Bug 113519 - Crash when editing code "ActiveCell.String = " in the built-in editor "BASIC"
Status: VERIFIED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: BASIC
Version (earliest affected): 6.0.0.0.alpha1+
Hardware: All
OS: All
Importance: highest critical
Assignee: Julien Nabet
URL: https://hub.libreoffice.org/git-core/...
Whiteboard: target:6.0.0
Keywords: bibisected, bisected, haveBacktrace, regression
Depends on:
Blocks:
 
Reported: 2017-10-30 11:13 UTC by max7
Modified: 2017-11-01 22:08 UTC
CC: 4 users

See Also:
Crash report or crash signature:


Attachments:
OS message, signature of the problem (5.77 KB, text/plain), 2017-10-30 11:13 UTC, max7
bt with debug symbols (6.01 KB, text/plain), 2017-10-30 19:54 UTC, Julien Nabet

Description max7 2017-10-30 11:13:25 UTC
Created attachment 137366 [details]
OS message, signature of the problem

For me, the error is reliably reproduced in the built-in "BASIC" code editor:

1) Create an empty module for macros "BASIC";
2) Open it for editing;
3) Delete all the code;
4) Insert this code:
      Sub Main
         ActiveCell.String = ""
      End Sub
5) Put the text cursor in front of the ".String=";
6) Press the "enter" key;
7) ... Profit!
Comment 1 Xisco Faulí 2017-10-30 11:54:59 UTC
Confirmed in

Version: 6.0.0.0.alpha1+
Build ID: d30522e46ca884e9bc74af21711d9537e8118859
CPU threads: 4; OS: Linux 4.10; UI render: default; VCL: gtk3; 
Locale: ca-ES (ca_ES.UTF-8); Calc: group
Comment 2 Xisco Faulí 2017-10-30 12:05:02 UTC
Regression introduced by:

author	Julien Nabet <serval2412@yahoo.fr>	2017-09-27 22:18:05 (GMT)
committer	Michael Stahl <mstahl@redhat.com>	2017-09-28 11:10:58 (GMT)
commit	19910c461230f70bb9e98ad44db3525f0d755724
tree	7dbb8eb1769cca940375cee2ff26e8a595e1d8e6
parent	4fca2ef76a6dfe6c74ada71ab4806dc4ad568b82
tdf#112658: fix leak when calling TextEngine::SetAttrib
TextCharAttribList::RemoveAttrib leaves a dangling pointer
when releasing the unique_ptr obj maAttribs[n].
So retrieve a unique_ptr from the different layers until
SentenceEditWindow_Impl::ChangeMarkedWord (SpellDialog.cxx).

Bisected with: bibisect-linux64-6.0

Adding Cc: to Julien Nabet
Comment 3 Julien Nabet 2017-10-30 12:59:45 UTC
Xisco: looking at the message, I thought it could already be fixed with https://cgit.freedesktop.org/libreoffice/core/commit/?id=f49ba490a566225d2c6b3925cfe39756a01625ba, but considering your build ID, it's another bug, since it includes the quoted commit.
I'll take a look.
Comment 4 max7 2017-10-30 18:46:44 UTC
Test #1:

1) Create an empty module for macros "BASIC";
2) Open it for editing;
3) Delete all the code;
4) Insert this code (without leading "spaces"):

Sub Main
.
End Sub

5) Put the text cursor in front of the ".";
6) Press the "enter" key;
7) ... no error occurs!

=============================================

Test #2:

1) Create an empty module for macros "BASIC";
2) Open it for editing;
3) Delete all the code;
4) Insert this code ("space" before ".", not "tab"):

Sub Main
 .
End Sub

5) Put the text cursor in front of the ".";
6) Press the "enter" key;
7) ... crash occurs!

=============================================

Failure occurs only if, when moving to a new line, a "space" (not "tab") is inserted before the "dot" to align the code.
Comment 5 max7 2017-10-30 19:03:21 UTC
Sorry.
As I found out, crash occurs when any code is moved to a new line, if there are automatically inserted spaces before it for alignment.
Comment 6 max7 2017-10-30 19:20:21 UTC
With different combinations, the following call stack happens:

vcllo!TextAttrib::operator!=+0xda8:
00007fff`52caa9f8 458b5a0c mov r11d,dword ptr [r10+0Ch] ds:000000cc`f5fa6389=????????

 # Call Site
00 vcllo!TextAttrib::operator!=+0xda8
01 vcllo!TextAttribFontColor::GetColor+0x5cd
02 vcllo!TextEngine::ImpInsertText+0x1bb
03 vcllo!TextView::KeyInput+0x2d8
04 basctllo!Point::operator+=+0x597b
05 vcllo!vcl::Window::ImplAsyncFocusHdl+0x15b5
06 vcllo!FloatingWindow::ImplSetMouseDown+0x27b
07 vcllo!CommandMediaData::GetPassThroughToOS+0x25ed
08 vcllo!WorkWindow::IsFullScreenMode+0x6ad
09 vcllo!WorkWindow::IsFullScreenMode+0xf10
0a USER32!DispatchMessageW+0x15d
0b USER32!NotifyWinEvent+0x237
0c vcllo!WinBlocklistParser::parse+0xa2fc
0d vcllo!WinBlocklistParser::parse+0x9d1b
0e vcllo!Application::Execute+0x161
0f sofficeapp+0xe49f
10 vcllo!DeInitVCL+0xbfe
11 vcllo!SVMain+0x32
12 sofficeapp!soffice_main+0x75
13 soffice+0x102e
14 soffice!main+0x2d7
15 KERNEL32!BaseThreadInitThunk+0x22
16 ntdll!RtlUserThreadStart+0x34
Comment 7 Julien Nabet 2017-10-30 19:54:30 UTC
Created attachment 137381 [details]
bt with debug symbols

On pc Debian x86-64 with master sources updated today, I could reproduce this.
Comment 8 max7 2017-10-30 21:25:43 UTC
Everything is so confusing ...
I'm interested.
Here: https://cgit.freedesktop.org/libreoffice/core/tree/vcl/source/edit/textdoc.cxx#n331
in line 331, the contents of the reference "rAttrib" are destroyed, and
in line 332, garbage is inserted.
Or not?
Comment 9 Julien Nabet 2017-10-30 21:36:56 UTC
I submitted a patch to review:
https://gerrit.libreoffice.org/#/c/44077/

With it, I don't reproduce the crash.
Comment 10 Commit Notification 2017-10-31 08:30:00 UTC
Julien Nabet committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=c2b018b94408703aef4e5d3429a9c0ab826f5b7c

tdf#113519: fix crash by releasing returned unique_ptr

It will be available in 6.0.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
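The ownership mistake this report turns on (Comment 2's commit message about a dangling pointer after a unique_ptr is released, Comment 8's reading of textdoc.cxx, and the fix in Comment 10 that "releases the returned unique_ptr") follows one general C++ pattern: a function hands ownership back as a std::unique_ptr, a caller ignores that return value, the object is destroyed at the end of the statement, and a reference obtained earlier silently dangles. The example below is added here and is not LibreOffice code; Attrib, AttribList and the three flow functions are hypothetical stand-ins for the real TextCharAttrib/maAttribs types. It shows the buggy flow beside the two safe alternatives (keeping the returned owner alive, or release() followed by an immediate new owner) and observes lifetime through a destruction counter rather than by reading through the dangling reference, which would be undefined behaviour.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical attribute type (not LibreOffice's TextCharAttrib). It counts
// destructions so lifetime can be observed without touching a dangling pointer.
struct Attrib {
    std::string name;
    int start;
    int end;
    static int destroyed;
    Attrib(std::string n, int s, int e) : name(std::move(n)), start(s), end(e) {}
    ~Attrib() { ++destroyed; }
};
int Attrib::destroyed = 0;

// Hypothetical list that owns its attributes through unique_ptr, in the spirit
// of the maAttribs container named in the regression commit message.
struct AttribList {
    std::vector<std::unique_ptr<Attrib>> items;

    Attrib& Add(std::string n, int s, int e) {
        items.push_back(std::make_unique<Attrib>(std::move(n), s, e));
        return *items.back();
    }

    // Hands ownership back to the caller. A caller that ignores the return
    // value destroys the attribute at the end of that statement.
    std::unique_ptr<Attrib> Remove(std::size_t n) {
        std::unique_ptr<Attrib> owner = std::move(items[n]);
        items.erase(items.begin() + static_cast<std::ptrdiff_t>(n));
        return owner;
    }
};

// Buggy flow (the crash pattern): keep a reference, discard the returned owner,
// then intend to keep using the reference. Returns true if the attribute was
// already destroyed at the point where `ref` would have been read.
bool buggy_flow() {
    Attrib::destroyed = 0;
    AttribList list;
    Attrib& ref = list.Add("bold", 0, 4);
    list.Remove(0);          // returned unique_ptr discarded: Attrib deleted here
    (void)ref;               // reading ref.start now would be a use-after-free
    return Attrib::destroyed == 1;
}

// Fixed flow 1: hold the returned unique_ptr for as long as the attribute is
// used. Returns the start offset read through the live owner, or -1 if it died.
int fixed_flow_keep_owner() {
    Attrib::destroyed = 0;
    AttribList list;
    list.Add("bold", 0, 4);
    std::unique_ptr<Attrib> owner = list.Remove(0);
    if (Attrib::destroyed != 0) return -1;
    return owner->start;     // safe: `owner` still owns the object
}

// Fixed flow 2: release() the returned unique_ptr and give the raw pointer to a
// component that takes ownership by its own means (here: another AttribList).
// Returns true if the attribute survived the transfer intact.
bool fixed_flow_release() {
    Attrib::destroyed = 0;
    AttribList src, dst;
    src.Add("italic", 2, 6);
    Attrib* raw = src.Remove(0).release();   // no deletion; caller now owns raw
    dst.items.emplace_back(raw);             // new owner adopts it immediately
    return Attrib::destroyed == 0 && dst.items.size() == 1 && dst.items[0]->name == "italic";
}
```

Compilers warn when a function marked [[nodiscard]] has its return value ignored; marking functions that return std::unique_ptr that way turns this class of silent ownership drop into a build-time diagnostic, which is a cheap safeguard once a Remove-style API transfers ownership to its caller.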
Comment 11 Julien Nabet 2017-10-31 08:43:23 UTC
Max7/Xisco: don't hesitate to reopen this tracker if you still reproduce this with a build including the patch.
Comment 12 max7 2017-11-01 06:08:01 UTC
Yes, thanks.
Fixed.