Bug 149499

Summary: CRASH: inserting page break and undoing
Product: LibreOffice
Reporter: Xisco Faulí <xiscofauli>
Component: Writer
Assignee: Matt K <mattkse>
Status: REOPENED
Severity: major
CC: stephane.guillou, timur, xiscofauli
Priority: high
Version: Inherited From OOo
Hardware: All
OS: All
See Also: https://crashreport.libreoffice.org/stats/signature/SwHistoryBookmark::SetInDoc(SwDoc%20*,bool)
https://bugs.documentfoundation.org/show_bug.cgi?id=159546
Whiteboard: target:24.8.0
Crash report or crash signature: ["SwHistoryBookmark::SetInDoc(SwDoc *,bool)"]
Regression By:
Bug Depends on:
Bug Blocks: 105948, 108519, 133092
Attachments: sample file

Description Xisco Faulí 2022-06-09 07:46:32 UTC
Created attachment 180647 [details]
sample file

Steps to reproduce:
1. Open attached document
2. Insert a page break
3. Undo

-> Crash


Reproduced in

Version: 7.4.0.0.alpha1+ / LibreOffice Community
Build ID: d4123356c61db269651e950a0a2cc93e6d801c90
CPU threads: 8; OS: Linux 5.10; UI render: default; VCL: x11
Locale: es-ES (es_ES.UTF-8); UI: en-US
Calc: threaded

and

Version: 6.0.0.0.alpha1+
Build ID: 6eeac3539ea4cac32d126c5e24141f262eb5a4d9
CPU threads: 8; OS: Linux 5.10; UI render: default; VCL: x11; 
Locale: es-ES (es_ES.UTF-8); Calc: group threaded
Comment 1 Xisco Faulí 2022-06-09 13:47:55 UTC
Also reproduced in

Version: 4.4.0.3
Build ID: de093506bcdc5fafd9023ee680b8c60e3e0645d7
Locale: es_ES

LibreOffice crashes at closing time
Comment 2 Rafael Lima 2022-06-09 14:39:37 UTC
Repro with

Version: 7.4.0.0.alpha1+ / LibreOffice Community
Build ID: 118bafcfd1ce4a26ec9df912197ebd466d1bd497
CPU threads: 16; OS: Linux 5.13; UI render: default; VCL: kf5 (cairo+xcb)
Locale: pt-BR (pt_BR.UTF-8); UI: en-US
Calc: CL

As soon as I press Ctrl+Z after inserting the page break at the beginning of the document, Writer crashes.
Comment 3 Timur 2022-06-10 12:31:17 UTC
Marked regression, but repro also in 4.1, not consistently; the other times it doesn't crash, it will on the 2nd Insert. Also repro in 43all oldest. So I remove regression.
Comment 4 Xisco Faulí 2024-01-18 11:28:51 UTC
Still reproducible in

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: ef6083200a4f28e43198c7a0878da6f4b880725f
CPU threads: 8; OS: Linux 6.1; UI render: default; VCL: x11
Locale: es-ES (es_ES.UTF-8); UI: en-US
Calc: threaded
Comment 5 Matt K 2024-01-19 17:50:04 UTC
Fix posted at: https://gerrit.libreoffice.org/c/core/+/162317
Comment 6 Stéphane Guillou (stragu) 2024-01-30 15:40:32 UTC
(In reply to Timur from comment #3)
> Marked regression but repro also in 4.1, not consistently, but other time it
> doesn't crash it will on 2nd Insert. Also repro in 43all oldest. So I remove
> regression.
Also crashed on second insert, after undo, in OOo 3.3, let's mark as inherited.
Comment 7 Commit Notification 2024-02-02 15:41:30 UTC
Matt K committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/05889c7fd814187aec3d88c056ece0cc33736868

tdf#149499 Prevent crash upon inserting page break and undoing

It will be available in 24.8.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 8 Matt K 2024-02-04 00:30:09 UTC
Filed follow up bug at https://bugs.documentfoundation.org/show_bug.cgi?id=159546
Comment 9 Stéphane Guillou (stragu) 2024-02-21 02:53:17 UTC
Tested in:

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: ef9e1116d1100af50d7b74dcee5155c81b7b50fb
CPU threads: 8; OS: Linux 6.5; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

I can still crash it by successively undoing and re-doing after inserting a page break once. It is quite inconsistent: once it crashed after 3 undo-redo cycles, once after 30+.

Do you see the same thing?
Comment 10 Matt K 2024-02-21 20:42:18 UTC
(In reply to Stéphane Guillou (stragu) from comment #9)
> Do you see the same thing?

I don't repro a crash while the program is open on Windows.  However, I did repro a crash after closing the program.  I inserted a comment in the code before in sw\source\core\layout\ftnfrm.cxx (line 952) that a crash could happen there.  I think it's a heap-use-after-free error because the debugger didn't show what was wrong.  I will try investigating on Linux to see if I get any ASAN heap-use-after-frees.
Comment 11 Matt K 2024-02-22 00:43:12 UTC
(In reply to Matt K from comment #10)

Confirmed heap-use-after-free ASAN error on Linux when doing undo.  It's not clear yet how to solve it...
Comment 12 Matt K 2024-03-22 23:19:44 UTC
(In reply to Matt K from comment #11)
An attempt to fix this is at: https://gerrit.libreoffice.org/c/core/+/165197. However, it still asserts in a debug build.
Comment 13 John 2024-04-07 17:47:46 UTC
I have confirmed that this bug is still present in version 24.2. When inserting a page break followed by undo in the sample document there is a crash.