Apache OpenOffice (AOO) Bugzilla – Issue 116803
Crash when closing stylist with closer
Last modified: 2013-03-01 20:23:21 UTC
Open a new draw or impress, call the stylist using F11. Right click on default, select modify. Close the dialog with cancel. Close the stylist by clicking on the closer "X". Office crashes. Only reproducible unde rlinux, works in Writer.
*** Issue 117077 has been marked as a duplicate of this issue. ***
Works in 3.2.1. Adding keyword regression.
this is an annoying bug. The crash is actually in sfx module. But as soon as I build sfx with debug information, the crash is gone. I'm trying non pro build now to maybe get more information. Also I suspect it may be caused by the broken sd string resource for the navigator which I fixed in cws sd2gbuild. Will check that if non pro does not give me more information
linux non pro with just sfx lib linked with debug gives me SfxDispatcher::PostMsgHandler as the point of crash
the string resource problem in sd was not the cause. Now back to good old printf debuging...
OSL_TRACE showed me that we do not actually enter SfxDispatcher::PostMsgHandler valgrind gives me this ==22573== Invalid read of size 4 ==22573== at 0x4A2D75A: SfxDispatcher::PostMsgHandler(SfxRequest*) (in /cws/bugfixes/DEV300/oracle/openoffice.org/basis3.4/program/libsfxli.so) ==22573== Address 0x185f7c4 is not stack'd, malloc'd or (recently) free'd ==22573==
my fprintf debugging shows me that the crash is at the end of SfxDispatcher::PostMsgHandler in the line delete pReq; I confirmed that pReq is a valid pointer to a constructed SfxRequest that has not yet been deleted. Valgrind shows me that the invalid read is at an address that looks unrelated to the SfxRequest, f.e. if pReq == 0xa6021c0, the Invalid read is at address 0x1d949d4. This crash also happens after I replace FuTemplate::DoExecute with a simple return statement. Will continue to reduce code in sd module to see if I can pinpoint the source of the problem. Another option could be to compile dispatch.cxx without optimization but that may hide a real memory corruption.
to summarize. Opening the stylist in impress, then select one style (can be presentation or graphic style) and select one of the options in the context menu, select cancel on the next dialog and then close the stylist, the office crashes. Now this crash also happens if the slot called from the context menu does nothing in sd, f.e. just a return in DrawViewShell::FuTemporary. So I'm currently out of ideas how this crash can be caused by the sd module, will try if the noopt compiling of dispatch.cxx changes anything.
Created attachment 76343 [details] compiles sfx2/source/control/dispatch.cxx without compiler optimization on linux compiling sfx2/source/control/dispatch.cxx without optimization fixes this issue. Since there are no crashes on other plattforms, including 64 bit unxlngi I suspect it is safe to assume that this actually is a compiler problem.
cl->mba: as discussed, I propose the attached patch. Please delegate as you see fit.
thanks for the investigation; I applied the patch