Bug 154016 - Libreoffice Math Crash when scrolling through "element categories"
Summary: Libreoffice Math Crash when scrolling through "element categories"
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Formula Editor (show other bugs)
Version:
(earliest affected)
7.4.6.2 release
Hardware: All Windows (All)
: medium critical
Assignee: Mike Kaganski
URL:
Whiteboard: target:7.6.0 target:7.4.7 target:7.5.3.2
Keywords: bibisected, bisected, regression
Depends on:
Blocks: Elements-Pane GDI-Limit Crash
  Show dependency treegraph
 
Reported: 2023-03-06 16:08 UTC by Gerard Taulats
Modified: 2023-05-04 08:21 UTC (History)
4 users (show)

See Also:
Crash report or crash signature: [" std::allocator<unsigned short>::deallocate(unsigned short * const,unsigned __int64)"," rtl::str::newFromStr_WithLength<_rtl_uString,char>(_rtl_uString * *,char const *,long,long)"]

Attachments
Example of how to reproduce the crash (766.91 KB, video/mp4)
2023-03-09 23:10 UTC, Gerard Taulats 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Gerard Taulats 2023-03-06 16:08:03 UTC 
Description:
While hovering "element categories", scroll up and down quickly until crashing libreoffice.
It's the same whether Libreoffice Math or Formulas inside Libreoffice Writer is used.

Steps to Reproduce:
1.Open Libreoffice Math or a "Formula" in Libreoffice Writer
2.Hover over "Element categories"
3.Use the mouse wheel to scroll up and down quickly for ~5 seconds


Actual Results:
Crash

Expected Results:
Not to crash


Reproducible: Always


User Profile Reset: Yes

Additional Info:
Version: 7.5.1.2 (X86_64) / LibreOffice Community
Build ID: fcbaee479e84c6cd81291587d2ee68cba099e129
CPU threads: 16; OS: Windows 10.0 Build 19045; UI render: Skia/Raster; VCL: win
Locale: es-ES (ca_ES); UI: en-US
Calc: threaded

I noticed a memory usage increase at a rate of 40 MB/s, and a very high energy usage at the point of failure.
There may be other ways to prompt this crash, as it has failed on me several times. This method is one way I found to trigger it.
Comment 1 m_a_riosv 2023-03-08 02:18:12 UTC 
Looks like a duplicate.
https://bugs.documentfoundation.org/buglist.cgi?quicksearch=scroll%20crash&list_id=1570000

Could you test if it happens on Writer/Calc?
Comment 2 Gerard Taulats 2023-03-08 10:10:06 UTC 
> Looks like a duplicate.
> https://bugs.documentfoundation.org/buglist.
> cgi?quicksearch=scroll%20crash&list_id=1570000

It might be, but I'm unable to find it anywhere

> Could you test if it happens on Writer/Calc?

I retested it for math, writer, impress, calc and draw, and for all of them there's a crash. The error must be from the math module to generate the formulas.
Comment 3 QA Administrators 2023-03-09 03:26:48 UTC Comment hidden (noise)
Comment 4 raal 2023-03-09 20:18:13 UTC 
No repro with Version: 7.6.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 288c0920a8475f9f2c537212e04aa7649192ad8c
CPU threads: 4; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: cs-CZ (cs_CZ.UTF-8); UI: en-US
Calc: threaded
Comment 5 Gerard Taulats 2023-03-09 23:10:24 UTC 
Created attachment 185876 [details]
Example of how to reproduce the crash
Comment 6 Gerard Taulats 2023-03-09 23:11:32 UTC 
(In reply to raal from comment #4)
> No repro with Version: 7.6.0.0.alpha0+ (X86_64) / LibreOffice Community
> Build ID: 288c0920a8475f9f2c537212e04aa7649192ad8c
> CPU threads: 4; OS: Linux 5.15; UI render: default; VCL: gtk3
> Locale: cs-CZ (cs_CZ.UTF-8); UI: en-US
> Calc: threaded
I'm afraid to say I can reproduce. See attached video for an example.

