Crash in calc

[mmeeks]

Mike Dworski did something =) - Mike ? and we got this:

(gdb) bt
#0  std::vector<std::unique_ptr<SdrPageWindow, std::default_delete<SdrPageWindow> >, std::allocator<std::unique_ptr<SdrPageWindow, std::default_delete<SdrPageWindow> > > >::size (this=<optimized out>) at /opt/rh/devtoolset-12/root/usr/include/c++/12/bits/stl_vector.h:987
#1  SdrPageView::PageWindowCount (this=<optimized out>) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/include/svx/svdpagv.hxx:89
#2  (anonymous namespace)::ScLOKProxyObjectContact::calculateGridOffsetForViewObjectContact (this=<optimized out>, rTarget=..., rClient=...) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/sc/source/ui/view/gridwin4.cxx:1435
#3  0x00007fe79c116545 in sdr::contact::ViewObjectContact::getGridOffset (this=this@entry=0x49332d10) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/include/svx/sdr/contact/viewobjectcontact.hxx:93
#4  0x00007fe79c1179eb in sdr::contact::ViewObjectContact::getPrimitive2DSequence (this=this@entry=0x49332d10, rDisplayInfo=...) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/svx/source/sdr/contact/viewobjectcontact.cxx:475
#5  0x00007fe79c117cc1 in sdr::contact::ViewObjectContact::getObjectRange (this=this@entry=0x49332d10) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/svx/source/sdr/contact/viewobjectcontact.cxx:209
#6  0x00007fe79c117e52 in sdr::contact::ViewObjectContact::triggerLazyInvalidate (this=0x49332d10) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/svx/source/sdr/contact/viewobjectcontact.cxx:262
#7  0x00007fe79c1189e5 in sdr::contact::ObjectContactOfPageView::Invoke (this=0x36cf4660) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/svx/source/sdr/contact/objectcontactofpageview.cxx:104
#8  0x00007fe79cda4e83 in Scheduler::CallbackTaskScheduling () at /home/collabora/online-buildscripts/staging/builddir/libreoffice/vcl/source/app/scheduler.cxx:480
#9  0x00007fe79cf616cb in SalTimer::CallCallback (this=<optimized out>) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/vcl/inc/saltimer.hxx:54
#10 SvpSalInstance::CheckTimeout (this=this@entry=0x148a620, bExecuteTimers=bExecuteTimers@entry=true) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/vcl/headless/svpinst.cxx:161
#11 0x00007fe79cf619fd in SvpSalInstance::ImplYield (this=this@entry=0x148a620, bWait=bWait@entry=true, bHandleAllCurrentEvents=bHandleAllCurrentEvents@entry=false) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/vcl/headless/svpinst.cxx:399
#12 0x00007fe79cf61e0d in SvpSalInstance::DoYield (this=0x148a620, bWait=<optimized out>, bHandleAllCurrentEvents=<optimized out>) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/vcl/headless/svpinst.cxx:471
#13 0x00007fe79cdbdd21 in ImplYield (i_bWait=<optimized out>, i_bAllEvents=<optimized out>) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/vcl/source/app/svapp.cxx:396
#14 0x00007fe79cdbe4d5 in Application::Execute () at /home/collabora/online-buildscripts/staging/builddir/libreoffice/vcl/source/app/svapp.cxx:374
#15 0x00007fe79ba45a3a in desktop::Desktop::Main (this=0x7ffea81d9b40) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/desktop/source/app/app.cxx:1605
#16 0x00007fe79cdc7201 in ImplSVMain () at /home/collabora/online-buildscripts/staging/builddir/libreoffice/vcl/source/app/svmain.cxx:229
#17 0x00007fe79cdc74d9 in SVMain () at /home/collabora/online-buildscripts/staging/builddir/libreoffice/vcl/source/app/svmain.cxx:261
#18 0x00007fe79ba6930c in soffice_main () at /home/collabora/online-buildscripts/staging/builddir/libreoffice/desktop/source/app/sofficemain.cxx:94
#19 0x00007fe79ba7f505 in lo_runLoop (pPollCallback=0x5c1660 <pollCallback(void*, int)>, pWakeCallback=0x5b0cc0 <wakeCallback(void*)>, pData=0x2fef14a0) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/desktop/source/lib/init.cxx:7565
