libreoffice writer crashes when edit the page break

Created attachment 180647
sample file

Steps to reproduce:
1. Open attached document
2. Insert a page break
3. Undo

-> Crash

Reproduced in

Version: 7.4.0.0.alpha1+ / LibreOffice Community
Build ID: d4123356c61db269651e950a0a2cc93e6d801c90
CPU threads: 8; OS: Linux 5.10; UI render: default; VCL: x11
Locale: es-ES (es_ES.UTF-8); UI: en-US
Calc: threaded

and

Version: 6.0.0.0.alpha1+
Build ID: 6eeac3539ea4cac32d126c5e24141f262eb5a4d9
CPU threads: 8; OS: Linux 5.10; UI render: default; VCL: x11;
Locale: es-ES (es_ES.UTF-8); Calc: group threaded

Also reproduced in

Version: 4.4.0.3
Build ID: de093506bcdc5fafd9023ee680b8c60e3e0645d7
Locale: es_ES

LibreOffice crashes at closing time

Repro with

Version: 7.4.0.0.alpha1+ / LibreOffice Community
Build ID: 118bafcfd1ce4a26ec9df912197ebd466d1bd497
CPU threads: 16; OS: Linux 5.13; UI render: default; VCL: kf5 (cairo+xcb)
Locale: pt-BR (pt_BR.UTF-8); UI: en-US
Calc: CL

As soon as I press Ctrl+Z after inserting the page break at the beginning of the document, Writer crashes.

Marked regression but repro also in 4.1, not consistently, but other time it doesn't crash it will on 2nd Insert. Also repro in 43all oldest. So I remove regression.

Still reproducible in

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: ef6083200a4f28e43198c7a0878da6f4b880725f
CPU threads: 8; OS: Linux 6.1; UI render: default; VCL: x11
Locale: es-ES (es_ES.UTF-8); UI: en-US
Calc: threaded

Fix posted at: https://gerrit.libreoffice.org/c/core/+/162317

(In reply to Timur from comment #3)
> Marked regression but repro also in 4.1, not consistently, but other time it
> doesn't crash it will on 2nd Insert. Also repro in 43all oldest. So I remove
> regression.
Also crashed on second insert, after undo, in OOo 3.3, let's mark as inherited.

Matt K committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/05889c7fd814187aec3d88c056ece0cc33736868

tdf#149499 Prevent crash upon inserting page break and undoing

It will be available in 24.8.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Filed follow up bug at https://bugs.documentfoundation.org/show_bug.cgi?id=159546

Tested in:

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: ef9e1116d1100af50d7b74dcee5155c81b7b50fb
CPU threads: 8; OS: Linux 6.5; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded

I can still crash it by successively undoing a re-doing after inserting a page break once. It is quite inconsistent, once it crashed after 3 undo-redo cycles, once after 30+.

Do you see the same thing?

(In reply to Stéphane Guillou (stragu) from comment #9)
> Do you see the same thing?

I don't repro a crash while the program is open on Windows. However, I did repro a crash after closing the program. I inserted a comment in the code before in sw\source\core\layout\ftnfrm.cxx (line 952) that a crash could happen there. I think it's a heap-use-after-free error because the debugger didn't show what was wrong. I will try investigating on Linux to see if I get any ASAN heap-use-after-frees.

(In reply to Matt K from comment #10)

Confirmed heap-use-after-free ASAN error on Linux when doing undo. It's not clear yet how to solve it...

(In reply to Matt K from comment #11)
An attempt to fix this is at: https://gerrit.libreoffice.org/c/core/+/165197. However, it still asserts in debug build.

I have confirmed that this bug is still present in version 24.2. When inserting a page break followed by undo in the sample document there is a crash.