Bug 126504 - Crash on Undo of paste table below table
Summary: Crash on Undo of paste table below table
Status: VERIFIED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer (show other bugs)
Version:
(earliest affected)
Inherited From OOo
Hardware: All All
: high major
Assignee: Not Assigned
URL:
Whiteboard: target:7.1.0
Keywords:
Depends on:
Blocks: Undo-Redo Crash-BigPtrArray
  Show dependency treegraph
 
Reported: 2019-07-22 10:47 UTC by Michael Stahl (allotropia)
Modified: 2020-07-13 10:34 UTC (History)
4 users (show)

See Also:
Crash report or crash signature: ["BigPtrArray::Index2Block(unsigned long)", "SwTextNode::SplitContentNode(SwPosition const &,std::function<void > const *)"]

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Stahl (allotropia) 2019-07-22 10:47:03 UTC 
Description:
this is copied from bug 117215 comment #12

http://bugs.documentfoundation.org/attachment.cgi?id=143307

Telesto 2018-11-28 12:27:11 CET

Created attachment 147089 [details]
Example file

Another (very basic) example with a table instead of image (with a specific anchoring)


Steps to Reproduce:
1. Cursor inside the embedded table 
2. CTRL+A 
3. CTRL+A (full table selected)
3. CTRL+V (below the existing table)
4. CTRL+Z
5. CTRL+Y
6. CTRL+Z

Actual Results:
crash with some invalid nodearray access

Expected Results:
no crash


Reproducible: Always


User Profile Reset: No



Additional Info:
Comment 1 Michael Stahl (allotropia) 2019-07-22 11:08:36 UTC Comment hidden (obsolete)
Comment 2 Michael Stahl (allotropia) 2019-07-22 11:10:37 UTC Comment hidden (obsolete)
Comment 3 Michael Stahl (allotropia) 2019-07-22 11:11:38 UTC Comment hidden (obsolete)
Comment 4 Christian Lohmaier 2019-07-22 11:57:30 UTC Comment hidden (obsolete)
Comment 5 baffclan 2019-07-22 12:36:39 UTC 
Cannot reproduce with 6.3.0.2, 6.4.0.0.alpha0+.


Version: 6.3.0.2 (x64)
Build ID: 728469fa359ba8c83d812146293a0b0aa53945ba
CPU threads: 4; OS: Windows 10.0; UI render: default; VCL: win; 
Locale: ja-JP (ja_JP); UI-Language: en-US
Calc: threaded

Version: 6.4.0.0.alpha0+ (x64)
Build ID: cb28e48bfd7e8727797435dc05bdfe1652fb34f0
CPU threads: 4; OS: Windows 10.0; UI render: GL; VCL: win; 
TinderBox: Win-x86_64@62-TDF, Branch:master, Time: 2019-06-20_23:11:40
Locale: ja-JP (ja_JP); UI-Language: en-US
Calc: threaded

Version: 6.4.0.0.alpha0+ (x64)
Build ID: 59b5eca7030a091b9f39257897e757a51f2345e1
CPU threads: 4; OS: Windows 10.0; UI render: GL; VCL: win; 
TinderBox: Win-x86_64@42, Branch:master, Time: 2019-07-21_01:43:29
Locale: ja-JP (ja_JP); UI-Language: en-US
Calc: threaded
Comment 6 Michael Stahl (allotropia) 2019-07-22 12:59:24 UTC 
i get this, but maybe it's survivable in a non-debug version:

soffice.bin: /home/ms/lo/master/sw/source/core/bastyp/bparr.cxx:84: BigPtrEntry *BigPtrArray::operator[](sal_uLong) const: Assertion `idx < m_nSize' failed.
Comment 7 Xisco Faulí 2020-01-10 10:42:38 UTC 
Another way to get the same crash signature < crashreport.libreoffice.org/stats/crash_details/870d593a-d4a8-444e-b5ab-dec2b7a18948 >

1. Open attachment 142123 [details] from bug 117638
2. Select all
3. Copy
4. Paste 5 times
5. Undo 6 times

-> Crash
Comment 8 Xisco Faulí 2020-01-27 09:43:49 UTC 
I think the following crash may also be related, although the crash signature is different < http://crashreport.libreoffice.org/stats/crash_details/fd2b9d8a-9895-4924-ae3d-549104b81287 >

Steps to reproduce:
1. Open attachment 155681 [details] from bug 124821
2. Select all
3. Cut
4. Paste 2 times
5. Undo 3 times

