https://bz.apache.org/ooo/show_bug.cgi?id=125129
--- Comment #12 from [email protected] ---

I managed to reproduce this unintentionally while playing with our unit tests, so it is quite a common bug. Let's revisit it. With comments in some of the related files now translated to English, hopefully we can build a better picture of what's going on.

Thread 1 received signal SIGSEGV, Segmentation fault.
XPropertyList::Count (this=0x0) at source/xoutdev/xtable.cxx:164
164         if( mbListDirty )
(gdb) bt
#0  XPropertyList::Count() const (this=0x0) at source/xoutdev/xtable.cxx:164

Proximally, XPropertyList::Count() is called with a NULL "this". In the "if" statement above, it attempts to access this->mbListDirty, resulting in a SIGSEGV.

------------------------------------------------
#1  0x00000008032d6770 in ColorLB::Fill(boost::shared_ptr<XColorList>) (this=0x80f01b6c8, aColorTab=...) at source/dialog/dlgctrl.cxx:1314

void ColorLB::Fill( const XColorListSharedPtr aColorTab )
{
    long nCount = aColorTab->Count();

The reason frame #0 got a NULL this is because the ColorLB::Fill() method in this frame got passed a NULL "XColorListSharedPtr aColorTab" by its caller, and called Count() on it.

So far, these methods seem innocent: they tried to do the right thing, on invalid data they were passed from further upstream. The next 6 frames deal with tab pages, tab dialogs and tab controls, and the bug is probably there somewhere.

------------------------------------------------
#2  0x000000080ef3b390 in SvxAreaTabPage::Construct() (this=0x80f01b020) at source/tabpages/tparea.cxx:831

main/cui/source/tabpages/tparea.cxx:

void SvxAreaTabPage::Construct()
{
    // fill colortables / lists
    aLbColor.Fill( maColorTab );
    aLbHatchBckgrdColor.Fill ( maColorTab );
    aLbGradient.Fill( maGradientList );
    aLbHatching.Fill( maHatchingList );
    aLbBitmap.Fill( maBitmapList );
}

However

(gdb) print maColorTab
$1 = {px = 0x0, pn = {pi_ = 0x0}}

It is here that the invalid maColorTab came from. But how did it become invalid?

As I previously noted:

main/cui/source/inc/cuitabarea.hxx

class SvxAreaTabPage : public SvxTabPage
{
    ....
    XColorListSharedPtr maColorTab;
    ....
}

typedef ::boost::shared_ptr< XColorList > XColorListSharedPtr;

and to become invalid, it was either never written to, or overwritten by an invalid value. The places it is written to include:

1. void SetColorTable( XColorListSharedPtr aColTab ) { maColorTab = aColTab; }
   which is also called from SvxAreaTabPage::PageCreated() in frame #4.

2. In the constructor: maColorTab(), which probably sets the default NULL value.

3. In SvxAreaTabPage::ActivatePage():
   if( *pnColorTableState & CT_CHANGED )
       maColorTab = ( (SvxAreaTabDialog*) DLGWIN )->GetNewColorTable();

4. Through memory corruption, via any pointer anywhere in the code. If so, it will be extremely difficult to fix.

Possibilities 1-3 can be tested with debugger breakpoints.

It doesn't seem very useful to go into stack frames further upstream, given that the bad value in maColorTab was already set. Let's rather find how and why it arrived at its bad value.

------------------------------------------------
#3  0x000000080ef4239b in SvxAreaTabPage::PageCreated(SfxAllItemSet) (this=0x80f01b020, aSet=...) at source/tabpages/tparea.cxx:2791
#4  0x000000080eb786a1 in SwFrmDlg::PageCreated(unsigned short, SfxTabPage&) (this=0x80ada7860, nId=<optimized out>, rPage=...) at source/ui/frmdlg/frmdlg.cxx:245
#5  0x0000000801468a05 in SfxTabDialog::ActivatePageHdl(TabControl*) (this=0x80ada7860, pTabCtrl=0x80ada7ae8) at source/dialog/tabdlg.cxx:1479
#6  0x0000000801467a28 in SfxTabDialog::LinkStubActivatePageHdl(void*, void*) (pThis=0x80ada7860, pCaller=0x80ada7ae8) at source/dialog/tabdlg.cxx:1383
#7  0x0000000802c17f2f in TabControl::SelectTabPage(unsigned short) (this=0x80ada7ae8, nPageId=10056) at source/control/tabctrl.cxx:1899
#8  0x0000000802e4ea1a in ImplHandleMouseEvent(Window*, unsigned short, unsigned char, long, long, unsigned long, unsigned short, unsigned short) (pWindow=<optimized out>, nSVEvent=1, bMouseLeave=0 '\000', nX=<optimized out>, nY=<optimized out>, nMsgTime=177799169, nCode=1, nMode=3) at source/window/winproc.cxx:800
#9  0x0000000802e525cb in ImplHandleSalMouseButtonDown(Window*, SalMouseEvent*) (pWindow=0x0, pEvent=<optimized out>) at source/window/winproc.cxx:2063
#10 0x0000000806664afd in GtkSalFrame::signalButton(_GtkWidget*, _GdkEventButton*, void*) (pEvent=0x80e139ad0, frame=0x80e54b610) at unx/gtk/window/gtkframe.cxx:2678
...

-- 
You are receiving this mail because:
You are the assignee for the issue.
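The crash chain described in the comment (an empty shared_ptr handed to Fill(), which then calls Count() with a NULL this) and the question of which writer left maColorTab empty can both be shown with a small stand-alone model. The code below is an added illustration and not OpenOffice code: XColorList, FillChecked and AreaTabPage are hypothetical stand-ins (std::shared_ptr instead of boost::shared_ptr), and the Writer bookkeeping is an assumed debugging aid that records which of the three assignment sites listed above (constructor default, SetColorTable(), ActivatePage()) last stored into the member, which is the same information the comment proposes to collect with breakpoints.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for XPropertyList/XColorList (not the OpenOffice class).
class XColorList {
public:
    explicit XColorList(std::vector<std::string> aNames)
        : mbListDirty(false), maNames(std::move(aNames)) {}

    long Count() const {
        // In the report, reading this member with this == NULL is the faulting access.
        if (mbListDirty) { /* a real list would rebuild itself here */ }
        return static_cast<long>(maNames.size());
    }
    const std::string& GetName(long nIndex) const { return maNames[nIndex]; }

private:
    bool mbListDirty;
    std::vector<std::string> maNames;
};
typedef std::shared_ptr<XColorList> XColorListSharedPtr;

// Hardened counterpart of ColorLB::Fill(): checks the shared_ptr instead of
// dereferencing it blindly. Returns the number of entries copied into rListBox,
// or -1 when the caller handed over an empty pointer (the report's situation).
long FillChecked(const XColorListSharedPtr& aColorTab, std::vector<std::string>& rListBox) {
    rListBox.clear();
    if (!aColorTab) {
        return -1;  // empty shared_ptr: refuse rather than crash inside Count()
    }
    const long nCount = aColorTab->Count();
    for (long i = 0; i < nCount; ++i) {
        rListBox.push_back(aColorTab->GetName(i));
    }
    return nCount;
}

// Hypothetical stand-in for SvxAreaTabPage. It mirrors the three writers the
// comment enumerates and remembers which one last touched maColorTab.
class AreaTabPage {
public:
    enum Writer { CTOR, SET_COLOR_TABLE, ACTIVATE_PAGE };

    // Writer 2: the constructor leaves the shared_ptr empty.
    AreaTabPage() : maColorTab(), meLastWriter(CTOR) {}

    // Writer 1: SetColorTable(), as called from PageCreated().
    void SetColorTable(XColorListSharedPtr aColTab) {
        maColorTab = aColTab;
        meLastWriter = SET_COLOR_TABLE;
    }

    // Writer 3: ActivatePage() replacing the table when the dialog reports a change.
    void ActivatePage(bool bColorTableChanged, XColorListSharedPtr aNewTab) {
        if (bColorTableChanged) {
            maColorTab = aNewTab;
            meLastWriter = ACTIVATE_PAGE;
        }
    }

    // Construct() as in the report, but through the checked Fill.
    long Construct(std::vector<std::string>& rListBox) const {
        return FillChecked(maColorTab, rListBox);
    }

    bool HasColorTable() const { return static_cast<bool>(maColorTab); }
    Writer LastWriter() const { return meLastWriter; }

private:
    XColorListSharedPtr maColorTab;
    Writer meLastWriter;
};
```

Running Construct() on a freshly constructed page returns -1 with LastWriter() == CTOR, i.e. "never written to"; after SetColorTable() it fills normally; and an ActivatePage() that stores an empty pointer reproduces the "overwritten by an invalid value" case with LastWriter() pointing at the offending site.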
