Created attachment 169374 [details] The docx document This error occurs on a docx document. Move the edit point behind "分包人" on the first page. Press Enter you will get this Error. This error reproduces on libreoffice 6.4.5 openSUSE release and Libreoffice 7.0.4 Windows release
Created attachment 169377 [details] How to reproduce thie error
The backtrace log: (gdb) bt #0 0x00007ff987d77890 in rtl_stringbuffer_insert@plt () from /usr/lib64/libreoffice/program/libmergedlo.so #1 0x00007ff98830c0d8 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #2 0x00007ff98830ec39 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #3 0x00007ff988293f0c in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #4 0x00007ff956dab0fa in ?? () from /usr/lib64/libreoffice/program/../program/libswlo.so #5 0x00007ff956dab4cd in ?? () from /usr/lib64/libreoffice/program/../program/libswlo.so #6 0x00007ff957351a27 in ?? () from /usr/lib64/libreoffice/program/../program/libswlo.so #7 0x00007ff95737c873 in ?? () from /usr/lib64/libreoffice/program/../program/libswlo.so #8 0x00007ff956db34fb in ?? () from /usr/lib64/libreoffice/program/../program/libswlo.so #9 0x00007ff95737e449 in SwTextFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const () from /usr/lib64/libreoffice/program/../program/libswlo.so #10 0x00007ff956d7233d in SwLayoutFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const () from /usr/lib64/libreoffice/program/../program/libswlo.so #11 0x00007ff956d7233d in SwLayoutFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const () from /usr/lib64/libreoffice/program/../program/libswlo.so #12 0x00007ff956d79177 in ?? () from /usr/lib64/libreoffice/program/../program/libswlo.so #13 0x00007ff957047dd1 in SwViewShell::Paint(OutputDevice&, tools::Rectangle const&) () from /usr/lib64/libreoffice/program/../program/libswlo.so #14 0x00007ff956a89fac in SwCursorShell::Paint(OutputDevice&, tools::Rectangle const&) () from /usr/lib64/libreoffice/program/../program/libswlo.so #15 0x00007ff9572c7f5b in SwEditWin::Paint(OutputDevice&, tools::Rectangle const&) () from /usr/lib64/libreoffice/program/../program/libswlo.so --Type <RET> for more, q to quit, c to continue without paging-- #16 0x00007ff98933ef1c in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #17 0x00007ff98933e932 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #18 0x00007ff98933ed23 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #19 0x00007ff98933e932 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #20 0x00007ff98933ed23 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #21 0x00007ff98933e932 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #22 0x00007ff98933ed23 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #23 0x00007ff98933e932 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #24 0x00007ff98933ed23 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #25 0x00007ff98933e932 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #26 0x00007ff98933ed23 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #27 0x00007ff9893434c8 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #28 0x00007ff9890452b1 in Scheduler::ProcessTaskScheduling() () from /usr/lib64/libreoffice/program/libmergedlo.so #29 0x00007ff976901adb in ?? () from /usr/lib64/libreoffice/program/libvclplug_gtk3lo.so #30 0x00007ff9815884a4 in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0 #31 0x00007ff981588840 in ?? () from /usr/lib64/libglib-2.0.so.0 #32 0x00007ff981588b02 in g_main_loop_run () from /usr/lib64/libglib-2.0.so.0 #33 0x00007ff975fd8233 in gtk_dialog_run () from /usr/lib64/libgtk-3.so.0 #34 0x00007ff9768d9eba in ?? () from /usr/lib64/libreoffice/program/libvclplug_gtk3lo.so #35 0x00007ff98910aabe in SalGenericSystem::ShowNativeMessageBox(rtl::OUString const&, rtl::OUString const&) () from /usr/lib64/libreoffice/program/libmergedlo.so #36 0x00007ff9886144b5 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so --Type <RET> for more, q to quit, c to continue without paging-- #37 0x00007ff988682699 in ?? () from /usr/lib64/libreoffice/program/libmergedlo.so #38 0x00007ff989094c7f in ImplSVMain() () from /usr/lib64/libreoffice/program/libmergedlo.so #39 0x00007ff98866c665 in soffice_main () from /usr/lib64/libreoffice/program/libmergedlo.so #40 0x000055a8b879177b in ?? () #41 0x00007ff986d9034a in __libc_start_main () from /lib64/libc.so.6 #42 0x000055a8b87917ba in ?? ()
