Created attachment 80908 [details]
Document with some redline text that reproduces the crash when "bedankt" is selected.

In the attached select_bedankt_crash.odt file try to select the text "bedankt" (by double clicking on it). It is in the middle of some redlined text. This triggers an assert when trying to count the words in the selection.

With a debug run I see:

#0  0x000000327c4328a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x000000327c434085 in abort () at abort.c:92
#2  0x000000327c42ba1e in __assert_fail_base (fmt=<value optimized out>, assertion=0x7fffdce9d1a8 "index >= 0 && index < pData->length", file=0x7fffdce9d160 "/home/mark/src/libreoffice/include/rtl/ustrbuf.hxx", line=<value optimized out>, function=<value optimized out>) at assert.c:96
#3  0x000000327c42bae0 in __assert_fail (assertion=0x7fffdce9d1a8 "index >= 0 && index < pData->length", file=0x7fffdce9d160 "/home/mark/src/libreoffice/include/rtl/ustrbuf.hxx", line=382, function=0x7fffdce9de80 "sal_Unicode& rtl::OUStringBuffer::operator[](sal_Int32)") at assert.c:105
#4  0x00007fffdc14d279 in rtl::OUStringBuffer::operator[] (this=0x7fffffff5810, index=-21) at /home/mark/src/libreoffice/include/rtl/ustrbuf.hxx:382
#5  0x00007fffdc7be5b9 in SwScanner::SwScanner (this=0x7fffffff58c0, rNd=..., rTxt=..., pLang=0x0, rConvMap=..., nType=3, nStart=-21, nEnde=-14, bClp=1 '\001') at /home/mark/src/libreoffice/sw/source/core/txtnode/txtedt.cxx:674
#6  0x00007fffdc7c4c5c in SwTxtNode::CountWords (this=0x1af4af0, rStat=..., nStt=7, nEnd=14) at /home/mark/src/libreoffice/sw/source/core/txtnode/txtedt.cxx:1984
#7  0x00007fffdc21e251 in SwDoc::CountWords (this=0x169ba80, rPaM=SwPaM = {...}, rStat=...) at /home/mark/src/libreoffice/sw/source/core/doc/docedt.cxx:2753
#8  0x00007fffdc4430bc in SwEditShell::CountWords (this=0x1b2e1d0, rStat=...) at /home/mark/src/libreoffice/sw/source/core/edit/editsh.cxx:1069
#9  0x00007fffdcd441ce in SwView::StateStatusLine (this=0x19da870, rSet=...) at /home/mark/src/libreoffice/sw/source/ui/uiview/view2.cxx:1271
#10 0x00007fffdcd3bec3 in SfxStubSwViewStateStatusLine (pShell=0x19da870, rSet=...) at /home/mark/src/libreoffice/workdir/unxlngx6/SdiTarget/sw/sdi/swslots.hxx:12586
#11 0x00007ffff5f5ad6c in SfxShell::CallState (this=0x19da870, pFunc=0x7fffdcd3bea0 <SfxStubSwViewStateStatusLine(SfxShell*, SfxItemSet&)>, rSet=...) at /home/mark/src/libreoffice/include/sfx2/shell.hxx:187
#12 0x00007ffff62f23da in SfxDispatcher::_FillState(SfxSlotServer const&, SfxItemSet&, SfxSlot const*) () from /home/mark/src/libreoffice/solver/unxlngx6/installation/opt/program/libsfxlo.so

Note how the SwScanner constructor is being passed negative values for nStart and nEnde. These come from:

#6  0x00007fffdc7c4c5c in SwTxtNode::CountWords (this=0x1af4af0, rStat=..., nStt=7, nEnd=14) at /home/mark/src/libreoffice/sw/source/core/txtnode/txtedt.cxx:1984
1984                                nExpandBegin, nExpandEnd, true );

Note that nExpandBegin and nExpandEnd are unsigned values (and SwScanner takes signed values). They are very large:

(gdb) print nExpandBegin
$1 = 4294967275
(gdb) print nExpandEnd
$2 = 4294967282
(gdb) print (sal_Int32) nExpandBegin
$3 = -21
(gdb) print (sal_Int32) 4294967282
$4 = -14

These values come from a few lines up in txtedt.cxx:

1955     // ConversionMap to expand fields, remove invisible and redline deleted text for scanner
1956     const ModelToViewHelper aConversionMap(*this, EXPANDFIELDS | HIDEINVISIBLE | HIDEREDLINED);
1957     OUString aExpandText = aConversionMap.getViewText();
1958
1959     // map start and end points onto the ConversionMap
1960     const sal_uInt32 nExpandBegin = aConversionMap.ConvertToViewPosition( nStt );
1961     const sal_uInt32 nExpandEnd = aConversionMap.ConvertToViewPosition( nEnd );
1962
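The mechanism the report above describes, as an added illustration that is not LibreOffice code and not from the reporter: a sal_uInt32 view position (the two values printed by gdb are the 32-bit two's-complement patterns of -21 and -14) is narrowed to the sal_Int32 index a scanner takes, and in a release build, where the OUStringBuffer::operator[] assert is compiled out, the negative index becomes the 2-byte out-of-bounds read valgrind shows. The ToyModelToView type, its hidden-range layout, the sample text and the countWords helpers are assumptions made for the example; the fix shown is a call-site range check against the view text length performed before narrowing, which is one defensive option and not a description of the linked commit.

```cpp
#include <cstdint>
#include <cstddef>
#include <string>
#include <vector>
#include <utility>

// Toy stand-ins for the types named in the backtrace (not LibreOffice code).
typedef uint16_t sal_Unicode;   // 16-bit code unit: the "invalid read of size 2"
typedef uint32_t sal_uInt32;    // type of nExpandBegin / nExpandEnd
typedef int32_t  sal_Int32;     // type of SwScanner's nStart / nEnde

// The conversion at the call site: a sal_uInt32 argument bound to a sal_Int32
// parameter. 4294967275 becomes -21 and 4294967282 becomes -14.
sal_Int32 narrowToScannerIndex(sal_uInt32 viewPos) {
    return static_cast<sal_Int32>(viewPos);
}

// Hypothetical model-to-view map: model text plus sorted, non-overlapping
// [begin, end) ranges that are hidden (e.g. redline-deleted) in the view.
struct ToyModelToView {
    std::string model;
    std::vector<std::pair<size_t, size_t>> hidden;

    std::string viewText() const {
        std::string out;
        size_t pos = 0;
        for (const auto& h : hidden) {
            out += model.substr(pos, h.first - pos);
            pos = h.second;
        }
        return out + model.substr(pos);
    }

    // Model position -> view position. A position inside a hidden range maps
    // to the view position where that range collapses, so the result is never
    // larger than viewText().size(). The real converter returned ~2^32 here.
    sal_uInt32 convertToViewPosition(size_t modelPos) const {
        size_t removed = 0;
        for (const auto& h : hidden) {
            if (modelPos < h.first) break;
            if (modelPos < h.second) return static_cast<sal_uInt32>(h.first - removed);
            removed += h.second - h.first;
        }
        return static_cast<sal_uInt32>(modelPos - removed);
    }
};

// Guard for the CountWords call site: validate the mapped range as unsigned
// values against the view text length BEFORE narrowing it for the scanner.
bool validateViewRange(sal_uInt32 begin, sal_uInt32 end, size_t viewLength,
                       sal_Int32& outBegin, sal_Int32& outEnd) {
    if (begin > end || end > viewLength) return false;   // rejects 0xFFFFFFEB
    if (end > static_cast<sal_uInt32>(INT32_MAX)) return false;
    outBegin = static_cast<sal_Int32>(begin);
    outEnd = static_cast<sal_Int32>(end);
    return true;
}

// Minimal scanner: counts space-separated words in view[begin, end).
// Relies on validateViewRange having run, so every index is in bounds.
int countWordsInView(const std::string& view, sal_Int32 begin, sal_Int32 end) {
    int words = 0;
    bool inWord = false;
    for (sal_Int32 i = begin; i < end; ++i) {
        bool ws = view[static_cast<size_t>(i)] == ' ';
        if (!ws && !inWord) ++words;
        inWord = !ws;
    }
    return words;
}

// Returns false (and counts nothing) when the mapped range is unusable,
// instead of constructing a scanner with negative indexes.
bool countWordsChecked(const ToyModelToView& map, size_t nStt, size_t nEnd, int& count) {
    std::string view = map.viewText();
    sal_Int32 b, e;
    if (!validateViewRange(map.convertToViewPosition(nStt),
                           map.convertToViewPosition(nEnd), view.size(), b, e))
        return false;
    count = countWordsInView(view, b, e);
    return true;
}
```

The comparison in validateViewRange is done on the unsigned values on purpose: once the pair has been narrowed to sal_Int32, a check such as `index >= 0` is exactly the one the debug build performs inside OUStringBuffer::operator[] and the release build omits, so the bad range has to be rejected one layer earlier, where its width is still known.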
I cannot reproduce the crash with the latest master. I am double clicking on the word "bedankt", but nothing happens. OS X 10.7.5
I tried with an official beta2 build and it indeed does not crash.

LibreOfficeDev_4.1.0.0.beta2_Linux_x86-64_rpm.tar.gz
Version: 4.1.0.0.beta2
Build ID: 33224f4f11a05cfad2249e812fcc2975fbb61f6

Apparently asserts are not triggered on release builds, but they are in my debug build. There is definitely an issue though. When running with --valgrind you will see the following when selecting "bedankt":

==18656== Invalid read of size 2
==18656==    at 0x2D4DD963: SwScanner::SwScanner(SwTxtNode const&, rtl::OUString const&, unsigned short const*, ModelToViewHelper const&, unsigned short, int, int, unsigned char) (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libswlo.so)
==18656==    by 0x2D4E1D3C: SwTxtNode::CountWords(SwDocStat&, unsigned short, unsigned short) const (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libswlo.so)
==18656==    by 0x2D1D9561: SwDoc::CountWords(SwPaM const&, SwDocStat&) const (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libswlo.so)
==18656==    by 0x2D2E082D: SwEditShell::CountWords(SwDocStat&) const (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libswlo.so)
==18656==    by 0x2D93460C: SwView::StateStatusLine(SfxItemSet&) (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libswlo.so)
==18656==    by 0x6522FF9: SfxShell::CallState(void (*)(SfxShell*, SfxItemSet&), SfxItemSet&) (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libsfxlo.so)
==18656==    by 0x651CBC3: SfxDispatcher::_FillState(SfxSlotServer const&, SfxItemSet&, SfxSlot const*) (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libsfxlo.so)
==18656==    by 0x627F232: SfxBindings::Update_Impl(SfxStateCache*) (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libsfxlo.so)
==18656==    by 0x6280FA7: SfxBindings::NextJob_Impl(Timer*) (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libsfxlo.so)
==18656==    by 0x81AC564: Timer::ImplTimerCallbackProc() (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libvcllo.so)
==18656==    by 0x153AE0F2: sal_gtk_timeout_dispatch (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libvclplug_gtklo.so)
==18656==    by 0x327DC38F0D: g_main_context_dispatch (gmain.c:1960)
==18656==    by 0x327DC3C937: g_main_context_iterate (gmain.c:2591)
==18656==    by 0x327DC3CA39: g_main_context_iteration (gmain.c:2654)
==18656==    by 0x153AE329: GtkData::Yield(bool, bool) (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libvclplug_gtklo.so)
==18656==    by 0x81A49F0: Application::Yield(bool) (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libvcllo.so)
==18656==    by 0x81A4AA6: Application::Execute() (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libvcllo.so)
==18656==    by 0x4E943D1: desktop::Desktop::Main() (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libsofficeapp.so)
==18656==    by 0x81AAEA7: ImplSVMain() (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libvcllo.so)
==18656==    by 0x81AAEDF: SVMain() (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libvcllo.so)
==18656==    by 0x4EBF719: soffice_main (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/libsofficeapp.so)
==18656==    by 0x4007CA: main (in /home/mark/libreoffice-4.1.0.0.beta2/opt/libreofficedev4.1/program/soffice.bin)
==18656==  Address 0x1ef4293e is not stack'd, malloc'd or (recently) free'd
==18656==
I can confirm the crash with ~current master (6934312f617ccd86d0467e38129c2e5d861241b5, dbgutil, Linux, x86_64).
I do not reproduce the crash with 4.2.0.0.beta1 under Ubuntu 13.10 x86-64. Mark, Miklos, can we close this bug, or do you still reproduce the crash? Best regards. JBF
http://cgit.freedesktop.org/libreoffice/core/commit/?id=d7418f8831acdff907d404c1701870b00e974df6