https://issues.apache.org/ooo/show_bug.cgi?id=124392

Andre <awf....@googlemail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |o...@apache.org

--- Comment #18 from Andre <awf....@googlemail.com> ---
Oliver (orw) has found the root cause (beware, this is not for the faint of
heart):

- A double click on one of the styles is handled (eventually) by
SfxCommonTemplateDialog_Impl::Execute_Impl().

- It executes a slot call of SID_STYLE_APPLY.

- This call is made synchronously.

- The same method is also used to handle, for instance, SID_STYLE_NEW
(triggered by right mouse click in "Styles and Formatting" dialog, then context
menu->New...).  This opens a dialog that is modal for the application window
but not modal with respect to the "Styles and Formatting" dialog.  That means
that while the "Graphics Style..." dialog is open, and the SID_STYLE_NEW slot
call is still pending (remember, it is made synchronously), the S&F dialog can
be closed.

- To handle the destruction of the SfxCommonTemplateDialog_Impl class (which
implements the S&F dialog) right in the middle of one of its methods, somebody
came up with the clever idea to introduce a class named Deleted.  It contains a
single boolean which is initialized to false and set to true in the destructor
of SfxCommonTemplateDialog_Impl.  This allows this (pseudo) code:

   Deleted aDeleted;
   make slot call that possibly deletes this
   if (aDeleted.IsDeleted())
       return without touching any member variables

- In order to allow the ~SfxCommonTemplateDialog_Impl to access the local
Deleted object on the stack, its pointer is stored in the member pbDeleted.

- In our case (processing the SID_STYLE_NEW slot) the pbDeleted member is set
to the pointer of a local variable on the stack but it is not reset when
the method is left.

- Therefore, when the closer is clicked, pbDeleted still holds a pointer.  This
pointer now points to some random memory on the stack.  Accessing and modifying
it leads to the crash.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.
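
Added example, not part of the original comment and not the OpenOffice code or its actual fix: a minimal C++ model of the stale pbDeleted pointer described in comment #18, next to an RAII guard that resets the pointer on every exit path. Dialog, DeletedGuard, ExecuteLeaky and ExecuteGuarded are hypothetical names; only pbDeleted comes from the comment.

```cpp
#include <functional>

// Hypothetical stand-in for SfxCommonTemplateDialog_Impl.
class Dialog {
public:
    bool* pbDeleted = nullptr;  // address of a flag in a caller's stack frame

    ~Dialog() { if (pbDeleted) *pbDeleted = true; }  // wild stack write if stale

    // Registers the flag and unregisters it when the scope is left,
    // unless the dialog was destroyed during the call.
    struct DeletedGuard {
        Dialog& rDialog;
        bool bDeleted = false;
        explicit DeletedGuard(Dialog& r) : rDialog(r) { r.pbDeleted = &bDeleted; }
        ~DeletedGuard() { if (!bDeleted) rDialog.pbDeleted = nullptr; }
    };

    // Pattern from the comment: the pointer is set but never reset.
    bool ExecuteLeaky(const std::function<void()>& rSlotCall) {
        bool bDeleted = false;
        pbDeleted = &bDeleted;
        rSlotCall();             // synchronous slot call, may destroy *this
        return bDeleted;         // pbDeleted now points into a dead frame
    }

    bool ExecuteGuarded(const std::function<void()>& rSlotCall) {
        DeletedGuard aGuard(*this);
        rSlotCall();             // synchronous slot call, may destroy *this
        return aGuard.bDeleted;  // no member access after the call
    }
};

bool leakyLeavesStalePointer() {
    Dialog aDialog;
    aDialog.ExecuteLeaky([] {});
    bool bStale = (aDialog.pbDeleted != nullptr);
    aDialog.pbDeleted = nullptr;  // demo only: stop ~Dialog writing through it
    return bStale;
}

bool guardedClearsPointer() {
    Dialog aDialog;
    aDialog.ExecuteGuarded([] {});
    return aDialog.pbDeleted == nullptr;
}

bool guardedDetectsDeletion() {
    Dialog* pDialog = new Dialog;
    return pDialog->ExecuteGuarded([pDialog] { delete pDialog; });
}
```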
