Created attachment 175820
sample document from which a deterministic crash is just 3 steps.

If you open the attached document (sample_18.odt), click the image and press the TAB key 3 times.
Result: LO Writer crashes.

Version: 7.1.5.2 (x64) / LibreOffice Community
Build ID: 85f04e9f809797b8199d13c421bd8a2b025d52b5
CPU threads: 12; OS: Windows 10.0 Build 19043; UI render: Skia/Raster; VCL: win
Locale: hu-HU (en_AU); UI: en-GB
Calc: threaded
I installed the newest version of LO (7.2.2.2). It crashes the same way.
https://crashreport.libreoffice.org/stats/crash_details/c7db036f-c2a0-4235-bfbb-f25aec1c59ea
I can only say that at least for me, it crashes at the *second* press of TAB (i.e., the first TAB moves selection from the green rectangle to the Lorem ipsum box, and the second generates segfault). Same crash with LO 3.3.0, and with OOo 2.4.3. If you open the file in read-only mode, it switches successfully in loop: green rectangle -> Lorem ipsum box -> black arrow in front of the green rectangle -> green rectangle again ... Interestingly, OOo 2.2.0 doesn't crash, but instead of moving from Lorem ipsum to arrow, it adds rows to the table "Table30".
I guess the final <tab> leaving the draw object, is attempting to add a new row to the table, but can't.

Version: 7.2.2.1 (x64) / LibreOffice Community
Build ID: 0e408af0b27894d652a87aa5f21fe17bf058124c
CPU threads: 8; OS: Windows 10.0 Build 19043; UI render: Skia/Vulkan; VCL: win
Locale: en-US (en_US); UI: en-US
Calc: CL

