Apache OpenOffice (AOO) Bugzilla – Issue 124629
css::ui::dialogs::Wizard crashes
Last modified: 2017-05-20 10:35:16 UTC
Created attachment 83133 [details] Zip file with a sample code - Unzip the attached example and build it with the SDK - execute it with the target DummyWizard.run A Writer document and a Draw document will be created, the wizard will be executed with any of this document's container window as parent. - On the Wizard press "Next" button until reaching the end of the wizard, then press "Finish" button The client application exits without error - Close the two document - OpenOffice crashes: Application Error Fatal exception: Signal 6 Stack: /opt/openoffice4/program/libuno_sal.so.3(+0x37b9a)[0x7f5b51a25b9a] /opt/openoffice4/program/libuno_sal.so.3(+0x37ccc)[0x7f5b51a25ccc] /opt/openoffice4/program/libuno_sal.so.3(+0x37d69)[0x7f5b51a25d69] /lib64/libc.so.6[0x3e6aa35cb0] /lib64/libc.so.6(gsignal+0x39)[0x3e6aa35c39] /lib64/libc.so.6(abort+0x148)[0x3e6aa37348] /opt/openoffice4/program/libvcl.so(+0x1546b9)[0x7f5b4e3ef6b9] /opt/openoffice4/program/libsofficeapp.so(+0x2353b)[0x7f5b5178453b] /opt/openoffice4/program/libvcl.so(+0x17ecc0)[0x7f5b4e419cc0] /opt/openoffice4/program/libuno_sal.so.3(+0x36962)[0x7f5b51a24962] /opt/openoffice4/program/libuno_sal.so.3(+0x37d4a)[0x7f5b51a25d4a] /lib64/libc.so.6[0x3e6aa35cb0] /opt/openoffice4/program/libvcl.so(+0x37d667)[0x7f5b4e618667] /opt/openoffice4/program/libvcl.so(+0x37d6b2)[0x7f5b4e6186b2] /opt/openoffice4/program/libvcl.so(_ZN6WindowD2Ev+0x22)[0x7f5b4e62cad6] /opt/openoffice4/program/libsvt.so(+0x32c218)[0x7f5b4fb50218] /opt/openoffice4/program/libvcl.so(_ZN3vcl11LazyDeletorI6WindowED0Ev+0x110)[0x7f5b4e62f6a6] /opt/openoffice4/program/libvcl.so(_ZN3vcl10LazyDelete5flushEv+0x34)[0x7f5b4e5a4d04] /opt/openoffice4/program/libvcl.so(+0x17c20c)[0x7f5b4e41720c] /opt/openoffice4/program/libvcl.so(_ZN11Application7ExecuteEv+0x1b)[0x7f5b4e4163db] /opt/openoffice4/program/libsofficeapp.so(+0x2d9ed)[0x7f5b5178e9ed] /opt/openoffice4/program/libvcl.so(+0x17f5a5)[0x7f5b4e41a5a5] /opt/openoffice4/program/libvcl.so(_Z6SVMainv+0x1e)[0x7f5b4e41a670] /opt/openoffice4/program/libsofficeapp.so(soffice_main+0x9c)[0x7f5b517b614c] /opt/openoffice4/program/soffice.bin(main+0xb)[0x400f7b] /lib64/libc.so.6(__libc_start_main+0xf5)[0x3e6aa21d65] /opt/openoffice4/program/soffice.bin(__gxx_personality_v0+0xb9)[0x400eb9] /opt/openoffice4/program/soffice: line 121: 7496 Aborted "$sd_prog/$sd_binary" "$@"
Created attachment 83134 [details] GDB backtrace The backtrace shows clearly what's happening: - the code that creates the wizard dialog owns it, this means that when the client application releases its reference to it, the wizard dialog (a C++ UNO object, lifetime controller by reference count) should die - but that's not the case. There is another object holding a reference to the UNO dialog (svt::uno::Wizard): its VCL dialog (svt::uno::WizardShell). The VCL dialog is constructed with a reference to the UNO dialog, this prevents the UNO dialog from being deleted when the client code released its references. In the normal case, when the UNO dialog dies, it deletes the VCL dialog, but as its VCL dialog holds a reference to it, the VCL dialog is first deleted by the vcl::LazyDeletor. In this case, when the VCL dialog dies, its reference to the UNO dialog is deleted, and the UNO dialog starts to die. Here the cyclic bug: when the UNO dialog is being deleted it deletes the VCL dialog, but this is already in its destructor.
"arielch" committed SVN revision 1586340 into trunk: i124629 - UNO Wizard - avoid crash by removing unneeded reference
The commit from revision 1586340 solves the crash described in this bug. The implementation has other bugs, that will be reported apart. Setting this as fixed.