Bug Hunting Session
Bug 81806 - EDITING: Document corruption and crash when editing tables
Summary: EDITING: Document corruption and crash when editing tables
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer (show other bugs)
Version:
(earliest affected)
Inherited From OOo
Hardware: Other All
: highest critical
Assignee: Caolán McNamara
URL:
Whiteboard: target:5.1.0 target:5.0.0.1 target:4...
Keywords: haveBacktrace
: 81923 (view as bug list)
Depends on:
Blocks: mab4.3
  Show dependency treegraph
 
Reported: 2014-07-27 13:10 UTC by Matthew Francis
Modified: 2016-10-25 19:24 UTC (History)
5 users (show)

See Also:
Crash report or crash signature:


Attachments
Writer document which demonstrates the crash (9.31 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document)
2014-07-27 13:10 UTC, Matthew Francis
Details
Crash dump (97.80 KB, text/plain)
2014-07-27 13:12 UTC, Matthew Francis
Details
linux backtrace (24.63 KB, text/plain)
2014-07-31 08:11 UTC, Yousuf Philips (jay) (retired)
Details
Linux dbg bt of TB45 dbg build with symbols and source refs (8.10 KB, text/plain)
2014-11-17 04:07 UTC, V Stuart Foote
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Matthew Francis 2014-07-27 13:10:48 UTC
Created attachment 103543 [details]
Writer document which demonstrates the crash

Paste/undo actions in tables with merged cells cause document corruption and crashes

Observed on OSX with LO 4.2.5.2. Other platforms unknown

Steps to reproduce
1. Load the attached Writer document
(which contains a 3x3 table in which A2:A3 and B2:C2 are merged cells, and the letters "a" "b" and "c" are placed in cells C1, B2 and C3 respectively)
2. Select and cut the range C1:C3 (the three cells containing the "a" "b" and "c")
3. Place the cursor in cell B2
4. Repeatedly paste then undo

Result
Despite the fact that the selection is unchanged, and the cursor is not moved, the three charaters are placed differently in each paste-undo cycle. After a couple of cycles, the table structure is corrupted and LO crashes
Comment 1 Matthew Francis 2014-07-27 13:12:07 UTC
Created attachment 103544 [details]
Crash dump
Comment 2 Matthew Francis 2014-07-30 14:12:28 UTC
Still occurs in 4.3.0.4 release
Comment 3 Yousuf Philips (jay) (retired) 2014-07-31 08:11:23 UTC
Dear Matthew,

Thank you for submitting the bug. I can confirm that the bug is available in 3.3.0, 3.6.7, 4.2.5, and 4.3.1. It will crash between 2 to 4 paste and undo cycles.
Comment 4 Yousuf Philips (jay) (retired) 2014-07-31 08:11:49 UTC
Created attachment 103729 [details]
linux backtrace
Comment 5 Björn Michaelsen 2014-08-21 12:21:06 UTC Comment hidden (obsolete)
Comment 6 V Stuart Foote 2014-11-17 04:07:22 UTC
Created attachment 109584 [details]
Linux dbg bt of TB45 dbg build with symbols and source refs

Backtrace with recent 32-bit Linux TB45-debug build
On Fedora 20, 32-bit en-US with debug build
Version: 4.4.0.0.alpha1+
Build ID: d59b9b4af36148e4d8df8f3e3492116d378642e2
TinderBox: Linux-rpm_deb-x86@45-TDF-dbg, Branch:master, Time: 2014-11-06_03:11:43

SIGABRT crash, assertion while finding pointer position

pBlock->pData[ nOffset... BigPtrEntry::GetPos()
Comment 7 Bryan Quigley 2014-11-20 03:25:48 UTC
You can reproduce the basic issue with an even simpler document:
1. Insert Table with 2 columns, 1 row
2. Type a in column 1, b in column 2
3. Highlight and cut
4. GO to column2, paste (note how it just shows a
5. Undo
6. Paste again (now it shows a and b!)

This simple case doesn't seem to crash, but does likely show the underlying bug.  A similar issue happens if you do 1 column, 2 rows.  The first paste adds a new row.  The undo removes it and then a and b are both pasted in the same 2nd row.
Comment 8 Bryan Quigley 2014-11-20 03:26:23 UTC
*** Bug 81923 has been marked as a duplicate of this bug. ***
Comment 9 Björn Michaelsen 2014-11-28 09:45:20 UTC Comment hidden (obsolete)
Comment 10 V Stuart Foote 2014-11-28 15:41:25 UTC
issue remains with 4.3 and 4.4 builds. Moving to mab4.3
Comment 11 V Stuart Foote 2014-11-28 15:42:24 UTC
try that with the correct bug id for mab4.3
Comment 12 Caolán McNamara 2015-06-16 14:07:07 UTC
What I see is that undo always leaves a pam that points to the start of the undone area and a mark to the end of the undone area, even if that area is empty. (In the normal where there is a selection this can be seen by selecting something, deleting it, and undoing and the newly undeleted stuff is again selected)

The table overwrite/paste thing looks to see if a mark is set and goes off to "do something very complex" if its set. So if after each undo cycle, you physically click at the point where the cursor is flashing (which clears the mark) and then paste, undo, *click*, paste you get a wonderfully stable experience.

So it seems reasonable to me to "do the simple thing" if there is no mark, or if the mark and point are the same, i.e. there is nothing actually selected by the PaM.
Comment 13 Commit Notification 2015-06-16 19:20:22 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=e06905df15ff03c6d3c84f61bd67860a91416c2d

Resolves: tdf#81806 crash on certain table paste+undo+page cycles

It will be available in 5.1.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 14 Commit Notification 2015-06-16 19:25:13 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=5fbf5b10ca45528a075aba5d5f8e3f6af08c287f&h=libreoffice-5-0

Resolves: tdf#81806 crash on certain table paste+undo+page cycles

It will be available in 5.0.0.1.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 15 Commit Notification 2015-06-18 20:38:34 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-4-4":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=ff6fb90179f1aa70e9d83bf4d90848fa13ff87db&h=libreoffice-4-4

Resolves: tdf#81806 crash on certain table paste+undo+page cycles

It will be available in 4.4.5.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.