Description:
Crash swlo!SwDrawTextInfo::GetSperren+1069 scrolling DOCX to bottom
Steps to Reproduce:
1. Open the attached file (DOCX export of attachment 163472 bug 135091)
2. Press page down until bottom -> Crash
Actual Results:
Crash
Expected Results:
No crash
Reproducible: Always
User Profile Reset: No
Additional Info:
Version: 7.3.0.0.alpha0+ (x64) / LibreOffice Community
Build ID: 93115d2c54d645bcf2f80fde325e3ede39dee4d5
CPU threads: 4; OS: Windows 6.3 Build 9600; UI render: Skia/Raster; VCL: win
Locale: nl-NL (nl_NL); UI: en-US
Calc: CL
Created attachment 175922
Example file
Created attachment 175923
BT without symbols
No crash with
Version: 7.0.0.0.beta1+ (x64)
Build ID: 2891e91a513520d68ea2b8c59c14335861a15253
CPU threads: 4; OS: Windows 6.3 Build 9600; UI render: Skia/Raster; VCL: win
Locale: nl-NL (nl_NL); UI: en-US
Calc: CL
Bug 135091 mentions a pre-existing assert.
Created attachment 175939
gdb bt
On pc Debian x86-64 with master sources updated today, I got a crash.
Extra info:
(gdb) p rInf.GetText()
$3 = ""
(gdb) p rInf.GetIdx()
$4 = {m_value = 0}
(gdb) p rInf.GetLen()
$5 = {m_value = 1}
Noel: noticing https://cgit.freedesktop.org/libreoffice/core/commit/?id=d4dc6b5cfdb02ad00a06ad32650948648abe010d
use std::vector for fetching DX array data
because I'm trying to track down a related heap corruption, and that is much easier if the access to the array is checked by the std::vector debug runtime
thought you might be interested in this one. Perhaps this document with your patch revealed a bug?
> Extra info:
> (gdb) p rInf.GetText()
> $3 = ""
> (gdb) p rInf.GetIdx()
> $4 = {m_value = 0}
> (gdb) p rInf.GetLen()
> $5 = {m_value = 1}
This means that rInf has become corrupt somehow because the length does not match the string.
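The mismatch in the gdb output above (empty text, index 0, length 1), as an added C++ example that is not LibreOffice code: `TextRange`, `rangeIsConsistent`, `sumAdvances` and `checkedAccessCatches` are hypothetical names, and the per-character `dx` vector only stands in for the DX array named in the commit message. It validates the range before indexing, and shows `std::vector::at()` reporting the bad index that an unchecked array read would not.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for the values printed in gdb: a text portion
// described by (text, idx, len). This is not SwDrawTextInfo.
struct TextRange {
    std::u16string text;
    std::size_t idx;
    std::size_t len;
};

// Invariant the gdb values violate: [idx, idx + len) must lie inside text.
// Written as a subtraction so idx + len cannot overflow.
bool rangeIsConsistent(const TextRange& r) {
    return r.idx <= r.text.size() && r.len <= r.text.size() - r.idx;
}

// Sum per-character advance widths for the range (dx has one entry per
// character of text). Refuses to index when the range is inconsistent.
bool sumAdvances(const TextRange& r, const std::vector<long>& dx, long& out) {
    if (!rangeIsConsistent(r) || dx.size() < r.text.size())
        return false;
    out = 0;
    for (std::size_t i = r.idx; i < r.idx + r.len; ++i)
        out += dx[i];
    return true;
}

// Same loop without up-front validation but with checked access: the bad
// range surfaces as std::out_of_range at the faulting index instead of an
// out-of-bounds heap read. at() is always checked; a debug runtime applies
// the same kind of check to operator[].
bool checkedAccessCatches(const TextRange& r, const std::vector<long>& dx) {
    try {
        long total = 0;
        for (std::size_t i = r.idx; i < r.idx + r.len; ++i)
            total += dx.at(i);
        (void)total;
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}
```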
Created attachment 176037
Valgrind trace
Here's a Valgrind trace retrieved on pc Debian x86-64 with master sources updated today + gen rendering
The whole mechanism involved here is too complicated for me. I understand nothing about TextFrameIndex and layout features. Can't help here => uncc myself
Bibisected using bibisect-linux-64-7.3-CN repo, to the following range:
9a58ec3f6f65da27e3b26e1173b6661b743e66a4..426930d0c4bd6f782a04a92e8a36e92cd65e186f
426930d0c4bd (speedup dynamic_cast to SwTextFrame, 2021-08-28, Noel Grandin)
69e0567e118f (tdf#135683 speed up layout of large writer tables, 2021-08-28, Noel Grandin)
9ca9faabd400 (vcl: move TextLayoutCache to own module header, 2021-03-07, Chris Sherlock)
*** Bug 145929 has been marked as a duplicate of this bug. ***
(In reply to Kevin Suo from comment #9)
> Bibisected using bibisect-linux-64-7.3-CN repo, to the following range:
> 9a58ec3f6f65da27e3b26e1173b6661b743e66a4..426930d0c4bd6f782a04a92e8a36e92cd65e186f
>
> 426930d0c4bd (speedup dynamic_cast to SwTextFrame, 2021-08-28, Noel Grandin)
> 69e0567e118f (tdf#135683 speed up layout of large writer tables, 2021-08-28, Noel Grandin)
> 9ca9faabd400 (vcl: move TextLayoutCache to own module header, 2021-03-07, Chris Sherlock)
Actually it can be bisected with SAL_USE_VCLPLUGIN=gen
Regression introduced by:
author Noel Grandin <noel.grandin@collabora.co.uk> 2021-09-02 20:05:09 +0200
committer Noel Grandin <noel.grandin@collabora.co.uk> 2021-09-04 08:17:06 +0200
commit d4dc6b5cfdb02ad00a06ad32650948648abe010d (patch)
tree 02446cd93e68aba9b78db6eb7fc902e782c6faf9
parent 86fa9c907387e96c9c93f1e17239730271fedbfd (diff)
use std::vector for fetching DX array data
Bisected with: bibisect-linux64-7.3
Adding Cc: to Noel Grandin
Created attachment 177549
minimized reproducer
Steps to reproduce:
1. Open minimized reproducer
2. Page down to the bottom
3. Page up to the top -> Crash
*** Bug 146749 has been marked as a duplicate of this bug. ***
Noel Grandin committed a patch related to this issue. It has been pushed to "master":
https://git.libreoffice.org/core/commit/0e4bcbb67dda204ba78f99df68a63458c29e7470
tdf#145321 Crash scrolling DOCX to bottom
It will be available in 7.4.0.
The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Noel Grandin committed a patch related to this issue. It has been pushed to "libreoffice-7-3":
https://git.libreoffice.org/core/commit/68fa037b8f1300ffb950cc3ba4be4347f976eb83
tdf#145321 Crash scrolling DOCX to bottom
It will be available in 7.3.1.
Noel Grandin committed a patch related to this issue. It has been pushed to "libreoffice-7-3-0":
https://git.libreoffice.org/core/commit/6ae00fc24786eac379e6e64ac3e6d83c6a057b24
tdf#145321 Crash scrolling DOCX to bottom
It will be available in 7.3.0.
Xisco Fauli committed a patch related to this issue. It has been pushed to "master":
https://git.libreoffice.org/core/commit/1103240cb3e884ea6024a690eeed743934662a12
tdf#145321: sw_uiwriter3: Add unittest
It will be available in 7.4.0.
Verified. No crash in
Version: 7.3.1.0.0+ / LibreOffice Community
Build ID: 216ad305810d1d36cf5874fd9842111d426899a8
CPU threads: 4; OS: Linux 5.13; UI render: default; VCL: gtk3
Locale: ro-RO (ro_RO.UTF-8); UI: en-US
Calc: threaded