soffice.bin crashed with SIGSEGV in com::sun::star::uno::Reference<com::sun::star::accessibility::XAccessibleEventListener>::operator->()

Created attachment 188856
backtrace without debug symbols

This bug was filed from the crash reporting server and is br-5dddbbb0-0ccd-4622-b1e4-8632bf974151.
=========================================

Steps:
1. Open Calc
2. Write some text in cell A1
3. Select all text in formula bar, Ctrl + C
4. Paste into cell B1
5. Close LO, don't save
6. Reopen: crash reporter dialog

Repro in:

Version: 7.6.0.2 (X86_64) / LibreOffice Community
Build ID: 41d6f628ba3f046f16b5fa9fa8db8d4c2ab3b582
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

But not in a recent master build.

7.6 crash report: https://crashreport.libreoffice.org/stats/crash_details/5dddbbb0-0ccd-4622-b1e4-8632bf974151

No crash with gen VCL. No crash with bibisect repo or debug build, so no bibisect nor debug symbols in backtrace.

(no repro in 7.5.5.2)

I can't repro
Version: 7.6.0.2 (X86_64) / LibreOffice Community
Build ID: 41d6f628ba3f046f16b5fa9fa8db8d4c2ab3b582
CPU threads: 16; OS: Windows 10.0 Build 22621; UI render: Skia/Raster; VCL: win
Locale: es-ES (es_ES); UI: en-US
Calc: CL threaded

That's an accessibility thing that is crashing at exit. I wonder if it is the same root as the recently fixed bug #156463 which is also an a11y crash on exit

Since this is not reproducible with the bisect repos, I guess we have to wait until 7.6.0.3 builds are available ( in 1-2 days ) and retest.
I also believe this is related to bug 156463

On pc Debian x86-64 with master sources updated today + gtk3, I don't reproduce this.

Remark: I just noticed that the pasted text in cell B1 was in 17.6 pt whereas initial A1 is 10 pt.
To have this, I must copy the test from formula bar, if I just copy A1, I don't have this bug.
Anyway, that's another story than this bugtracker.

(In reply to Julien Nabet from comment #5)
> Remark: I just noticed that the pasted text in cell B1 was in 17.6 pt
> whereas initial A1 is 10 pt.

This is tracked in bug 156209

(In reply to Stéphane Guillou (stragu) from comment #0)
> No crash with gen VCL. No crash with bibisect repo or debug build, so no
> bibisect nor debug symbols in backtrace.

I've encountered a crash on exit w/ gtk3 with a similar backtrace with a master debug build, see pending Gerrit change https://gerrit.libreoffice.org/c/core/+/155848 with a full backtrace in the commit message.

It probably doesn't fix the problem described here, though - if that one still exists - but the underlying problem might be similar.

Michael Weghorn committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/79cc574270582d03408286544d99227881f13bb8

related tdf#156683 a11y: Dispose FrameSelectorImpl a11y children

It will be available in 24.2.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Michael Weghorn committed a patch related to this issue.
It has been pushed to "libreoffice-7-6":

https://git.libreoffice.org/core/commit/d6c20138ef1a045ca8e830db5ee09bc5d77153be

related tdf#156683 a11y: Dispose FrameSelectorImpl a11y children

It will be available in 7.6.1.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Michael Weghorn committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/978cce0001ef9f37fb5fa5037a876f31ec558166

tdf#156683 a11y: Dispose a11y cells with tab list box header

It will be available in 24.2.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Still reproduced in 7.6.0.3:

Version: 7.6.0.3 (X86_64) / LibreOffice Community
Build ID: 69edd8b8ebc41d00b4de3915dc82f8f0fc3b6265
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

(In reply to Stéphane Guillou (stragu) from comment #11)
> Still reproduced in 7.6.0.3:
> ...

The patch has been pushed in 7.6 but it should be ok from 7.6.1 not 7.6.0 so it's expected.

(In reply to Julien Nabet from comment #12)
> The patch has been pushed in 7.6 but it should be ok from 7.6.1 not 7.6.0 so
> it's expected.