I also made some research. I think it was introduced with the 7.4 series of libreoffice, since for earlier releases I can't reproduce it.
Comment 7 Stéphane Guillou (stragu) 2023-03-20 17:51:11 UTC 
I can reproduce in 7.5.1.2 on Windows 10.

Version: 7.5.1.2 (X86_64) / LibreOffice Community
Build ID: fcbaee479e84c6cd81291587d2ee68cba099e129
CPU threads: 4; OS: Windows 10.0 Build 19045; UI render: Skia/Raster; VCL: win
Locale: ja-JP (en_GB); UI: en-GB
Calc: threaded

No crash in 7.3.0.3, but 7.4.6.1 does crash, so I think you are right -> Regression.


Crash reports:
- 7.5.1.2: https://crashreport.libreoffice.org/stats/crash_details/a443cb17-5ff7-49f9-a153-6b638733fb78
- 7.4.6.1: https://crashreport.libreoffice.org/stats/crash_details/557c4e94-328a-46e0-ac03-d3a14b8d925f

I couldn't crash it with gen VCL on Linux (and GTK doesn't let me scroll the elements)
I couldn't crash it with other selection lists like "Navigate By" in the Navigator deck, or "Size" in the Page deck (Writer).

Keeping it as Windows-only for now.
Comment 8 Stéphane Guillou (stragu) 2023-03-20 21:10:35 UTC 
The two crash signatures I got are Windows-only an started with 7.4.0.3, one of them totalling more than 1700 crashes.
Comment 9 Stéphane Guillou (stragu) 2023-04-13 21:36:27 UTC Comment hidden (off-topic)
Comment 10 raal 2023-04-17 14:21:41 UTC 
This seems to have begun at the below commit in bibisect repository/OS /win64-7.4.
Adding Cc: to Mike Kaganski ; Could you possibly take a look at this one?
Thanks
 c278ef2cde35544df264a8bdbc0132fcf40ecdd6 is the first bad commit
commit c278ef2cde35544df264a8bdbc0132fcf40ecdd6
Author: Norbert Thiebaud <nthiebaud@gmail.com>
Date:   Thu Jun 2 04:02:00 2022 -0700

    source d79c527c2a599c7821d27cf03b95cb79e2abe685

134761: Use IconView in SmElementsControl | https://gerrit.libreoffice.org/c/core/+/134761
Comment 11 Mike Kaganski 2023-04-17 15:32:06 UTC 
https://gerrit.libreoffice.org/c/core/+/150523
Comment 12 Commit Notification 2023-04-17 17:56:36 UTC 
Mike Kaganski committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/c11463cdc5415707d05ab6da08736ff7212db4a0

tdf#154016: use ScopedVclPtr

It will be available in 7.6.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 13 Commit Notification 2023-04-18 03:18:25 UTC 
Mike Kaganski committed a patch related to this issue.
It has been pushed to "libreoffice-7-5":

https://git.libreoffice.org/core/commit/069fcbe6531ad7e22c368c1a3994528ea30c8195

tdf#154016: use ScopedVclPtr

It will be available in 7.5.4.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 14 Commit Notification 2023-04-18 03:18:28 UTC 
Mike Kaganski committed a patch related to this issue.
It has been pushed to "libreoffice-7-4":

https://git.libreoffice.org/core/commit/73e4009dc2a645b1bf9f06ce34711e135c147082

tdf#154016: use ScopedVclPtr

It will be available in 7.4.7.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 15 Commit Notification 2023-04-25 08:17:56 UTC 
Mike Kaganski committed a patch related to this issue.
It has been pushed to "libreoffice-7-5-3":

https://git.libreoffice.org/core/commit/4349d55f8bf68be8e59b2913b93c054bb1a151ac

tdf#154016: use ScopedVclPtr

It will be available in 7.5.3.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.