#20 0x00000000005c88b5 in lok::Office::runLoop (pData=0x2fef14a0, pWakeCallback=0x5b0cc0 <wakeCallback(void*)>, pPollCallback=0x5c1660 <pollCallback(void*, int)>, this=0x2ff6d070)
    at /home/collabora/online-buildscripts/staging/builddir/libreoffice/include/LibreOfficeKit/LibreOfficeKit.hxx:1101
#21 lokit_main (childRoot=..., jailId=..., sysTemplate=..., loTemplate=..., noCapabilities=<optimized out>, noSeccomp=<optimized out>, queryVersion=<optimized out>, displayVersion=<optimized out>, numericIdentifier=<optimized out>) at kit/Kit.cpp:3371
#22 0x000000000059402a in createLibreOfficeKit (childRoot=..., sysTemplate=..., loTemplate=..., queryVersion=queryVersion@entry=false) at kit/ForKit.cpp:447
#23 0x0000000000595abd in forkLibreOfficeKit (childRoot=..., sysTemplate=..., loTemplate=...) at kit/ForKit.cpp:495
#24 0x0000000000599631 in forkit_main (argc=<optimized out>, argv=<optimized out>) at kit/ForKit.cpp:837
#25 0x00007fe79f0c824d in __libc_start_main () from /lib64/libc.so.6
#26 0x000000000055c302 in _start ()
(gdb) l
4	kit/forkit-main.cpp: No such file or directory.
(gdb) up
#1  SdrPageView::PageWindowCount (this=<optimized out>) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/include/svx/svdpagv.hxx:89
89	    sal_uInt32 PageWindowCount() const { return maPageWindows.size(); }
(gdb) p maPageWindows
value has been optimized out
(gdb) p this
$1 = <optimized out>
(gdb) up
#2  (anonymous namespace)::ScLOKProxyObjectContact::calculateGridOffsetForViewObjectContact (this=<optimized out>, rTarget=..., rClient=...) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/sc/source/ui/view/gridwin4.cxx:1435
1435	            if (pPageView->PageWindowCount() > 0)
(gdb) p pPageView
$2 = (SdrPageView *) 0x6200200062006f
(gdb) p *pPageView
Cannot access memory at address 0x6200200062006f
(gdb) p *this
value has been optimized out
(gdb) up
#3  0x00007fe79c116545 in sdr::contact::ViewObjectContact::getGridOffset (this=this@entry=0x49332d10) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/include/svx/sdr/contact/viewobjectcontact.hxx:93
93	    ObjectContact& GetObjectContact() const { return mrObjectContact; }
(gdb) p this
$3 = (const sdr::contact::ViewObjectContact * const) 0x49332d10
(gdb) p *this
$4 = {_vptr.ViewObjectContact = 0x7fe79ecd7258 <vtable for sdr::contact::ViewObjectContactOfSdrObj+16>, mrObjectContact = @0x36cf4660, mrViewContact = @0x3029b460, maObjectRange = empty basegfx::B2DRange, 
  mxPrimitive2DSequence = {<std::deque<rtl::Reference<drawinglayer::primitive2d::BasePrimitive2D>, std::allocator<rtl::Reference<drawinglayer::primitive2d::BasePrimitive2D> > >> = {<std::_Deque_base<rtl::Reference<drawinglayer::primitive2d::BasePrimitive2D>, std::allocator<rtl::Reference<drawinglayer::primitive2d::BasePrimitive2D> > >> = {
        _M_impl = {<std::allocator<rtl::Reference<drawinglayer::primitive2d::BasePrimitive2D> >> = {<std::__new_allocator<rtl::Reference<drawinglayer::primitive2d::BasePrimitive2D> >> = {<No data fields>}, <No data fields>}, <std::_Deque_base<rtl::Reference<drawinglayer::primitive2d::BasePrimitive2D>, std::allocator<rtl::Reference<drawinglayer::primitive2d::BasePrimitive2D> > >::_Deque_impl_data> = {_M_map = 0x45d9c7e0, _M_map_size = 8, _M_start = {_M_cur = 0x49790000, _M_first = 0x49790000, _M_last = 0x49790200, _M_node = 0x45d9c7f8}, _M_finish = {_M_cur = 0x49790000, 
              _M_first = 0x49790000, _M_last = 0x49790200, _M_node = 0x45d9c7f8}}, <No data fields>}}, <No data fields>}, <drawinglayer::primitive2d::Primitive2DDecompositionVisitor> = {
      _vptr.Primitive2DDecompositionVisitor = 0x7fe79eb81d30 <vtable for drawinglayer::primitive2d::Primitive2DContainer+16>}, <No data fields>}, mpPrimitiveAnimation = {
    _M_t = {<std::__uniq_ptr_impl<sdr::animation::PrimitiveAnimation, std::default_delete<sdr::animation::PrimitiveAnimation> >> = {
