Created attachment 166437: minimum example to trigger bug

Attached is a minimum working example to demonstrate the crash. This appears to be caused by an interaction between focus traversal of input fields and table cells. To trigger the crash, it appears these conditions must exist:

1. focus is in an input field (e.g. added via CTRL-F2)
2. the focused input field is inside of a table cell
3. text is selected within the focused input field
4. the next input field that would receive focus is also in a table cell
5. the next input field has content before the input field in the table cell

For example, click in the first text field once, which should focus the first text field with the text (all spaces) highlighted. Next press TAB to cycle focus to the second text field to crash.

The crash has been confirmed on at least these libreoffice versions:

    libreoffice-writer-5.3.6.1-24.el7.x86_64
    libreoffice-writer-6.0.6.1-20.el8.x86_64
    libreoffice-writer-6.4.6.2-3.fc32.x86_64
Created attachment 166439: backtrace from crash
Created attachment 166457: bt with debug symbols

On pc Debian x86-64 with master sources updated today, I could reproduce this.
I am not really familiar with the LO code base, but tried to at least narrow down the source of the crash.

When triggering the focus change, SwTextShell::ExecField is called and triggers this case:

    case FN_GOTO_NEXT_INPUTFLD:
    case FN_GOTO_PREV_INPUTFLD:
    {
        bool bRet = false;
        SwFieldType* pField = rSh.GetFieldType( 0, SwFieldIds::Input );
        const bool bAddSetExpressionFields = !( rSh.GetViewOptions()->IsReadonly() );
        if ( pField != nullptr
             && rSh.MoveFieldType( pField, FN_GOTO_NEXT_INPUTFLD == nSlot, SwFieldIds::Unknown, bAddSetExpressionFields ) )
        {
            rSh.ClearMark();
            if (!rSh.IsMultiSelection()
                && (nullptr != dynamic_cast<const SwTextInputField*>(
                        SwCursorShell::GetTextFieldAtCursor(rSh.GetCursor(), true))))
            {
                rSh.SttSelect();
                rSh.SelectText(
                    SwCursorShell::StartOfInputFieldAtPos( *(rSh.GetCursor()->Start()) ) + 1,
                    SwCursorShell::EndOfInputFieldAtPos( *(rSh.GetCursor()->Start()) ) - 1 );
            }
            else
            {
                rSh.StartInputFieldDlg(rSh.GetCurField(true), false, false, GetView().GetFrameWeld());
            }
            bRet = true;
        }
        rReq.SetReturnValue( SfxBoolItem( nSlot, bRet ));
    }
    break;

In the working case, SwCursorShell::GetTextFieldAtCursor(...) != nullptr, the nested if condition is true, and focus changes without problem. In the broken case, SwCursorShell::GetTextFieldAtCursor(...) == nullptr, triggering the else case of the nested if, eventually leading to the segfault.

Digging further into the GetTextFieldAtCursor code path, the difference arises down in lcl_GetTextAttrs in sw/source/core/txtnode/ndtxt.cxx:

    static void lcl_GetTextAttrs(
        std::vector<SwTextAttr *> *const pVector,
        SwTextAttr **const ppTextAttr,
        SwpHints const *const pSwpHints,
        sal_Int32 const nIndex,
        sal_uInt16 const nWhich,
        enum SwTextNode::GetTextAttrMode const eMode)

When this function is called during focus change in the working case, pSwpHints has a single hint which is assigned to *ppTextAttr, which is then used to get the GetTextFieldAtCursor return value.
In the broken case (with text preceding the second input field), pSwpHints has TWO hints, with the hint from the working case at index 1 and another hint at index 0. This block of code in that function breaks early in the broken case:

    sal_Int32 const nHintStart = pHint->GetStart();
    if (nIndex < nHintStart)
        break; // hints are sorted by which&start, so we are done...

nIndex=0 and nHintStart=0 in the working case, but nIndex=0 and nHintStart=1 in the broken case.

Hopefully this will help narrow things down for someone familiar with this code. It might be a while before I can get back to it!
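The nullptr path described in the two comments above, modelled as an added example. This is not LibreOffice code: Hint, HintVector, getTextAttrAt and the two focusNextField* callers are hypothetical stand-ins for SwpHints, lcl_GetTextAttrs and the quoted ExecField case, and the hint layouts in workingCase/brokenCase are constructed to reproduce the nIndex/nHintStart values reported, not taken from a real document. The lookup keeps the "hints are sorted by start, so break once a hint starts after the index" rule verbatim; the two callers show the difference between dereferencing the lookup result unconditionally and refusing to act when no input field is found at the cursor, which is what a "don't crash at least" fix amounts to.

```cpp
// Added example, not LibreOffice code. Minimal model of a sorted hint lookup
// that returns nullptr when the first matching hint starts after the cursor.
#include <cstdio>
#include <string>
#include <vector>

// A text attribute ("hint") covering [start, end) of a paragraph's text.
// Hypothetical stand-in for SwTextAttr.
struct Hint {
    int start;
    int end;
    std::string kind;   // "inputfield" or plain "text"
};

// Hints kept sorted by start, as the comment says SwpHints are.
// Hypothetical stand-in for SwpHints.
struct HintVector {
    std::vector<Hint> hints;
};

// Stand-in for lcl_GetTextAttrs: first hint of `kind` covering nIndex, else
// nullptr. The early break mirrors the quoted code: once a hint starts after
// nIndex, no later (sorted) hint can cover it.
const Hint* getTextAttrAt(const HintVector& hv, int nIndex, const std::string& kind) {
    for (const Hint& h : hv.hints) {
        if (nIndex < h.start)
            break;  // hints are sorted by start, so we are done
        if (h.kind == kind && nIndex < h.end)
            return &h;
    }
    return nullptr;
}

// Unchecked caller: the lookup result is used without testing it, which is
// the shape of the else branch the crash goes through. Returns the length of
// the field's text; undefined behaviour (the segfault) when no field is found.
int focusNextFieldUnchecked(const HintVector& hv, int cursor) {
    const Hint* field = getTextAttrAt(hv, cursor, "inputfield");
    return field->end - field->start;
}

// Checked caller: returns the field length, or -1 when there is no input
// field at the cursor, so the caller can decline instead of crashing.
int focusNextFieldChecked(const HintVector& hv, int cursor) {
    const Hint* field = getTextAttrAt(hv, cursor, "inputfield");
    if (!field)
        return -1;
    return field->end - field->start;
}

// Working case (constructed): the cell holds only the input field, so its
// hint starts at 0 and a lookup at cursor 0 finds it (nIndex=0, nHintStart=0).
HintVector workingCase() {
    return HintVector{ { {0, 5, "inputfield"} } };
}

// Broken case (constructed): text precedes the input field, so a text hint
// sits at index 0 and the input-field hint starts at 1. A lookup at cursor 0
// skips the text hint, then breaks at nHintStart=1 and returns nullptr.
HintVector brokenCase() {
    return HintVector{ { {0, 1, "text"}, {1, 6, "inputfield"} } };
}

int main() {
    std::printf("working case, checked: %d\n", focusNextFieldChecked(workingCase(), 0));
    std::printf("broken case, checked:  %d\n", focusNextFieldChecked(brokenCase(), 0));
    // focusNextFieldUnchecked(brokenCase(), 0) would dereference nullptr here.
    return 0;
}
```

Running it prints 5 for the working case and -1 for the broken case; the unchecked caller would give the same 5 for the working case and crash on the broken one, which is the behaviour the backtrace attachments capture.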
Seeing you spent some time to investigate this bug, thought you might be interested in submitting a first version of a patch? (see https://wiki.documentfoundation.org/Development/GetInvolved for more info). Indeed, I suppose you've already:

- downloaded the code
- built it to find the part you quoted

So you just have to submit an ad hoc license statement + create a gerrit account. You may also discuss this on the dev forum or IRC.
Dear charkins,

To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year.

There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present.

If you have time, please do the following:

- Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/
- If the bug is present, please leave a comment that includes the information from Help - About LibreOffice.
- If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice.

Please DO NOT

- Update the version field
- Reply via email (please reply directly on the bug tracker)
- Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case)

If you want to do more to help you can test to see if your issue is a REGRESSION. To do so:

1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from https://downloadarchive.documentfoundation.org/libreoffice/old/
2. Test your bug
3. Leave a comment with your results.
4a. If the bug was present with 3.3 - set version to 'inherited from OOo';
4b. If the bug was not present in 3.3 - add 'regression' to keyword

Feel free to come ask questions or to say hello in our QA chat: https://web.libera.chat/?settings=#libreoffice-qa

Thank you for helping us make LibreOffice even better for everyone!

Warm Regards,
QA Team

MassPing-UntouchedBug
Bug is still present.

Version: 7.3.6.2
Build ID: 30(Build:2)
CPU threads: 8; OS: Linux 5.19; UI render: default; VCL: gtk3
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: threaded

libreoffice-writer-7.3.6.2-3.fc36.x86_64
Bug is still present in libreoffice-writer-7.4.6.2-2.fc37.x86_64:

Version: 7.4.6.2
Build ID: 40(Build:2)
CPU threads: 8; OS: Linux 6.2; UI render: default; VCL: gtk3
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: threaded
Caolán McNamara committed a patch related to this issue. It has been pushed to "master":

https://git.libreoffice.org/core/commit/5692a58cbfbd5da33b37415383f6eafb80d79177

tdf#137542 don't crash at least

It will be available in 7.6.0.

The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Let's at least not crash; done in trunk, backport to 7-5 and 7-4 in gerrit.
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-7-5":

https://git.libreoffice.org/core/commit/508cc73f5301abc00d1ed75e331a22eb01a65f09

tdf#137542 don't crash at least

It will be available in 7.5.4.

The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-7-4":

https://git.libreoffice.org/core/commit/c59204ebc40950147926cc241c3292321abbf444

tdf#137542 don't crash at least

It will be available in 7.4.7.

The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Crash reproduced in 7.3.7.2, report in https://crashreport.libreoffice.org/stats/crash_details/7a386ea6-7d3a-4cd9-b0a9-4f01661ce1bb

Fix verified in:

Version: 7.6.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 5cd9de202765e243e41416802f3e4486b8a96f16
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

Could not crash when navigating with tab.
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-7-5-3":

https://git.libreoffice.org/core/commit/b4b13f0bbf95497c7addd7026c602074aa0725de

tdf#137542 don't crash at least

It will be available in 7.5.3.

The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.