Re: [PATCH] fdo#46728: EDITING: soffice.bin crashed with SIGSEGV in Window::GetCursor()

On Thu, 2012-03-08 at 19:45 +0100, Dézsi Szabolcs wrote:
> Hi!
>
> Error is in svx/source/sdr/overlay/overlaymanagerbuffered.cxx
>
> 386: Window& rWindow = static_cast< Window& >(rmOutputDevice);
> 387: Cursor* pCursor = rWindow.GetCursor();
>
> Maybe something is with the timing of instructions because there are
> two lines which are exactly the same, and there works everything:

I think this is a bit screwed up, here's a valgrind trace I generated
with export VALGRIND=memcheck and repeated the how-to-reproduce step.

The line "pCandidate->Update();" in overlaymanagerbuffered.cxx:376
triggers a series of events that deletes the overlaymanager who's
ImpBufferTimerHandler is still executing, i.e. "this" is destroyed.

We get lucky sometimes because sometimes the drawing happens while the
flashing text cursor is not-drawn state when we enter. 

In the absence of alternative ideas, we could try and work some
reference count stuff in there. Even with pulling the window/cursor info
out while reference is still valid before this gets deleted, there's
still use of some members at the end of the method which are equally
broken :-(

C.

==24731== Invalid read of size 8
==24731==    at 0x24A3DB85: sdr::overlay::OverlayManagerBuffered::ImpBufferTimerHandler(AutoTimer*) 
(overlaymanagerbuffered.cxx:386)
==24731==    by 0x24A3D220: 
sdr::overlay::OverlayManagerBuffered::LinkStubImpBufferTimerHandler(void*, void*) 
(overlaymanagerbuffered.cxx:220)
==24731==    by 0x8545893: Link::Call(void*) const (link.hxx:140)
==24731==    by 0x855F9D0: Timer::Timeout() (timer.cxx:256)
==24731==    by 0x855F639: Timer::ImplTimerCallbackProc() (timer.cxx:144)
==24731==    by 0x17FFADD8: SalTimer::CallCallback() (saltimer.hxx:66)
==24731==    by 0x17FFA4B6: sal_gtk_timeout_dispatch (gtkdata.cxx:849)
==24731==    by 0x3066844ACC: g_main_context_dispatch (gmain.c:2441)
==24731==    by 0x30668452C7: g_main_context_iterate (gmain.c:3089)
==24731==    by 0x306684549B: g_main_context_iteration (gmain.c:3152)
==24731==    by 0x17FF9809: GtkData::Yield(bool, bool) (gtkdata.cxx:587)
==24731==    by 0x17FFC233: GtkInstance::Yield(bool, bool) (gtkinst.cxx:605)
==24731==    by 0x8557614: ImplYield(bool, bool) (svapp.cxx:458)
==24731==    by 0x8553C14: Application::Yield(bool) (svapp.cxx:492)
==24731==    by 0x8553BB5: Application::Execute() (svapp.cxx:435)
==24731==    by 0x4EAC7E8: desktop::Desktop::Main() (app.cxx:1885)
==24731==    by 0x855D168: ImplSVMain() (svmain.cxx:178)
==24731==    by 0x855D2AE: SVMain() (svmain.cxx:215)
==24731==    by 0x4EDC255: soffice_main (in 
/home/caolan/LibreOffice/libreoffice-3-5/solver/unxlngx6.pro/lib/libsofficeapp.so)
==24731==    by 0x400733: sal_main (in 
/home/caolan/LibreOffice/libreoffice-3-5/solver/unxlngx6.pro/installation/opt/program/soffice.bin)
==24731==    by 0x400718: main (in 
/home/caolan/LibreOffice/libreoffice-3-5/solver/unxlngx6.pro/installation/opt/program/soffice.bin)
