Summary: | Crash: Selecting an option in dropdown content control leads to unexpected exit with code 139 | ||
---|---|---|---|
Product: | LibreOffice | Reporter: | Hossein <hossein> |
Component: | Writer | Assignee: | Caolán McNamara <caolan.mcnamara> |
Status: | VERIFIED FIXED | ||
Severity: | critical | CC: | hossein, ilmari.lauhakangas, stephane.guillou, vmiklos |
Priority: | medium | Keywords: | bibisected, bisected, haveBacktrace |
Version: | 7.4.3.2 release | ||
Hardware: | All | ||
OS: | Linux (All) | ||
Whiteboard: | target:7.6.0 target:7.5.3 | ||
Crash report or crash signature: | ["SwDropDownContentControlButton::LaunchPopup()"] | Regression By: | |
Bug Depends on: | |||
Bug Blocks: | 100156, 107742, 133092 | ||
Attachments: | Backtrace using gdb |
Description
Hossein
2022-11-28 00:52:55 UTC
The last part should be: (a typo in replacing path) Thread 1 "soffice.bin" received signal SIGSEGV, Segmentation fault. 0x00007fffb0a6c3a8 in SwDropDownContentControlButton::LaunchPopup (this=0x55555d0499e0) at sw/source/core/crsr/dropdowncontentcontrolbutton.cxx:83 83 m_xTreeView = m_xPopupBuilder->weld_tree_view("list"); #0 0x00007fffb0a6c3a8 in SwDropDownContentControlButton::LaunchPopup() (this=0x55555d0499e0) at sw/source/core/crsr/dropdowncontentcontrolbutton.cxx:83 #1 0x00007fffb0a1f1cf in SwContentControlButton::StartPopup() (this=0x55555d0499e0) at sw/source/core/crsr/contentcontrolbutton.cxx:91 #2 0x00007fffb0a1f1a2 in SwContentControlButton::MouseButtonDown(MouseEvent const&) (this=0x55555d0499e0) at sw/source/core/crsr/contentcontrolbutton.cxx:87 #3 0x00007fffeec3ba1b in ImplHandleMouseEvent(VclPtr<vcl::Window> const&, NotifyEventType, bool, long, long, unsigned long, unsigned short, MouseEventModifiers) (xWindow=..., nSVEvent=NotifyEventType::MOUSEBUTTONDOWN, bMouseLeave=false, nX=671, nY=403, nMsgTime=28221840, nCode=1, nMode=(MouseEventModifiers::SIMPLECLICK | MouseEventModifiers::SELECT)) at vcl/source/window/winproc.cxx:707 #4 0x00007fffeec425a5 in ImplHandleSalMouseButtonDown(vcl::Window*, SalMouseEvent const*) (pWindow=0x5555572ebc20, pEvent=0x7fffffffc740) at vcl/source/window/winproc.cxx:2340 #5 0x00007fffeec43853 in ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) (_pWindow=0x5555572ebc20, nEvent=SalEvent::MouseButtonDown, pEvent=0x7fffffffc740) at vcl/source/window/winproc.cxx:2691 #6 0x00007fffe4a01f84 in SalFrame::CallCallback(SalEvent, void const*) const (this=0x55555679b150, nEvent=SalEvent::MouseButtonDown, pEvent=0x7fffffffc740) at vcl/inc/salframe.hxx:306 #7 0x00007fffe4a01106 in GtkSalFrame::CallCallbackExc(SalEvent, void const*) const (this=0x55555679b150, nEvent=SalEvent::MouseButtonDown, pEvent=0x7fffffffc740) at vcl/unx/gtk3/gtkframe.cxx:6138 #8 0x00007fffe49f9a20 in GtkSalFrame::DrawingAreaButton(SalEvent, int, int, int, unsigned int, unsigned int) (this=0x55555679b150, nEventType=SalEvent::MouseButtonDown, nEventX=671, nEventY=403, nButton=1, nTime=28221840, nState=16) at vcl/unx/gtk3/gtkframe.cxx:3127 #9 0x00007fffe49f9da8 in GtkSalFrame::signalButton(_GtkWidget*, _GdkEventButton*, void*) (pEvent=0x55555e98b970, frame=0x55555679b150) at vcl/unx/gtk3/gtkframe.cxx:3214 The problem seems to be GTK specific. I could not reproduce it with X11, or on Windows: Not reproducible with X11 gen UI: Version: 7.5.0.0.alpha1+ (X86_64) / LibreOffice Community Build ID: cb7e6003ad06d71a27baeb435366b91f87bdeb2f CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: x11 Locale: en-US (en_US.UTF-8); UI: en-US Calc: threaded Also not reproducible on Windows: Version: 7.5.0.0.alpha1+ (X86_64) / LibreOffice Community Build ID: 360b5861fb46353e7a6b9f5abf13339cd719a8df CPU threads: 32; OS: Windows 10.0 Build 19044; UI render: Skia/Raster; VCL: win Locale: en-US (en_DE); UI: en-US Calc: threaded Selected, waited, selected again from the same, no crash Version: 7.5.0.0.alpha1+ (X86_64) / LibreOffice Community Build ID: d45d65559f11ecb34b14e3b5c838391c62c8c694 CPU threads: 8; OS: Linux 6.0; UI render: default; VCL: gtk3 Locale: fi-FI (fi_FI.UTF-8); UI: en-US Calc: threaded Could get the same segfault on SwDropDownContentControlButton::LaunchPopup() in non-debug 7.5.2.2 without waiting at all, by pressing twice alt+down in the first dropdown content control. Crash report: https://crashreport.libreoffice.org/stats/crash_details/e3df02e2-60b3-483d-84f5-e3448ee021ed Version: 7.5.2.2 (X86_64) / LibreOffice Community Build ID: 53bb9681a964705cf672590721dbc85eb4d0c3a2 CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3 Locale: en-AU (en_AU.UTF-8); UI: en-US Calc: threaded With gtk VCL, using Alt + Down the first time allows entering the dropdown. Further Down presses to navigate the options don't crash it, but another Alt + Down does. With kf5 or gen VCLs, no crash. Bibisected with linux-64-7.4 repo to first bad commit 5fd5f3e7b44717eab066389806f70ff7a008d7a6 which points to core commit: commit e2095410b00b8a374ba35ea5fab584a79a46cfe2 author Miklos Vajna <vmiklos@collabora.com> Mon Oct 10 10:07:10 2022 +0200 committer Xisco Fauli <xiscofauli@libreoffice.org> Tue Oct 11 16:33:43 2022 +0200 tdf#151261 DOCX import: fix dropdown SDT when the item display text is missing [...] Reviewed-on: https://gerrit.libreoffice.org/c/core/+/141151 Not calling it a regression as this is the commit that made an actual dropdown available for gtk. Miklos, can you please have a look? Hrm, could you please provide clear repro steps that you used for the bisect? Playing around with alt-down and this file and gtk3, I could not get it to crash on master. Thanks. (In reply to Miklos Vajna from comment #5) > Hrm, could you please provide clear repro steps that you used for the > bisect? Playing around with alt-down and this file and gtk3, I could not get > it to crash on master. Thanks. I just figured I couldn't reproduce with X11, but could with Wayland, that might be why? Hossein, can you confirm? 0. GNOME + Wayland session 1. Open attachment attachment 182846 [details] 2. Click on first dropdown control 3. Alt + Down: dropdown expands 4. Alt + Down a second time: crash re-launched while already launched causes the original to be destroyed during the re-creation and the m_xTreeView is cleared, leading to null-dereference. I can make that not crash anyway Caolán McNamara committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/e97c8ceb003488589bf14c7ea335eaa3e1a86975 tdf#152257 popup already launched, don't relaunch It will be available in 7.6.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback. done in trunk, backport to 7-5 in gerrit Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-7-5": https://git.libreoffice.org/core/commit/3bf0727bb03f1b330e9c43f9f5d7eb3bced08e2e tdf#152257 popup already launched, don't relaunch It will be available in 7.5.3. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback. Thank you Caolán! Verified fixed in: Version: 7.6.0.0.alpha0+ (X86_64) / LibreOffice Community Build ID: 5cc29848b78b6c5ab01aa7a66b1dd7caff5f9385 CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3 Locale: en-AU (en_AU.UTF-8); UI: en-US Calc: threaded (In reply to Stéphane Guillou (stragu) from comment #6) > I just figured I couldn't reproduce with X11, but could with Wayland, that > might be why? Hossein, can you confirm? > > 0. GNOME + Wayland session > 1. Open attachment attachment 182846 [details] > 2. Click on first dropdown control > 3. Alt + Down: dropdown expands > 4. Alt + Down a second time: crash Nice path to reproduce the problem, thanks! I've built the commit exactly before e97c8ceb003488589bf14c7ea335eaa3e1a86975, with Wayland it crashes with these steps, but with X11 it doesn't. With e97c8ceb003488589bf14c7ea335eaa3e1a86975, the problem no longer happens with Wayland. Thanks |