A very obvious difference in addition to the crash/hang is that changes aren't shown. In terms more familiar to Latin script users, the Enter has to be added before "分包人(全称)" for the issue to occur. Confirmed using LO 7.2.0.0.alpha0+ (f2389a70da606768a39ee599de6a5b24058734aa) & 6.3.0.4 / Ubuntu. Fine in 6.2.0.3. Bibisected regression to the 6.3 backport of the following commit using repo bibisect-linux-64-6.3. Addings CC: to László Németh. https://cgit.freedesktop.org/libreoffice/core/commit/?id=0e27158c4f6a6a7676a77afb6b37dd30b3f6d100 author László Németh <nemeth@numbertext.org> 2019-06-12 13:26:16 +0200 committer László Németh <nemeth@numbertext.org> 2019-06-12 21:00:05 +0200 tdf#89991 DOCX: import/export Show changes mode
Created attachment 169378 [details] Screenshot from 6.2.0.3
(In reply to Hillwood Yang from comment #0) > Created attachment 169374 [details] > The docx document > > This error occurs on a docx document. Move the edit point behind "分包人" on > the first page. Press Enter you will get this Error. > > This error reproduces on libreoffice 6.4.5 openSUSE release and Libreoffice > 7.0.4 Windows release Sorry, I mean the new line is behind "承包人(全称): 重庆钢铁集团建设工程有限公司" 😂
@Áron: are you sure, that patch caused the problem? That was only import fix of the state of the Show changes mode, i.e. is not possible to continue the bibisect to find the real place of the problem, setting the Show Changes mode manually before the bibisected commit? More details about the assert: soffice.bin: /home/laci/libreoffice/sw/source/core/text/txtfrm.cxx:1169: std::pair<SwTextNode*, int> sw::MapViewToModel(const sw::MergedPara&, TextFrameIndex): Assertion `nIndex == 0 && "view index out of bounds"' failed. Thread 1 "soffice.bin" received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 51 ../sysdeps/unix/sysv/linux/raise.c: Nincs ilyen fájl vagy könyvtár. (gdb) bt #0 0x00007ffff77aafb7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #1 0x00007ffff77ac921 in __GI_abort () at abort.c:79 #2 0x00007ffff779c48a in __assert_fail_base (fmt=0x7ffff7923750 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7fffcde8c820 "nIndex == 0 && \"view index out of bounds\"", file=file@entry=0x7fffcde8c2c8 "/home/laci/libreoffice/sw/source/core/text/txtfrm.cxx", line=line@entry=1169, function=function@entry=0x7fffcde8f140 <sw::MapViewToModel(sw::MergedPara const&, o3tl::strong_int<int, Tag_TextFrameIndex>)::__PRETTY_FUNCTION__> "std::pair<SwTextNode*, int> sw::MapViewToModel(const sw::MergedPara&, TextFrameIndex)") at assert.c:92 #3 0x00007ffff779c502 in __GI___assert_fail (assertion=0x7fffcde8c820 "nIndex == 0 && \"view index out of bounds\"", file=0x7fffcde8c2c8 "/home/laci/libreoffice/sw/source/core/text/txtfrm.cxx", line=1169, function=0x7fffcde8f140 <sw::MapViewToModel(sw::MergedPara const&, o3tl::strong_int<int, Tag_TextFrameIndex>)::__PRETTY_FUNCTION__> "std::pair<SwTextNode*, int> sw::MapViewToModel(const sw::MergedPara&, TextFrameIndex)") at assert.c:101 #4 0x00007fffcd1b22b1 in sw::MapViewToModel(sw::MergedPara const&, o3tl::strong_int<int, Tag_TextFrameIndex>) (rMerged=..., i_nIndex=...) at /home/laci/libreoffice/sw/source/core/text/txtfrm.cxx:1169 #5 0x00007fffcd116c8d in SwAttrIter::SeekAndChgAttrIter(o3tl::strong_int<int, Tag_TextFrameIndex>, OutputDevice*) (this=0x7ffffffeffd0, nNewPos=..., pOut=0x55555b4a1680) at /home/laci/libreoffice/sw/source/core/text/itratr.cxx:154 #6 0x00007fffcd1273e3 in SwTextIter::SeekAndChg(SwTextSizeInfo&) (this=0x7ffffffeffd0, rInf=...) at /home/laci/libreoffice/sw/source/core/text/itrtxt.hxx:312 #7 0x00007fffcd1381ae in SwTextPainter::DrawTextLine(SwRect const&, SwSaveClip&, bool) (this=0x7ffffffeffd0, rPaint=..., rClip=..., bUnderSized=false) at /home/laci/libreoffice/sw/source/core/text/itrpaint.cxx:331 #8 0x00007fffcd0fe521 in SwTextFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const (this=0x55555b173de0, rRenderContext=..., rRect=...) at /home/laci/libreoffice/sw/source/core/text/frmpaint.cxx:752 #9 0x00007fffccfdfe32 in SwLayoutFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const (this=0x55555b17a4c0, rRenderContext=..., rRect=...) at /home/laci/libreoffice/sw/source/core/layout/paintfrm.cxx:3461 #10 0x00007fffccfdfe32 in SwLayoutFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const (this=0x55555b17a9f0, rRenderContext=..., rRect=...) at /home/laci/libreoffice/sw/source/core/layout/paintfrm.cxx:3461 #11 0x00007fffccfdebd3 in SwRootFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const (this=0x55555a55c8f0, rRenderContext=..., rRect=..., pPrintData=0x0) at /home/laci/libreoffice/sw/source/core/layout/paintfrm.cxx:3170
(In reply to László Németh from comment #6) > @Áron: are you sure, that patch caused the problem? That was only import fix > of the state of the Show changes mode, i.e. is not possible to continue the > bibisect to find the real place of the problem, setting the Show Changes > mode manually before the bibisected commit? You're absolutely right, resetting to bibisectRequest for now. To anyone trying to bibisect this, in earlier commits, disable Show Changes, and press Enter afterwards to trigger the bug. Btw, I don't get an immediate crash (not in current master, either), more like a hang after a few further steps, like trying to move around with the caret. Another bug is that the part with "分包人(全称)" is shown duplicated after pressing Enter, might or might not be related to the hang/crash. All is good in bibisect-linux-64-6.1, buggy in bibisect-linux-64-6.2, but might be from backported commit(s) from 6.3.
for me in 7.x head 130a866a2e289d78a680a57c0cdf84e7dd17d285 it's hanging rather than crashing as such; it's getting stuck in CountCJKCharacters: while ( nPos < nEnd ) { nPos = TextFrameIndex(g_pBreakIt->GetBreakIter()->nextCharacters( rText, sal_Int32(nPos), rLocale, i18n::CharacterIteratorMode::SKIPCELL, 1, nDone)); nCount++; } SwTextPaintInfo::DrawBackBrush entry: 0x577cc10 lcl_AddSpace: (!pStr) nPos=23 nEnd=26 SwScriptInfo::CountCJKCharacters '承包人(全称): 重庆钢铁集团建设工程有限公司' nPos: 23 nEnd: 26 SwScriptInfo::CountCJKCharacters loop bottom: nPos: 23 nEnd: 26 nDone: 0 nCount: 1 SwScriptInfo::CountCJKCharacters loop bottom: nPos: 23 nEnd: 26 nDone: 0 nCount: 2 SwScriptInfo::CountCJKCharacters loop bottom: nPos: 23 nEnd: 26 nDone: 0 nCount: 3 SwScriptInfo::CountCJKCharacters loop bottom: nPos: 23 nEnd: 26 nDone: 0 nCount: 4 so nextCharacters is always giving the same answer
and: SwScriptInfo::CountCJKCharacters '承包人(全称): 重庆钢铁集团建设工程有限公司' nPos: 23 nEnd: 26 BreakIterator_Unicode::nextCharacters '承包人(全称): 重庆钢铁集团建设工程有限公司' oldStartPos:23 nStartPos: -1 nDone: 0 nCount: 1 so the nextCharacters is immediately exiting. I count 23 actual characters in that string. I think the 26 is coming from lcl_AddSpace in portxt.cxx: nPos = rInf.GetIdx(); nEnd = rInf.GetIdx() + rPor.GetLen();
Ah, so if I add: +++ b/sw/source/core/text/porlay.cxx @@ -2648,17 +2648,24 @@ TextFrameIndex SwScriptInfo::CountCJKCharacters(const OUString &rText, TextFrameIndex nPos, TextFrameIndex const nEnd, LanguageType aLang) { TextFrameIndex nCount(0); if (nEnd > nPos) { sal_Int32 nDone = 0; const lang::Locale &rLocale = g_pBreakIt->GetLocale( aLang ); while ( nPos < nEnd ) { + TextFrameIndex nOldPos = nPos; nPos = TextFrameIndex(g_pBreakIt->GetBreakIter()->nextCharacters( rText, sal_Int32(nPos), rLocale, i18n::CharacterIteratorMode::SKIPCELL, 1, nDone)); + if (nPos == nOldPos) { + SAL_WARN("sw.core", "CountCJKCharacters not moving" ); + break; + } nCount++; } then I get the bad_array_new_length back.
