Bug 103788 - Navigator crash on mouseover while quickly moving between headings in document
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version: 4.4.0.3 release (earliest affected)
Hardware: All All
Importance: high critical
Assignee: Michael Stahl (CIB)
URL:
Whiteboard: target:5.4.0 target:5.3.0.1 target:5.2.4
Keywords: bibisected, bisected, haveBacktrace, regression
Depends on:
Blocks:
 
Reported: 2016-11-08 16:56 UTC by Cory Fletcher
Modified: 2016-11-28 11:23 UTC

See Also:
Crash report or crash signature: ["SwContentTree::GetTabPos(SvTreeListEntry *,SvLBoxTab *)"]


Attachments
Navigator Crash Demonstration (763.34 KB, image/gif)
2016-11-08 16:58 UTC, Cory Fletcher
Navigator Crash Report (6.31 KB, text/plain)
2016-11-08 16:59 UTC, Cory Fletcher

Description Cory Fletcher 2016-11-08 16:56:47 UTC
Description:
Quickly moving between different level headings in a Writer document using up and down keys while simultaneously moving the mouse over the headings in Navigator causes LibreOffice to crash in versions 4.4.0.3 to current 5.2.3.3.

Steps to Reproduce:
1. Create new Writer document. Ensure Navigator is visible.
2. Write any text on first line and change style to Heading 1.
3. Write any text on second line and change style to Heading 2.
4. Use the up and down arrow keys to quickly alternate the cursor between the two lines, while simultaneously moving the mouse between the two headers in the Navigator (without clicking).

See demonstration in attached gif file.

Actual Results:  
Immediate crash. 

See crash report in attached txt file and crash reports in http://crashreport.libreoffice.org/stats/signature/SwContentTree::GetTabPos(SvTreeListEntry%20*,SvLBoxTab%20*) for same issue.

Expected Results:
No crash.


Reproducible: Always

User Profile Reset: Yes

Additional Info:
Reproduced on all versions from 4.4.0.3 to current 5.2.3.3. Could not reproduce on version 4.3.7.2 or earlier. Reproduced on OS X (Mavericks and El Capitan) and Linux (Ubuntu 16.04).

The crash reports in http://crashreport.libreoffice.org/stats/signature/SwContentTree::GetTabPos(SvTreeListEntry%20*,SvLBoxTab%20*) are for the same issue in Windows.


User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
Comment 1 Cory Fletcher 2016-11-08 16:58:11 UTC
Created attachment 128582
Navigator Crash Demonstration
Comment 2 Cory Fletcher 2016-11-08 16:59:43 UTC
Created attachment 128584
Navigator Crash Report
Comment 3 Cory Fletcher 2016-11-08 17:04:09 UTC
The line in the source code at which the crash occurs is here:

https://cgit.freedesktop.org/libreoffice/core/tree/sw/source/uibase/utlui/content.cxx?h=libreoffice-5-2#n1273
Comment 4 Aron Budea 2016-11-09 03:13:53 UTC
This is an excellent bug report, thank you for all the details.

Reproduced with 5.2.3.3 and 5.3 daily build from 11-04 / Windows 7.
Comment 5 Aron Budea 2016-11-09 03:18:17 UTC
Oh yeah, since it's a regression, let's add the appropriate keywords.
Comment 6 Xisco Faulí 2016-11-12 13:48:10 UTC
I can't reproduce it in

Version: 5.3.0.0.alpha1+
Build ID: 60da087d7e182b58b63d4123c9bd96c82376d450
CPU Threads: 4; OS Version: Linux 4.2; UI Render: default; VCL: gtk3; Layout Engine: new; 
Locale: ca-ES (ca_ES.UTF-8); Calc: group
Comment 7 Terrence Enger 2016-11-17 16:32:09 UTC
I was unable to reproduce the bug in daily Linux dbgutil bibisect
repository version 2016-11-14, but working in the win32-5.0 bibisect
repository on Windows Vista, I see from `git bisect bad` (lines
rewrapped) ...

    8b43ab2181ab6003c30c68f46a520377e78ab3b6 is the first bad commit
    commit 8b43ab2181ab6003c30c68f46a520377e78ab3b6
    Author: Norbert Thiebaud <nthiebaud@gmail.com>
    Date:   Sun May 3 07:15:26 2015 -0500

        source sha:329742e6c9da7cd7848d92a6846e3d1249d8d9b4
    
        source sha:329742e6c9da7cd7848d92a6846e3d1249d8d9b4

    :040000 040000 9032c6d3b80c9800c9cfd09c6681f0ba8464e29a
        e4520d0a12b9c740e9191bca0ae7c0b7b0b038e4 M	instdir

and from `git bisect log` (lines rewrapped) ...