=-WinDbg stack trace "~* kp" of crash thread 0 -=

. 0 Id: 2f90.3538 Suspend: 1 Teb: 0000007a`d745d000 Unfrozen
 # Child-SP RetAddr Call Site
00 (Inline Function) --------`-------- swlo!SwFormat::GetDoc [C:\cygwin64\home\buildslave\source\libo-core\sw\inc\format.hxx @ 123]
01 0000007a`d7f8da00 00007ffc`b36acb31 swlo!SwFormat::getIDocumentSettingAccess(void)+0xd [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\attr\format.cxx @ 717]
02 0000007a`d7f8da30 00007ffc`b37233dc swlo!SwFlowFrame::GetUpperSpaceAmountConsideredForPrevFrameAndPageGrid(void)+0x31 [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\layout\flowfrm.cxx @ 1729]
03 0000007a`d7f8da90 00007ffc`b35b9b71 swlo!SwFrame::GetFrameAnchorPos(bool bIgnoreFlysAnchoredAtThisFrame = <Value unavailable error>)+0xcc [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\layout\ssfrm.cxx @ 313]
04 0000007a`d7f8dac0 00007ffc`b35b978b swlo!SwDrawView::CalcAnchor(void)+0x2d1 [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\draw\dview.cxx @ 744]
05 0000007a`d7f8dba0 00007ffc`bdd99236 swlo!SwDrawView::AddCustomHdl(void)+0x9b [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\draw\dview.cxx @ 227]
06 0000007a`d7f8dbf0 00007ffc`bdd96f50 mergedlo!SdrMarkView::SetMarkHandles(class SfxViewShell * pOtherShell = 0x00000000`00000000)+0xeb6 [C:\cygwin64\home\buildslave\source\libo-core\svx\source\svdraw\svdmrkv.cxx @ 1417]
07 0000007a`d7f8dd80 00007ffc`b35ac95e mergedlo!SdrMarkView::MarkObj(class SdrObject * pObj = 0x000001f6`88c58610, class SdrPageView * pPV = 0x00000000`00000000, bool bUnmark = true, bool bDoNoSetMarkHdl = false, class std::vector<basegfx::B2DRange,std::allocator<basegfx::B2DRange> > * rSubSelections = 0x0000007a`d7f8de50 { size=0 })+0x1f0 [C:\cygwin64\home\buildslave\source\libo-core\svx\source\svdraw\svdmrkv.cxx @ 2142]
08 0000007a`d7f8de20 00007ffc`b3722f9c swlo!SwDrawContact::DisconnectFromLayout(bool _bMoveMasterToInvisibleLayer = true)+0x1fe [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\draw\dcontact.cxx @ 1676]
09 0000007a`d7f8ded0 00007ffc`b37232a7 swlo!SwFrame::DestroyImpl(void)+0x12c [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\layout\ssfrm.cxx @ 351]
0a (Inline Function) --------`-------- swlo!SwFrame::DestroyFrame+0x17 [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\layout\ssfrm.cxx @ 389]
0b 0000007a`d7f8df10 00007ffc`b37232a7 swlo!SwLayoutFrame::DestroyImpl(void)+0x2b7 [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\layout\ssfrm.cxx @ 572]
0c (Inline Function) --------`-------- swlo!SwFrame::DestroyFrame+0x17 [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\layout\ssfrm.cxx @ 389]
0d 0000007a`d7f8df60 00007ffc`b3722db3 swlo!SwLayoutFrame::DestroyImpl(void)+0x2b7 [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\layout\ssfrm.cxx @ 572]
0e 0000007a`d7f8dfb0 00007ffc`b367b967 swlo!SwFrame::DestroyFrame(class SwFrame * pFrame = 0x000001f6`977919a0)+0x23 [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\layout\ssfrm.cxx @ 391]
0f (Inline Function) --------`-------- swlo!sw::ClientIteratorBase::IsChanged+0x8 [C:\cygwin64\home\buildslave\source\libo-core\sw\inc\calbck.hxx @ 310]
10 (Inline Function) --------`-------- swlo!SwIterator<SwRowFrame,SwFormat,0>::Next+0x8 [C:\cygwin64\home\buildslave\source\libo-core\sw\inc\calbck.hxx @ 335]
11 0000007a`d7f8dfe0 00007ffc`b3765bcd swlo!FndBox_::DelFrames(class SwTable * rTable = 0x000001f6`9784f550)+0x457 [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\frmedt\tblsel.cxx @ 2206]
12 0000007a`d7f8e080 00007ffc`b356e293 swlo!SwTable::InsertRow(class SwDoc * pDoc = 0x000001f6`9776c5a0, class SwSelBoxes * rBoxes = 0x0000007a`d7f8e3c0, unsigned short nCnt = 1, bool bBehind = true)+0x17d [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\table\swnewtable.cxx @ 1505]
13 0000007a`d7f8e2a0 00007ffc`b33c2702 swlo!SwDoc::InsertRow(class SwSelBoxes * rBoxes = 0x0000007a`d7f8e3c0, unsigned short nCnt = 1, bool bBehind = true)+0x283 [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\docnode\ndtbl.cxx @ 1809]
14 0000007a`d7f8e3a0 00007ffc`b3c93ad3 swlo!SwCursorShell::GoNextCell(bool bAppendLine = true)+0x282 [C:\cygwin64\home\buildslave\source\libo-core\sw\source\core\crsr\trvltbl.cxx @ 90]
15 0000007a`d7f8e450 00007ffc`be6227e2 swlo!SwEditWin::KeyInput(class KeyEvent * rKEvt = 0x0000007a`d7f8e6b0)+0x2ba3 [C:\cygwin64\home\buildslave\source\libo-core\sw\source\uibase\docvw\edtwin.cxx @ 2564]
16 0000007a`d7f8e670 00007ffc`be6261ec mergedlo!ImplHandleKey(class vcl::Window * pWindow = 0x000001f6`972b5e60, MouseNotifyEvent nSVEvent = KEYINPUT (0n4), unsigned short nKeyCode = <Value unavailable error>, unsigned short nCharCode = 9, unsigned short nRepeat = 0, bool bForward = true)+0x3f2 [C:\cygwin64\home\buildslave\source\libo-core\vcl\source\window\winproc.cxx @ 995]
17 0000007a`d7f8e7c0 00007ffc`beb0eecc mergedlo!ImplWindowFrameProc(class vcl::Window * _pWindow = 0x000001f6`972b5e60, SalEvent nEvent = KeyInput (0n5), void * pEvent = 0x0000007a`d7f8eba0)+0x3bc [C:\cygwin64\home\buildslave\source\libo-core\vcl\source\window\winproc.cxx @ 2656]
18 0000007a`d7f8eb40 00007ffc`bb62d591 mergedlo!SalFrame::CallCallback(SalEvent nEvent = <Value unavailable error>, void * pEvent = <Value unavailable error>)+0x1c [C:\cygwin64\home\buildslave\source\libo-core\vcl\inc\salframe.hxx @ 306]
19 0000007a`d7f8eb70 00007ffc`bb632916 vclplug_winlo!ImplHandleKeyMsg(struct HWND__ * hWnd = 0x00000000`000f075e, unsigned int nMsg = <Value unavailable error>, unsigned int64 wParam = 9, int64 lParam = 0n983040, int64 * rResult = 0x0000007a`d7f8ec78)+0x391 [C:\cygwin64\home\buildslave\source\libo-core\vcl\win\window\salframe.cxx @ 3604]
1a 0000007a`d7f8ec10 00007ffc`bb633a2d vclplug_winlo!SalFrameWndProc(struct HWND__ * hWnd = 0x00000000`000f075e, unsigned int nMsg = 0x100, unsigned int64 wParam = 9, int64 lParam = 0n983041, bool * rDef = 0x0000007a`d7f8eda0)+0x7e6 [C:\cygwin64\home\buildslave\source\libo-core\vcl\win\window\salframe.cxx @ 5573]
1b 0000007a`d7f8ed70 00007ffd`370be858 vclplug_winlo!SalFrameWndProcW(struct HWND__ * hWnd = 0x00000000`000f075e, unsigned int nMsg = 0x100, unsigned int64 wParam = 9, int64 lParam = 0n983041)+0x4d [C:\cygwin64\home\buildslave\source\libo-core\vcl\win\window\salframe.cxx @ 5891]
1c 0000007a`d7f8ede0 00007ffd`370be4ee USER32!UserCallWinProcCheckWow+0x2f8
1d 0000007a`d7f8ef70 00007ffc`b87df1b0 USER32!CallWindowProcW+0x8e
1e 0000007a`d7f8efc0 00007ffd`370be858 opengl32!wglWndProc+0x2a0
1f 0000007a`d7f8f030 00007ffd`370be299 USER32!UserCallWinProcCheckWow+0x2f8
20 0000007a`d7f8f1c0 00007ffc`bb5c3a2d USER32!DispatchMessageWorker+0x249
21 0000007a`d7f8f240 00007ffc`bb5c3bf4 vclplug_winlo!ImplSalDispatchMessage(struct tagMSG * pMsg = 0x0000007a`d7f8f2a0 {msg=0x100 wp=0x9 lp=0xf0001})+0x4d [C:\cygwin64\home\buildslave\source\libo-core\vcl\win\app\salinst.cxx @ 412]
22 0000007a`d7f8f270 00007ffc`bb5c3921 vclplug_winlo!ImplSalYield(bool bWait = true, bool bHandleAllCurrentEvents = false)+0x194 [C:\cygwin64\home\buildslave\source\libo-core\vcl\win\app\salinst.cxx @ 488]
23 0000007a`d7f8f300 00007ffc`be9b0014 vclplug_winlo!WinSalInstance::DoYield(bool bWait = true, bool bHandleAllCurrentEvents = false)+0x91 [C:\cygwin64\home\buildslave\source\libo-core\vcl\win\app\salinst.cxx @ 517]
24 (Inline Function) --------`-------- mergedlo!ImplYield+0x2d [C:\cygwin64\home\buildslave\source\libo-core\vcl\source\app\svapp.cxx @ 465]
25 (Inline Function) --------`-------- mergedlo!Application::Yield+0x2d [C:\cygwin64\home\buildslave\source\libo-core\vcl\source\app\svapp.cxx @ 532]
26 0000007a`d7f8f330 00007ffc`bd74afa5 mergedlo!Application::Execute(void)+0x164 [C:\cygwin64\home\buildslave\source\libo-core\vcl\source\app\svapp.cxx @ 444]
27 0000007a`d7f8f390 00007ffc`be9bf527 mergedlo!desktop::Desktop::Main(void)+0x11e5 [C:\cygwin64\home\buildslave\source\libo-core\desktop\source\app\app.cxx @ 1587]
28 0000007a`d7f8f6e0 00007ffc`bd76cfc3 mergedlo!ImplSVMain(void)+0x67 [C:\cygwin64\home\buildslave\source\libo-core\vcl\source\app\svmain.cxx @ 199]
29 0000007a`d7f8f710 00007ff6`d562105b mergedlo!soffice_main(void)+0x133 [C:\cygwin64\home\buildslave\source\libo-core\desktop\source\app\sofficemain.cxx @ 98]
2a (Inline Function) --------`-------- soffice!sal_main+0x6 [C:\cygwin64\home\buildslave\source\libo-core\desktop\source\app\main.c @ 49]
2b 0000007a`d7f8f7d0 00007ff6`d5621308 soffice!main(int argc = <Value unavailable error>, char ** argv = <Value unavailable error>)+0x1b [C:\cygwin64\home\buildslave\source\libo-core\desktop\source\app\main.c @ 47]
2c (Inline Function) --------`-------- soffice!invoke_main+0x22 [D:\agent\_work\10\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
2d 0000007a`d7f8f800 00007ffd`36887034 soffice!__scrt_common_main_seh(void)+0x10c [D:\agent\_work\10\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
2e 0000007a`d7f8f840 00007ffd`38862651 KERNEL32!BaseThreadInitThunk+0x14
2f 0000007a`d7f8f870 00000000`00000000 ntdll!RtlUserThreadStart+0x21
To fix this we can either move among the drawing and image objects or add a new row to the table as Mike said happens in OOo 2.2.0.

