Bug 85032 - Crash on 4.4 master loading a particular file
Summary: Crash on 4.4 master loading a particular file
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version (earliest affected): Master
Hardware: Other
OS: All
Importance: high major
Assignee: Caolán McNamara
Whiteboard: BSA target:4.4.0
Keywords: haveBacktrace
Reported: 2014-10-15 07:25 UTC by Matthew Francis
Modified: 2014-10-15 12:52 UTC


OSX backtrace (91.04 KB, text/plain)
2014-10-15 07:25 UTC, Matthew Francis
Linux backtrace (1.52 KB, text/plain)
2014-10-15 07:35 UTC, Matthew Francis
Linux memcheck log (2.82 MB, text/plain)
2014-10-15 07:50 UTC, Matthew Francis

Description Matthew Francis 2014-10-15 07:25:04 UTC
Loading https://www.libreoffice.org/bugzilla/attachment.cgi?id=107496 (from bug 84752) on 4.4 master leads to a crash. This appears to be a separate issue from the performance regression on the aforementioned bug.

The same backtrace was observed on:
- OSX just from loading the file
- Linux when running under valgrind, but not otherwise
Comment 1 Matthew Francis 2014-10-15 07:25:59 UTC
Created attachment 107852 [details]
OSX backtrace
Comment 2 Matthew Francis 2014-10-15 07:35:35 UTC
Created attachment 107854 [details]
Linux backtrace

Annoyingly, I can't yet reproduce this on Linux under memcheck, but callgrind did abort with the attached backtrace, which is clearly the same as the OSX crash.
Comment 3 Matthew Francis 2014-10-15 07:50:48 UTC
Created attachment 107855 [details]
Linux memcheck log

Not sure how I failed to get this to work the first time, but here's a nice clear memcheck trace showing a bunch of invalid reads which relate to the backtrace of the crash.
Comment 4 Caolán McNamara 2014-10-15 12:38:45 UTC
I think this is going wrong in Edit::ImplDelete at the maText.remove line.
Comment 5 Caolán McNamara 2014-10-15 12:43:44 UTC
Hmm, setting a SetMaxTextLen of -1: these used to be unsigned shorts, so that would have meant "max length" in the old days.
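The type change described in comment 5, as an added illustration that is not part of this bug report or of LibreOffice's own code: a caller passes -1 to a "set maximum text length" setter, and the same call stores a different value once the field is widened from unsigned short to a signed 32-bit integer. The field and function names (legacyStoredMaxLen, wideStoredMaxLen, naiveTruncate, safeTruncateLength, the ten-character sample text) are hypothetical stand-ins chosen for the example, not Edit's actual members, and the "naive" truncation path is a constructed model of how a negative limit can turn into an out-of-range index handed to a remove() call, not the real code path in Edit::ImplDelete.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>

// Added illustration, not LibreOffice code. Names are hypothetical stand-ins.

// Legacy storage: the -1 argument is converted to unsigned short and wraps to
// 65535, which in practice meant "the maximum length", i.e. effectively no limit.
inline std::uint16_t legacyStoredMaxLen(int requested) {
    return static_cast<std::uint16_t>(requested);   // -1 -> 65535
}

// Widened storage: the same call now keeps -1 as a negative number.
inline std::int32_t wideStoredMaxLen(int requested) {
    return static_cast<std::int32_t>(requested);    // -1 -> -1
}

struct TruncateDecision {
    bool truncate;   // whether the text was judged "too long"
    long index;      // index that would be handed to a text.remove(index, ...) call
};

// Naive truncation that trusts the stored limit as a valid index. With the
// legacy 65535 the "too long" test fails for any short text; with a stored -1
// the test succeeds for every text and the resulting remove index is negative.
inline TruncateDecision naiveTruncate(std::size_t textLen, std::int32_t storedMaxLen) {
    if (static_cast<long>(textLen) > static_cast<long>(storedMaxLen))
        return {true, static_cast<long>(storedMaxLen)};
    return {false, 0};
}

// Range check a defensive remove() path applies before touching the buffer:
// the start index must lie within [0, textLen].
inline bool removeIndexInRange(std::size_t textLen, long index) {
    return index >= 0 && static_cast<std::size_t>(index) <= textLen;
}

// Hardened truncation: a negative stored limit is treated as "no limit"
// (an assumed convention for this example), so the widened -1 keeps the
// behaviour the caller expected from the old unsigned-short field.
inline std::size_t safeTruncateLength(std::size_t textLen, std::int32_t storedMaxLen) {
    if (storedMaxLen < 0)
        return textLen;
    return std::min(textLen, static_cast<std::size_t>(storedMaxLen));
}

// Constructed input: a ten-character string standing in for loaded document text.
inline std::size_t sampleTextLen() {
    return std::u16string(u"0123456789").size();
}

int main() {
    const std::size_t len = sampleTextLen();
    const TruncateDecision legacy = naiveTruncate(len, legacyStoredMaxLen(-1));
    const TruncateDecision wide = naiveTruncate(len, wideStoredMaxLen(-1));
    std::cout << "legacy field: truncate=" << legacy.truncate << '\n';
    std::cout << "widened field: truncate=" << wide.truncate
              << " index=" << wide.index
              << " index in range=" << removeIndexInRange(len, wide.index) << '\n';
    std::cout << "hardened length=" << safeTruncateLength(len, wideStoredMaxLen(-1)) << '\n';
    return 0;
}
```

The point the example makes is that widening an integer field silently changes what an existing -1 argument means: the conversion that used to produce the sentinel "maximum" now produces a negative count, and any arithmetic or indexing that trusted the stored value as non-negative needs an explicit check, which is the kind of invalid read memcheck reports in comment 3.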