Steps to reproduce: 1. Create a new spreadsheet. 2. Type to A1 some Chinese text, like 中国 3. Ctrl+Alt+C to add a comment, put some text there 4. Having the A1 selected, chose menu Tools->Language->Chinese Conversion...->Simplified Chinese to traditional Chinese->OK. 5. Ctrl+Z to Undo once. 6. Drag the lower-right corner cell mark of A1 to copy the cell to A2 and release the mouse button. Expected result: the cell A1 contents should be copied to A2. Actual result: LO crashes. The problem started in version 4.2.0.4. It was OK in 4.2.0.3 -> regression.
Suspecting possible cause by commit aa94b17208a5512a344301345f26a9418f943a00 Author: Kohei Yoshida <kohei.yoshida at collabora.com> Date: Fri Jan 24 21:29:54 2014 -0500 Stop leaking all ScPostIt instances. And re-implement correct swapping of two ScPostIt instances during sort. (cherry picked from commit ab05317c79f665bcf9d5cff7b8312ce6963ff969)
I can confirm crash with LO 4.4.3, win7
Has anyone tested this bug in Linux to confirm that it's Windows only?
Created attachment 126036 [details] bt with symbols On pc Debian x86-64 with master sources updated today, I could reproduce this. I attached a bt.
Created attachment 126037 [details] Another bt but with slight changes in step by step process I followed the step by step process except I haven't done the "Undo" part. The drag and drop was ok but when trying to close LO without saving, it crashed. Thought it might help to add this bt here. Perhaps both problems are related.
Created attachment 126038 [details] Valgrind trace I wanted to retrieve a Valgrind trace but had a crash when doing first step (copy-paste Chinese symbols from bugtracker to Calc). Anyway, there's perhaps some interesting thing here, eg: 33423 ==29535== Invalid read of size 8 33424 ==29535== at 0x839C43A: rtl::OUString::getLength() const (ustring.hxx:542) 33425 ==29535== by 0x83DD02B: ContentNode::Len() const (editdoc.cxx:1671) 33426 ==29535== by 0x848278A: ImpEditEngine::SelectWord(EditSelection const&, short, bool) (impedit2.cxx:1511) 33427 ==29535== by 0x84885EF: ImpEditEngine::ImpInsertText(EditSelection const&, rtl::OUString const&) (impedit2.cxx:2659) 33428 ==29535== by 0x848CD45: ImpEditEngine::InsertText(com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable>&, rtl::OUString const&, EditPaM const&, bool) (impedit2.cxx:3525) 33429 ==29535== by 0x840DE9B: EditEngine::InsertText(com::sun::star::uno::Reference<com::sun::star::datatransfer::XTransferable>&, rtl::OUString const&, EditPaM const&, bool) (editeng.cxx:798) 33430 ==29535== by 0x847268F: ImpEditView::Paste(com::sun::star::uno::Reference<com::sun::star::datatransfer::clipboard::XClipboard>&, bool) (impedit.cxx:1495)
I looked at this, saw that the transliterate code was similar to the spellchecking code and so checked with an equivalent spelling demo. And that crashes in the same way, so the actual "chinese conversion" is innocent. Its a generic problem with spell-checking replacement and transliteration/hanga-hangul replacement and undo
Created attachment 126065 [details] easier demo load, use spellchecking, say convert all, close document, dismiss save, crash
bug #99255 seems similar
*** Bug 89226 has been marked as a duplicate of this bug. ***
https://gerrit.libreoffice.org/#/c/26913/ for my effort
Caolán McNamara committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=7566851d653ec052e9b7baa98ec2a993328f84e4 Resolves: tdf#91995 copying cells to undo doc shallow copied note pointer It will be available in 5.3.0. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-5-2": http://cgit.freedesktop.org/libreoffice/core/commit/?id=da2aad871bfccd28b47d8ddf47dd6b5b1f834220&h=libreoffice-5-2 Resolves: tdf#91995 copying cells to undo doc shallow copied note pointer It will be available in 5.2.0.2. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-5-1": http://cgit.freedesktop.org/libreoffice/core/commit/?id=7bcd59241495fe474387abb176185d8775aa104c&h=libreoffice-5-1 Resolves: tdf#91995 copying cells to undo doc shallow copied note pointer It will be available in 5.1.5. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.