On Thu, 2012-03-08 at 19:45 +0100, Dézsi Szabolcs wrote:
> Hi!
>
> Error is in svx/source/sdr/overlay/overlaymanagerbuffered.cxx
>
> 386: Window& rWindow = static_cast< Window& >(rmOutputDevice);
> 387: Cursor* pCursor = rWindow.GetCursor();
>
> Maybe something is with the timing of instructions because there are
> two lines which are exactly the same, and there works everything:

I think this is a bit screwed up, here's a valgrind trace I generated with export VALGRIND=memcheck and repeated the how-to-reproduce step.

The line "pCandidate->Update();" in overlaymanagerbuffered.cxx:376 triggers a series of events that deletes the overlaymanager whose ImpBufferTimerHandler is still executing, i.e. "this" is destroyed. We get lucky sometimes because sometimes the drawing happens while the flashing text cursor is in the not-drawn state when we enter.

In the absence of alternative ideas, we could try and work some reference count stuff in there. Even with pulling the window/cursor info out while reference is still valid before this gets deleted, there's still use of some members at the end of the method which are equally broken :-(

C.

==24731== Invalid read of size 8
==24731==    at 0x24A3DB85: sdr::overlay::OverlayManagerBuffered::ImpBufferTimerHandler(AutoTimer*) (overlaymanagerbuffered.cxx:386)
==24731==    by 0x24A3D220: sdr::overlay::OverlayManagerBuffered::LinkStubImpBufferTimerHandler(void*, void*) (overlaymanagerbuffered.cxx:220)
==24731==    by 0x8545893: Link::Call(void*) const (link.hxx:140)
==24731==    by 0x855F9D0: Timer::Timeout() (timer.cxx:256)
==24731==    by 0x855F639: Timer::ImplTimerCallbackProc() (timer.cxx:144)
==24731==    by 0x17FFADD8: SalTimer::CallCallback() (saltimer.hxx:66)
==24731==    by 0x17FFA4B6: sal_gtk_timeout_dispatch (gtkdata.cxx:849)
==24731==    by 0x3066844ACC: g_main_context_dispatch (gmain.c:2441)
==24731==    by 0x30668452C7: g_main_context_iterate (gmain.c:3089)
==24731==    by 0x306684549B: g_main_context_iteration (gmain.c:3152)
==24731==    by 0x17FF9809: GtkData::Yield(bool, bool) (gtkdata.cxx:587)
==24731==    by 0x17FFC233: GtkInstance::Yield(bool, bool) (gtkinst.cxx:605)
==24731==    by 0x8557614: ImplYield(bool, bool) (svapp.cxx:458)
==24731==    by 0x8553C14: Application::Yield(bool) (svapp.cxx:492)
==24731==    by 0x8553BB5: Application::Execute() (svapp.cxx:435)
==24731==    by 0x4EAC7E8: desktop::Desktop::Main() (app.cxx:1885)
==24731==    by 0x855D168: ImplSVMain() (svmain.cxx:178)
==24731==    by 0x855D2AE: SVMain() (svmain.cxx:215)
==24731==    by 0x4EDC255: soffice_main (in /home/caolan/LibreOffice/libreoffice-3-5/solver/unxlngx6.pro/lib/libsofficeapp.so)
==24731==    by 0x400733: sal_main (in /home/caolan/LibreOffice/libreoffice-3-5/solver/unxlngx6.pro/installation/opt/program/soffice.bin)
==24731==    by 0x400718: main (in /home/caolan/LibreOffice/libreoffice-3-5/solver/unxlngx6.pro/installation/opt/program/soffice.bin)
==24731== Address 0xd473a30 is 80 bytes inside a block of size 1,168 free'd
==24731==    at 0x4A062BC: operator delete(void*) (vg_replace_malloc.c:387)
==24731==    by 0x24A3DE8F: sdr::overlay::OverlayManagerBuffered::~OverlayManagerBuffered() (overlaymanagerbuffered.cxx:425)
==24731==    by 0x24A71194: SdrPaintWindow::impCreateOverlayManager(bool) (sdrpaintwindow.cxx:178)
==24731==    by 0x24A7157F: SdrPaintWindow::DrawOverlay(Region const&, bool) (sdrpaintwindow.cxx:274)
==24731==    by 0x24B8EA45: SdrPaintView::EndCompleteRedraw(SdrPaintWindow&, bool) (svdpntv.cxx:767)
==24731==    by 0x24969D29: FmFormView::EndCompleteRedraw(SdrPaintWindow&, bool) (fmview.cxx:498)
==24731==    by 0x24B8EBDF: SdrPaintView::EndDrawLayers(SdrPaintWindow&, bool) (svdpntv.cxx:810)
==24731==    by 0x20FFCF97: ViewShell::DLPostPaint2(bool) (viewsh.cxx:192)
==24731==    by 0x21003243: ViewShell::Paint(Rectangle const&) (viewsh.cxx:1681)
==24731==    by 0x20A336C1: SwCrsrShell::Paint(Rectangle const&) (crsrsh.cxx:1165)
==24731==    by 0x211F3CA0: SwEditWin::Paint(Rectangle const&) (edtwin2.cxx:535)
==24731==    by 0x88EF845: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2419)
==24731==    by 0x890101B: Window::Update() (window.cxx:7453)
==24731==    by 0x24A3DB57: sdr::overlay::OverlayManagerBuffered::ImpBufferTimerHandler(AutoTimer*) (overlaymanagerbuffered.cxx:376)
==24731==    by 0x24A3D220: sdr::overlay::OverlayManagerBuffered::LinkStubImpBufferTimerHandler(void*, void*) (overlaymanagerbuffered.cxx:220)
==24731==    by 0x8545893: Link::Call(void*) const (link.hxx:140)
==24731==    by 0x855F9D0: Timer::Timeout() (timer.cxx:256)
==24731==    by 0x855F639: Timer::ImplTimerCallbackProc() (timer.cxx:144)
==24731==    by 0x17FFADD8: SalTimer::CallCallback() (saltimer.hxx:66)
==24731==    by 0x17FFA4B6: sal_gtk_timeout_dispatch (gtkdata.cxx:849)
==24731==    by 0x3066844ACC: g_main_context_dispatch (gmain.c:2441)
==24731==    by 0x30668452C7: g_main_context_iterate (gmain.c:3089)
==24731==    by 0x306684549B: g_main_context_iteration (gmain.c:3152)
==24731==    by 0x17FF9809: GtkData::Yield(bool, bool) (gtkdata.cxx:587)
==24731==    by 0x17FFC233: GtkInstance::Yield(bool, bool) (gtkinst.cxx:605)
==24731==    by 0x8557614: ImplYield(bool, bool) (svapp.cxx:458)
==24731==    by 0x8553C14: Application::Yield(bool) (svapp.cxx:492)
==24731==    by 0x8553BB5: Application::Execute() (svapp.cxx:435)
==24731==    by 0x4EAC7E8: desktop::Desktop::Main() (app.cxx:1885)
==24731==    by 0x855D168: ImplSVMain() (svmain.cxx:178)
==24731==    by 0x855D2AE: SVMain() (svmain.cxx:215)
==24731==    by 0x4EDC255: soffice_main (in /home/caolan/LibreOffice/libreoffice-3-5/solver/unxlngx6.pro/lib/libsofficeapp.so)
==24731==    by 0x400733: sal_main (in /home/caolan/LibreOffice/libreoffice-3-5/solver/unxlngx6.pro/installation/opt/program/soffice.bin)
==24731==    by 0x400718: main (in /home/caolan/LibreOffice/libreoffice-3-5/solver/unxlngx6.pro/installation/opt/program/soffice.bin)
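
Added example, not part of the original message and not LibreOffice code: a minimal model of the reference-count idea raised above, where the timer handler pins its own object across the re-entrant repaint and then checks whether the owner replaced it before touching any members. The class names, the `detached` flag and `bufferState` are hypothetical stand-ins.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for the buffered overlay manager (not LibreOffice code).
struct OverlayManager : std::enable_shared_from_this<OverlayManager> {
    std::vector<std::string>& log;
    std::function<void()> update = [] {};  // models the repaint call in the handler
    bool detached = false;                 // set by the owner when it replaces us
    int bufferState = 42;                  // constructed member read at the handler's end
    explicit OverlayManager(std::vector<std::string>& l) : log(l) {}
    ~OverlayManager() { log.push_back("destroyed"); }

    bool timerHandler() {
        // Keep-alive reference: "this" cannot be freed before the handler returns.
        std::shared_ptr<OverlayManager> keepAlive = shared_from_this();
        update();                  // may re-enter and replace this manager
        if (detached) {            // alive, but no longer the window's manager
            log.push_back("handler: detached, skipping tail");
            return false;
        }
        log.push_back("handler: buffer=" + std::to_string(bufferState));
        return true;
    }
};

// Hypothetical owner; createManager() models the replacement seen in the trace.
struct PaintWindow {
    std::vector<std::string> log;  // declared first so it outlives the manager
    std::shared_ptr<OverlayManager> manager;
    void createManager() {
        if (manager) manager->detached = true;
        manager = std::make_shared<OverlayManager>(log);
    }
};

// A repaint inside the handler replaces the manager whose handler is running.
std::vector<std::string> runScenario() {
    PaintWindow win;
    win.createManager();
    OverlayManager* first = win.manager.get();
    first->update = [&win] { win.createManager(); };
    win.log.push_back(first->timerHandler() ? "tail ran" : "tail skipped");
    return win.log;
}
int main() {
    for (const std::string& line : runScenario()) std::cout << line << '\n';
}
```

The keep-alive reference alone only defers the free until the handler returns; the `detached` check is what keeps the end of the handler from operating on a manager the window no longer owns.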