https://bugs.freedesktop.org/show_bug.cgi?id=39950
--- Comment #12 from Lionel Elie Mamane <[email protected]> 2011-11-18 13:12:10 PST --- So, on master the crash happens in SdrHint constructor SdrHint::SdrHint(const SdrObject& rNewObj), at line maRectangle = rNewObj.GetLastBoundRect(); in file svx/source/svdraw/svdmodel.cxx; that's currently line 2133. The immediate reason is that rNewObj has a trashed vtable. In gdb (with the GNU C++ compiler), do "p /a (*(void***)&rNewObj)[0]@10 to see the first ten entries of the vtable and see they don't make sense. I think the pointer &rNewObj has been deleted() or something like that. Going up the call stack, we land in SdrObjList::InsertObject in file svx/source/svdraw/svdpage.cxx line 405: // Hier muss ein anderer Broadcast her! // Repaint ab Objekt Nummer ... (Achtung: GroupObj) if(pObj->GetPage()) { SdrHint aHint(*pObj); So the object with trashed vtable is *pObj. A few lines up, there is, at line 388: NbcInsertObject(pObj, nPos, pReason); Stepping through the code shows that *before* this function call, *pObj's vtable looks good and it is trashed afterwards. That's a virtual function. The actual implemention called is rptui::OReportPage::NbcInsertObject in file reportdesign/source/core/sdr/RptPage.cxx. It ends with these lines: // now that the shape is inserted into its structures, we can allow the OObjectBase // to release the reference to it OObjectBase* pObjectBase = dynamic_cast< OObjectBase* >( pObj ); OSL_ENSURE( pObjectBase, "OReportPage::NbcInsertObject: what is being inserted here?" ); if ( pObjectBase ) pObjectBase->releaseUnoShape(); If one comments out (or skips with gdb) the "pObjectBase->releaseUnoShape()", that particular crash does not happen anymore. If you test it, beware, the vtable gets trashed not during the call to releaseUnoShape, but just after, during the call to the destructor of xShape above. However, I doubt removing that line is the right fix; we need to understand why the assumption in the comment is not true anymore. For what it is worth, even without that pObjectBase->releaseUnoShape(), it just crashes a bit later in rptui::OReportSection::Paste, file reportdesign/source/ui/report/ReportSection.cxx line 295: pNeuObj->SetLogicRect(aRet); call stack: #0 0x000000000123f250 in ?? () #1 0x00007fffd6297e63 in stoc_inspect::ImplIntrospectionAdapter::getPropertyByName (this=0x2230640, Name="Size") at /home/master/src/libreoffice/core/stoc/source/inspect/introspection.cxx:1085 #2 0x00007fffd02463fe in rptui::OXUndoEnvironment::propertyChange (this=0x1c92ec0, _rEvent=...) at /home/master/src/libreoffice/core/reportdesign/source/core/sdr/UndoEnv.cxx:324 #3 0x00007fffda8fb1f4 in cppu::OInterfaceContainerHelper::NotifySingleListener<com::sun::star::beans::XPropertyChangeListener, com::sun::star::beans::PropertyChangeEvent>::operator() (this=0x7fffffffa400, listener=...) at /home/master/src/libreoffice/core/solver/unxlngx6/inc/cppuhelper/interfacecontainer.h:271 #4 0x00007fffda8fa639 in cppu::OInterfaceContainerHelper::forEach<com::sun::star::beans::XPropertyChangeListener, cppu::OInterfaceContainerHelper::NotifySingleListener<com::sun::star::beans::XPropertyChangeListener, com::sun::star::beans::PropertyChangeEvent> > (this=0x2219970, func=...) at /home/master/src/libreoffice/core/solver/unxlngx6/inc/cppuhelper/interfacecontainer.h:288 #5 0x00007fffda8f98d0 in cppu::OInterfaceContainerHelper::notifyEach<com::sun::star::beans::XPropertyChangeListener, com::sun::star::beans::PropertyChangeEvent> (this=0x2219970, NotificationMethod=&virtual table offset 32, Event=...) at /home/master/src/libreoffice/core/solver/unxlngx6/inc/cppuhelper/interfacecontainer.h:302 #6 