Description:
Crash while undoing

Steps to Reproduce:
1. Open attachment 119202 [details] (bug 94225)
2. Type below the image 'AAA'
3. Press CTRL+A and CTRL+C
4. Deselect AAA
4. Press enter to add a new line below AAA
5. CTRL+V
6. Three times CTRL+Z -> Crash

Actual Results:
Crash

Expected Results:
No crash

Reproducible: Always

User Profile Reset: No

Additional Info:
Crashreport http://crashreport.libreoffice.org/stats/crash_details/4e3afced-8389-49f8-981f-ddbd9f4bc944

Related comments from Julien Nabet posted into bug 94225 #c34-36

Created attachment 133411 [details]
bt with debug symbols

On pc Debian x86-64 with master sources updated yesterday, I still reproduce this but with a different bt. I used Telesto's reproduce case.

---
Here is the state of nodes:

(gdb) p aNd
$5 = SwNodeIndex (node 13)
(gdb) p aNd.GetNode()
$6 = (SwNode &) @0x5555578be330: {<BigPtrEntry> = {_vptr.BigPtrEntry = 0x7fffca6162f0 <vtable for SwEndNode+16>, m_pBlock = 0x5555578be240, m_nOffset = 13}, m_nNodeType = SwNodeType::End, m_nAFormatNumLvl = 0 '\000', m_bSetNumLSpace = false, m_bIgnoreDontExpand = false, static s_nSerial = 82, m_nSerial = 7, m_pAnchoredFlys = std::unique_ptr<std::__debug::vector<SwFrameFormat*, std::allocator<SwFrameFormat*> >> containing 0x0, m_pStartOfSection = 0x5555578be490}
(gdb) p nNode
$7 = 13
(gdb) p pTmpDoc->GetNodes()
$8 = (SwNodes &) @0x5555578add80: {<BigPtrArray> = BigPtrArray of length 19 = {
  [ 0] 0x5555578a79c0 StartNode ,
  [ 1] 0x5555578a6cb0 EndNode ,
  [ 2] 0x5555578a8ab0 StartNode ,
  [ 3] 0x555557898320 EndNode ,
  [ 4] 0x555557898f00 StartNode ,
  [ 5] 0x555557aeb780 StartNode ,
  [ 6] 0x555557aeb230 GrfNode ,
  [ 7] 0x555557ae9670 EndNode ,
  [ 8] 0x55555c328620 StartNode ,
  [ 9] 0x55555c90cc30 GrfNode ,
  [ 10] 0x555557829080 EndNode ,
  [ 11] 0x5555578be1b0 EndNode ,
  [ 12] 0x5555578be490 StartNode ,
  [ 13] 0x5555578be330 EndNode ,
  [ 14] 0x5555578be3c0 StartNode ,
  [ 15] 0x5555578d7ba0 TextNode "Qwe qwe qwe qwe",
  [ 16] 0x555557990b10 TextNode "AAA",
  [ 17] 0x55555ca16960 TextNode "",
  [ 18] 0x5555578be2a0 EndNode
}, m_vIndices = 0x5555578d71f8, m_pMyDoc = 0x5555578be590, m_pEndOfPostIts = 0x5555578a6cb0, m_pEndOfInserts = 0x555557898320, m_pEndOfAutotext = 0x5555578be1b0, m_pEndOfRedlines = 0x5555578be330, m_pEndOfContent = 0x5555578be2a0, m_pOutlineNodes = 0x555557898430, m_bInNodesDel = false, m_bInDelUpdOutline = false}
---

It seems nNode = 13 is wrong since it's obviously not a content but don't know how to track down the evolution of list of nodes.
Indeed, I'd like to dump the list before starting to undo and after each undo.
Also nNode (which isn't a local var here) should be renamed so it would avoid to retrieve lots of results in Opengrok.

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Reproduced in LibreOffice 3.3.0 OOO330m19 (Build:6) tag libreoffice-3.3.0.4
Created attachment 133442 [details] backtrace
This bug surely relates to https://bugs.documentfoundation.org/show_bug.cgi?id=94225.

Crash happens here https://opengrok.libreoffice.org/xref/core/sw/source/core/undo/unins.cxx#234

    SwNodeIndex aNd( pTmpDoc->GetNodes(), nNode);
    SwContentNode* pCNd = aNd.GetNode().GetContentNode();
    SwPaM aPaM( *pCNd, nContent );

As I've described in https://bugs.documentfoundation.org/show_bug.cgi?id=94225#c44, fly anchored to last para hasn't got deleted. As a result, node indices stored in Undo classes become invalid, which leads to the crash. Code above creates aNd index pointing to start section node. GetContentNode returns nullptr and SwPaM constructor crashes LO.

This bug will be resolved as bug 94255 gets resolved.

*** This bug has been marked as a duplicate of bug 94255 ***
*** This bug has been marked as a duplicate of bug 94225 ***
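
The failure mode analysed in the comments above (an undo record keeps a raw node index, the node array changes underneath it, and the content-node lookup returns nullptr that is then dereferenced) can be shown in a small model. This is an added example, not LibreOffice code: Node, UndoRecord, resolve and staleIndexIsRejected are hypothetical names, and the node list is constructed for the illustration.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins for the Writer node model, not LibreOffice's classes.
enum class NodeType { Start, End, Text };

struct Node {
    NodeType type;
    std::string text; // used by Text nodes only
    // Same contract as the GetContentNode() call quoted in the thread:
    // a section node (Start/End) yields nullptr.
    const Node* asContent() const { return type == NodeType::Text ? this : nullptr; }
};

using Nodes = std::vector<Node>;

// Undo record that remembers its position as a raw array index.
struct UndoRecord { std::size_t node; std::size_t content; };

// Resolve a stored position; refuse it when the index is out of range,
// no longer lands on a content node, or the offset exceeds the text.
std::optional<std::pair<const Node*, std::size_t>>
resolve(const Nodes& nodes, const UndoRecord& rec) {
    if (rec.node >= nodes.size()) return std::nullopt;
    const Node* content = nodes[rec.node].asContent();
    if (content == nullptr) return std::nullopt;
    if (rec.content > content->text.size()) return std::nullopt;
    return std::make_pair(content, rec.content);
}

// Constructed scenario: the record is taken while "AAA" sits at index 3,
// then a leftover section (Start/End pair) appears in front of it.
bool staleIndexIsRejected() {
    Nodes nodes = {{NodeType::Start, ""}, {NodeType::End, ""},
                   {NodeType::Start, ""}, {NodeType::Text, "AAA"},
                   {NodeType::End, ""}};
    const UndoRecord rec{3, 3};
    const bool validBefore = resolve(nodes, rec).has_value();
    const Nodes leftover = {{NodeType::Start, ""}, {NodeType::End, ""}};
    nodes.insert(nodes.begin() + 2, leftover.begin(), leftover.end());
    // Index 3 is now the End node of the leftover section.
    return validBefore && !resolve(nodes, rec).has_value();
}

int main() { return staleIndexIsRejected() ? 0 : 1; }
```

A check like this turns the crash into a rejected undo step; it does not repair the stale index, which the thread attributes to the underlying issue tracked in bug 94225.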