    # bad: [b7988d11e5d3751a4b366b2bfc9048f7a30e8526]
        source sha:87ac0b1e75a880a68ecb748bd4b34ae5a3d2ae98
    # good: [f449493ae11ac76cc7396bddeaa624a60c565936]
        source sha:57d6b92b69a31260dea0d84fcd1fc5866ada7adb
    git bisect start 'origin/master' 'oldest'
    # bad: [66e2ae767eb4bb83444e3d03bcb90adcbe6d4991]
        source sha:5a308b1239a09417507b0d05090ff2d3418d5133
    git bisect bad 66e2ae767eb4bb83444e3d03bcb90adcbe6d4991
    # bad: [90c1dbb098a6d957f2293692716251ee5a6053ca]
        source sha:2813632238380e0bfe40c0e6404a07102cde1398
    git bisect bad 90c1dbb098a6d957f2293692716251ee5a6053ca
    # bad: [5b8e174eb7b3d996d6c90862d7228e1b928a9787]
        source sha:4de09a9efdb62cf90ce18662852e556cf7148e14
    git bisect bad 5b8e174eb7b3d996d6c90862d7228e1b928a9787
    # bad: [175f015ea35c89712f927eaef03b6a77895fc1a9]
        source sha:b46f781440130e6a629bf9ae14a62310d2a31021
    git bisect bad 175f015ea35c89712f927eaef03b6a77895fc1a9
    # bad: [b8cd2bb2104ad294e312019417ae140fdb87766e]
        source sha:fdba97bb3940b2763167510fab91df4b33293115
    git bisect bad b8cd2bb2104ad294e312019417ae140fdb87766e
    # bad: [f0242df5af685c9704ec1082e83405b7a730ff2b]
        source sha:af90d610e3c09c32b15beee2d42d86a4dd6aac4d
    git bisect bad f0242df5af685c9704ec1082e83405b7a730ff2b
    # good: [280b414ab8da683cb13a415f2670245ad040f719]
        source sha:46bdfa98c107e0aba92e42b46c0c5a287251017b
    git bisect good 280b414ab8da683cb13a415f2670245ad040f719
    # bad: [f5ebed82e101cabb87d112fd96d4e2d4a80de9de]
        source sha:674c7abbd6b5e9014812d4f8839f62639fe9a7f4
    git bisect bad f5ebed82e101cabb87d112fd96d4e2d4a80de9de
    # good: [765d7783977fe500687b37da3bea3de1769e011a]
        source sha:0469d54c22d691a70eca407421306192a4ae0a12
    git bisect good 765d7783977fe500687b37da3bea3de1769e011a
    # good: [909b095511bd61805b5baba4fc9817cd30588e2c]
        source sha:c1a0e74d3ce81e3e84c782e1a2f13dc814bf6575
    git bisect good 909b095511bd61805b5baba4fc9817cd30588e2c
    # bad: [4b9acdd0909c6e1ee66610dd1247f152fd286132]
        source sha:17e51f427b3f0cec74ac8e0a1b3f51189006ae6f
    git bisect bad 4b9acdd0909c6e1ee66610dd1247f152fd286132
    # bad: [56c7bf833e1e11ae0b1d440f4fc87b77d81ae799]
        source sha:880f94b86ad8559081839fc444bfa1a589fdec29
    git bisect bad 56c7bf833e1e11ae0b1d440f4fc87b77d81ae799
    # bad: [8b43ab2181ab6003c30c68f46a520377e78ab3b6]
        source sha:329742e6c9da7cd7848d92a6846e3d1249d8d9b4
    git bisect bad 8b43ab2181ab6003c30c68f46a520377e78ab3b6
    # first bad commit: [8b43ab2181ab6003c30c68f46a520377e78ab3b6]
        source sha:329742e6c9da7cd7848d92a6846e3d1249d8d9b4

and from `git log` in a source repository (lines rewrapped) ...

    commit 329742e6c9da7cd7848d92a6846e3d1249d8d9b4
    Author: Michael Stahl <mstahl@redhat.com>
    Date:   Fri Nov 21 15:16:20 2014 +0100

        fdo#85886 don't redraw the Navigator content tree if nothing
        changed
    
        This fixes the flickering of the scrollbar on re-draw once a
        second.  Perhaps it helps for the performance issue too.
    
        Change-Id: I2ec8f0a8a241b128113bfa3d47fb09ba472b4a7e


I am removing keyword bibisectRequest and adding bisected.
Comment 8 Xisco Faulí 2016-11-22 13:32:16 UTC
Adding Cc: to Michael Stahl
Comment 9 Michael Stahl (CIB) 2016-11-24 22:03:54 UTC
fixed on master
Comment 10 Commit Notification 2016-11-24 22:05:22 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=cbdf4e007650cfda4f7808402e8e24ae66d45792

tdf#103788 sw: fix use-after-free in navigator dialog

It will be available in 5.4.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 11 Commit Notification 2016-11-25 13:02:43 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-5-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=dbfa3841018672d8af8e9bf1bdb4caf6cdf0ce7d&h=libreoffice-5-3

tdf#103788 sw: fix use-after-free in navigator dialog

It will be available in 5.3.0.1.

Comment 12 Cory Fletcher 2016-11-27 21:03:55 UTC
Tested on the daily build. Fix worked, could not reproduce.
Comment 13 Commit Notification 2016-11-28 11:23:45 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-5-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=09b714195bc61773c6021a78247478e86ee90d41&h=libreoffice-5-2

tdf#103788 sw: fix use-after-free in navigator dialog

It will be available in 5.2.4.
