindings::~SfxBindings() (this=0x2e24b00, __in_chrg=<optimized out>)
    at /home/julien/compile-libreoffice/libreoffice/sfx2/source/control/bindings.cxx:291
#16 0x00002aaaae92cb90 in SfxBindings::~SfxBindings() (this=0x2e24b00, __in_chrg=<optimized out>)
    at /home/julien/compile-libreoffice/libreoffice/sfx2/source/control/bindings.cxx:295

which perhaps causes the grief. Either way writing a custom SfxControllerItem to provoke that and unit testing it would be great; thanks !

Comment 7 Commit Notification 2015-06-15 09:01:39 UTC

László Németh committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=d505f1600d9aeb095405b9f62eaf444d5d399860

tdf#91721: fix crash during listbox control editing in database form

It will be available in 5.1.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Comment 8 Commit Notification 2015-06-15 13:29:37 UTC

László Németh committed a patch related to this issue.
It has been pushed to "libreoffice-5-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=dc5fb55f8211645ad5d6358625938e4bc015cb68&h=libreoffice-5-0

tdf#91721: fix crash during listbox control editing in database form

It will be available in 5.0.0.0.beta4.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.