==24731==  Address 0xd473a30 is 80 bytes inside a block of size 1,168 free'd
==24731==    at 0x4A062BC: operator delete(void*) (vg_replace_malloc.c:387)
==24731==    by 0x24A3DE8F: sdr::overlay::OverlayManagerBuffered::~OverlayManagerBuffered() 
(overlaymanagerbuffered.cxx:425)
==24731==    by 0x24A71194: SdrPaintWindow::impCreateOverlayManager(bool) (sdrpaintwindow.cxx:178)
==24731==    by 0x24A7157F: SdrPaintWindow::DrawOverlay(Region const&, bool) 
(sdrpaintwindow.cxx:274)
==24731==    by 0x24B8EA45: SdrPaintView::EndCompleteRedraw(SdrPaintWindow&, bool) (svdpntv.cxx:767)
==24731==    by 0x24969D29: FmFormView::EndCompleteRedraw(SdrPaintWindow&, bool) (fmview.cxx:498)
==24731==    by 0x24B8EBDF: SdrPaintView::EndDrawLayers(SdrPaintWindow&, bool) (svdpntv.cxx:810)
==24731==    by 0x20FFCF97: ViewShell::DLPostPaint2(bool) (viewsh.cxx:192)
==24731==    by 0x21003243: ViewShell::Paint(Rectangle const&) (viewsh.cxx:1681)
==24731==    by 0x20A336C1: SwCrsrShell::Paint(Rectangle const&) (crsrsh.cxx:1165)
==24731==    by 0x211F3CA0: SwEditWin::Paint(Rectangle const&) (edtwin2.cxx:535)
==24731==    by 0x88EF845: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2419)
==24731==    by 0x890101B: Window::Update() (window.cxx:7453)
==24731==    by 0x24A3DB57: sdr::overlay::OverlayManagerBuffered::ImpBufferTimerHandler(AutoTimer*) 
(overlaymanagerbuffered.cxx:376)
==24731==    by 0x24A3D220: 
sdr::overlay::OverlayManagerBuffered::LinkStubImpBufferTimerHandler(void*, void*) 
(overlaymanagerbuffered.cxx:220)
==24731==    by 0x8545893: Link::Call(void*) const (link.hxx:140)
==24731==    by 0x855F9D0: Timer::Timeout() (timer.cxx:256)
==24731==    by 0x855F639: Timer::ImplTimerCallbackProc() (timer.cxx:144)
==24731==    by 0x17FFADD8: SalTimer::CallCallback() (saltimer.hxx:66)
==24731==    by 0x17FFA4B6: sal_gtk_timeout_dispatch (gtkdata.cxx:849)
==24731==    by 0x3066844ACC: g_main_context_dispatch (gmain.c:2441)
==24731==    by 0x30668452C7: g_main_context_iterate (gmain.c:3089)
==24731==    by 0x306684549B: g_main_context_iteration (gmain.c:3152)
==24731==    by 0x17FF9809: GtkData::Yield(bool, bool) (gtkdata.cxx:587)
==24731==    by 0x17FFC233: GtkInstance::Yield(bool, bool) (gtkinst.cxx:605)
==24731==    by 0x8557614: ImplYield(bool, bool) (svapp.cxx:458)
==24731==    by 0x8553C14: Application::Yield(bool) (svapp.cxx:492)
==24731==    by 0x8553BB5: Application::Execute() (svapp.cxx:435)
==24731==    by 0x4EAC7E8: desktop::Desktop::Main() (app.cxx:1885)
==24731==    by 0x855D168: ImplSVMain() (svmain.cxx:178)
==24731==    by 0x855D2AE: SVMain() (svmain.cxx:215)
==24731==    by 0x4EDC255: soffice_main (in 
/home/caolan/LibreOffice/libreoffice-3-5/solver/unxlngx6.pro/lib/libsofficeapp.so)
==24731==    by 0x400733: sal_main (in 
/home/caolan/LibreOffice/libreoffice-3-5/solver/unxlngx6.pro/installation/opt/program/soffice.bin)
==24731==    by 0x400718: main (in 
/home/caolan/LibreOffice/libreoffice-3-5/solver/unxlngx6.pro/installation/opt/program/soffice.bin)