Can reproduce with OOo 2.0.3rc7 WinXP SP2.

P2 -> Crash.

Hwoarang

SBA-> CD: As discussed, find HDUs stack_i66664.txt attached.
Crash report id is 1840699 / r9vvwf.

Created attachment 37388 [details]
Stack data

cd: Accepted. Added stack provided by HDU. Looks similiar to the stack trace 
issue 125817.

WARNING: Stack unwind information not available. Following frames may be 
wrong.
NTDLL+0x4d989
0x1070000
NTDLL+0x4b80c
msvcr71!free+0xc3
sfx680mi!SfxStatusDispatcher::~SfxStatusDispatcher(void)+0x1d
sfx680mi!SfxOfficeDispatch::~SfxOfficeDispatch(void)+0x85 [o:
\ooc680\src\sfx2\source\control\unoctitm.cxx @ 424]
sfx680mi!SfxOfficeDispatch::`scalar deleting destructor'(void)+0xf
cppuhelper3MSC!cppu::OWeakObject::release(void)+0x5f [o:
\ooc680\src\cppuhelper\source\weak.cxx @ 218]
sfx680mi!SfxStatusDispatcher::release(void)+0xf [o:
\ooc680\src\sfx2\source\control\unoctitm.cxx @ 334]
sfx680mi!SfxOfficeDispatch::release(void)+0xb [o:
\ooc680\src\sfx2\source\control\unoctitm.cxx @ 362]
sfx680mi!SfxStateCache::~SfxStateCache(void)+0x8c [o:
\src680\src\sfx2\source\control\statcach.cxx @ 265]
sfx680mi!SfxBindings::DeleteControllers_Impl(void)+0x1b9 [o:
\ooc680\src\sfx2\source\control\bindings.cxx @ 420]
sfx680mi!SfxBindings::~SfxBindings(void)+0x4a [o:
\ooc680\src\sfx2\source\control\bindings.cxx @ 345]
sfx680mi!SfxBindings::`vector deleting destructor'(void)+0x49
sfx680mi!SfxFrame::DoClose_Impl(void)+0x48 [o:
\ooc680\src\sfx2\source\view\frame.cxx @ 245]
sfx680mi!SfxBaseController::dispose(void)+0x2f5 [o:
\ooc680\src\sfx2\source\view\sfxbasecontroller.cxx @ 1261]
fwk680mi!framework::Frame::setComponent(class com::sun::star::uno::
Reference<com::sun::star::awt::XWindow> * xComponentWindow = 0x00eaf358, 
class com::sun::star::uno::Reference<com::sun::star::frame::XController> * 
xController = 0x00eaf374)+0x128 [o:\src680\src\framework\source\services\frame.
cxx @ 1510]
sfx680mi!SfxViewFrame::SwitchToViewShell_Impl(unsigned short nViewId = 
0xc6c8, unsigned char bIsIndex = 0x01 '')+0x269 [o:
\ooc680\src\sfx2\source\view\viewfrm.cxx @ 2522]
sfx680mi!SfxTopViewFrame::SfxTopViewFrame(class SfxFrame * pFrame = 
0x00000014, class SfxObjectShell * pObjShell = 0x0b8db9c8, unsigned short 
nViewId = 0)+0x18c [o:\ooc680\src\sfx2\source\view\topfrm.cxx @ 1270]
sfx680mi!SfxTopFrame::InsertDocument(class SfxObjectShell * pDoc = 
0x0b8db9c8)+0x2e9 [o:\ooc680\src\sfx2\source\view\topfrm.cxx @ 930]
sfx680mi!SfxFrameLoader_Impl::load(class com::sun::star::uno::Sequence<com::
sun::star::beans::PropertyValue> * rArgs = 0x00eaf64c, class com::sun::star::uno
::Reference<com::sun::star::frame::XFrame> * rFrame = 0x00eaf658)+0x147d [o:
\ooc680\src\sfx2\source\view\frmload.cxx @ 570]
fwk680mi!framework::LoadEnv::impl_loadContent(void)+0x514 [o:
\src680\src\framework\source\loadenv\loadenv.cxx @ 1328]
fwk680mi!framework::LoadEnv::startLoading(void)+0x73 [o:
\src680\src\framework\source\loadenv\loadenv.cxx @ 553]
fwk680mi!framework::LoadEnv::loadComponentFromURL(class com::sun::star::
uno::Reference<com::sun::star::frame::XComponentLoader> * xLoader = 
0x00eaf7e4, class com::sun::star::uno::Reference<com::sun::star::lang::
XMultiServiceFactory> * xSMGR = 0x00eaf7fc, class rtl::OUString * sURL = 
0x00eaf918, class rtl::OUString * sTarget = 0x00eaf85c, long nFlags = 0, class 
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> * lArgs = 
0x00eaf864)+0x82 [o:\src680\src\framework\source\loadenv\loadenv.cxx @ 360]
fwk680mi!framework::Frame::loadComponentFromURL(class rtl::OUString * sURL 
= 0x00eaf918, class rtl::OUString * sTargetFrameName = 0x00eaf85c, long 
nSearchFlags = 0, class com::sun::star::uno::Sequence<com::sun::star::beans::
PropertyValue> * lArguments = 0x00eaf864)+0x7b [o:
\src680\src\framework\source\services\frame.cxx @ 487]
sfx680mi!SfxHelpWindow_Impl::loadHelpContent(class rtl::OUString * sHelpURL = 
0x00eaf918, unsigned char bAddToHistory = 0x01 '')+0x149 [o:
\ooc680\src\sfx2\source\appl\newhelp.cxx @ 1655]
sfx680mi!SfxHelpWindow_Impl::OpenHdl(class SfxHelpIndexWindow_Impl * 
__formal = 0x076aa768)+0x2f6 [o:\ooc680\src\sfx2\source\appl\newhelp.cxx @ 
3197]
sfx680mi!SfxHelpWindow_Impl::LinkStubOpenHdl(void * pThis = 0x0768a528, void * 
pCaller = 0x076aa768)+0xe [o:\ooc680\src\sfx2\source\appl\newhelp.cxx @ 3157]
tl680mi!Link::Call(void * pCaller = 0x076aa768)+0x11 [o:\src680\src\tools\inc\link.
hxx @ 154]
vcl680mi!Control::ImplCallEventListenersAndHandler(unsigned long nEvent = 
0x455, class Link * rHandler = 0x076aa894, void * pCaller = 0x076aa768)+0x41 [o:
\ooc680\src\vcl\source\control\ctrl.cxx @ 384]
vcl680mi!ListBox::DoubleClick(void)+0x12 [o:\ooc680\src\vcl\source\control\lstbox.
cxx @ 981]
vcl680mi!ListBox::ImplDoubleClickHdl(void * p = 0x076aa768)+0x8 [o:
\ooc680\src\vcl\source\control\lstbox.cxx @ 306]
vcl680mi!ListBox::LinkStubImplDoubleClickHdl(void * pThis = 0x076aa768, void * 
pCaller = 0x076ad7cc)+0xe [o:\ooc680\src\vcl\source\control\lstbox.cxx @ 303]
tl680mi!Link::Call(void * pCaller = 0x076ad7cc)+0x11 [o:\src680\src\tools\inc\link.
hxx @ 154]
vcl680mi!ImplListBoxWindow::MouseButtonDown(class MouseEvent * rMEvt = 
0x00eaf9e0)+0xf9 [o:\ooc680\src\vcl\source\control\ilstbox.cxx @ 854]
vcl680mi!ImplHandleMouseEvent(class Window * pWindow = 0x0529f678, unsigned 
short nSVEvent = 1, unsigned char bMouseLeave = 0x00 '', long nX = 16777412, 
long nY = 0, unsigned long nMsgTime = 0x45dab4, unsigned short nCode = 1, 
unsigned short nMode = 3)+0xae5 [o:\ooc680\src\vcl\source\window\winproc.cxx 
@ 873]
vcl680mi!ImplHandleSalMouseButtonDown(class Window * pWindow = 
0x0529f678, struct SalMouseEvent * pEvent = 0x00eafb60)+0x32 [o:
\ooc680\src\vcl\source\window\winproc.cxx @ 2109]
vcl680mi!ImplWindowFrameProc(void * pInst = 0x0529f678, class SalFrame * 
pFrame = 0x0767d410, unsigned short nEvent = 3, void * pEvent = 0x00eafb60)
+0xbb [o:\ooc680\src\vcl\source\window\winproc.cxx @ 2358]
vcl680mi!SalFrame::CallCallback(unsigned short nEvent = 3, void * pEvent = 
0x00eafb60)+0x16 [o:\ooc680\src\vcl\inc\salframe.hxx @ 302]
vcl680mi!ImplHandleMouseMsg(struct HWND__ * hWnd = 0x0016014e, unsigned 
int nMsg = 0x201, unsigned int wParam = 1, long lParam = 194828760)+0x2de [o:
\ooc680\src\vcl\win\source\window\salframe.cxx @ 3312]
vcl680mi!SalFrameWndProc(struct HWND__ * hWnd = 0x0016014e, unsigned int 
nMsg = 0x201, unsigned int wParam = 1, long lParam = 12845103, int * rDef = 
0x00eafbfc)+0x745 [o:\ooc680\src\vcl\win\source\window\salframe.cxx @ 5609]
vcl680mi!SalFrameWndProcW(struct HWND__ * hWnd = 0x0016014e, unsigned 
int nMsg = 0x201, unsigned int wParam = 1, long lParam = 12845103)+0x30 [o:
\ooc680\src\vcl\win\source\window\salframe.cxx @ 6000]
USER32+0x3158f
USER32+0x31dc9
USER32+0x31e7e
vcl680mi!ImplSalDispatchMessage(struct tagMSG * pMsg = 0x00eafcfc)+0x26 [o:
\ooc680\src\vcl\win\source\app\salinst.cxx @ 713]
vcl680mi!ImplSalYield(unsigned char bWait = 0x01 '')+0x46 [o:
\ooc680\src\vcl\win\source\app\salinst.cxx @ 740]
vcl680mi!WinSalInstance::Yield(unsigned char bWait = 0x01 '')+0x9e [o:
\ooc680\src\vcl\win\source\app\salinst.cxx @ 789]
vcl680mi!Application::Yield(void)+0x37 [o:\ooc680\src\vcl\source\app\svapp.cxx @ 
546]
vcl680mi!Application::Execute(void)+0x1d [o:\ooc680\src\vcl\source\app\svapp.cxx 
@ 506]
soffice+0xa9f1
vcl680mi!ImplSVMain(void)+0x3f [o:\ooc680\src\vcl\source\app\svmain.cxx @ 243]
vcl680mi!SVMain(void)+0x1c [o:\ooc680\src\vcl\source\app\svmain.cxx @ 274]
soffice+0x1024
soffice+0x1066
KERNEL32+0x28989 