        _M_t = {<std::_Tuple_impl<0, sdr::animation::PrimitiveAnimation*, std::default_delete<sdr::animation::PrimitiveAnimation> >> = {<std::_Tuple_impl<1, std::default_delete<sdr::animation::PrimitiveAnimation> >> = {<std::_Head_base<1, std::default_delete<sdr::animation::PrimitiveAnimation>, true>> = {_M_head_impl = {<No data fields>}}, <No data fields>}, <std::_Head_base<0, sdr::animation::PrimitiveAnimation*, false>> = {_M_head_impl = 0x0}, <No data fields>}, <No data fields>}}, <No data fields>}}, maGridOffset = {<basegfx::B2DTuple> = {<basegfx::Tuple2D<double>> = {mnX = 0, 
        mnY = 0}, <No data fields>}, <No data fields>}, mnActionChangedCount = 17, mbLazyInvalidate = false}
(gdb) up
#4  0x00007fe79c1179eb in sdr::contact::ViewObjectContact::getPrimitive2DSequence (this=this@entry=0x49332d10, rDisplayInfo=...) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/svx/source/sdr/contact/viewobjectcontact.cxx:475
475	        const basegfx::B2DVector& rGridOffset(getGridOffset());
(gdb) up
#5  0x00007fe79c117cc1 in sdr::contact::ViewObjectContact::getObjectRange (this=this@entry=0x49332d10) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/svx/source/sdr/contact/viewobjectcontact.cxx:209
209	            const drawinglayer::primitive2d::Primitive2DContainer& xSequence(getPrimitive2DSequence(aDisplayInfo));
(gdb) p aDisplayInfo
$5 = {maProcessLayers = {m_aData = '\377' <repeats 32 times>}, maRedrawArea = {
    mpB2DPolyPolygon = {<std::_Optional_base<basegfx::B2DPolyPolygon, false, false>> = {<std::_Optional_base_impl<basegfx::B2DPolyPolygon, std::_Optional_base<basegfx::B2DPolyPolygon, false, false> >> = {<No data fields>}, 
        _M_payload = {<std::_Optional_payload<basegfx::B2DPolyPolygon, true, false, false>> = {<std::_Optional_payload_base<basegfx::B2DPolyPolygon>> = {_M_payload = {_M_empty = {<No data fields>}, _M_value = 
Thread 1 "kitbroker_01f" received signal SIGSEGV, Segmentation fault.
basegfx::B2DPolyPolygon::count (this=0x7ffea81d8fa0) at /home/collabora/online-buildscripts/staging/builddir/libreoffice/basegfx/source/polygon/b2dpolypolygon.cxx:251
251	        return mpPolyPolygon->count();
Python Exception <class 'gdb.error'>: The program being debugged was signaled while in a function called from GDB.
GDB remains in the frame where the signal was received.
To change this behavior use "set unwindonsignal on".
Evaluation of the expression containing the function
(basegfx::B2DPolyPolygon::count() const) will be abandoned.
When the function is done executing, GDB will silently stop.
}, _M_engaged = false}, <No data fields>}, <No data fields>}}, <std::_Enable_copy_move<true, true, true, true, std::optional<basegfx::B2DPolyPolygon> >> = {<No data fields>}, <No data fields>}, 
    mpPolyPolygon = {<std::_Optional_base<tools::PolyPolygon, false, false>> = {<std::_Optional_base_impl<tools::PolyPolygon, std::_Optional_base<tools::PolyPolygon, false, false> >> = {<No data fields>}, 
        _M_payload = {<std::_Optional_payload<tools::PolyPolygon, true, false, false>> = {<std::_Optional_payload_base<tools::PolyPolygon>> = {_M_payload = {_M_empty = {<No data fields>}, _M_value = {mpImplPolyPolygon = {m_pimpl = 0x0}}}, 
              _M_engaged = false}, <No data fields>}, <No data fields>}}, <std::_Enable_copy_move<true, true, true, true, std::optional<tools::PolyPolygon> >> = {<No data fields>}, <No data fields>}, 
    mpRegionBand = {<std::__shared_ptr<RegionBand, (__gnu_cxx::_Lock_policy)2>> = {<std::__shared_ptr_access<RegionBand, (__gnu_cxx::_Lock_policy)2, false, false>> = {<No data fields>}, _M_ptr = 0x0, _M_refcount = {_M_pi = 0x0}}, <No data fields>}, mbIsNull = false}, 
  m_WriterPageFrame = {<basegfx::Range2D<int, basegfx::Int32Traits>> = {maRangeX = {mnMinimum = 2147483647, mnMaximum = -2147483648}, maRangeY = {mnMinimum = 2147483647, mnMaximum = -2147483648}}, <No data fields>}, mbControlLayerProcessingActive = false, mbGhostedDrawModeActive = false, 
  mbSubContentActive = false}

