Bug 159023 - Crash in SwTextFrame::MapModelToView(SwTextNode const*, int) const after pasting table and navigating left in footnote
Summary: Crash in SwTextFrame::MapModelToView(SwTextNode const*, int) const after past...
Status: VERIFIED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer (show other bugs)
Version:
(earliest affected)
7.0.0.3 release
Hardware: x86-64 (AMD64) All
: medium critical
Assignee: Michael Stahl (allotropia)
URL:
Whiteboard: target:24.8.0 target:25.2.0
Keywords: bibisected, bisected, regression
Depends on:
Blocks: Footnote-Endnote Crash
  Show dependency treegraph
 
Reported: 2024-01-04 17:10 UTC by Stéphane Guillou (stragu)
Modified: 2024-10-28 09:19 UTC (History)
3 users (show)

See Also:
Crash report or crash signature: ["SwTextFrame::MapModelToView(SwTextNode const*, int) const","SwTextFrame::MapModelToView"]


Attachments
sample ODT (12.36 KB, application/vnd.oasis.opendocument.text)
2024-01-04 17:10 UTC, Stéphane Guillou (stragu)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stéphane Guillou (stragu) 2024-01-04 17:10:33 UTC
Created attachment 191764 [details]
sample ODT

This bug was filed from the crash reporting server and is br-814dc209-d8a3-4359-a307-df9d69d342ff.
=========================================

Discovered while testing bug 158740.

Steps:
1. Open attachment
2. Copy the table
3. Place cursor at the beginning of footnote paragraph
5. Paste
6. Move cursor to the left twice

Result: https://crashreport.libreoffice.org/stats/crash_details/814dc209-d8a3-4359-a307-df9d69d342ff

In 7.0, 

Not reproduced in 6.4.0.3, reproduced in:

Version: 7.0.6.2
Build ID: 144abb84a525d8e30c9dbbefa69cbbf2d8d4ae3b
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded
...with different signature: https://crashreport.libreoffice.org/stats/crash_details/ce6122a4-7b82-4829-9f55-5cc7f89b7707

Up to a recent trunk build:

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 960e37af28807ed1b376e26c4504ab755a81dfd5
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

Bibisected with linux-64-7.0 repo to first bad build [6a226c611e759b48cdc0f1b60578836ecd7aaa44] which points to:

commit 166b5010b402a41b192b1659093a25acf9065fd9
author	Michael Stahl Thu Apr 02 17:18:37 2020 +0200
committer	Michael Stahl Fri Apr 03 17:20:22 2020 +0200
tdf#130685 sw_redlinehide: fix copying to position following redline
Change-Id: I82e0f5b320cab201e762f58800f83e08f4f01048
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/91596

Michael, can you please have a look?
Comment 1 Telesto 2024-01-04 20:02:02 UTC
Confirm
Version: 24.2.0.0.alpha1+ (X86_64) / LibreOffice Community
Build ID: a9ad36ae46ff76c0d59b0d170314fdd3a9ee5d35
CPU threads: 4; OS: Windows 6.3 Build 9600; UI render: Skia/Raster; VCL: win
Locale: nl-NL (nl_NL); UI: en-US
Calc: CL threaded
Comment 2 Julien Nabet 2024-01-05 10:40:16 UTC
On pc Debian x86-64 with master sources updated today, I don't reproduce the crash.
Comment 3 Matt K 2024-01-08 23:42:05 UTC
I was able to repro an assert firing at:

SwTextFrame::MapModelToView(SwTextNode const*const pNode, sal_Int32 const nIndex) const

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 205dd919179f34815d7e16c8dc73d2a7efd34535
CPU threads: 16; OS: Windows 10.0 Build 22631; UI render: Skia/Raster; VCL: win
Locale: en-US (en_US); UI: en-US
Calc: threaded
Comment 4 Michael Stahl (allotropia) 2024-01-18 11:06:08 UTC
can't reproduce - i can't paste the table inside the footnote because table isn't allowed in footnote - i can paste the table at the start of the body paragraph that contains the footnote reference (in case that was intended), but then i don't get a crash moving the cursor.
Comment 5 Stéphane Guillou (stragu) 2024-01-18 16:15:10 UTC
(In reply to Michael Stahl (allotropia) from comment #4)
> can't reproduce - i can't paste the table inside the footnote because table
> isn't allowed in footnote - i can paste the table at the start of the body
> paragraph that contains the footnote reference (in case that was intended),
> but then i don't get a crash moving the cursor.

The table does not show either for me, but still it is a required step to then crash it.
Does it not crash for you following exactly the steps in Description?
Comment 6 Telesto 2024-01-18 16:39:56 UTC
Slightly confused: The steps are nearly identical as bug 159025 comment 6. So problem source might be the same
Comment 7 Commit Notification 2024-01-22 07:56:27 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/4b68824d18316762a6afc35d355221e0228aebf8

tdf#159023 sw_redlinehide: fix layout frames copying table into footer

It will be available in 24.8.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 8 Michael Stahl (allotropia) 2024-01-22 07:57:55 UTC
okay thanks not sure what i did, perhaps used the wrong cursor key :)

turns out the table is in fact pasted, but as just 4 paragraphs, and the problem was that the layout frames for those paragraphs were not created.

fixed on master

next problem is that after pasting, Undo will crash with 

sw/source/core/txtnode/thints.cxx:1346: bool SwTextNode::InsertHint(SwTextAttr*, SetAttrMode): Assertion `pAttr && pAttr->GetStart() <= Len()' failed.

apparently this is the crash that https://bugs.documentfoundation.org/show_bug.cgi?id=159025#c6 is about and it's a pre-existing one (can repro in LO 6.1) so should be tracked there, not here.
Comment 9 Stéphane Guillou (stragu) 2024-01-25 06:21:14 UTC
Thank you Michael, I verified the fix in:

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: d0dcd87788910e3c9f67a2b68534019c05b77bad
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded
Comment 10 Commit Notification 2024-10-28 09:19:11 UTC
Samuel Adesola committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/dba98bdebcf99c957d883c18f44db2602956e281

tdf#159023 CPP unit test for Crash in SwTextFrame::MapModelToView Fix

It will be available in 25.2.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.