Apache OpenOffice (AOO) Bugzilla – Issue 105988
svx: a11y crash on leaving centered text
Last modified: 2010-01-08 09:16:54 UTC
With a11y enabled (under GNOME), create a new presentation, select centred text layout, type in a word, click outside the frame -> crash. valgrind output is...

==23042== Invalid read of size 2
==23042==    at 0x664E0C2: SvPtrarr::Count() const (svarray.hxx:674)
==23042==    by 0x66818FE: SfxBroadcaster::Broadcast(SfxHint const&) (brdcst.cxx:68)
==23042==    by 0xC7EDF3B: SvxTextEditSourceImpl::Notify(SfxBroadcaster&, SfxHint const&) (unoshtxt.cxx:415)
==23042==    by 0x66818E9: SfxBroadcaster::Broadcast(SfxHint const&) (brdcst.cxx:73)
==23042==    by 0xC704588: SdrObjEditView::SdrEndTextEdit(unsigned char) (svdedxv.cxx:808)
==23042==    by 0xF4C33EB: ??? (in /usr/lib64/openoffice.org/basis3.2/program/libsdlx.so)
==23042==    by 0xF75A948: ??? (in /usr/lib64/openoffice.org/basis3.2/program/libsdlx.so)
==23042==    by 0xF4D4DAD: ??? (in /usr/lib64/openoffice.org/basis3.2/program/libsdlx.so)
==23042==    by 0xF4E9357: ??? (in /usr/lib64/openoffice.org/basis3.2/program/libsdlx.so)
==23042==    by 0x8170B80: ImplHandleMouseEvent(Window*, unsigned short, unsigned char, long, long, unsigned long, unsigned short, unsigned short) (winproc.cxx:812)
==23042==    by 0x817275C: ImplHandleSalMouseButtonDown(Window*, SalMouseEvent*) (winproc.cxx:2076)
==23042==    by 0x8171687: ImplWindowFrameProc(Window*, SalFrame*, unsigned short, void const*) (winproc.cxx:2408)
==23042== Address 0x2c417d9a is 42 bytes inside a block of size 184 free'd
==23042==    at 0x4C25A72: free (vg_replace_malloc.c:325)
==23042==    by 0xC7ED919: SvxTextEditSourceImpl::~SvxTextEditSourceImpl() (unoshtxt.cxx:265)
==23042==    by 0xC7EDA74: SvxTextEditSourceImpl::release() (unoshtxt.cxx:303)
==23042==    by 0xC7F0A8D: SvxTextEditSource::~SvxTextEditSource() (unoshtxt.cxx:1063)
==23042==    by 0xBD77DDA: accessibility::AccessibleProxyEditSource_Impl::~AccessibleProxyEditSource_Impl() (AccessibleEmptyEditSource.cxx:200)
==23042==    by 0xBD7834E: accessibility::AccessibleEmptyEditSource::Switch2ProxyEditSource() (auto_ptr.h:168)
==23042==    by 0xBD78411: accessibility::AccessibleEmptyEditSource::Notify(SfxBroadcaster&, SfxHint const&) (AccessibleEmptyEditSource.cxx:348)
==23042==    by 0x66818E9: SfxBroadcaster::Broadcast(SfxHint const&) (brdcst.cxx:73)
==23042==    by 0xC7EDF3B: SvxTextEditSourceImpl::Notify(SfxBroadcaster&, SfxHint const&) (unoshtxt.cxx:415)
==23042==    by 0x66818E9: SfxBroadcaster::Broadcast(SfxHint const&) (brdcst.cxx:73)
==23042==    by 0xC704588: SdrObjEditView::SdrEndTextEdit(unsigned char) (svdedxv.cxx:808)
==23042==    by 0xF4C33EB: ??? (in /usr/lib64/openoffice.org/basis3.2/program/libsdlx.so)

Attached is a simple workaround to add an acquire of the SvxTextEditSourceImpl in SvxTextEditSourceImpl::Notify for the lifetime of that method in order to avoid any of the notified objects dropping the count to 0 and deleting it before the Notify has been completed.
Created attachment 65418 [details] workaround
related to issue 104003 and issue 103982 I'd guess
Reassigned.
MT/MD: Can reproduce in OOo320 latest. Crash, data loss possible. Patch applied, MD suggests integrating the patch in 3.2.
cl->tl: one for you as owner of the edit engine. The attached patch looks ok but I personally would replace the acquire() and release() calls with one rtl::Reference< SvxTextEditSourceImpl > xThis( this );
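The lifetime problem discussed above, as an added example that is neither OpenOffice code nor the attached patch: a ref-counted object whose only owner releases it from inside its own notification loop, with and without a scoped self-reference. EditSource, Pin and listenersRun are constructed names; Pin plays the role that rtl::Reference< SvxTextEditSourceImpl > xThis( this ) would, and the unguarded path stops when it sees the object was destroyed instead of reading freed memory.

```cpp
#include <cstddef>
#include <functional>
#include <utility>
#include <vector>

// Constructed model of a ref-counted object that broadcasts to listeners.
class EditSource {
public:
    explicit EditSource(bool& destroyed) : destroyed_(destroyed) {}
    void acquire() { ++refs_; }
    void release() { if (--refs_ == 0) delete this; }
    void addListener(std::function<void()> cb) { listeners_.push_back(std::move(cb)); }
    std::size_t notify(bool guarded);
private:
    ~EditSource() { destroyed_ = true; }
    bool& destroyed_;   // flag owned by the caller, readable after destruction
    int refs_ = 0;
    std::vector<std::function<void()>> listeners_;
};

// RAII pin: holds one reference for the enclosing scope (null pins nothing).
struct Pin {
    EditSource* p;
    explicit Pin(EditSource* s) : p(s) { if (p) p->acquire(); }
    ~Pin() { if (p) p->release(); }
};
// Returns the number of listeners that ran while the object was still usable.
std::size_t EditSource::notify(bool guarded) {
    bool& destroyed = destroyed_;            // local alias, valid even if *this dies
    Pin pin(guarded ? this : nullptr);       // the fix: keep *this alive until return
    std::size_t ran = 0;
    for (std::size_t i = 0; i < listeners_.size(); ++i) {
        std::function<void()> cb = listeners_[i];  // copy, so the call owns its target
        cb();
        ++ran;
        if (destroyed) return ran;  // unguarded: continuing would read freed members
    }
    return ran;                     // guarded: pin's release may delete *this here
}

std::size_t listenersRun(bool guarded) {
    bool destroyed = false;
    EditSource* src = new EditSource(destroyed);
    src->acquire();                               // sole owner
    src->addListener([src] { src->release(); });  // owner lets go during the broadcast
    src->addListener([] {});                      // later listener that should still run
    std::size_t ran = src->notify(guarded);
    return destroyed ? ran : 0;                   // object must be gone in both cases
}
```

Without the pin the object is destroyed after the first listener, so the second is never reached; with the pin both listeners run and destruction is deferred to the end of notify.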
Fixed in CWS ooo32gsl09.
Verified in CWS ooo32gsl09
Fixed and integrated => closing now..