I was just following up on comment 4, but you're right, I should have gone straight to the pre-release.
Still, as Michael predicted, not fixed by d6c20138ef1a045ca8e830db5ee09bc5d77153be in:

Version: 7.6.1.1 (X86_64) / LibreOffice Community
Build ID: c7cda394c5de06de37d8109c310df89a4d4c3a98
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

Michael Weghorn committed a patch related to this issue.
It has been pushed to "libreoffice-7-6":

https://git.libreoffice.org/core/commit/5f8c9245a2d4d6387fe702fafe24c79139436401

tdf#156683 a11y: Dispose a11y cells with tab list box header

It will be available in 7.6.2.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Also reproducible with (e.g. today's) 7.6 daily build, with these warnings on stderr (not all of which have to be related):

warn:legacy.osl:13577:13577:comphelper/source/misc/accessiblewrapper.cxx:457: OAccessibleContextWrapperHelper::disposing(): inner context is no broadcaster!
warn:legacy.osl:13577:13577:sc/source/ui/view/tabvwshh.cxx:232: no accessibility broadcaster?
warn:legacy.osl:13577:13577:sc/source/ui/view/tabvwshh.cxx:232: no accessibility broadcaster?
warn:legacy.osl:13577:13577:sc/source/ui/view/tabvwshh.cxx:232: no accessibility broadcaster?
warn:legacy.osl:13577:13577:sc/source/ui/view/tabvwshh.cxx:232: no accessibility broadcaster?
warn:legacy.osl:13577:13577:comphelper/source/misc/accessiblewrapper.cxx:457: OAccessibleContextWrapperHelper::disposing(): inner context is no broadcaster!
warn:desktop:13577:13577:desktop/source/app/crashreport.cxx:61: minidump generated: /home/michi/.config/libreofficedev/4/crash//527047d1-fab0-441a-ccee53bf-0c64fedb.dmp

Version: 7.6.2.0.0+ (X86_64) / LibreOffice Community
Build ID: e79bd728e66272d14881d40167dcf57ef48571eb
CPU threads: 12; OS: Linux 6.4; UI render: default; VCL: gtk3
Locale: en-GB (en_GB.UTF-8); UI: en-US
Calc: threaded

(In reply to Michael Weghorn from comment #15)
> Also reproducible with (e.g. today's) 7.6 daily build, (...)

Luckily also reproducible with a local `--enable-dbgutil --enable-breakpad` build of the libreoffice-7-6 branch (but for some reason not master).

This pending Gerrit change (or rather, it's upcoming 7-6 backport) fixes it for me:
https://gerrit.libreoffice.org/c/core/+/156610

It's still possible/likely that other crashes on exit for different scenarios with a similar backtrace will still occur with that fix in place since some change now seems to trigger those when a11y objects haven't properly been disposed before, i.e. pre-existing issues with the object lifecycle now apparently result in a crash, while they didn't before.

It might be possible to identify/bisect (actual bisect, not using pre-built binaries from bibisect repo) what change causes this, but for now I'd rather focus on fixing the root causes if more of these issues pop up.
(IIUC, there shouldn't be any problem of data loss, since the crash is on exit, i.e. after docs have been saved already).

(In reply to Michael Weghorn from comment #16)
> It's still possible/likely that other crashes on exit for different
> scenarios with a similar backtrace will still occur with that fix in place
> since some change now seems to trigger those when a11y objects haven't
> properly been disposed before, i.e. pre-existing issues with the object
> lifecycle now apparently result in a crash, while they didn't before.
>
> It might be possible to identify/bisect (actual bisect, not using pre-built
> binaries from bibisect repo) what change causes this, but for now I'd rather
> focus on fixing the root causes if more of these issues pop up.
> (IIUC, there shouldn't be any problem of data loss, since the crash is on
> exit, i.e. after docs have been saved already).

@Noel: FYI. Any opinion/further thoughts? (Might be related to your previous changes for fixing a11y-related crashes on shutdown.)

