Bug 154463 - Typing dots in Text Form Field crashes Writer
Summary: Typing dots in Text Form Field crashes Writer
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer (show other bugs)
Version:
(earliest affected)
6.4.0.3 release
Hardware: All All
: high critical
Assignee: Not Assigned
URL:
Whiteboard:
Keywords: bibisected, bisected, haveBacktrace, regression
Depends on:
Blocks: DOCX-ActiveX-Legacy Crash-Assert
  Show dependency treegraph
 
Reported: 2023-03-30 03:50 UTC by Aron Budea
Modified: 2024-09-26 16:39 UTC (History)
5 users (show)

See Also:
Crash report or crash signature: ["SwNodeIndex::SwNodeIndex(SwNodeIndex const &,o3tl::strong_int<long,Tag_SwNodeOffset>)","sw::mark::FindFieldSep(sw::mark::IFieldmark const&)","SwNodeIndex::SwNodeIndex(SwNode *)"]

Attachments
Sample DOCX (4.35 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document)
2023-03-30 03:50 UTC, Aron Budea 		Details
Backtrace (20.58 KB, text/plain)
2023-03-30 03:51 UTC, Aron Budea 		Details
bt with debug symbols (8.97 KB, text/plain)
2023-03-30 19:20 UTC, Julien Nabet 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Aron Budea 2023-03-30 03:50:48 UTC 
Created attachment 186306 [details]
Sample DOCX

The attached document was created in Writer by:
- first enabling "Reorganize Form menu for Microsoft compatibility" in Tools -> Options..., LibreOffice Writer -> Compatibility,
- adding a Form -> Legacy Form Fields -> Text Form Field,
- saving as DOCX.

Another prerequisite is that Tools -> AutoCorrect is enabled.

Open the sample, click into the field, and type a bunch of dots (about 4-6).

=> Crash.

Crash report:
https://crashreport.libreoffice.org/stats/crash_details/0a8cc30e-d1ba-409b-b2d8-33e8b581e6c7
(a crash report taken on Win with LO 7.5.0.3 should be here, but it isn't for some reason, Xisco, do you know if something is wrong with the crash report server?)

A debug build fails with the following assertion:
sw/source/core/crsr/bookmark.cxx:89: SwPosition sw::mark::FindFieldSep(const sw::mark::IFieldmark&): Assertion `0 <= nFields' failed

Observed in LO 7.6.0.0.alpha0+ (7a7eb4aa21ca0c83db825fe8d5a5278611b391d8) / Ubuntu.

This is a regression from the following commit, bibisected using repo bibisect-linux-64-6.4:

https://cgit.freedesktop.org/libreoffice/core/commit/?id=b522fc0646915d4da94df38dd249c88b28f25be7
author		Michael Stahl <Michael.Stahl@cib.de>	2019-09-24 18:11:45 +0200
committer	Michael Stahl <michael.stahl@cib.de>	2019-10-23 12:47:40 +0200

sw: maintain fieldmarks in DeleteRange()/DeleteAndJoin()/ReplaceRange()
Comment 1 Aron Budea 2023-03-30 03:51:27 UTC 
Created attachment 186307 [details]
Backtrace
Comment 2 Stéphane Guillou (stragu) 2023-03-30 06:41:55 UTC 
Thanks Aron. Reproduced with example document on Linux in 7.2 and recent master build.
Crash report:

https://crashreport.libreoffice.org/stats/crash_details/c6e84de2-8484-4a07-b1dc-2a3526c9e960
Comment 3 Xisco Faulí 2023-03-30 08:36:37 UTC 
(In reply to Aron Budea from comment #0)
> Crash report:
> https://crashreport.libreoffice.org/stats/crash_details/0a8cc30e-d1ba-409b-
> b2d8-33e8b581e6c7
> (a crash report taken on Win with LO 7.5.0.3 should be here, but it isn't
> for some reason, Xisco, do you know if something is wrong with the crash
> report server?)

it just takes a while to process the report. The link works now.
FYI, infra is planning to migrate it to another bot, so it should be faster once migrated.
Comment 4 Julien Nabet 2023-03-30 19:20:12 UTC 
Created attachment 186333 [details]
bt with debug symbols

On pc Debian x86-64 with master sources updated today, I had an assertion.
Comment 5 Julien Nabet 2023-09-08 20:12:42 UTC 
Just for info, at the beginning when typing the fourth ".", I got:
"\a\003   ....  \b"
     69         for (SwNodeOffset n = nEndNode; nStartNode <= n; --n)
     70         {
     71             SwNode *const pNode(rNodes[n]);
     72             if (pNode->IsTextNode())
     73             {
     74                 SwTextNode & rTextNode(*pNode->GetTextNode());
when doing in gdb:
p rTextNode.GetText()
and everything is ok but LO reenters the same location (I suppose because of autocorrect mechanism) and the string becomes:
"\a\003\a   ….  \b"
Notice both \a (which correspond to CH_TXT_ATR_FIELDSTART)

LO analyzes the string from end to start and when encounters CH_TXT_ATR_FIELDSTART:
     87                         case CH_TXT_ATR_FIELDSTART:
     88                             --nFields;
     89                             assert(0 <= nFields);
     90                             break;

whereas in the first case when it's ok, it got there:
     96                         case CH_TXT_ATR_FIELDSEP:
     97                             if (nFields == 0)
     98                             {
     99                                 assert(!ret); // one per field
    100                                 ret.emplace(rTextNode, i - 1);
    101 #ifndef DBG_UTIL
    102                                 return *ret;
    103 #endif
    104                             }
Comment 6 Thorsten Behrens (allotropia) 2024-05-13 13:41:09 UTC 
Un-CCing developer, unclear if we have time to investigate this.
Comment 7 Stéphane Guillou (stragu) 2024-05-14 02:51:27 UTC 
Reproduced in recent trunk build:

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 0dcaff6043e1f24ce0fa354dff80a86e40622247
CPU threads: 8; OS: Linux 6.5; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: CL threaded

For LO 7.2 on Linux, from comment 2, signature was "sw::CalcBreaks(std::vector<std::pair<unsigned long, int>, std::allocator<std::pair<unsigned long, int> > >&, SwPaM const&, bool)".

Different crash signatures in currently maintained branches:
- 7.6.6.3, "sw::mark::FindFieldSep(sw::mark::IFieldmark const&)": https://crashreport.libreoffice.org/stats/crash_details/81d71af2-6023-4587-8f0a-2c99e82716e8
- 24.2.3.2, pesky "<name omitted>" on Linux: https://crashreport.libreoffice.org/stats/crash_details/1f47136c-e9bc-4b6c-8fba-bd0d054aa47f
   - "SwNodeIndex::SwNodeIndex(SwNode *)" on Windows: https://crashreport.libreoffice.org/stats/crash_details/0291707b-0649-48d3-93a8-04a9475ecbb6

(In reply to Thorsten Behrens (allotropia) from comment #6)
> Un-CCing developer, unclear if we have time to investigate this.
Upping priority then.