Hope tha thelps.

[Tex2002ans]

I believe this was the steps to cause the crash.

(I can't reproduce on staging OR my local install.)

(Maybe it requires multiple people to be in same document with mixes of Light/Dark settings?)

Describe the Bug

Dark Mode button ON/OFF while Calc formula's popup is open caused crash.

This is the "informational popup" that was open:

Steps to Reproduce

In Calc, I had Dark Mode ON:

0. I had these 3 numbers in 3 cells:

1
2
3

1. Below that, I typed:

• =SUM(

2. With the "=SUM informational popup" open...

• Go to the "View" tab.
• Press "Dark Mode" button.
  • I turned Dark Mode OFF.
• => CRASH

Expected Behavior

No crash.

After Step 2, when it's working properly, it seems like:

• The "formula popup" flashes.
• Dark Mode DOES NOT change.
  • (You have to close the popup before being allowed to change Light/Dark.)

Actual Behavior

CRASH.

After Step 2, Calc:

• Flipped to Light Mode.
  • I don't recall "flashing popup".

So maybe I got the popup/document into some sort of unexpected limbo.

Desktop

• Collabora version: 24.04.4.1
• OS and version: Windows 11
• Browser and version: Chrome 125.0.6422.142 (Official Build) (64-bit)

COOLWSD version: 24.04.4.1 (git hash: 60fdce50 (E))
LOKit version: Collabora Office 24.04.4.1 (git hash: 39fe355)
Served by: openSUSE Leap 15.5
Server ID: ffdfb86f

Additional Context

Happened during COOL Weekly 172.

I was trying to compare the popup's Light/Dark mode so I could see what the differences were + what the popup was "supposed to look like".

I was on 200% Browser Zoom if that influences anything.