Michael Weghorn committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/db0044242a897e447988169630ff74e4c8bfecf9

tdf#156683 a11y: Forward when wrapped a11y context is disposing

It will be available in 24.2.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Root cause fixed on master now.
Pending backport for 7-6: https://gerrit.libreoffice.org/c/core/+/156592

Michael Weghorn committed a patch related to this issue.
It has been pushed to "libreoffice-7-6-1":

https://git.libreoffice.org/core/commit/efb93cce623eabee330ac6aecb80ef8b82b8dfd2

tdf#156683 a11y: Dispose a11y cells with tab list box header

It will be available in 7.6.1.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Michael Weghorn committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/d9e31f3c82082226dbc5afa697d0f0ac7e4214a2

tdf#156683 a11y: Handle both disposing variants in context wrapper

It will be available in 24.2.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

*** Bug 157042 has been marked as a duplicate of this bug. ***

No crash anymore in:

Version: 24.2.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 10689e0f24e96781664e734fe23d109af6df77f1
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

Thank you Michael! :)

Michael Weghorn committed a patch related to this issue.
It has been pushed to "libreoffice-7-6":

https://git.libreoffice.org/core/commit/2f1181629a0a11ecc1c6eb5d6a5f09421b14a7c3

tdf#156683 a11y: Forward when wrapped a11y context is disposing

It will be available in 7.6.2.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Michael Weghorn committed a patch related to this issue.
It has been pushed to "libreoffice-7-6":

https://git.libreoffice.org/core/commit/ed86b56c0e0baf99ca65800eb83de1558f162734

tdf#156683 a11y: Handle both disposing variants in context wrapper

It will be available in 7.6.2.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

*** Bug 157419 has been marked as a duplicate of this bug. ***

*** Bug 157377 has been marked as a duplicate of this bug. ***

LibreOffice 7.6.2.1 on opensuse Tumbleweed. This just crashed when i closed it. It's a simple spreadsheet I am attaching, but the crash happens randomly at close, not every time.

Application: soffice (soffice), signal: Segmentation fault

[KCrash Handler]
#4 0x00007feea0b5fac0 in rtl_uString_release () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#5 0x00007fee9d6bf2fb in () at /usr/lib64/libreoffice/program/libmergedlo.so
#6 0x00007fee9d8130c3 in () at /usr/lib64/libreoffice/program/libmergedlo.so
#7 0x00007fee9c041b06 in __run_exit_handlers () at /lib64/libc.so.6
#8 0x00007fee9c041c50 in () at /lib64/libc.so.6
#9 0x00007fee9c0281b7 in __libc_start_call_main () at /lib64/libc.so.6
#10 0x00007fee9c028279 in __libc_start_main_impl () at /lib64/libc.so.6
#11 0x0000558e5b66b0c5 in ()
[Inferior 1 (process 31456) detached]

Created attachment 190495
spreadsheet that randomly crashes on close

(In reply to Eric from comment #28)
> LibreOffice 7.6.2.1 on opensuse Tumbleweed. This just crashed when i closed
> it. It's a simple spreadsheet I am attaching, but the crash happens randomly
> at close, not every time.

Didn't crash for me in a quick test, but that doesn't necessarily say much as you say it's random. In any case, unless this is known to be related to the issue originally described here, I think this should be handled in a separate bug report, ideally with some more details on what might help to trigger it.

Version: 24.2.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: df79eedf6989ab4c2913a23a7e72079bd719168b
CPU threads: 12; OS: Linux 6.5; UI render: default; VCL: gtk3
Locale: en-GB (en_GB.UTF-8); UI: en-US
Calc: threaded

How are you running version 24.2.0.0 of LibreOffice? I thought 7.6.2.x was the latest?

(In reply to Eric from comment #31)
> How are you running version 24.2.0.0 of LibreOffice? I thought 7.6.2.x was
> the latest?
Yes 7.6.2 is the last non dev and non beta release.

Now there are alpha versions (master branch which corresponds nowadays to "24.2") here:
https://dev-builds.libreoffice.org/daily/master/

*** Bug 157855 has been marked as a duplicate of this bug. ***