Description:
Quickly moving between different level headings in a Writer document using up and down keys while simultaneously moving the mouse over the headings in Navigator causes LibreOffice to crash in versions 4.4.0.3 to current 5.2.3.3.

Steps to Reproduce:
1. Create new Writer document. Ensure Navigator is visible.
2. Write any text on first line and change style to Heading 1.
3. Write any text on second line and change style to Heading 2.
4. Use the up and down arrow keys to quickly alternate the cursor between the two lines, while simultaneously moving the mouse between the two headers in the Navigator (without clicking). See demonstration in attached gif file.

Actual Results:
Immediate crash. See crash report in attached txt file and crash reports in http://crashreport.libreoffice.org/stats/signature/SwContentTree::GetTabPos(SvTreeListEntry%20*,SvLBoxTab%20*) for same issue.

Expected Results:
Not crash.

Reproducible: Always

User Profile Reset: Yes

Additional Info:
Reproduced on all versions from 4.4.0.3 to current 5.2.3.3. Could not reproduce on version 4.3.7.2 or earlier. Reproduced on OS X (Mavericks and El Capitan) and Linux (Ubuntu 16.04). The crash reports in http://crashreport.libreoffice.org/stats/signature/SwContentTree::GetTabPos(SvTreeListEntry%20*,SvLBoxTab%20*) are for the same issue in Windows.

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
Created attachment 128582: Navigator Crash Demonstration
Created attachment 128584: Navigator Crash Report
The line in the source code at which the crash occurs is here: https://cgit.freedesktop.org/libreoffice/core/tree/sw/source/uibase/utlui/content.cxx?h=libreoffice-5-2#n1273
This is an excellent bug report, thank you for all the details. Reproduced with 5.2.3.3 and 5.3 daily build from 11-04 / Windows 7.
Oh yeah, since it's a regression, let's add the appropriate keywords.
I can't reproduce it in Version: 5.3.0.0.alpha1+ Build ID: 60da087d7e182b58b63d4123c9bd96c82376d450 CPU Threads: 4; OS Version: Linux 4.2; UI Render: default; VCL: gtk3; Layout Engine: new; Locale: ca-ES (ca_ES.UTF-8); Calc: group
I was unable to reproduce the bug in daily Linux dbgutil bibisect repository version 2016-11-14, but working in the win32-5.0 bibisect repository on Windows Vista, I see from `git bisect bad` (lines rewrapped) ...

8b43ab2181ab6003c30c68f46a520377e78ab3b6 is the first bad commit
commit 8b43ab2181ab6003c30c68f46a520377e78ab3b6
Author: Norbert Thiebaud <nthiebaud@gmail.com>
Date: Sun May 3 07:15:26 2015 -0500

    source 329742e6c9da7cd7848d92a6846e3d1249d8d9b4

    source 329742e6c9da7cd7848d92a6846e3d1249d8d9b4

:040000 040000 9032c6d3b80c9800c9cfd09c6681f0ba8464e29a e4520d0a12b9c740e9191bca0ae7c0b7b0b038e4 M instdir

and from `git bisect log` (lines rewrapped) ...

