Bug 108863 - CRASH: Bad allocation if undo count is set to zero (0) (steps in comment 3)
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Draw
Version: 5.4.0.1 rc (earliest affected)
Hardware: All All
Importance: high critical
Assignee: Michael Stahl (CIB)
URL:
Whiteboard: target:6.0.0 target:5.4.0.2
Keywords: haveBacktrace
Duplicates: 109054
Depends on:
Blocks: Undo-Zero-Steps
Reported: 2017-06-29 14:28 UTC by Telesto
Modified: 2017-07-26 16:46 UTC (History)

Attachments
GDB trace of crash with master (19.89 KB, text/plain)
2017-06-30 12:13 UTC, Buovjaga

Description Telesto 2017-06-29 14:28:53 UTC
Description:
Hmm, I probably underestimated the impact of a zero undo count. Draw crashes too. So again the question comes up: should 0 at undo be forbidden since we've got an assert? See also 108836

Steps to Reproduce:
1. Open Draw
2. Insert a shape or image
3. Delete it -> crash

http://crashreport.libreoffice.org/stats/crash_details/fcb6e037-1c2c-4a28-93cb-d3b5332549a2

Actual Results:  
Crash

Expected Results:
No crash?


Reproducible: Always

User Profile Reset: No

Additional Info:
Version: 6.0.0.0.alpha0+
Build ID: 9f3814af7264ce90685a82cbf4eb015a38f22bf7
CPU threads: 4; OS: Windows 6.19; UI render: default; 
TinderBox: Win-x86@42, Branch:master, Time: 2017-06-28_00:47:42
Locale: nl-NL (nl_NL); Calc: CL


User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Comment 1 Xisco Faulí 2017-06-29 14:32:53 UTC
@Michael, one for you?
Comment 2 Buovjaga 2017-06-29 19:44:26 UTC
I don't get a crash.

For testers: https://help.libreoffice.org/Common/Memory#Number_of_undo_steps

Version: 6.0.0.0.alpha0+ (x64)
Build ID: e0f67add2ec56706ce06a03572535266f21c0303
CPU threads: 4; OS: Windows 6.19; UI render: default; 
TinderBox: Win-x86_64@42, Branch:master, Time: 2017-06-27_23:04:56
Locale: fi-FI (fi_FI); Calc: group

Arch Linux 64-bit, KDE Plasma 5
Version: 6.0.0.0.alpha0+
Build ID: 98befbb26217b0bf3f35354e418a355280c52cfc
CPU threads: 8; OS: Linux 4.11; UI render: default; VCL: kde4; 
Locale: fi-FI (fi_FI.UTF-8); Calc: group
Built on June 29th 2017
Comment 3 Telesto 2017-06-29 21:29:37 UTC
(In reply to Buovjaga from comment #2)
> I don't get a crash.
> 
Hmm, I think I know why. I tried it with a simple shape after the first crash, without resetting the user profile. Sorry for the fuss.

1. Save https://upload.wikimedia.org/wikipedia/commons/3/3d/LARGE_elevation.jpg
2. Open Draw
3. Set the undo count to zero (https://help.libreoffice.org/Common/Memory#Number_of_undo_steps)
4. Insert - Image -> LARGE_elevation.jpg
5. Delete it -> crash
Comment 4 Telesto 2017-06-29 21:48:46 UTC
Maybe zero should be forbidden after all. I'm generating quite a lot of crashes: bug 108833, bug 108863, bug 108836. :(
Comment 5 Buovjaga 2017-06-30 12:13:22 UTC
Created attachment 134412
GDB trace of crash with master

Arch Linux 64-bit, KDE Plasma 5
Version: 6.0.0.0.alpha0+
Build ID: 98befbb26217b0bf3f35354e418a355280c52cfc
CPU threads: 8; OS: Linux 4.11; UI render: default; VCL: kde4; 
Locale: fi-FI (fi_FI.UTF-8); Calc: group
Built on June 29th 2017
Comment 6 Buovjaga 2017-06-30 12:17:29 UTC
*** Bug 108833 has been marked as a duplicate of this bug. ***
Comment 7 Buovjaga 2017-06-30 12:19:30 UTC
Ok I didn't notice 108836 was fixed.

*** This bug has been marked as a duplicate of bug 108836 ***
Comment 8 Telesto 2017-06-30 13:16:52 UTC
(In reply to Buovjaga from comment #7)
> Ok I didn't notice 108836 was fixed.
> 
> *** This bug has been marked as a duplicate of bug 108836 ***

Nope, these bugs (bug 108833, bug 108863) aren't fixed with bug 108836. I didn't notice more issues when I reported bug 108836. Now I found multiple problems :( The main question is what to do. 
1. Let it go for now (nobody uses it anyhow)
2. The use of 0 should be forbidden
3. Fix all individual crashing bugs related to 0

Version: 6.0.0.0.alpha0+
Build ID: 83634c9d11ea730f6525c66ba26a87e9d1ef3936
CPU threads: 4; OS: Windows 6.19; UI render: default; 
TinderBox: Win-x86@42, Branch:master, Time: 2017-06-30_08:34:23
Locale: nl-NL (nl_NL); Calc: CL
Comment 9 Commit Notification 2017-06-30 15:16:43 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=495284716f49072e432b8425944cc67dfe0df0e0

tdf#108863 sd: disable Undo earlier if no Undo Steps

It will be available in 6.0.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 10 Commit Notification 2017-06-30 15:16:51 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=a54ba50db2c341f0f0e47d77dbe64a6e588bc911

tdf#108863 svx: fix use-after-free in SdrEditView::DeleteMarkedObj()

It will be available in 6.0.0.

Comment 11 Michael Stahl (CIB) 2017-06-30 15:23:35 UTC
fixed on master
Comment 12 Telesto 2017-06-30 15:26:57 UTC
(In reply to Michael Stahl from comment #11)
> fixed on master

Thanks for fixing =)
Comment 13 Commit Notification 2017-07-04 10:31:51 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-5-4":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=0755d19069403ef16f55326c3a567ddf84d4d9ec&h=libreoffice-5-4

tdf#108863 sd: disable Undo earlier if no Undo Steps

It will be available in 5.4.0.2.

Comment 14 Commit Notification 2017-07-04 10:33:27 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-5-4":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=c6640f93273475b6d686f14820051cbfa4b1b6c2&h=libreoffice-5-4

tdf#108863 svx: fix use-after-free in SdrEditView::DeleteMarkedObj()

It will be available in 5.4.0.2.

Comment 15 Telesto 2017-07-11 17:44:47 UTC
*** Bug 109054 has been marked as a duplicate of this bug. ***