My bad array for me is coming from: #2 0x00007fa24d923317 in OutputDevice::ImplLayout (this=0x841d980, rOrigStr=..., nMinIndex=26, nLen=-3, rLogicalPos=..., nLogicalWidth=<optimized out>, pDXArray=0x6df5ed0, flags=SalLayoutFlags::NONE, pLayoutCache=0x0, pGlyphs=0x0) at /discs/fast/core/vcl/source/outdev/text.cxx:1289 1289 xDXPixelArray.reset(new DeviceCoordinate[nLen]); (gdb) list 1284 if( pDXArray) 1285 { 1286 if(mbMap) 1287 { 1288 // convert from logical units to font units using a temporary array 1289 xDXPixelArray.reset(new DeviceCoordinate[nLen]); 'nLen' is -3 here. (hmm, difference between nEnd nPos previously?)
I've just done two small hacks; https://gerrit.libreoffice.org/c/core/+/111291 OutputDevice::ImplLayout don't trust nLen https://gerrit.libreoffice.org/c/core/+/111292 CountCJKCharacters: Don't get caught at end of string which stops it actually crashing; however I don't think it's actually happy - for example, when you hit return it now splits that line OK; but then moving down from the upper line doesn't move, and I'm also seeing some redraw artifacts there of the old line. So I'm guessing it still needs to figure out where the odd lengths come from
Created attachment 170099 [details] Minimal failing document I've chopped the input file down to this tiny case of 4 visible characters; place the caret after the first (bold) character and hit return and it fails for me.
Hello, any progress on this bug so far?
This issue is still reproducible in Version: 7.4.0.0.alpha0+ / LibreOffice Community Build ID: 2761545769ef564b14fc8cd854a35c42bc269f02 CPU threads: 8; OS: Linux 5.10; UI render: default; VCL: gtk3 Locale: es-ES (es_ES.UTF-8); UI: en-US Calc: threaded Steps: 1. Open attachment 170099 [details] 2. Move the cursor twice to the right 3. Move the cursor once to the left 4. Press Enter -> Crash
Regression introduced by: https://cgit.freedesktop.org/libreoffice/core/commit/?id=eb92dc08f2abf5ed088da0d736266f213adf00de author Michael Stahl <Michael.Stahl@cib.de> 2018-11-27 18:28:41 +0100 committer Michael Stahl <Michael.Stahl@cib.de> 2018-12-01 08:44:45 +0100 commit eb92dc08f2abf5ed088da0d736266f213adf00de (patch) tree fcf7ef2fcf4d9d3816bda789320ee58153d8d5b9 parent b9a5d49761351eee327e9bc8518d9388d409058d (diff) sw_redlinehide_4a: SwAutoFormat iterates frames, not nodes Bisected with: bibisect-linux64-6.3 Adding Cc: to Michael Stahl
soffice.bin: /home/xisco/libreoffice/include/rtl/ustring.hxx:843: sal_Unicode rtl::OUString::operator[](sal_Int32) const: Assertion `index >= 0 && static_cast<sal_uInt32>(index) < static_cast<sal_uInt32>(getLength())' failed. Unspecified Application Error
Michael Stahl committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/6518c45dc0c2fb67500af85b97ed40466fd1d1e0 tdf#140077 sw_redlinehide: fix crash on SplitNode() It will be available in 7.4.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
fixed on master
Michael Stahl committed a patch related to this issue. It has been pushed to "libreoffice-7-3": https://git.libreoffice.org/core/commit/c485690c48c92647b8edeca04be8cafcc8de9628 tdf#140077 sw_redlinehide: fix crash on SplitNode() It will be available in 7.3.2. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Michael Stahl committed a patch related to this issue. It has been pushed to "libreoffice-7-2": https://git.libreoffice.org/core/commit/c85863a3b4c632cdf6b6a7448fcf49ffb6bb5f11 tdf#140077 sw_redlinehide: fix crash on SplitNode() It will be available in 7.2.7. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Verified in Version: 7.5.0.0.alpha0+ (x64) / LibreOffice Community Build ID: 4e2ce2a460458f17ee4360c45a2da2fc4b4d753e CPU threads: 14; OS: Windows 10.0 Build 19044; UI render: Skia/Raster; VCL: win Locale: en-US (hu_HU); UI: en-US Calc: threaded following comment 15 steps Writer no longer crashes.