First stab was one that assures standard mode in SwCursorShell::GoNextCell, which allows a new row to be added to the table without crashing.

Second stab, which I think is probably better as it is the behavior when in read-only mode, is to make the Tab key move to the next drawing or image object.

Here are links to both patches:
https://gerrit.libreoffice.org/c/core/+/125434
https://gerrit.libreoffice.org/c/core/+/125435
I agree, moving around the objects is much more logical than changing the document (by adding rows to the table). I think this is what most users would expect. If I wanted to add a row to the table, I would click into the table and would press TAB there.
Jim Raykowski committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/437d5a446733aca0a485218f29d8d7dcea4d3999

tdf#145207 Check for drawing object before Table to handle Tab key

It will be available in 7.3.0.

The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Jim Raykowski committed a patch related to this issue.
It has been pushed to "libreoffice-7-2":

https://git.libreoffice.org/core/commit/5fae86d3f4468cac9af32e44873d57a195a48ff4

tdf#145207 Check for drawing object before Table to handle Tab key

It will be available in 7.2.4.
Xisco Fauli committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/59e70256a358db136f5fd23651aea96d218b1a64

tdf#145207: sw_uiwriter3: Add unittest

It will be available in 7.3.0.
7.2.4 was a hotfix release, updating target in status-whiteboard