Issue 103982

Summary: Crasher in impress when a11y is enabled
Product: Impress
Reporter: williewalker <walker.willie>
Component: ui
Assignee: eric.savary
Status: CLOSED FIXED
QA Contact: issues@graphics <issues>
Severity: Trivial
Priority: P2
CC: Armin.Le.Grand, issues, joanmarie.diggs
Version: DEV300m52
Keywords: regression
Target Milestone: OOo 3.2
Hardware: Sun
OS: All
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---
Attachments: Patch to solve this crash (Flags: none)

Description williewalker 2009-08-03 21:07:15 UTC
On an OpenSolaris 2009.06 system with accessibility enabled, using the
swa11y32_2nd_en-US_SolarisIntel.tar file Thomas Lange made for me
(300m51(Build:9408)[CWS:swa11y32_2nd]), perform the following.  Note that this
seems to be a relatively new crasher (i.e., it doesn't crash on the OOo that
comes with OpenSolaris 2009.06).

0. Enable a11y, log out, and log back in if a11y is not already enabled.

1. Launch simpress

2. In resulting Presentation Wizard dialog, press the Create button.

3. In Task Pane/Layouts, click the "Title, Text" image to create a new slide.

4. In the slide, click on the first/only bulleted item ("Click to add an
outline"), i.e. as if you wished to edit the text.

5. Press Esc.

Result: simpress crashes. Reproducible 100% of the time.

Here's "where" in the core file:

  [1] 0xf2b70957(0x0, 0x8044c58, 0x97f4f60, 0xfef710e4, 0x1000000), at 0xf2b70957 
  [2] EditTextObject::operator==(0x8, 0x9a286b0, 0x8044c98, 0xf2b6dff4,
0xfee22a00), at 0xf2b6e009 
  [3] EditTextObject::operator==(0x8, 0x9a286b0, 0x0, 0xf2bcc526), at 0xf2b6e009 
  [4] OutlinerParaObject::operator==(0x80e0934, 0x97f2bec, 0x8044cf8,
0xf285d554), at 0xf2bcc547 
  [5] 0xf285d571(0x80e0930, 0x97f2be8, 0x8b63ff0, 0xf285ca0a), at 0xf285d571 
  [6] 0xf285ca58(0xf0aac2ec, 0xf0aac43c, 0x8044d10, 0xf285d10e), at 0xf285ca58 
  [7] 0xf285d123(0xf0aac2ec, 0xf0aac43c, 0x8044d68, 0xf285d40e), at 0xf285d123 
  [8] 0xf285d423(0xf0aac2ec, 0xf0aac43c, 0xffffffff, 0xf2868050), at 0xf285d423 
  [9] 0xf28680c3(0xf0aac2b0, 0xf0aac400, 0xf35280b8, 0xf3499312), at 0xf28680c3 
  [10] drawinglayer::primitive2d::arePrimitive2DReferencesEqual(0xf0abd530,
0xf0abd710, 0x0, 0xf34993b2), at 0xf3499383 
  [11] drawinglayer::primitive2d::arePrimitive2DSequencesEqual(0x97dffc0,
0x8044e1c, 0x0, 0xf2e8c022), at 0xf349940b 
0x97dffb0, 0x8044eb8, 0xf288aa5a), at 0xf2e8c057 
  [13] SdrObject::RecalcBoundRect(0x81775a8, 0x8044ed0, 0x89a5808, 0xf288aa08),
at 0xf288aa96 
  [14] SdrObject::GetCurrentBoundRect(0x81775a8, 0x0, 0x8044f58, 0xf299e6da), at
  [15] SdrMarkList::TakeBoundRect(0x97bea20, 0x97bee48, 0x97bee64, 0xf28bb85a),
at 0xf299e762 
  [16] SdrMarkView::SetMarkRects(0x97bdff8), at 0xf28bb89c 
  [17] SdrMarkView::AdjustMarkHdl(0x97bdff8, 0x97bdff8, 0xf316ad98, 0xf28b7e4e),
at 0xf28bd922 
  [18] SdrMarkView::ModelHasChanged(0x97bdff8, 0x4, 0x0, 0xf29b6e8c), at 0xf28b7ee4 
  [19] SdrEditView::ModelHasChanged(0x97bdff8, 0x5, 0x60, 0xf2984a89), at
  [20] SdrObjEditView::ModelHasChanged(0x97bdff8, 0x60, 0x29, 0xf1ae1e68), at
  [21] 0xf1ae1e7a(0x97bdff8, 0x0, 0x0, 0xf1b3fe8a), at 0xf1ae1e7a 
  [22] 0xf1b3fea2(0x97bdff8, 0x60, 0x29, 0xf2907f2e), at 0xf1b3fea2 
  [23] SdrPaintView::FlushComeBackTimer(0x97bdff8, 0x256f, 0x29, 0xf28bbc09), at
  [24] SdrMarkView::PickHandle(0x97bdff8), at 0xf28bbc25 
  [25] 0xf1de8a30(0x8174660, 0x8045580, 0x97bb548, 0xf1de7cf6), at 0xf1de8a30 
  [26] 0xf1de818c(0x8174660, 0x8045580, 0xa1, 0xf1dfc665), at 0xf1de818c 
  [27] 0xf1dfc67a(0x8174660, 0x8045580, 0x8045328, 0xf1af74e2), at 0xf1dfc67a 
  [28] 0xf1af771e(0x97bb160, 0x8045580, 0x97bb548, 0x1), at 0xf1af771e 
  [29] 0xf1b0f9a3(0x97bb160, 0x8045580, 0x97bb548, 0xfd8eeb5c), at 0xf1b0f9a3 
  [30] 0xf1b00ff2(0x97bb548, 0x8045580, 0x80454c0, 0xfd8ef3a9), at 0xf1b00ff2 
  [31] 0xfd8f01d5(0x89e6bb8, 0x3, 0x1, 0x19d, 0x193, 0x6b127b8a, 0x0, 0x1), at
  [32] 0xfd8f3db1(0x89e6bb8, 0x8afe6f0, 0x2, 0x80457b0, 0x0, 0x0), at 0xfd8f3db1 
  [33] 0xfc63bc02(0x815f0b8, 0x944e420), at 0xfc63bc02 
  [34] _gtk_marshal_BOOLEAN__BOXED(0x8b00520, 0x8045930, 0x2, 0x8e352f0,
0x8045958, 0x0), at 0xf8969f2a 
  [35] g_closure_invoke(0x8b00520, 0x8045930, 0x2, 0x8e352f0, 0x8045958, 0x1,
0x0, 0xfc414b5d), at 0xfc3ff3d6 
  [36] signal_emit_unlocked_R(0x80bdea0, 0x0, 0x815f0b8, 0x8045aa0, 0x8e352f0,
0x14, 0x8045a60, 0x8000000), at 0xfc4158ce 
  [37] g_signal_emit_valist(0x815f0b8, 0x2a, 0x0, 0x8045b4c), at 0xfc414536 
  [38] g_signal_emit(0x815f0b8, 0x2a, 0x0, 0x944e420, 0x8045b6c, 0x81412d8,
0x8045b78, 0xf8a7a4b1), at 0xfc41493d 
  [39] gtk_widget_event_internal(0x815f0b8, 0x944e420, 0x8045b98, 0xf8a7a284),
at 0xf8a7a6d6 
  [40] gtk_widget_event(0x815f0b8, 0x944e420, 0x1, 0xf89674ea), at 0xf8a7a319 
  [41] gtk_main_do_event(0x944e420, 0x0, 0x8045c08, 0xfc59559d), at 0xf89677ba 
  [42] gdk_event_dispatch(0x808cda0, 0x0, 0x0, 0xfc482714), at 0xfc5955d2 
  [43] g_main_context_dispatch(0x808cde8, 0x0, 0x89eb890, 0x9), at 0xfc4828da 
  [44] g_main_context_iterate(0x808cde8, 0x0, 0x1, 0x8065478), at 0xfc482f7d 
  [45] g_main_context_iteration(0x0, 0x0, 0x8045d78, 0xfc60b642), at 0xfc483205 
  [46] 0xfc60b73e(0x8066b00, 0x1, 0x0, 0xfc3468b0), at 0xfc60b73e 
  [47] X11SalInstance::Yield(0x8061ee0, 0x1, 0x0, 0xfd6cb646), at 0xfc3468d9 
  [48] Application::Yield(0x0, 0xf316ad98, 0x8045e18, 0xf2bfa248), at 0xfd6cb69c 
  [49] 0xf2bfa278(0x9a2e6f8, 0x1, 0x0, 0xf2bf2878), at 0xf2bfa278 
  [50] 0xf2bf28f6(0x9a4cbf0, 0x9a2e6f8, 0xf0aa7b48, 0xf2d9849a), at 0xf2bf28f6 
  [51] 0xf2d9857d(0xf0abbaa0, 0x8045fa0, 0x0, 0xf284f2ec), at 0xf2d9857d 
  [52] 0xf2d97afa(0x8045fd0, 0xf0abbaa0, 0x8045fa0, 0x8045f7c), at 0xf2d97afa 
  [53] 0xfe965acf(0x1, 0x0, 0x0, 0xfe965d6c, 0x8046088), at 0xfe965acf 
  [54] 0xfe965d81(0xfef90018, 0x8046020, 0x0, 0x81011b8, 0xfe9cab58,
0xfe4a0100), at 0xfe965d81 
  [55] 0xfe965e5e(0x8047980, 0x300, 0x80460d8, 0xfd6d22f8), at 0xfe965e5e 
  [56] 0xfd6d2322(0xfeb85068, 0x8046130, 0x1, 0x0, 0xfeeda7ef, 0xfec626e8), at
  [57] vos::signalHandlerFunction_impl(0xfeb85068, 0x8046130, 0x0, 0xfec24262),
at 0xfe499f3b 
  [58] 0xfec24285(0x8046130, 0xfef74b80, 0x0, 0xfec24381), at 0xfec24285 
  [59] 0xfec2440b(0xb, 0x0, 0x8046230), at 0xfec2440b 
  [60] __sighndlr(0xb, 0x0, 0x8046230, 0xfec24374), at 0xfeeed0cf 
  [61] call_user_handler(0xb), at 0xfeee01bf 
  [62] sigacthandler(0xb, 0x0, 0x8046230, 0xf, 0x0, 0x0), at 0xfeee03ef 
  [63] 0xf2b70957(0x8, 0x9a286b0, 0x8046498, 0xf2b6dff4, 0xfee22a00), at 0xf2b70957 
  [64] EditTextObject::operator==(0x8, 0x9a286b0, 0x0, 0xf2bcc526), at 0xf2b6e009 
  [65] OutlinerParaObject::operator==(0x80e0934, 0x97f2e1c, 0x80464f8,
0xf285d554), at 0xf2bcc547 
  [66] 0xf285d571(0x80e0930, 0x97f2e18, 0x8b63ff0, 0xf285ca0a), at 0xf285d571 
  [67] 0xf285ca58(0xf0aac2ec, 0xf0a7acf8, 0x8046510, 0xf285d10e), at 0xf285ca58 
  [68] 0xf285d123(0xf0aac2ec, 0xf0a7acf8, 0x8046568, 0xf285d40e), at 0xf285d123 
  [69] 0xf285d423(0xf0aac2ec, 0xf0a7acf8, 0xffffffff, 0xf2868050), at 0xf285d423 
  [70] 0xf28680c3(0xf0aac2b0, 0xf0a7acbc, 0xf35280b8, 0xf3499312), at 0xf28680c3 
  [71] drawinglayer::primitive2d::arePrimitive2DReferencesEqual(0xf0abd530,
0xf0abd680, 0x0, 0xf34993b2), at 0xf3499383 
  [72] drawinglayer::primitive2d::arePrimitive2DSequencesEqual(0x97dffc0,
0x804661c, 0x80000000, 0xf2e8c022), at 0xf349940b 
0x97dffb0, 0x8046678, 0xf288aa5a), at 0xf2e8c057 
  [74] SdrObject::RecalcBoundRect(0x81775a8, 0x1, 0x996cae0, 0xf288aa08), at
  [75] SdrObject::GetCurrentBoundRect(0x81775a8, 0x81befc8, 0x8c3db9e,
0xf288e1e1), at 0xf288aa35 
  [76] SdrObject::SetOutlinerParaObject(0x81775a8, 0x81befc8, 0x1, 0xf2936a1a),
at 0xf288e260 
  [77] SdrTextObj::EndTextEdit(0x81775a8), at 0xf2936a97 
  [78] SdrObjEditView::SdrEndTextEdit(0x97bdff8, 0x0, 0xf3086320, 0xf1ae228a),
at 0xf2986e2b 
  [79] 0xf1ae2342(0x97bdff8, 0x0, 0x80468e8, 0xf1dffdd6), at 0xf1ae2342 
  [80] 0xf1dffe0f(0x8174660, 0x8046920, 0x97bb548, 0xf1dfe936), at 0xf1dffe0f 
  [81] 0xf1dfebf0(0x8174660, 0x8046ac0, 0xfeffb130, 0xf1af6f0a), at 0xf1dfebf0 
  [82] 0xf1af7057(0x97bb160, 0x8046ac0, 0x97bb548, 0xf1b0f272), at 0xf1af7057 
  [83] 0xf1b0f4ec(0x97bb160, 0x8046ac0, 0x97bb548, 0xf1b00f30), at 0xf1b0f4ec 
  [84] 0xf1b00f53(0x97bb548, 0x8046ac0, 0x8046b48, 0xfd8f0ced), at 0xf1b00f53 
  [85] 0xfd8f1089(0x89e6bb8, 0x4, 0x501, 0x0, 0x0, 0x1, 0xfd49d6e4, 0xfd8f38d5),
at 0xfd8f1089 
  [86] 0xfd8f3c14(0x89e6bb8, 0x8afe6f0, 0x5, 0x8046da0, 0x0, 0x0), at 0xfd8f3c14 
  [87] 0xfc62fe4c(0x8afe6f0, 0x0, 0xff1b, 0x9, 0x0, 0x6b1277ca, 0x0, 0x1, 0x0,
0x0), at 0xfc62fe4c 
  [88] 0xfc63d25b(0x815f0b8, 0x944e018), at 0xfc63d25b 
  [89] _gtk_marshal_BOOLEAN__BOXED(0x8b00480, 0x8047100, 0x2, 0x8e352a0,
0x8047128, 0x0), at 0xf8969f2a 
  [90] g_closure_invoke(0x8b00480, 0x8047100, 0x2, 0x8e352a0, 0x8047128, 0x1,
0x0, 0xfc414b5d), at 0xfc3ff3d6 
  [91] signal_emit_unlocked_R(0x80bd750, 0x0, 0x815f0b8, 0x8047270, 0x8e352a0,
0x14, 0x8047230, 0x8000000), at 0xfc4158ce 
  [92] g_signal_emit_valist(0x815f0b8, 0x27, 0x0, 0x804731c), at 0xfc414536 
  [93] g_signal_emit(0x815f0b8, 0x27, 0x0, 0x944e018, 0x804733c, 0x81412d8,
0x8047348, 0xf8a7a4b1), at 0xfc41493d 
  [94] gtk_widget_event_internal(0x815f0b8, 0x944e018, 0x8047368, 0xf8a7a284),
at 0xf8a7a6d6 
  [95] gtk_widget_event(0x815f0b8, 0x944e018, 0x80473a8, 0xf8968a5d), at 0xf8a7a319 
  [96] gtk_propagate_event(0x815f0b8, 0x944e018, 0x0, 0xf89674ea), at 0xf8968a8b 
  [97] gtk_main_do_event(0x944e018, 0x0, 0x8047418, 0xfc59559d), at 0xf896784e 
  [98] gdk_event_dispatch(0x808cda0, 0x0, 0x0, 0xfc482714), at 0xfc5955d2 
  [99] g_main_context_dispatch(0x808cde8, 0x0, 0x89eb890, 0x9), at 0xfc4828da 
  [100] g_main_context_iterate(0x808cde8, 0x1, 0x1, 0x8065478), at 0xfc482f7d
Comment 1 eric.savary 2009-08-03 22:37:20 UTC
@williewalker: I'll only have access to Solaris tomorrow.
Can you check this please in the master too so that we know if this is due to
the CWS or a recent change?

It's not the master anymore (52 vs. 53) but if the master is broken, I think the
53 would crash too.

Thank you!
Comment 2 joaniediggs 2009-08-03 23:13:36 UTC
@es I'm not williewalker, but I just tried to reproduce the crash in 53. It is
reproducible there. (OpenSolaris 2010.02 or whatever it is going to be called.
I'm using build 118.)
Comment 3 eric.savary 2009-08-03 23:22:45 UTC
@joaniediggs: Thank you! :) It means that the CWS is ok but it also gives more
priority than if it was only in the CWS. I'll have a look at it tomorrow.
Comment 4 Armin Le Grand 2009-08-04 10:53:29 UTC
AW: Maybe double to #i101239# which is fixed in CWS aw073 and will be integrated
in DEV300 m54, so check in m54, please.
Comment 5 eric.savary 2009-08-04 11:01:19 UTC
@AW: Unfortunately not :(
Reproduced on 52, 53, 54.

@AF: you have a CWS for 3.2 anyway. Please take over.
Comment 6 groucho266 2009-08-04 11:13:48 UTC
Some observations:
- I can reproduce the crash on Windows as well.
- You don't need the wizard. Just create a new, empty Impress document and
proceed as described above.
- Accessibility support has to be active, but no AT tool is required (on
Windows, at least).  So it is actually quite simple to reproduce.

A better stack is this:
 	svxmi.dll!OutlinerParaObject::OutlinerParaObject()  + 0xc bytes	C++
 	svxmi.dll!drawinglayer::primitive2d::createNewSdrTextAttribute()  + 0x7b bytes	C++
 + 0x26 bytes	C++
 + 0x4f bytes	C++
+ 0x1d bytes	C++
 	svxmi.dll!SdrObject::RecalcBoundRect()  + 0x48 bytes	C++
 	svxmi.dll!SdrObject::GetCurrentBoundRect()  + 0x1a bytes	C++
 	svxmi.dll!SdrObject::SetOutlinerParaObject()  + 0x55 bytes	C++
 	svxmi.dll!SdrTextObj::EndTextEdit()  + 0x51 bytes	C++
 	svxmi.dll!SdrObjEditView::SdrEndTextEdit()  + 0x262 bytes	C++
>	sdmi.dll!sd::View::SdrEndTextEdit(unsigned char bDontDeleteReally=0)  Line 819
+ 0xe bytes	C++
 	sdmi.dll!sd::FuText::MouseButtonDown()  + 0x151 bytes	C++
 	sdmi.dll!sd::ViewShell::MouseButtonDown(const MouseEvent & rMEvt={...},
sd::Window * pWin=0x19132040)  Line 568 + 0x79 bytes	C++
 	sdmi.dll!sd::DrawViewShell::MouseButtonDown(const MouseEvent & rMEvt={...},
sd::Window * pWin=0x19132040)  Line 308	C++
 	sdmi.dll!sd::Window::MouseButtonDown(const MouseEvent & rMEvt={...})  Line 350	C++
 	vclmi.dll!ImplHandleMouseEvent()  + 0xc15 bytes	C++
 	vclmi.dll!ImplHandleSalMouseButtonDown()  + 0x3a bytes	C++
 	vclmi.dll!ImplWindowFrameProc()  + 0x9a bytes	C++
 	vclmi.dll!SalFrame::CallCallback()  + 0x16 bytes	C++
 	vclmi.dll!WinSalFrame::EndSetClipRegion()  + 0x3db bytes	C++
 	vclmi.dll!SalFrameWndProc()  + 0x738 bytes	C++
 	vclmi.dll!SalFrameWndProcW()  + 0x30 bytes	C++
 	user32.dll!GetDC()  + 0x6d bytes	
 	[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]	
 	user32.dll!GetDC()  + 0x14f bytes	
 	user32.dll!GetWindowLongW()  + 0x127 bytes	
 	user32.dll!DispatchMessageW()  + 0xf bytes	
 	vclmi.dll!ImplDispatchMessage()  + 0x15 bytes	C++
 	vclmi.dll!WinSalInstance::AcquireYieldMutex()  + 0x36 bytes	C++
 	vclmi.dll!ImplSalYield()  + 0x85 bytes	C++
 	vclmi.dll!WinSalInstance::Yield()  + 0x9f bytes	C++
 	vclmi.dll!Application::Yield()  + 0x3d bytes	C++
 	vclmi.dll!Application::Execute()  + 0x24 bytes	C++
 	sofficeapp.dll!GetVersionInfo()  + 0xd8b0 bytes	
 	vclmi.dll!ImplSVMain()  + 0x64 bytes	C++
 	vclmi.dll!SVMain()  + 0x1c bytes	C++
 	sofficeapp.dll!GetVersionInfo()  + 0x3427a bytes	
 	kernel32.dll!RegisterWaitForInputIdle()  + 0x49 bytes	
Comment 7 groucho266 2009-08-04 11:17:26 UTC
@AW: The stack shows primitives and the OutlinerParaObject at the top of the
stack.  Please have a closer look.
Comment 8 Armin Le Grand 2009-08-04 12:31:01 UTC
AW: Thanks for the stack and the observations, taking a look...
Comment 9 Armin Le Grand 2009-08-04 14:22:51 UTC
AW: 1st trace: sd's FuText::cancel() leads at least to two calls of
SdrObject::SetOutlinerParaObject(). Basic problem is that maOutlinerParaObject
in SdrTextPrimitive2D::SdrTextPrimitive2D is a reference to an already deleted
OPO. Following the processing...
Comment 10 Armin Le Grand 2009-08-04 15:32:00 UTC
AW: Found. Problem is SvxTextEditSourceImpl::GetBackgroundTextForwarder() which
calls pTextObj->GetEditOutlinerParaObject(). This creates an OPO which the caller
OWNS and has to take care of. When then
mpObject->NbcSetOutlinerParaObjectForText is called, the ownership is handed
over to mpObject. Nonetheless, at the end of the method, if( bTextEditActive )
delete pOutlinerParaObject is called. This deletes an OPO for which no ownership
exists when mpObject->NbcSetOutlinerParaObjectForText was called.

Thinking about a solution. The more general problem is OPO ownership per se;
this has changed by making OPO ref-counted and copy-on-write, but there have
also been memory-leak fixes for GetEditOutlinerParaObject() (like here) which
went wrong. I will have to take a look at all GetEditOutlinerParaObject() usages...
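The ownership defect described in Comment 10, as an added illustration that is not OOo code: a stand-in TextObj models SdrTextObj, getEditOpo() models GetEditOutlinerParaObject() (caller owns the result) and setOpo() models NbcSetOutlinerParaObjectForText() (takes ownership); allocations are tracked as integer handles in a constructed heap so the double free is counted instead of being undefined behaviour, and both the hand-over and the trailing delete are tied to bTextEditActive as a simplification.

```cpp
#include <set>

using Handle = int;

// Constructed allocation tracker: free() on a dead handle is recorded, not UB.
struct TrackingHeap {
    std::set<Handle> live;      // handles currently allocated
    Handle next = 1;
    int double_frees = 0;       // free() calls that hit an already-freed handle
    Handle alloc() { live.insert(next); return next++; }
    void free(Handle h) { if (live.erase(h) == 0) ++double_frees; }
};

// Stand-in for SdrTextObj: owns exactly one OutlinerParaObject (OPO) handle.
struct TextObj {
    Handle opo = 0;
    // Like GetEditOutlinerParaObject(): a fresh copy that the CALLER owns.
    Handle getEditOpo(TrackingHeap& heap) const { return heap.alloc(); }
    // Like NbcSetOutlinerParaObjectForText(): takes OWNERSHIP of h.
    void setOpo(TrackingHeap& heap, Handle h) { if (opo) heap.free(opo); opo = h; }
    void destroy(TrackingHeap& heap) { if (opo) heap.free(opo); opo = 0; }
};

// Defective pattern: ownership is handed to the object, yet the cleanup at the
// end of the method deletes the OPO anyway, leaving the object with a dead pointer.
void syncBuggy(TrackingHeap& heap, TextObj& obj, bool bTextEditActive) {
    Handle p = obj.getEditOpo(heap);            // caller owns p here
    if (bTextEditActive) obj.setOpo(heap, p);   // ownership moved to obj
    if (bTextEditActive) heap.free(p);          // BUG: frees what obj now owns
}

// Fixed pattern: release only what this function still owns.
void syncFixed(TrackingHeap& heap, TextObj& obj, bool bTextEditActive) {
    Handle p = obj.getEditOpo(heap);
    if (bTextEditActive) { obj.setOpo(heap, p); p = 0; }   // ownership transferred
    if (p) heap.free(p);                                     // still ours: clean up
}

// Drives one variant through the crash path (edit active, object torn down
// afterwards, as at EndTextEdit) and returns how many double frees occurred.
int doubleFreesAfter(void (*sync)(TrackingHeap&, TextObj&, bool)) {
    TrackingHeap heap;
    TextObj obj;
    obj.opo = heap.alloc();
    sync(heap, obj, true);
    obj.destroy(heap);      // frees the OPO the object believes it owns
    return heap.double_frees;
}
```

With the buggy variant the object's later teardown frees the handle a second time; the fixed variant never does.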
Comment 11 Armin Le Grand 2009-08-04 15:36:28 UTC
AW: Usages are in svx, sd and sw, inspecting...
Comment 12 Armin Le Grand 2009-08-04 15:52:14 UTC
AW: SvxTextEditSourceImpl::GetBackgroundTextForwarder() is the only user who may
lose ownership in-between; thus it is possible to just make that one usage safe.
Checking for a more common solution which avoids this danger...
Comment 13 Armin Le Grand 2009-08-04 16:08:03 UTC
AW: More common solution too dangerous (too much code), adding solution just for
the single problem part. Also adding as patch (iff needed by someone). Adding to
CWS aw075, too...
Comment 14 Armin Le Grand 2009-08-04 16:09:16 UTC
Created attachment 63951 [details]
Patch to solve this crash
Comment 15 Armin Le Grand 2009-08-04 16:12:14 UTC
AW: Added patch, committed change, done.
Comment 16 Armin Le Grand 2009-08-04 16:33:26 UTC
AW: Added fup task #i104003# for cleaning this up.
Comment 17 Armin Le Grand 2009-08-06 13:51:27 UTC
AW->WG: Please review as described. The Java accessibility bridge has to be
installed on WIN32 to enable Accessibility at all, but no acc. tools.
Comment 18 wolframgarten 2009-08-10 08:15:02 UTC
Reassigned for testing.
Comment 19 eric.savary 2009-08-10 14:31:19 UTC
Verified in CWS aw075
Comment 20 joaniediggs 2009-11-15 00:41:08 UTC
I see that this was verified as fixed a few months ago. I'm still seeing it in
the latest available dev build for OpenSolaris (OOO320m4 Build:9450). Has the
fix not yet been integrated?
Comment 21 joaniediggs 2009-12-05 20:37:43 UTC
joaniediggs->es I'm still seeing this in OOO320m7 (Build:9461) for OpenSolaris.
Should I be? (i.e. is the fix which you verified not yet integrated in the
externally-available builds?)