Issue 122922 - Writer crashes when deleting a row from a table after copying a text from a cell in the same row
Summary: Writer crashes when deleting a row from a table after copying a text from a c...
Status: CLOSED FIXED
Alias: None
Product: Writer
Classification: Application
Component: editing (show other issues)
Version: 4.0.0
Hardware: All All
: P2 Critical (vote)
Target Milestone: 4.0.1
Assignee: Oliver-Rainer Wittmann
QA Contact:
URL:
Keywords: regression
Depends on:
Blocks:
 
Reported: 2013-08-01 04:38 UTC by Heriska
Modified: 2017-05-20 10:35 UTC (History)
6 users (show)

See Also:
Issue Type: DEFECT
Latest Confirmation in: 4.0.0
Developer Difficulty: ---


Attachments
Example of the copied text from one cell to another in a different row but same table (38.05 KB, image/jpeg)
2013-08-01 04:38 UTC, Heriska
no flags Details
Sample to reproduce the error (37.57 KB, image/jpeg)
2013-08-01 07:02 UTC, Heriska
no flags Details
crash stack (10.00 KB, text/plain)
2013-08-02 08:58 UTC, hdu@apache.org
no flags Details
reverse the iteration to keep the iterators valid after an erase (858 bytes, patch)
2013-08-02 11:58 UTC, hdu@apache.org
orw: review-
Details | Diff

Note You need to log in before you can comment on or make changes to this issue.
Description Heriska 2013-08-01 04:38:32 UTC
Created attachment 81224 [details]
Example of the copied text from one cell to another in a different row but same table

Whenever I tried to delete a row after copy-pasting a text from a cell to a different cell that is in a different row, the program would always crashes with the following detail error:

Problem signature:
  Problem Event Name:	BEX
  Application Name:	soffice.bin
  Application Version:	4.0.9702.500
  Application Timestamp:	51de9766
  Fault Module Name:	MSVCR90.dll
  Fault Module Version:	9.0.30729.6161
  Fault Module Timestamp:	4dace5b9
  Exception Offset:	0006ccd5
  Exception Code:	c0000417
  Exception Data:	00000000
  OS Version:	6.1.7601.2.1.0.256.1
  Locale ID:	1033
  Additional Information 1:	5718
  Additional Information 2:	57183f5ab2e27e7416d1aeb718001530
  Additional Information 3:	776b
  Additional Information 4:	776be9e331ef26208ace915897ad1a05

In order to reproduce the error, these are the following steps that I took:
1) Create a table with at least 2 rows (I created a 2x3 table)
2) Fill in the cells with text (I wrote Cell 1 to Cell 6)
3) Copy the text from 1 cell paste the value to a different cell in a different row (I copied the text "Cell 6" from the 2nd row and pasted to "Cell 3" from the 1st row - see attached file)
4) Delete the row where you copied the text from by using Right-Click => Row => Delete (I tried to delete the 2nd row)
5) The program will crashes

NOTE: This looks like because the text is still in a clipboard or something because if I copied a different text NOT from the same row (ie. a different row or anywhere else not from the table), it will not crash when I try to delete the row
Comment 1 Edwin Sharp 2013-08-01 05:02:41 UTC
No crash with Rev. 1507307 Win 7.
Comment 2 Heriska 2013-08-01 07:02:05 UTC
Created attachment 81225 [details]
Sample to reproduce the error

Tried it in 3 different computers and they all crashes. All of them has the following version of Apache Open Office:

AOO400m3(Build:9702)  -  Rev. 1503704
2013-07-16 14:54:56 (Di, 16 Jul 2013)

I am not sure how to get Rev. 1507307 but the one that I got is from the download link. Maybe the issue has been resolved in a newer version.

In order to reproduce the error, you need to make sure delete the row right after you copy and paste the text to another cell and row
Comment 3 hdu@apache.org 2013-08-02 08:58:04 UTC
Created attachment 81237 [details]
crash stack
Comment 4 hdu@apache.org 2013-08-02 09:02:31 UTC
Confirming. Thanks for the reproduction steps. The stack above shows that it can be triggered on other platforms too.
Comment 5 hdu@apache.org 2013-08-02 11:48:58 UTC
Looking through the stack I found the frames 29 and 30 to be most suspicious:
Frame 30 is walking through MarkManager's vector container and frame 29 is erasing from just that container. That is a classic recipe for working with invalid iterators.
Comment 6 hdu@apache.org 2013-08-02 11:58:32 UTC
Created attachment 81239 [details]
reverse the iteration to keep the iterators valid after an erase

When erasing in a vector the iterators before the erasing point remain valid whereas the iterators after it become invalid. The idea behind the patch is to use the order that prevents the use of invalid iterators.

With my patch suggestion applied I can no longer reproduce the crash.
Comment 7 Oliver-Rainer Wittmann 2013-08-02 14:40:21 UTC
taking over for deeper investigations
Comment 8 Oliver-Rainer Wittmann 2013-08-12 14:28:33 UTC
same root cause as bug 122902 and also fixed by the same patch
Comment 9 Oliver-Rainer Wittmann 2013-08-19 08:25:31 UTC
Comment on attachment 81239 [details]
reverse the iteration to keep the iterators valid after an erase

see bug 122902 for the root cause and an improved solution
Comment 10 Oliver-Rainer Wittmann 2013-08-19 08:51:19 UTC
fixed on trunk and AOO401 branch - see bug 122902 for the corresponding commits.
Comment 11 Adriana Luca 2014-07-05 14:57:29 UTC
Was able to reproduce with Windows XP and Open Office 4.0.0.
Verified fixed by not reproducing after upgrading to Open Office 4.1.0: AOO410m18(Build:9764)  -  Rev. 1589052
2014-04-22 11:43:54 (Di, 22 Apr 2014)