# bad: [b7988d11e5d3751a4b366b2bfc9048f7a30e8526] source 87ac0b1e75a880a68ecb748bd4b34ae5a3d2ae98
# good: [f449493ae11ac76cc7396bddeaa624a60c565936] source 57d6b92b69a31260dea0d84fcd1fc5866ada7adb
git bisect start 'origin/master' 'oldest'
# bad: [66e2ae767eb4bb83444e3d03bcb90adcbe6d4991] source 5a308b1239a09417507b0d05090ff2d3418d5133
git bisect bad 66e2ae767eb4bb83444e3d03bcb90adcbe6d4991
# bad: [90c1dbb098a6d957f2293692716251ee5a6053ca] source 2813632238380e0bfe40c0e6404a07102cde1398
git bisect bad 90c1dbb098a6d957f2293692716251ee5a6053ca
# bad: [5b8e174eb7b3d996d6c90862d7228e1b928a9787] source 4de09a9efdb62cf90ce18662852e556cf7148e14
git bisect bad 5b8e174eb7b3d996d6c90862d7228e1b928a9787
# bad: [175f015ea35c89712f927eaef03b6a77895fc1a9] source b46f781440130e6a629bf9ae14a62310d2a31021
git bisect bad 175f015ea35c89712f927eaef03b6a77895fc1a9
# bad: [b8cd2bb2104ad294e312019417ae140fdb87766e] source fdba97bb3940b2763167510fab91df4b33293115
git bisect bad b8cd2bb2104ad294e312019417ae140fdb87766e
# bad: [f0242df5af685c9704ec1082e83405b7a730ff2b] source af90d610e3c09c32b15beee2d42d86a4dd6aac4d
git bisect bad f0242df5af685c9704ec1082e83405b7a730ff2b
# good: [280b414ab8da683cb13a415f2670245ad040f719] source 46bdfa98c107e0aba92e42b46c0c5a287251017b
git bisect good 280b414ab8da683cb13a415f2670245ad040f719
# bad: [f5ebed82e101cabb87d112fd96d4e2d4a80de9de] source 674c7abbd6b5e9014812d4f8839f62639fe9a7f4
git bisect bad f5ebed82e101cabb87d112fd96d4e2d4a80de9de
# good: [765d7783977fe500687b37da3bea3de1769e011a] source 0469d54c22d691a70eca407421306192a4ae0a12
git bisect good 765d7783977fe500687b37da3bea3de1769e011a
# good: [909b095511bd61805b5baba4fc9817cd30588e2c] source c1a0e74d3ce81e3e84c782e1a2f13dc814bf6575
git bisect good 909b095511bd61805b5baba4fc9817cd30588e2c
# bad: [4b9acdd0909c6e1ee66610dd1247f152fd286132] source 17e51f427b3f0cec74ac8e0a1b3f51189006ae6f
git bisect bad 4b9acdd0909c6e1ee66610dd1247f152fd286132
# bad: [56c7bf833e1e11ae0b1d440f4fc87b77d81ae799] source 880f94b86ad8559081839fc444bfa1a589fdec29
git bisect bad 56c7bf833e1e11ae0b1d440f4fc87b77d81ae799
# bad: [8b43ab2181ab6003c30c68f46a520377e78ab3b6] source 329742e6c9da7cd7848d92a6846e3d1249d8d9b4
git bisect bad 8b43ab2181ab6003c30c68f46a520377e78ab3b6
# first bad commit: [8b43ab2181ab6003c30c68f46a520377e78ab3b6] source 329742e6c9da7cd7848d92a6846e3d1249d8d9b4

and from `git log` in a source repository (lines rewrapped) ...

commit 329742e6c9da7cd7848d92a6846e3d1249d8d9b4
Author: Michael Stahl <mstahl@redhat.com>
Date: Fri Nov 21 15:16:20 2014 +0100

    fdo#85886 don't redraw the Navigator content tree if nothing changed

    This fixes the flickering of the scrollbar on re-draw once a second.
    Perhaps it helps for the performance issue too.

    Change-Id: I2ec8f0a8a241b128113bfa3d47fb09ba472b4a7e

I am removing keyword bibisectRequest and adding bisected.
Adding Cc: to Michael Stahl
fixed on master
Michael Stahl committed a patch related to this issue. It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=cbdf4e007650cfda4f7808402e8e24ae66d45792

tdf#103788 sw: fix use-after-free in navigator dialog

It will be available in 5.4.0.

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Michael Stahl committed a patch related to this issue. It has been pushed to "libreoffice-5-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=dbfa3841018672d8af8e9bf1bdb4caf6cdf0ce7d&h=libreoffice-5-3

tdf#103788 sw: fix use-after-free in navigator dialog

It will be available in 5.3.0.1.

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Tested on the daily build. Fix worked, could not reproduce.
Michael Stahl committed a patch related to this issue. It has been pushed to "libreoffice-5-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=09b714195bc61773c6021a78247478e86ee90d41&h=libreoffice-5-2

tdf#103788 sw: fix use-after-free in navigator dialog

It will be available in 5.2.4.

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.