130555 – Crash when clearing the 'Find' text field

Bug 130555 - Crash when clearing the 'Find' text field

Summary: Crash when clearing the 'Find' text field

Status:	VERIFIED FIXED

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	Calc (show other bugs)
Version: (earliest affected)	4.1 all versions
Hardware:	All All

Importance:	medium normal
Assignee:	Stephan Bergmann

URL:
Whiteboard:	target:7.0.0 target:6.4.1 target:6.3.6
Keywords:	bibisected, bisected, haveBacktrace, needUITest, regression

Depends on:
Blocks:

Reported:	2020-02-10 11:55 UTC by Pascal Wentz
Modified:	2020-02-12 10:44 UTC (History)
CC List:	5 users (show)

See Also:
Crash report or crash signature:	["cppu::_copyConstructAny(_uno_Any ,void ,_typelib_TypeDescriptionReference ,_typelib_TypeDescription ,void ()(void ),_uno_Mapping *)"]

Attachments
bt with debug symbols (6.08 KB, text/plain) 2020-02-10 13:06 UTC, Julien Nabet	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Pascal Wentz 2020-02-10 11:55:53 UTC

This bug was filed from the crash reporting server and is br-ce92c63b-1d09-400e-a422-2c3a74ae3be7.
=========================================

Steps to reproduce:

1. Open LibreOffice Calc 6.4.0.3
2. Press CTRL+F
3. paste '          11.1.2.1.2.1' into the field (without the ')
4. Delete the contents via CTRL+Backspace
5. Observe

The application then will crash.

Comment 1 Xisco Faulí 2020-02-10 12:38:55 UTC

Regression introduced by:

author	Chr. Rossmanith <ChrRossmanith@gmx.de>	2013-01-31 10:18:04 +0100
committer	Norbert Thiebaud <nthiebaud@gmail.com>	2013-02-04 18:51:15 +0000
commit 3270fc628b2e6a8f73ff0d1e4389d9c7595e0a50 (patch)
tree 591395ff88d304a852dba86b7dcaaf93b3f2c125
parent 71ca001ae1621a0a48fb7377c2afd3697e2a2203 (diff)
use OUString(Buffer) in class Edit

Bisected with: bibisect-41max

Comment 2 Xisco Faulí 2020-02-10 12:39:57 UTC

Steps to reproduce it:
1. Open writer
2. Ctrl + F
3. add a space
4. Ctrl + Backspace

-> Crash/hang.

Comment 3 Julien Nabet 2020-02-10 13:06:49 UTC

Created attachment 157770 [details]
bt with debug symbols

On pc Debian x86-64 with master sources updated today, I got an assertion.

Comment 4 m_a_riosv 2020-02-10 13:13:49 UTC

Repro
Version: 4.1.6.2 Id. de compilación: 40ff705089295be5be0aae9b15123f687c05b0a
Version: 6.4.0.3 (x64)
Build ID: b0a288ab3d2d4774cb44b62f04d5d28733ac6df8
CPU threads: 4; OS: Windows 10.0 Build 19559; UI render: default; VCL: win; 
Locale: es-ES (es_ES); UI-Language: en-US Calc: threaded
Version: 7.0.0.0.alpha0+ (x64)
Build ID: 090fabdc93b44e7481b8c864ccebd519db6f142d
CPU threads: 4; OS: Windows 10.0 Build 19559; UI render: Skia/Vulkan; VCL: win; 
Locale: es-ES (es_ES); UI-Language: en-US Calc: threaded

4.1 it's the first I have with the find only toolbar, in 3.3 with search&replace doesn't crash, looks it begun with their introduction, so not a regression.

Comment 5 Xisco Faulí 2020-02-10 13:26:39 UTC

I do believe this is a regression, problem is happening in Edit::ImplDelete (this=0x55555d19a770, rSelection=..., nDirection=1 '\001', nMode=12 '\f') at /home/julien/lo/libreoffice/vcl/source/control/edit.cxx:729, which was changed in 3270fc628b2e6a8f73ff0d1e4389d9c7595e0a50

Comment 6 Julien Nabet 2020-02-10 13:31:33 UTC

https://gerrit.libreoffice.org/c/core/+/88370
I don't know if it's the right fix or just a band-aid...

Comment 7 Xisco Faulí 2020-02-10 13:34:25 UTC

(In reply to Julien Nabet from comment #6)
> https://gerrit.libreoffice.org/c/core/+/88370
> I don't know if it's the right fix or just a band-aid...

Let's add Stephan to the loop. he might have more insight here

Comment 8 Pascal Wentz 2020-02-10 13:39:57 UTC

I believe it would crash before it reaches the if condition.
Two ideas: 

- Using a try catch block
- Avoiding the value to reach <0 by design

Comment 9 Commit Notification 2020-02-11 17:38:14 UTC

Stephan Bergmann committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/e8f26dc13b65b1a05d948d9c95110c86315e8f20

tdf#130555: Prevent negative aSelection.Min()

It will be available in 7.0.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Comment 10 Commit Notification 2020-02-12 08:14:45 UTC

Stephan Bergmann committed a patch related to this issue.
It has been pushed to "libreoffice-6-4":

https://git.libreoffice.org/core/commit/d84eaea950f276e7ba0d155cdbed056bcc815255

tdf#130555: Prevent negative aSelection.Min()

It will be available in 6.4.2.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Comment 11 Xisco Faulí 2020-02-12 09:43:32 UTC

Verified in

Version: 7.0.0.0.alpha0+
Build ID: 718f540fb63af27c1336f89213444e9af753b8a9
CPU threads: 4; OS: Linux 4.19; UI render: default; VCL: gtk3; 
Locale: en-US (en_US.UTF-8); UI-Language: en-US
Calc: threaded

@Stephan, thanks for fixing this issue!!

Comment 12 Commit Notification 2020-02-12 10:32:11 UTC

Stephan Bergmann committed a patch related to this issue.
It has been pushed to "libreoffice-6-4-1":

https://git.libreoffice.org/core/commit/9407bd3c08d4bab5a9a39aac9bd1639def31281d

tdf#130555: Prevent negative aSelection.Min()

It will be available in 6.4.1.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Comment 13 Commit Notification 2020-02-12 10:32:24 UTC

Stephan Bergmann committed a patch related to this issue.
It has been pushed to "libreoffice-6-3":

https://git.libreoffice.org/core/commit/6aee963e87836eceee4c65ab55aa8e8e270d7559

tdf#130555: Prevent negative aSelection.Min()

It will be available in 6.3.6.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.