pb --> abi: if  I used a non-pro version I got another stack:
>	ucpchelp1.dll!xmlsearch::qe::QueryHitData::getDocument()  Line 166 + 0x16	C++
 	ucpchelp1.dll!chelp::ResultSetForQuery::ResultSetForQuery(const
com::sun::star::uno::Reference<com::sun::star::lang::XMultiServiceFactory> &
xMSF={...}, const
com::sun::star::uno::Reference<com::sun::star::ucb::XContentProvider> &
xProvider={...}, long nOpenMode=0, const
com::sun::star::uno::Sequence<com::sun::star::beans::Property> & seq={...},
const com::sun::star::uno::Sequence<com::sun::star::ucb::NumberedSortingInfo> &
seqSort={...}, chelp::URLParameter & aURLParameter={...}, chelp::Databases *
pDatabases=0x1227b398)  Line 177 + 0x12	C++
 	ucpchelp1.dll!ResultSetForQueryFactory::createResultSet()  Line 352 + 0x56	C++
 	ucpchelp1.dll!chelp::DynamicResultSet::initStatic()  Line 91 + 0x13	C++
 	ucbhelper3MSC.dll!01440ec2() 	
 	ucbhelper3MSC.dll!01441017() 	
 	sfx680mi.dll!SfxContentHelper::GetResultSet()  + 0x12c	C++
 	sfx680mi.dll!SearchTabPage_Impl::SearchHdl(PushButton * __formal=0x00000000) 
Line 1210 + 0xd	C++
 	sfx680mi.dll!SearchTabPage_Impl::LinkStubSearchHdl(void * pThis=0x123962e8,
void * pCaller=0x00000000)  Line 1193 + 0xf	C++
 	tl680mi.dll!0027699e() 	
 	sfx680mi.dll!SearchBox_Impl::PreNotify(NotifyEvent & rNEvt={...})  Line 1057	C++
 	vcl680mi.dll!Window::PreNotify(NotifyEvent & rNEvt={...})  Line 5143 + 0x21	C++
...

After some debuggings I found out that only "equation" makes this trouble
because it produces only one result. Other result counts make no trouble.
Because I found no other search word which produces only result, I am not sure
that this is the problem.

KSO: No time to fix this in 2.0.4 timeframe. Setting target to 2.1.

accepted

cmc->abi: you know, this could be the same double-free as issue 67740 ?

"Help->OpenOffice.org Help->Find, search for "scan", and double click on "General
Glossay" crashes OOo 2.0.3."

Sorry, not enough time to fix this for 2.1 => 2.2

will be fixed with planned change to clucene

2.3

Successfully replicated the issue using OpenOffice 2.1 on Windows XP SP2:

Specified Instructions + Close Help -> Crash OpenOffice

Successfully replicated the issue using OpenOffice 2.1 on Windows XP SP2:

Specified Instructions & Close Help -> Crash OpenOffice

*** Issue 75220 has been marked as a duplicate of this issue. ***

ABI->AB: As discussed ...

STARTED

Some debugging showed that this task probably also is related to the
help indexer that should be replaced anyway. -> P3 as this issue for
sure doesn't match the rule "P2 marks severe problems which affect 
a significant number of customers". -> 2.x for now

Confirming the same crash in Linux m226. No crash in Solaris SPARC m225. See
also issue 80952

wrong component

-> 3.x

The first stack does not fit to the problem, the second one is obsolete
as the corresponding functionality has been replaced completely. Also
I could not reproduce the crash on dev300 m35.

-> FIXED

CLOSED