[Upstream] soffice.bin crashed with SIGSEGV in _SaveBox::CreateNew()

Created attachment 103543
Writer document which demonstrates the crash

Paste/undo actions in tables with merged cells cause document corruption and crashes

Observed on OSX with LO 4.2.5.2. Other platforms unknown

Steps to reproduce
1. Load the attached Writer document
(which contains a 3x3 table in which A2:A3 and B2:C2 are merged cells, and the letters "a" "b" and "c" are placed in cells C1, B2 and C3 respectively)
2. Select and cut the range C1:C3 (the three cells containing the "a" "b" and "c")
3. Place the cursor in cell B2
4. Repeatedly paste then undo

Result
Despite the fact that the selection is unchanged, and the cursor is not moved, the three charaters are placed differently in each paste-undo cycle. After a couple of cycles, the table structure is corrupted and LO crashes

Created attachment 103543
Writer document which demonstrates the crash

Paste/undo actions in tables with merged cells cause document corruption and crashes

Observed on OSX with LO 4.2.5.2. Other platforms unknown

Steps to reproduce
1. Load the attached Writer document
(which contains a 3x3 table in which A2:A3 and B2:C2 are merged cells, and the letters "a" "b" and "c" are placed in cells C1, B2 and C3 respectively)
2. Select and cut the range C1:C3 (the three cells containing the "a" "b" and "c")
3. Place the cursor in cell B2
4. Repeatedly paste then undo

Result
Despite the fact that the selection is unchanged, and the cursor is not moved, the three charaters are placed differently in each paste-undo cycle. After a couple of cycles, the table structure is corrupted and LO crashes

Created attachment 103544
Crash dump

Created attachment 103544
Crash dump

Still occurs in 4.3.0.4 release

Still occurs in 4.3.0.4 release

Open document https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/64295/+attachment/18400/+files/20061006_final_pres_handout.odt

1. Put cursor at box under "Joe Selects Option A"
1. Edit -> Select All (which should select the whole table)
2. Copy
3. Put cursor at box under "Joe Selects Option A"
4. Paste
5. Undo
6. Paste
7. Undo (note how items are left)
8. Paste
9. Undo (crashes)

The cursor might also move around during the above.

This might have the same root cause as this bug:https://bugs.freedesktop.org/show_bug.cgi?id=37156 (where I got the file from).

Stack trace available here; https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1350369

Test System:
Kubuntu 14.4 (KDE 4.13.2)
LibreOffice 4.2.0.2

I attempted to select just the text from the long cell below "Joe Selects Option A" by putting the cursor at the beginning of the cell text and using the cursor keys (down arrow) while holding the shift key. I was unable to select beyond "Sheila"

Starting with the cursor at the beginning of the cell, and using Ctrl+Shift+End, visually highlighted only the left justfied text, but not the lines with the right justified values.

However, The entire cell text went into the clipboard and I was able to paste all the cell text into the second column, second cell down. That text, I could then undo and paste and undo and paste repeatedly (I stopped after ten repetitions). No crash.

I am guessing that This kind of paste was the desired behavior. Pasting the whole table into one of the cells does not make sense to me. Could the issue then be one of trying to paste a whole table back into one cell with some kind of buffer problem resulting?

Bryan, Can you please attempt to confirm the intent of the copy/paste and see if your system works like mine?

There are likely a few bugs/odd behaviour here. Some are described in the other bug in the summary[37156].

That Select All selects the whole table as opposed to just what's in that cell. The crash is reproducible by just selecting the table with the Mouse/Shift.

>Can you please attempt to confirm the intent of the copy/paste and see if your system works like mine? / desired behavior
The intent/desire of my copy/paste was to try to find/reproduce a bug 37156. Instead it crashed for me. But yes, I do not have any issues if I actually copy the contents of single cells around.

Dear Matthew,

Thank you for submitting the bug. I can confirm that the bug is available in 3.3.0, 3.6.7, 4.2.5, and 4.3.1. It will crash between 2 to 4 paste and undo cycles.

Dear Matthew,

Thank you for submitting the bug. I can confirm that the bug is available in 3.3.0, 3.6.7, 4.2.5, and 4.3.1. It will crash between 2 to 4 paste and undo cycles.

Created attachment 103729
linux backtrace

Created attachment 103729
linux backtrace

Confirmed in 4.2.7 and master on Linux Mint. This reminds me of bug 81806.

Created attachment 104058
linux backtrace

(This is an automated message.)

LibreOffice development currently prioritizes bugs with the so called MAB (most annoying bugs) -- as this bug has not run through that process (including writing a short rationale for this bug being a candidate and other who are watching the tracker bug silently approving that rationale etc.) its priority is set to high. Note this is effectively no change in the urgency assigned to this bug, as we are currently not making a difference between high and highest and severity is untouched.

You can find out more about MABs and how the process works by contacting libreoffice qa on irc:

 http://webchat.freenode.net/?channels=libreoffice-qa

The QA wiki page also gives you hints on how to get in contact with the team (if IRC fails you, your next best choice is the mailing list):

 https://wiki.documentfoundation.org/QA

(This is an automated message.)

