Summary: | Crash swlo!SwDrawTextInfo::GetSperren+1069 scrolling DOCX to bottom | ||
---|---|---|---|
Product: | LibreOffice | Reporter: | Telesto <telesto> |
Component: | Writer | Assignee: | Not Assigned <libreoffice-bugs> |
Status: | VERIFIED FIXED | ||
Severity: | critical | CC: | aron.budea, buzea.bogdan, jryan.daniels, noelgrandin, suokunlong, xiscofauli |
Priority: | highest | Keywords: | bibisected, bisected, haveBacktrace, regression |
Version: | 7.3.0.0 alpha0+ | ||
Hardware: | All | ||
OS: | All | ||
See Also: | https://bugs.documentfoundation.org/show_bug.cgi?id=148336 | ||
Whiteboard: | target:7.4.0 target:7.3.1 target:7.3.0 | ||
Crash report or crash signature: | Regression By: | ||
Bug Depends on: | |||
Bug Blocks: | 133092 | ||
Attachments: |
Example file
BT without symbols gdb bt Valgrind trace minimized reproducer |
Description
Telesto
2021-10-26 13:09:51 UTC
Created attachment 175922 [details]
Example file
Created attachment 175923 [details]
BT without symbols
No crash with Version: 7.0.0.0.beta1+ (x64) Build ID: 2891e91a513520d68ea2b8c59c14335861a15253 CPU threads: 4; OS: Windows 6.3 Build 9600; UI render: Skia/Raster; VCL: win Locale: nl-NL (nl_NL); UI: en-US Calc: CL Bug 135091 mentions a pre-existing assert.. Created attachment 175939 [details]
gdb bt
On pc Debian x86-64 with master sources updated today, I got a crash.
Extra info: (gdb) p rInf.GetText() $3 = "" (gdb) p rInf.GetIdx() $4 = {m_value = 0} (gdb) p rInf.GetLen() $5 = {m_value = 1} Noel: noticing https://cgit.freedesktop.org/libreoffice/core/commit/?id=d4dc6b5cfdb02ad00a06ad32650948648abe010d use std::vector for fetching DX array data because I'm trying to track down a related heap corruption, and that is much easier if the access to the array is checked by the std::vector debug runtime thought you might be interested in this one. Perhaps this document with your patch revealed a bug? >Extra info:
>(gdb) p rInf.GetText()
>$3 = ""
>(gdb) p rInf.GetIdx()
>$4 = {m_value = 0}
>(gdb) p rInf.GetLen()
>$5 = {m_value = 1}
This means that rInf has become corrupt somehow because the length does not match the string.
Created attachment 176037 [details]
Valgrind trace
Here's a Valgrind trace retrieved on pc Debian x86-64 with master sources updated today + gen rendering
The whole mechanism involved here is too complicated for me. I understand nothing about TextFrameIndex and layout features. Can't help here => uncc myself Bibisected using bibisect-linux-64-7.3-CN repo, to the following range: 9a58ec3f6f65da27e3b26e1173b6661b743e66a4..426930d0c4bd6f782a04a92e8a36e92cd65e186f 426930d0c4bd (speedup dynamic_cast to SwTextFrame, 2021-08-28, Noel Grandin) 69e0567e118f (tdf#135683 speed up layout of large writer tables, 2021-08-28, Noel Grandin) 9ca9faabd400 (vcl: move TextLayoutCache to own module header, 2021-03-07, Chris Sherlock) *** Bug 145929 has been marked as a duplicate of this bug. *** (In reply to Kevin Suo from comment #9) > Bibisected using bibisect-linux-64-7.3-CN repo, to the following range: > 9a58ec3f6f65da27e3b26e1173b6661b743e66a4.. > 426930d0c4bd6f782a04a92e8a36e92cd65e186f > > 426930d0c4bd (speedup dynamic_cast to SwTextFrame, 2021-08-28, Noel Grandin) > 69e0567e118f (tdf#135683 speed up layout of large writer tables, 2021-08-28, > Noel Grandin) > 9ca9faabd400 (vcl: move TextLayoutCache to own module header, 2021-03-07, > Chris Sherlock) Actually it can be bisected with SAL_USE_VCLPLUGIN=gen Regression introduced by: author Noel Grandin <noel.grandin@collabora.co.uk> 2021-09-02 20:05:09 +0200 committer Noel Grandin <noel.grandin@collabora.co.uk> 2021-09-04 08:17:06 +0200 commit d4dc6b5cfdb02ad00a06ad32650948648abe010d (patch) tree 02446cd93e68aba9b78db6eb7fc902e782c6faf9 parent 86fa9c907387e96c9c93f1e17239730271fedbfd (diff) use std::vector for fetching DX array data Bisected with: bibisect-linux64-7.3 Adding Cc: to Noel Grandin Created attachment 177549 [details]
minimized reproducer
Steps to reproduce:
1. Open minimized reproduced
2. Page down to the bottom
3. Page up to the top
-> Crash
*** Bug 146749 has been marked as a duplicate of this bug. *** *** Bug 146749 has been marked as a duplicate of this bug. *** Noel Grandin committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/0e4bcbb67dda204ba78f99df68a63458c29e7470 tdf#145321 Crash scrolling DOCX to bottom It will be available in 7.4.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback. Noel Grandin committed a patch related to this issue. It has been pushed to "libreoffice-7-3": https://git.libreoffice.org/core/commit/68fa037b8f1300ffb950cc3ba4be4347f976eb83 tdf#145321 Crash scrolling DOCX to bottom It will be available in 7.3.1. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback. Noel Grandin committed a patch related to this issue. It has been pushed to "libreoffice-7-3-0": https://git.libreoffice.org/core/commit/6ae00fc24786eac379e6e64ac3e6d83c6a057b24 tdf#145321 Crash scrolling DOCX to bottom It will be available in 7.3.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback. Xisco Fauli committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/1103240cb3e884ea6024a690eeed743934662a12 tdf#145321: sw_uiwriter3: Add unittest It will be available in 7.4.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback. Verified. No crash in Version: 7.3.1.0.0+ / LibreOffice Community Build ID: 216ad305810d1d36cf5874fd9842111d426899a8 CPU threads: 4; OS: Linux 5.13; UI render: default; VCL: gtk3 Locale: ro-RO (ro_RO.UTF-8); UI: en-US Calc: threaded |