Bug 65823 - Crash in debug mode when selecting word in redlined text
Summary: Crash in debug mode when selecting word in redlined text
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer (show other bugs)
(earliest affected) Master
Hardware: Other All
: medium normal
Assignee: Caolán McNamara
Whiteboard: BSA target:4.4.0
Depends on:
Reported: 2013-06-16 12:57 UTC by Mark Wielaard
Modified: 2014-10-09 15:17 UTC (History)
2 users (show)

See Also:
Crash report or crash signature:

Document with some redline text that reproduces the crash when "bedankt" is selected. (13.41 KB, application/vnd.oasis.opendocument.text)
2013-06-16 12:57 UTC, Mark Wielaard

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Wielaard 2013-06-16 12:57:27 UTC
Created attachment 80908 [details]
Document with some redline text that reproduces the crash when "bedankt" is selected.

In the attached select_bedankt_crash.odt file try to select the text "bedankt" (by double clicking on it). It is in the middle of some redlined text. This triggers an assert when trying to count the words in the selection. With a debugrun I see:

#0  0x000000327c4328a5 in raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x000000327c434085 in abort () at abort.c:92
#2  0x000000327c42ba1e in __assert_fail_base (fmt=<value optimized out>, 
    assertion=0x7fffdce9d1a8 "index >= 0 && index < pData->length", file=
    0x7fffdce9d160 "/home/mark/src/libreoffice/include/rtl/ustrbuf.hxx", 
    line=<value optimized out>, function=<value optimized out>) at assert.c:96
#3  0x000000327c42bae0 in __assert_fail (assertion=
    0x7fffdce9d1a8 "index >= 0 && index < pData->length", file=
    0x7fffdce9d160 "/home/mark/src/libreoffice/include/rtl/ustrbuf.hxx", line=
    382, function=
    0x7fffdce9de80 "sal_Unicode& rtl::OUStringBuffer::operator[](sal_Int32)")
    at assert.c:105
#4  0x00007fffdc14d279 in rtl::OUStringBuffer::operator[] (this=
    0x7fffffff5810, index=-21)
    at /home/mark/src/libreoffice/include/rtl/ustrbuf.hxx:382
#5  0x00007fffdc7be5b9 in SwScanner::SwScanner (this=0x7fffffff58c0, rNd=..., 
    rTxt=..., pLang=0x0, rConvMap=..., nType=3, nStart=-21, nEnde=-14, bClp=
    1 '\001')
    at /home/mark/src/libreoffice/sw/source/core/txtnode/txtedt.cxx:674
#6  0x00007fffdc7c4c5c in SwTxtNode::CountWords (this=0x1af4af0, rStat=..., 
    nStt=7, nEnd=14)
    at /home/mark/src/libreoffice/sw/source/core/txtnode/txtedt.cxx:1984
#7  0x00007fffdc21e251 in SwDoc::CountWords (this=0x169ba80, rPaM=
    SwPaM = {...}, rStat=...)
    at /home/mark/src/libreoffice/sw/source/core/doc/docedt.cxx:2753
#8  0x00007fffdc4430bc in SwEditShell::CountWords (this=0x1b2e1d0, rStat=...)
    at /home/mark/src/libreoffice/sw/source/core/edit/editsh.cxx:1069
#9  0x00007fffdcd441ce in SwView::StateStatusLine (this=0x19da870, rSet=...)
    at /home/mark/src/libreoffice/sw/source/ui/uiview/view2.cxx:1271
#10 0x00007fffdcd3bec3 in SfxStubSwViewStateStatusLine (pShell=0x19da870, rSet=
    at /home/mark/src/libreoffice/workdir/unxlngx6/SdiTarget/sw/sdi/swslots.hxx:12586
#11 0x00007ffff5f5ad6c in SfxShell::CallState (this=0x19da870, pFunc=
    0x7fffdcd3bea0 <SfxStubSwViewStateStatusLine(SfxShell*, SfxItemSet&)>, 
    rSet=...) at /home/mark/src/libreoffice/include/sfx2/shell.hxx:187
#12 0x00007ffff62f23da in SfxDispatcher::_FillState(SfxSlotServer const&, SfxItemSet&, SfxSlot const*) ()
   from /home/mark/src/libreoffice/solver/unxlngx6/installation/opt/program/libsfxlo.so

Note how SwScanner constructor is being passed negative values for nStart and nEnde. These come from:

#6  0x00007fffdc7c4c5c in SwTxtNode::CountWords (this=0x1af4af0, rStat=..., 
    nStt=7, nEnd=14)
    at /home/mark/src/libreoffice/sw/source/core/txtnode/txtedt.cxx:1984
1984	                                nExpandBegin, nExpandEnd, true );

Note that nExpandBegin and nExpandEnd are unsigned values (and SwScanner takes signed values). They are very large:

(gdb) print nExpandBegin
$1 = 4294967275
(gdb) print nExpandEnd
$2 = 4294967282
(gdb) print (sal_Int32) nExpandBegin
$3 = -21
(gdb) print (sal_Int32) 4294967282
$4 = -14

These values come from a few lines up in txtedt.cxx:

1955	    // ConversionMap to expand fields, remove invisible and redline deleted text for scanner
1956	    const ModelToViewHelper aConversionMap(*this, EXPANDFIELDS | HIDEINVISIBLE | HIDEREDLINED);
1957	    OUString aExpandText = aConversionMap.getViewText();
1959	    // map start and end points onto the ConversionMap
1960	    const sal_uInt32 nExpandBegin = aConversionMap.ConvertToViewPosition( nStt );
1961	    const sal_uInt32 nExpandEnd   = aConversionMap.ConvertToViewPosition( nEnd );
Comment 1 Emir Sarı 2013-06-16 13:37:42 UTC
I cannot reproduce the crash with the latest master. 

I am double clicking on the word "bedankt", but nothing happens. 

OS X 10.7.5
Comment 2 Mark Wielaard 2013-06-16 15:53:19 UTC
I tried with an official beta2 build and it does indeed not crash.
Build ID: 33224f4f11a05cfad2249e812fcc2975fbb61f6

Apparently asserts are not triggered on release builds, but they are in my debug build. There is definitely an issue though. When running with --valgrind you will see the following when selecting "bedankt":

==18656== Invalid read of size 2
==18656==    at 0x2D4DD963: SwScanner::SwScanner(SwTxtNode const&, rtl::OUString const&, unsigned short const*, ModelToViewHelper const&, unsigned short, int, int, unsigned char) (in /home/mark/libreoffice-
==18656==    by 0x2D4E1D3C: SwTxtNode::CountWords(SwDocStat&, unsigned short, unsigned short) const (in /home/mark/libreoffice-
==18656==    by 0x2D1D9561: SwDoc::CountWords(SwPaM const&, SwDocStat&) const (in /home/mark/libreoffice-
==18656==    by 0x2D2E082D: SwEditShell::CountWords(SwDocStat&) const (in /home/mark/libreoffice-
==18656==    by 0x2D93460C: SwView::StateStatusLine(SfxItemSet&) (in /home/mark/libreoffice-
==18656==    by 0x6522FF9: SfxShell::CallState(void (*)(SfxShell*, SfxItemSet&), SfxItemSet&) (in /home/mark/libreoffice-
==18656==    by 0x651CBC3: SfxDispatcher::_FillState(SfxSlotServer const&, SfxItemSet&, SfxSlot const*) (in /home/mark/libreoffice-
==18656==    by 0x627F232: SfxBindings::Update_Impl(SfxStateCache*) (in /home/mark/libreoffice-
==18656==    by 0x6280FA7: SfxBindings::NextJob_Impl(Timer*) (in /home/mark/libreoffice-
==18656==    by 0x81AC564: Timer::ImplTimerCallbackProc() (in /home/mark/libreoffice-
==18656==    by 0x153AE0F2: sal_gtk_timeout_dispatch (in /home/mark/libreoffice-
==18656==    by 0x327DC38F0D: g_main_context_dispatch (gmain.c:1960)
==18656==    by 0x327DC3C937: g_main_context_iterate (gmain.c:2591)
==18656==    by 0x327DC3CA39: g_main_context_iteration (gmain.c:2654)
==18656==    by 0x153AE329: GtkData::Yield(bool, bool) (in /home/mark/libreoffice-
==18656==    by 0x81A49F0: Application::Yield(bool) (in /home/mark/libreoffice-
==18656==    by 0x81A4AA6: Application::Execute() (in /home/mark/libreoffice-
==18656==    by 0x4E943D1: desktop::Desktop::Main() (in /home/mark/libreoffice-
==18656==    by 0x81AAEA7: ImplSVMain() (in /home/mark/libreoffice-
==18656==    by 0x81AAEDF: SVMain() (in /home/mark/libreoffice-
==18656==    by 0x4EBF719: soffice_main (in /home/mark/libreoffice-
==18656==    by 0x4007CA: main (in /home/mark/libreoffice-
==18656==  Address 0x1ef4293e is not stack'd, malloc'd or (recently) free'd
Comment 3 Miklos Vajna 2013-06-16 16:12:31 UTC
I can confirm the crash with ~current master (6934312f617ccd86d0467e38129c2e5d861241b5, dbgutil, Linux, x86_64).
Comment 4 Jean-Baptiste Faure 2013-11-27 21:02:44 UTC
I do not reproduce the crash with under Ubuntu 13.10 x86-64.
Mark, Miklos, can we close this bug or you still reproduce the crash ?

Best regards. JBF