LibreOffice development currently prioritizes bugs with the so called MAB (most annoying bugs) -- as this bug has not run through that process (including writing a short rationale for this bug being a candidate and other who are watching the tracker bug silently approving that rationale etc.) its priority is set to high. Note this is effectively no change in the urgency assigned to this bug, as we are currently not making a difference between high and highest and severity is untouched.

You can find out more about MABs and how the process works by contacting libreoffice qa on irc:

 http://webchat.freenode.net/?channels=libreoffice-qa

The QA wiki page also gives you hints on how to get in contact with the team (if IRC fails you, your next best choice is the mailing list):

 https://wiki.documentfoundation.org/QA

(This is an automated message.)

LibreOffice development currently prioritizes bugs with the so called MAB (most annoying bugs) -- as this bug has not run through that process (including writing a short rationale for this bug being a candidate and other who are watching the tracker bug silently approving that rationale etc.) its priority is set to high. Note this is effectively no change in the urgency assigned to this bug, as we are currently not making a difference between high and highest and severity is untouched.

You can find out more about MABs and how the process works by contacting libreoffice qa on irc:

 http://webchat.freenode.net/?channels=libreoffice-qa

The QA wiki page also gives you hints on how to get in contact with the team (if IRC fails you, your next best choice is the mailing list):

 https://wiki.documentfoundation.org/QA

Created attachment 109584
Linux dbg bt of TB45 dbg build with symbols and source refs

Backtrace with recent 32-bit Linux TB45-debug build
On Fedora 20, 32-bit en-US with debug build
Version: 4.4.0.0.alpha1+
Build ID: d59b9b4af36148e4d8df8f3e3492116d378642e2
TinderBox: Linux-rpm_deb-x86@45-TDF-dbg, Branch:master, Time: 2014-11-06_03:11:43

SIGABRT crash, assertion while finding pointer position

pBlock->pData[ nOffset... BigPtrEntry::GetPos()

Created attachment 109584
Linux dbg bt of TB45 dbg build with symbols and source refs

Backtrace with recent 32-bit Linux TB45-debug build
On Fedora 20, 32-bit en-US with debug build
Version: 4.4.0.0.alpha1+
Build ID: d59b9b4af36148e4d8df8f3e3492116d378642e2
TinderBox: Linux-rpm_deb-x86@45-TDF-dbg, Branch:master, Time: 2014-11-06_03:11:43

SIGABRT crash, assertion while finding pointer position

pBlock->pData[ nOffset... BigPtrEntry::GetPos()

You can reproduce the basic issue with an even simpler document:
1. Insert Table with 2 columns, 1 row
2. Type a in column 1, b in column 2
3. Highlight and cut
4. GO to column2, paste (note how it just shows a
5. Undo
6. Paste again (now it shows a and b!)

This simple case doesn't seem to crash, but does likely show the underlying bug. A similar issue happens if you do 1 column, 2 rows. The first paste adds a new row. The undo removes it and then a and b are both pasted in the same 2nd row.

You can reproduce the basic issue with an even simpler document:
1. Insert Table with 2 columns, 1 row
2. Type a in column 1, b in column 2
3. Highlight and cut
4. GO to column2, paste (note how it just shows a
5. Undo
6. Paste again (now it shows a and b!)

This simple case doesn't seem to crash, but does likely show the underlying bug. A similar issue happens if you do 1 column, 2 rows. The first paste adds a new row. The undo removes it and then a and b are both pasted in the same 2nd row.

*** This bug has been marked as a duplicate of bug 81806 ***

*** Bug 81923 has been marked as a duplicate of this bug. ***

*** Bug 81923 has been marked as a duplicate of this bug. ***

(This is an automated message.)

Setting priority to highest as this is a MAB. This is part of an effort to make the importance of MAB reflected in priority too.

(This is an automated message.)

Setting priority to highest as this is a MAB. This is part of an effort to make the importance of MAB reflected in priority too.

issue remains with 4.3 and 4.4 builds. Moving to mab4.3

issue remains with 4.3 and 4.4 builds. Moving to mab4.3

try that with the correct bug id for mab4.3

try that with the correct bug id for mab4.3

What I see is that undo always leaves a pam that points to the start of the undone area and a mark to the end of the undone area, even if that area is empty. (In the normal where there is a selection this can be seen by selecting something, deleting it, and undoing and the newly undeleted stuff is again selected)

The table overwrite/paste thing looks to see if a mark is set and goes off to "do something very complex" if its set. So if after each undo cycle, you physically click at the point where the cursor is flashing (which clears the mark) and then paste, undo, *click*, paste you get a wonderfully stable experience.

So it seems reasonable to me to "do the simple thing" if there is no mark, or if the mark and point are the same, i.e. there is nothing actually selected by the PaM.

Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=e06905df15ff03c6d3c84f61bd67860a91416c2d

Resolves: tdf#81806 crash on certain table paste+undo+page cycles

It will be available in 5.1.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=5fbf5b10ca45528a075aba5d5f8e3f6af08c287f&h=libreoffice-5-0

Resolves: tdf#81806 crash on certain table paste+undo+page cycles

It will be available in 5.0.0.1.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-4-4":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=ff6fb90179f1aa70e9d83bf4d90848fa13ff87db&h=libreoffice-4-4

Resolves: tdf#81806 crash on certain table paste+undo+page cycles

It will be available in 4.4.5.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.