120750 – Crash applying bold to textbox control

Bug 120750 - Crash applying bold to textbox control

Summary: Crash applying bold to textbox control

Status:	RESOLVED FIXED

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	LibreOffice (show other bugs)
Version: (earliest affected)	5.3.0.3 release
Hardware:	All All

Importance:	highest critical
Assignee:	Not Assigned

URL:
Whiteboard:	target:6.3.0 target:6.2.0.1 target:6.1.5
Keywords:	bibisected, bisected, regression

Depends on:
Blocks:

Reported:	2018-10-21 10:16 UTC by Maxim Monastirsky
Modified:	2019-01-16 17:04 UTC (History)
CC List:	5 users (show)

See Also:	https://crashreport.libreoffice.org/stats/signature/frm::RichTextControlImpl::executeAttribute(SfxItemSet%20const%20&,SfxItemSet%20&,long,SfxPoolItem%20const%20*,SvtScriptType) 96248 122758
Crash report or crash signature:	["frm::RichTextControlImpl::executeAttribute(SfxItemSet const &,SfxItemSet &,long,SfxPoolItem const *,SvtScriptType)"]

Attachments
reproducer (8.76 KB, application/vnd.oasis.opendocument.text) 2018-10-21 10:16 UTC, Maxim Monastirsky	Details
bt with debug symbols (8.59 KB, text/plain) 2018-10-28 21:00 UTC, Julien Nabet	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Maxim Monastirsky 2018-10-21 10:16:57 UTC

Created attachment 145876 [details]
reproducer

1. Open the attached document.
2. Click inside the textbox control.
3. Click on the bold toolbar button => crash.

Used to work in 5.2, broken in 5.3.

Comment 1 Oliver Brinzing 2018-10-21 13:55:56 UTC

crash reproducible with

Version: 6.1.3.1 (x64)
Build-ID: a9670562c26181ec3afbe381c9ff499ae88c98b7
CPU-Threads: 4; BS: Windows 10.0; UI-Render: Standard; 
Gebietsschema: de-DE (de_DE); Calc: group threaded

Version: 6.2.0.0.alpha0+ (x64)
Build ID: 27b0d7237a7e2f32897fa52820c3aa382f6683e9
CPU threads: 4; OS: Windows 10.0; UI render: default; VCL: win; 
Locale: de-DE (de_DE); Calc: threaded

Comment 2 Xisco Faulí 2018-10-21 16:53:17 UTC

Regression introduced by:

https://cgit.freedesktop.org/libreoffice/core/commit/?id=c9493b344a9bd104d0a882f5e9407880c0c63c20

author	Jochen Nitschke <j.nitschke+logerrit@ok.de>	2016-08-28 02:51:40 +0200
committer	Michael Stahl <mstahl@redhat.com>	2016-08-30 13:07:47 +0000
commit c9493b344a9bd104d0a882f5e9407880c0c63c20 (patch)
tree a984f282763eb00038de2aeb88b92e090e91503c
parent 1ae5c5ea82207d90b556e8139ad48ca4ceff9311 (diff)
tdf#96248 delete SfxPoolItems with Which Id >= 4000

Bisected with: bibisect-linux-64-5.3

Adding Cc: to Jochen Nitschke

Comment 3 Aron Budea 2018-10-28 04:50:08 UTC

It might not be related to the crash, but when checking the changed code in the debugger, I noticed pItemArr->maFree was a 36-long vector consisting of 0s. I assume an index should only appear once in there, no?

Comment 4 Julien Nabet 2018-10-28 21:00:18 UTC

Created attachment 146110 [details]
bt with debug symbols

On pc Debian x86-64 with master sources updated today, I could reproduce this.

Comment 5 Xisco Faulí 2018-12-13 16:32:59 UTC

I've reverted the problematic commit: https://gerrit.libreoffice.org/#/c/65115/

Comment 6 Commit Notification 2018-12-14 11:45:47 UTC

Xisco Fauli committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/+/c5d0d424bd7e78455cb6f9578cf2425ac0787004%5E%21

tdf#120750: Revert "tdf#96248 delete SfxPoolItems with Which Id >= 4000"

It will be available in 6.3.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Comment 7 Commit Notification 2018-12-14 15:41:28 UTC

Xisco Fauli committed a patch related to this issue.
It has been pushed to "libreoffice-6-2":

https://git.libreoffice.org/core/+/f1c47b9ea954342ecffc440784b43cc8cfd99f91%5E%21

tdf#120750: Revert "tdf#96248 delete SfxPoolItems with Which Id >= 4000"

It will be available in 6.2.0.1.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Comment 8 Commit Notification 2018-12-14 17:46:08 UTC

Xisco Fauli committed a patch related to this issue.
It has been pushed to "libreoffice-6-1":

https://git.libreoffice.org/core/+/73c3c3deff69ccd6a2f55952a911738496fb3c32%5E%21

tdf#120750: Revert "tdf#96248 delete SfxPoolItems with Which Id >= 4000"

It will be available in 6.1.5.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.