Description:
ZWNJ (zero-width non-joiner) is a special Unicode character that is used in many languages including Persian.

Zero-width non-joiner
https://en.wikipedia.org/wiki/Zero-width_non-joiner

It is encoded as U+200C in Unicode, and can be typed by switching the keyboard to Persian and pressing "shift+b" in Linux, and "ctrl+shift+2" in Windows.

Typing or pasting ZWNJ now leads to a crash. Just type a random Persian character and then type ZWNJ and Writer will crash.

Steps to Reproduce:
1. Open LibreOffice Writer
2. Typing or pasting ZWNJ now leads to a crash. Just type a random Persian character and then type ZWNJ or paste "ب‌" (two characters, second one is ZWNJ which is not visible). You can copy and paste the text including the double quotes.

Actual Results:
LibreOffice Writer crashes.

Expected Results:
The application should not crash, as before.

Reproducible: Always

User Profile Reset: No

Additional Info:
Pasting ZWNJ alone will not lead to a crash, but when it comes with another character before it, it leads to a crash.
Works fine in 7.3:

Version: 7.3.0.3 / LibreOffice Community
Build ID: 0f246aa12d0eee4a0f7adcefbf7c878fc2238db3
CPU threads: 8; OS: Linux 5.13; UI render: default; VCL: gtk3
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: threaded

The latest LO 7.4 master has the problem:

Version: 7.4.0.0.alpha0+ (x64) / LibreOffice Community
Build ID: 71b952340726190d1f178ef0dadfa89677f2c1dd
CPU threads: 32; OS: Windows 10.0 Build 19044; UI render: Skia/Raster; VCL: win
Locale: en-US (en_DE); UI: en-US
Calc: threaded

Version: 7.4.0.0.alpha0+ / LibreOffice Community
Build ID: 7de27fe664f2fbb310907b5f945010792cd79ed3
CPU threads: 8; OS: Linux 5.13; UI render: default; VCL: gtk3
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: threaded
I couldn't get an informative backtrace using gdb:

./instdir/program/soffice -env:SAL_USE_VCLPLUGIN=gen --backtrace

This is created using Qt Creator:

1  __GI_raise  raise.c  50  0x7ffff79ef03b
2  __GI_abort  abort.c  79  0x7ffff79ce859
3  ??  0x7ffff7849109
4  std::vector<int>::operator[]  vector  427  0x7fffef03a194
5  GenericSalLayout::ApplyDXArray<double>  CommonSalLayout.cxx  730  0x7fffef5024d2
6  GenericSalLayout::AdjustLayout  CommonSalLayout.cxx  244  0x7fffef4f8ee1
7  MultiSalLayout::ImplAdjustMultiLayout<double>  sallayout.cxx  756  0x7fffef4d61a5
8  MultiSalLayout::AdjustLayout  sallayout.cxx  717  0x7fffef4d3847
9  OutputDevice::ImplLayout  text.cxx  1430  0x7fffef1db97c
10  OutputDevice::DrawTextArray  text.cxx  950  0x7fffef1d98b7
11  SwFntObj::DrawText  fntcache.cxx  1825  0x7fffc9780438
12  SwSubFont::DrawText_  swfont.cxx  1107  0x7fffc97e2277
13  SwFont::DrawText_  swfont.hxx  315  0x7fffc9645bdc
14  SwTextPaintInfo::DrawText_  inftxt.cxx  715  0x7fffc964efbc
15  SwTextPaintInfo::DrawText  inftxt.hxx  751  0x7fffc9687fc9
16  SwTextPortion::Paint  portxt.cxx  561  0x7fffc96d3e50
17  SwTextPainter::PaintMultiPortion  pormulti.cxx  1747  0x7fffc96c5a3b
18  SwTextPainter::DrawTextLine  itrpaint.cxx  394  0x7fffc9682c2f
19  SwTextFrame::PaintSwFrame  frmpaint.cxx  756  0x7fffc9645520
20  SwLayoutFrame::PaintSwFrame  paintfrm.cxx  3585  0x7fffc94ffb34
21  SwLayoutFrame::PaintSwFrame  paintfrm.cxx  3585  0x7fffc94ffb34
22  SwRootFrame::PaintSwFrame  paintfrm.cxx  3294  0x7fffc94fe825
23  SwViewShell::ImplEndAction  viewsh.cxx  427  0x7fffc9b43208
24  SwViewShell::EndAction  viewsh.hxx  603  0x7fffc8de1cc8
25  SwCursorShell::EndAction  crsrsh.cxx  265  0x7fffc8dceed8
26  SwEditShell::EndAllAction  edws.cxx  102  0x7fffc933d6b5
27  (anonymous namespace)::SwTrnsfrActionAndUndo::~SwTrnsfrActionAndUndo  swdtflvr.cxx  249  0x7fffc9e72c90
28  o3tl::default_delete<(anonymous namespace)::SwTrnsfrActionAndUndo>::operator()  deleter.hxx  46  0x7fffc9e87552
29  std::__uniq_ptr_impl<(anonymous namespace)::SwTrnsfrActionAndUndo, o3tl::default_delete<(anonymous namespace)::SwTrnsfrActionAndUndo>>::reset  unique_ptr.h  182  0x7fffc9e875c2
30  std::unique_ptr<(anonymous namespace)::SwTrnsfrActionAndUndo, o3tl::default_delete<(anonymous namespace)::SwTrnsfrActionAndUndo>>::reset  unique_ptr.h  456  0x7fffc9e874c7
31  SwTransferable::PasteData  swdtflvr.cxx  2053  0x7fffc9e7b237
32  SwTransferable::Paste  swdtflvr.cxx  1667  0x7fffc9e7a026
33  SwBaseShell::ExecClpbrd  basesh.cxx  356  0x7fffc9ffe9a3
34  SfxStubSwBaseShellExecClpbrd  swslots.hxx  2167  0x7fffc9ffd5c9
35  SfxDispatcher::Call_Impl  dispatch.cxx  254  0x7ffff48406d6
36  SfxDispatcher::Execute_  dispatch.cxx  753  0x7ffff4843a6d
37  SfxBindings::Execute_Impl  bindings.cxx  1060  0x7ffff482f497
38  SfxDispatchController_Impl::dispatch  unoctitm.cxx  700  0x7ffff4901058
39  SfxOfficeDispatch::dispatch  unoctitm.cxx  262  0x7ffff48fef0a
40  svt::(anonymous namespace)::AsyncAccelExec::impl_ts_asyncCallback  acceleratorexecute.cxx  480  0x7ffff1d29054
41  svt::(anonymous namespace)::AsyncAccelExec::LinkStubimpl_ts_asyncCallback  acceleratorexecute.cxx  472  0x7ffff1d28f71
42  Link<LinkParamNone *, void>::Call  link.hxx  111  0x7fffeed4ae3d
43  vcl::EventPoster::DoEvent_Impl  evntpost.cxx  52  0x7fffef6143a5
44  vcl::EventPoster::LinkStubDoEvent_Impl  evntpost.cxx  48  0x7fffef614369
45  Link<void *, void>::Call  link.hxx  111  0x7fffeefe0475
46  ImplHandleUserEvent  winproc.cxx  2232  0x7fffeefdd4f7
47  ImplWindowFrameProc  winproc.cxx  2802  0x7fffeefdf38c
48  SalFrame::CallCallback  salframe.hxx  308  0x7fffefa1aad0
49  SalGenericDisplay::ProcessEvent  gendisp.cxx  66  0x7fffefa4102d
50  operator()  salusereventlist.cxx  119  0x7fffef6258c8
51  SalUserEventList::DispatchUserEvents  salusereventlist.cxx  120  0x7fffef625ba1
52  SalGenericDisplay::DispatchInternalEvent  gendisp.cxx  51  0x7fffefa40f99
53  SalX11Display::Yield  saldisp.cxx  1889  0x7fffe4ebe379
54  DisplayYield  saldisp.cxx  381  0x7fffe4eb62eb
55  (anonymous namespace)::YieldEntry::HandleNextEvent  saldata.cxx  562  0x7fffe4eb11b3
56  SalXLib::Yield  saldata.cxx  658  0x7fffe4eb19f7
57  X11SalInstance::DoYield  salinst.cxx  192  0x7fffe4ed3a3b
58  ImplYield  svapp.cxx  474  0x7fffef6df085
59  Application::Yield  svapp.cxx  558  0x7fffef6dfc1d
60  Application::Execute  svapp.cxx  452  0x7fffef6ded79
61  desktop::Desktop::Main  app.cxx  1604  0x7ffff7c30dc2
62  ImplSVMain  svmain.cxx  202  0x7fffef6fe40e
63  SVMain  svmain.cxx  234  0x7fffef6fe537
64  soffice_main  sofficemain.cxx  98  0x7ffff7c970db
65  sal_main  main.c  51  0x5555555549ed
66  main  main.c  49  0x5555555549cf
Repro with pasting in dbgutil build

Arch Linux 64-bit
Version: 7.4.0.0.alpha0+ / LibreOffice Community
Build ID: 71b952340726190d1f178ef0dadfa89677f2c1dd
CPU threads: 8; OS: Linux 5.16; UI render: default; VCL: kf5 (cairo+xcb)
Locale: fi-FI (fi_FI.UTF-8); UI: en-US
Calc: threaded Jumbo
Built on 17 March 2022
Created attachment 178947
gdb bt

On pc Debian x86-64 with master sources updated today, I could reproduce this.
I attached bt + console logs.
Just for the record, I don't reproduce this with LO Debian package 7.3.1
Caolán/Luboš: thought you might be interested in this one. (meanwhile, crash + regression => let's increase importance)
It is possible https://gerrit.libreoffice.org/c/core/+/131712 addresses this because that backtrace looks like one seen in crashtesting that the above fixes
I think it was the follow up patch of https://gerrit.libreoffice.org/c/core/+/131713 so adapted the commit message of that to mention this
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/d64ba1048716767db6fd3daedb637df193c7071b

Related: tdf#148053 fix a crash in out of range dx array

It will be available in 7.4.0.

The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
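Added example, not part of the thread and not LibreOffice code: frames 4 and 5 of the backtrace show the abort coming from std::vector<int>::operator[] inside GenericSalLayout::ApplyDXArray, and the commit subject calls it an out of range dx array. The sketch below is a simplified model of that class of bug with a range check in front of every array access; the Glyph struct, the applyDxArray function and the cumulative-offset layout of dx are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical glyph record: the absolute character position it came from.
struct Glyph { int charPos; };

// Simplified model (an assumption, not LibreOffice code): dx holds one
// cumulative offset per character of the run that starts at runStart.
// Unchecked form, for contrast:  adv = dx[g.charPos - runStart];
// A checking standard library aborts on a bad index there; otherwise it is
// an out-of-bounds read.
bool applyDxArray(const std::vector<Glyph>& glyphs,
                  const std::vector<double>& dx, int runStart,
                  std::vector<double>& advances) {
    advances.clear();
    for (const Glyph& g : glyphs) {
        long long idx = static_cast<long long>(g.charPos) - runStart;
        // Reject any glyph whose character lies outside the array.
        if (idx < 0 || static_cast<std::size_t>(idx) >= dx.size()) {
            advances.clear();
            return false;
        }
        double prev = idx > 0 ? dx[idx - 1] : 0.0;
        advances.push_back(dx[idx] - prev);
    }
    return true;
}

int main() {
    // Constructed sample: a two-character run (letter plus a zero-width
    // character) starting at position 5; the second glyph list points past it.
    std::vector<double> dx{10.0, 10.0}, adv;
    std::vector<Glyph> inRange{{5}, {6}}, outOfRange{{5}, {7}};
    std::printf("in range: %d\n", applyDxArray(inRange, dx, 5, adv));
    std::printf("out of range: %d\n", applyDxArray(outOfRange, dx, 5, adv));
    return 0;
}
```
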
Well, one or the other or both seems to solve the issue IIUC.
Verified

Arch Linux 64-bit
Version: 7.4.0.0.alpha0+ / LibreOffice Community
Build ID: 9074f5602a9b0b51349647f29d8537256217ebe7
CPU threads: 8; OS: Linux 5.16; UI render: default; VCL: kf5 (cairo+xcb)
Locale: fi-FI (fi_FI.UTF-8); UI: en-US
Calc: threaded Jumbo
Built on 18 March 2022
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-7-3":

https://git.libreoffice.org/core/commit/29e996bd5e364e1b6b22d88d56d28dac7d3c97d6

Resolves: tdf#148053 fix a crash in out of range dx array

It will be available in 7.3.3.

The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Hi Hossein, if you have time, could you please create a unittest for this issue? I can't reproduce it on my end
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-7-3-2":

https://git.libreoffice.org/core/commit/423c3f2cf385549c25c2b5e564f195466f135083

Resolves: tdf#148053 fix a crash in out of range dx array

It will be available in 7.3.2.

The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.