0x00007fffda8f798e in svx::PropertyChangeNotifier::notifyPropertyChange (this=0x220bc28, _eProperty=svx::eShapeSize) at /home/master/src/libreoffice/core/svx/source/unodraw/shapepropertynotifier.cxx:178 #7 0x00007fffda7b7682 in SdrObject::notifyShapePropertyChange (this=0x1ad4300, _eProperty=svx::eShapeSize) at /home/master/src/libreoffice/core/svx/source/svdraw/svdobj.cxx:2865 #8 0x00007fffda7b6d44 in SdrObject::SendUserCall (this=0x1ad4300, eUserCall=SDRUSERCALL_RESIZE, rBoundRect=...) at /home/master/src/libreoffice/core/svx/source/svdraw/svdobj.cxx:2722 #9 0x00007fffda7b2004 in SdrObject::SetLogicRect (this=0x1ad4300, rRect=...) at /home/master/src/libreoffice/core/svx/source/svdraw/svdobj.cxx:1608 #10 0x00007fffcf4287b3 in rptui::OReportSection::Paste (this=0x1d219f8, _aAllreadyCopiedObjects=uno::Sequence of length 1 = {...}, _bForce=true) at /home/master/src/libreoffice/core/reportdesign/source/ui/report/ReportSection.cxx:295 Going up down the call stack to stoc_inspect::ImplIntrospectionAdapter::getPropertyByName in file stoc/source/inspect/introspection.cxx: │1082 Property ImplIntrospectionAdapter::getPropertyByName(const OUString& Name) │1083 throw( RuntimeException ) │1084 { >│1085 return mpAccess->getProperty( Name, PropertyConcept::ALL ); │1086 } Again, the problem is trashed vtable: (gdb) print /a (*(void***)mpAccess)[0]@10 $14 = {0x7500065007000a6, 0x21, 0x7ffff70b4eb8 <main_arena+88>, 0x222f890, 0x20, 0x40, 0x500000001, 0x622b60, 0x647c50, 0x648930} Note for future refrence: (gdb) print Name $15 = "Size" Let's go back to following what happens for the crash being discussed. The call to SdrObjList::InsertObject above is just a few lines up in rptui::OReportSection::Paste: if ( pObject ) { SdrObject* pNeuObj = pObject->Clone(); pNeuObj->SetPage( m_pPage ); pNeuObj->SetModel( m_pModel.get() ); SdrInsertReason aReason(SDRREASON_VIEWCALL); m_pPage->InsertObject(pNeuObj,CONTAINER_APPEND,&aReason); Frankly, my hunch tells me that the problem is in pObject->Clone(), but I was not able to follow what happens there. It is a maze of virtual and non-virtual functions and operator= . Here is the stderr while it is being called: Error: No Service Name given! From File /home/master/src/libreoffice/core/reportdesign/source/core/sdr/ReportDrawPage.cxx at Line 82 Error: ::comphelper::copyProperties: could not copy property 'CustomShapeData' to the destination set (a 'com.sun.star.comp.report.Shape' implementation). Caught an exception of type 'com.sun.star.lang.WrappedTargetException', saying 'non-RuntimeException occurred when accessing an interface type attribute'. From File /home/master/src/libreoffice/core/comphelper/source/property/property.cxx at Line 139 Error: ::comphelper::copyProperties: could not copy property 'CustomShapeEngine' to the destination set (a 'com.sun.star.comp.report.Shape' implementation). Caught an exception of type 'com.sun.star.lang.WrappedTargetException', saying 'non-RuntimeException occurred when accessing an interface type attribute'. From File /home/master/src/libreoffice/core/comphelper/source/property/property.cxx at Line 139 Error: ::comphelper::copyProperties: could not copy property 'CustomShapeGeometry' to the destination set (a 'com.sun.star.comp.report.Shape' implementation). Caught an exception of type 'com.sun.star.lang.WrappedTargetException', saying 'non-RuntimeException occurred when accessing an interface type attribute'. From File /home/master/src/libreoffice/core/comphelper/source/property/property.cxx at Line 139 -- Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. _______________________________________________ Libreoffice-bugs mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs
