https://bugs.documentfoundation.org/show_bug.cgi?id=162911
--- Comment #10 from Armin Le Grand <[email protected]> ---

Getting closer. Indeed happens in the UNDO, the SwTextINetFormat that later causes the crash by being accessed is deleted there. Stack is:

libsvllo.so!SfxPoolItemHolder::~SfxPoolItemHolder(SfxPoolItemHolder * const this) (/home/alg/lo/h_work01/svl/source/items/itemset.cxx:171)
libswlo.so!SwTextAttr::~SwTextAttr(SwTextAttr * const this) (/home/alg/lo/h_work01/sw/source/core/txtnode/txatbase.cxx:46)
libswlo.so!SwTextINetFormat::~SwTextINetFormat(SwTextINetFormat * const this) (/home/alg/lo/h_work01/sw/source/core/txtnode/txtatr2.cxx:136)
libswlo.so!SwTextINetFormat::~SwTextINetFormat(SwTextINetFormat * const this) (/home/alg/lo/h_work01/sw/source/core/txtnode/txtatr2.cxx:136)
libswlo.so!SwTextAttr::Destroy(SwTextAttr * pToDestroy) (/home/alg/lo/h_work01/sw/source/core/txtnode/txatbase.cxx:61)
libswlo.so!SwTextNode::DeleteAttributes(SwTextNode * const this, const sal_uInt16 nWhich, const sal_Int32 nStart, const sal_Int32 nEnd) (/home/alg/lo/h_work01/sw/source/core/txtnode/thints.cxx:1878)
libswlo.so!SwHistoryResetText::SetInDoc(SwHistoryResetText * const this, SwDoc * pDoc) (/home/alg/lo/h_work01/sw/source/core/undo/rolbck.cxx:444)
libswlo.so!SwHistory::TmpRollback(SwHistory * const this, SwDoc * pDoc, sal_uInt16 nStart, bool bToFirst) (/home/alg/lo/h_work01/sw/source/core/undo/rolbck.cxx:1237)

Thus a good place for a BP is sw/source/core/txtnode/thints.cxx:1878 where pTextHt gets destroyed (A).

BUT that instance is later accessed by the stack in comment 9 since it still gets referenced by a SwFormatINetFormat and accessed using rAttr.StaticWhichCast(RES_TXTATR_INETFMT).GetTextINetFormat()->GetCharFormat() in sw/source/core/text/atrstck.cxx:146 (B).

Thus (A) deletes something that is still referenced by (B). I guess (A) would also have to clean up the reference to (A) in (B). I have no idea about that SW code there.

Why did that work before?
Probably because those Items put directly in the Pool were never deleted due to their RefCnt not really working - these were deleted by a kind of 'silent garbage collection' when the pool got deleted itself (at SW shutdown). That RefCnt stuff was never cleaned up, maybe on purpose (?).
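A simplified model of the lifetime problem described in comment #10, added here as an illustration; it is not LibreOffice code. `TextAttr` and `FormatItem` are hypothetical stand-ins for (A) and (B), and the destructor shows the kind of back-reference cleanup the comment guesses at.

```cpp
#include <memory>
#include <new>
#include <string>
#include <utility>

struct TextAttr;                        // hypothetical stand-in for (A)

// Hypothetical stand-in for (B): a ref-counted item with a raw back-pointer.
struct FormatItem {
    TextAttr* textAttr = nullptr;       // non-owning; goes stale if (A) dies first
};

struct TextAttr {
    std::shared_ptr<FormatItem> item;   // (A) shares ownership of (B)
    std::string charFormat;
    bool clearBackRef;                  // false models the behaviour in the comment

    TextAttr(std::shared_ptr<FormatItem> i, std::string fmt, bool clear)
        : item(std::move(i)), charFormat(std::move(fmt)), clearBackRef(clear) {
        item->textAttr = this;
    }
    ~TextAttr() {
        // Mitigation: drop the back-reference before (A) goes away, but only
        // if (B) still points at this instance.
        if (clearBackRef && item->textAttr == this)
            item->textAttr = nullptr;
    }
};

// Reader side, like the access at (B): tolerates a cleared back-pointer.
std::string charFormatOf(const FormatItem& item) {
    return item.textAttr ? item.textAttr->charFormat : std::string("<none>");
}

// True if (B) still holds a pointer to (A) after (A)'s lifetime has ended.
// The storage outlives the object and the pointer is only compared, never
// dereferenced, so the check itself is well-defined.
bool backRefLeftAfterDestroy(bool clearBackRef) {
    auto item = std::make_shared<FormatItem>();    // second owner keeps (B) alive
    alignas(TextAttr) unsigned char storage[sizeof(TextAttr)];
    TextAttr* attr = new (storage) TextAttr(item, "Internet Link", clearBackRef);
    attr->~TextAttr();                             // (A) destroyed, e.g. during undo
    return item->textAttr != nullptr;
}
```

With `clearBackRef` set to `false`, any later call like `charFormatOf(*item)` would read a destroyed object, which is the access pattern between (A) and (B) that the comment describes.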