-> Crash
Comment 9 Xisco Faulí 2020-03-30 11:46:50 UTC 
*** Bug 131676 has been marked as a duplicate of this bug. ***
Comment 10 Bhavesh Patel 2020-04-02 14:53:06 UTC 
*** Bug 131804 has been marked as a duplicate of this bug. ***
Comment 11 Telesto 2020-04-07 15:59:25 UTC Comment hidden (obsolete)
Comment 12 Telesto 2020-04-17 12:08:57 UTC Comment hidden (obsolete)
Comment 13 Telesto 2020-06-17 21:31:37 UTC Comment hidden (obsolete)
Comment 14 Telesto 2020-06-18 10:25:12 UTC 
This is now only about comment 0

Created a bug report for every STR in this bug, until proven fixed (and/ or bibisected).
Comment 15 Xisco Faulí 2020-07-01 10:10:08 UTC 
This issue got fixed by https://cgit.freedesktop.org/libreoffice/core/commit/?id=310271df2e4dc67d223dbec4b23e39ea4a67c042. Thanks Michael for fixing this issue indirectly.
Closing as VERIFIED FIXED
Comment 16 Commit Notification 2020-07-01 13:45:26 UTC 
Xisco Fauli committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/6f9d03561f069cf563874515a7412e125c2b26de

tdf#126504: sw: Add unittest

It will be available in 7.1.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 17 Mike Kaganski 2020-07-13 06:58:39 UTC 
(In reply to Michael Stahl (CIB) from comment #0)
> 1. Cursor inside the embedded table 
> 2. CTRL+A 
> 3. CTRL+A (full table selected)

(In reply to Xisco Faulí from comment #15)
> This issue got fixed by
> https://cgit.freedesktop.org/libreoffice/core/commit/
> ?id=310271df2e4dc67d223dbec4b23e39ea4a67c042. Thanks Michael for fixing this
> issue indirectly.

In current master, I don't see the specific steps working, and I see the unit test failing for that reason for me on Windows. Additionally, the GUI works differently than the unit test, which is also unexpected:

1. Cursor inside Table2.A1 of the tdf126504.odt from the unit test.
2. Ctrl+A (the whole inner table (Table2) is selected).
3. Ctrl+A (it's unselected! and the cursor is blinking again in A1).

I expect that #3 selects A1 as well, but it doesn't happen with Version: 7.1.0.0.alpha0+ (x64)
Build ID: e624459f36a576478f3a6b729341f0ce4e14f42d
CPU threads: 12; OS: Windows 10.0 Build 18363; UI render: Skia/Raster; VCL: win
Locale: ru-RU (ru_RU); UI: en-US
Calc: CL

and with Version: 7.0.0.1 (x64)
Build ID: 04ba7e3f1e51af6c5d653e543a620e36719083fd
CPU threads: 12; OS: Windows 10.0 Build 18363; UI render: Skia/Raster; VCL: win
Locale: ru-RU (ru_RU); UI: en-US
Calc: CL

But what's puzzling me is that the given UI steps suggest that Ctrl+C after those steps should *not* copy anything into clipboard. However, the test fails here:

> tdf133982.docx:
> testTdf133982::TestBody finished in: 830ms
> C:/lo/src/core/sw/qa/extras/uiwriter/uiwriter3.cxx(265) : error : Assertion
> Test name: testTdf126504::TestBody
> equality assertion failed
> - Expected: 4
> - Actual  : 3
> 
> Failures !!!
> Run: 315   Failure total: 1   Failures: 1   Errors: 0

The "- Actual  : 3" seems to suggest that *something* (a table) is actually pasted there. But maybe that's just some leftover in clipboard from a previous test?

Yes of course this is about crash, and what I describe is another bug needing an own report - but I came here because the unit test failing was exactly the one that should had prevented this. Why does it happen?
Comment 18 Xisco Faulí 2020-07-13 10:34:23 UTC 
(In reply to Mike Kaganski from comment #17)
> (In reply to Michael Stahl (CIB) from comment #0)
> > 1. Cursor inside the embedded table 
> > 2. CTRL+A 
> > 3. CTRL+A (full table selected)
> 
> (In reply to Xisco Faulí from comment #15)
> > This issue got fixed by
> > https://cgit.freedesktop.org/libreoffice/core/commit/
> > ?id=310271df2e4dc67d223dbec4b23e39ea4a67c042. Thanks Michael for fixing this
> > issue indirectly.
> 
> In current master, I don't see the specific steps working, and I see the
> unit test failing for that reason for me on Windows. Additionally, the GUI
> works differently than the unit test, which is also unexpected:
> 
> 1. Cursor inside Table2.A1 of the tdf126504.odt from the unit test.
> 2. Ctrl+A (the whole inner table (Table2) is selected).
> 3. Ctrl+A (it's unselected! and the cursor is blinking again in A1).

Yes, GUI behaves differently due to bug 133980