Created attachment 137366
OS message, signature of the problem

I can reliably reproduce the error in the built-in "BASIC" code editor:
1) Create an empty module for macros "BASIC";
2) Open it for editing;
3) Delete all the code;
4) Insert this code:
Sub Main
ActiveCell.String = ""
End Sub
5) Put the text cursor in front of the ".String=";
6) Press the "enter" key;
7) ... Profit!
Confirmed in Version: 6.0.0.0.alpha1+ Build ID: d30522e46ca884e9bc74af21711d9537e8118859 CPU threads: 4; OS: Linux 4.10; UI render: default; VCL: gtk3; Locale: ca-ES (ca_ES.UTF-8); Calc: group
Regression introduced by:

author    Julien Nabet <serval2412@yahoo.fr>  2017-09-27 22:18:05 (GMT)
committer Michael Stahl <mstahl@redhat.com>   2017-09-28 11:10:58 (GMT)
commit    19910c461230f70bb9e98ad44db3525f0d755724 (patch)
tree      7dbb8eb1769cca940375cee2ff26e8a595e1d8e6
parent    4fca2ef76a6dfe6c74ada71ab4806dc4ad568b82 (diff)

tdf#112658: fix leak when calling TextEngine::SetAttrib

TextCharAttribList::RemoveAttrib leaves a dangling pointer when releasing the unique_ptr obj maAttribs[n].
So retrieve a unique_ptr from the different layers until SentenceEditWindow_Impl::ChangeMarkedWord (SpellDialog.cxx).

Bisected with: bibisect-linux64-6.0

Adding Cc: to Julien Nabet
Xisco: looking at message, thought it could already be fixed with https://cgit.freedesktop.org/libreoffice/core/commit/?id=f49ba490a566225d2c6b3925cfe39756a01625ba but considering your buildid, it's another bug since it includes the quoted commit. I'll take a look.
Test #1:
1) Create an empty module for macros "BASIC";
2) Open it for editing;
3) Delete all the code;
4) Insert this code (without leading "spaces"):
Sub Main
.
End Sub
5) Put the text cursor in front of the ".";
6) Press the "enter" key;
7) ... no error occurs!

=============================================

Test #2:
1) Create an empty module for macros "BASIC";
2) Open it for editing;
3) Delete all the code;
4) Insert this code ("space" before ".", not "tab"):
Sub Main
 .
End Sub
5) Put the text cursor in front of the ".";
6) Press the "enter" key;
7) ... crash occurs!

=============================================

Failure occurs only if, when moving to a new line, a "space" (not "tab") is inserted before the "dot" to align the code.
Sorry. As I found out, crash occurs when any code is moved to a new line, if there are automatically inserted spaces before it for alignment.
With different combinations, the following call stack happens:

vcllo!TextAttrib::operator!=+0xda8:
00007fff`52caa9f8 458b5a0c mov r11d,dword ptr [r10+0Ch] ds:000000cc`f5fa6389=????????

 # Call Site
00 vcllo!TextAttrib::operator!=+0xda8
01 vcllo!TextAttribFontColor::GetColor+0x5cd
02 vcllo!TextEngine::ImpInsertText+0x1bb
03 vcllo!TextView::KeyInput+0x2d8
04 basctllo!Point::operator+=+0x597b
05 vcllo!vcl::Window::ImplAsyncFocusHdl+0x15b5
06 vcllo!FloatingWindow::ImplSetMouseDown+0x27b
07 vcllo!CommandMediaData::GetPassThroughToOS+0x25ed
08 vcllo!WorkWindow::IsFullScreenMode+0x6ad
09 vcllo!WorkWindow::IsFullScreenMode+0xf10
0a USER32!DispatchMessageW+0x15d
0b USER32!NotifyWinEvent+0x237
0c vcllo!WinBlocklistParser::parse+0xa2fc
0d vcllo!WinBlocklistParser::parse+0x9d1b
0e vcllo!Application::Execute+0x161
0f sofficeapp+0xe49f
10 vcllo!DeInitVCL+0xbfe
11 vcllo!SVMain+0x32
12 sofficeapp!soffice_main+0x75
13 soffice+0x102e
14 soffice!main+0x2d7
15 KERNEL32!BaseThreadInitThunk+0x22
16 ntdll!RtlUserThreadStart+0x34
Created attachment 137381
bt with debug symbols

On pc Debian x86-64 with master sources updated today, I could reproduce this.
Everything is so confusing ... I'm interested. Here: https://cgit.freedesktop.org/libreoffice/core/tree/vcl/source/edit/textdoc.cxx#n331 in line 331, the contents of the link "rAttrib" are destroyed, and in line 332, garbage is inserted. Or not?
I submitted a patch to review: https://gerrit.libreoffice.org/#/c/44077/ With it, I don't reproduce the crash.
Julien Nabet committed a patch related to this issue. It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=c2b018b94408703aef4e5d3429a9c0ab826f5b7c

tdf#113519: fix crash by releasing returned unique_ptr

It will be available in 6.0.0.

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
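The ownership hazard discussed in this thread (the earlier leak that the tdf#112658 commit fixed by calling release() on the list's unique_ptr, the dangling reference that crashed once the object was destroyed underneath a caller, and the ownership-transfer shape that the tdf#113519 fix settles on) can be modelled in a small stand-alone C++ program. This is an added illustration, not LibreOffice code: Attrib, AttribList, MoveAttrib and the three demo functions are hypothetical names, the live-object counter is a constructed device for making the leak and the destruction observable, and the offsets are made-up sample values.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical attribute type standing in for a text character attribute
// (assumed names; not LibreOffice's TextCharAttrib). liveCount lets the
// demos observe leaks and premature destruction without dereferencing
// anything that may be dead.
struct Attrib {
    static int liveCount;
    std::size_t start, end;
    std::string kind;
    Attrib(std::size_t s, std::size_t e, std::string k)
        : start(s), end(e), kind(std::move(k)) { ++liveCount; }
    ~Attrib() { --liveCount; }
    Attrib(const Attrib&) = delete;
    Attrib& operator=(const Attrib&) = delete;
};
int Attrib::liveCount = 0;

// Hypothetical owning list of attributes (assumed name).
class AttribList {
public:
    void Insert(std::unique_ptr<Attrib> a) { items_.push_back(std::move(a)); }
    std::size_t Count() const { return items_.size(); }
    Attrib& At(std::size_t n) { return *items_[n]; }

    // Variant 1: leak. release() drops ownership and nobody deletes the object.
    void RemoveLeaking(std::size_t n) {
        Attrib* leaked = items_[n].release();
        (void)leaked;
        items_.erase(items_.begin() + n);
    }

    // Variant 2: premature destruction. erase() destroys the Attrib, so any
    // reference a caller took via At(n) before the call now dangles.
    void RemoveDestroying(std::size_t n) { items_.erase(items_.begin() + n); }

    // Variant 3: ownership transfer. The unique_ptr is handed to the caller,
    // which decides when the object dies and can keep using it meanwhile.
    std::unique_ptr<Attrib> Remove(std::size_t n) {
        std::unique_ptr<Attrib> out = std::move(items_[n]);
        items_.erase(items_.begin() + n);
        return out;
    }

private:
    std::vector<std::unique_ptr<Attrib>> items_;
};

// Move the n-th attribute of `from` into `to`, shifting its offsets by `delta`
// (the shape of a "text moved to a new, re-indented line" step). Relies on
// Variant 3 so the attribute is alive while its offsets are adjusted.
bool MoveAttrib(AttribList& from, AttribList& to, std::size_t n, std::size_t delta) {
    if (n >= from.Count()) return false;
    std::unique_ptr<Attrib> a = from.Remove(n);  // ownership now held here
    a->start += delta;                            // safe: object still alive
    a->end += delta;
    to.Insert(std::move(a));
    return true;
}

// Returns how many Attrib objects outlive the list: 1 means the leak happened.
int LeakDemo() {
    int before = Attrib::liveCount;
    {
        AttribList l;
        l.Insert(std::make_unique<Attrib>(0, 3, "bold"));
        l.RemoveLeaking(0);
    }
    return Attrib::liveCount - before;
}

// Returns true if the reference the caller still holds was invalidated by the
// removal (the object count dropped). The reference is never dereferenced.
bool DanglingDemo() {
    AttribList l;
    l.Insert(std::make_unique<Attrib>(0, 3, "bold"));
    Attrib& ref = l.At(0);
    int before = Attrib::liveCount;
    l.RemoveDestroying(0);
    (void)ref;  // dangling from here on; touching it would be use-after-free
    return Attrib::liveCount == before - 1;
}

// Returns the moved attribute's new end offset after a 4-column re-indent
// (constructed sample: attribute over columns 4..11, shifted by 4 gives 15).
std::size_t MoveDemo() {
    AttribList line1, line2;
    line1.Insert(std::make_unique<Attrib>(4, 11, "bold"));
    bool ok = MoveAttrib(line1, line2, 0, 4);
    return (ok && line1.Count() == 0 && line2.Count() == 1) ? line2.At(0).end : 0;
}
```

The point of Variant 3 is that returning the unique_ptr through every layer is what keeps both failure modes away at once: the object is neither abandoned (Variant 1) nor destroyed while an outer frame still refers to it (Variant 2), and the caller that actually finishes with it is the one whose unique_ptr finally deletes it.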
Max7/Xisco: don't hesitate to reopen this tracker if you still reproduce this with a build including the patch.
Yes, thanks. Fixed.