Windows (?) Table Crash

Richard Kimberly Heck rikiheck at gmail.com
Sun Jun 2 17:59:02 UTC 2024


On 6/2/24 13:18, Udicoudco wrote:
> On Sun, Jun 2, 2024 at 7:53 PM Richard Kimberly Heck <rikiheck at gmail.com> wrote:
>> On 6/2/24 12:35, Udicoudco wrote:
>>> On Sun, Jun 2, 2024 at 7:32 PM Richard Kimberly Heck <rikiheck at gmail.com> wrote:
>>>> We've had a report of the following sort of crash, or maybe assertion.
>>>>
>>>> Create a table. Mark more than half the rows or columns. Delete those
>>>> (using the toolbar button, but I doubt that matters). Boom.
>>>>
>>>> I cannot reproduce on Linux, but Eugene was able to reproduce on
>>>> Windows. Anyone else?
>>> I can reproduce on Windows as well.
>> Can you get a backtrace?
> Here is the output when running with -dbg any from the point of
> clicking the delete rows button:
>
> Undo.cpp (23b): +++++++ Creating new group c for buffer 000002A164FFF720
> frontends\qt\GuiApplication.cpp (6d8): cmd:  action: 362
> [tabular-feature]  arg: 'delete-row' x: 0 y: 0
> BufferView.cpp (556): BufferView::dispatch: cmd:  action: 362
> [tabular-feature]  arg: 'delete-row' x: 0 y: 0
> Buffer.cpp (b55): Buffer::dispatch: cmd:  action: 362
> [tabular-feature]  arg: 'delete-row' x: 0 y: 0
> Cursor.cpp (30d): Cursor::dispatch: cmd:  action: 362
> [tabular-feature]  arg: 'delete-row' x: 0 y: 0
>
>   cursor:                                | anchor:
>   inset: 000002A163DE44B0 idx: 0 par: 0 pos: 0 | inset:
> 000002A163DE44B0 idx: 0 par: 0 pos: 0
>   inset: 000002A1640B77B0 idx: 12 par: 0 pos: 0 | inset:
> 000002A1640B77B0 idx: 5 par: 0 pos: 0
>   selection: 1 boundary: 0
>
> Cursor.cpp (32c): Cursor::dispatch: cmd:  action: 362
> [tabular-feature]  arg: 'delete-row' x: 0 y: 0
>
>   cursor:                                | anchor:
>   inset: 000002A163DE44B0 idx: 0 par: 0 pos: 0 | inset:
> 000002A163DE44B0 idx: 0 par: 0 pos: 0
>   inset: 000002A1640B77B0 idx: 12 par: 0 pos: 0 | inset:
> 000002A1640B77B0 idx: 5 par: 0 pos: 0
>   selection: 1 boundary: 0
>
> insets\InsetTabular.cpp (13bd): # InsetTabular::doDispatch: cmd:
> action: 362 [tabular-feature]  arg: 'delete-row' x: 0 y: 0
>    cur:
>   cursor:                                | anchor:
>   inset: 000002A163DE44B0 idx: 0 par: 0 pos: 0 | inset:
> 000002A163DE44B0 idx: 0 par: 0 pos: 0
>   inset: 000002A1640B77B0 idx: 12 par: 0 pos: 0 | inset:
> 000002A1640B77B0 idx: 5 par: 0 pos: 0
>   selection: 1 boundary: 0
>
> Undo.cpp (152): Create undo element of group c
> insets\InsetTabular.cpp (19d9): Feature: delete-row             value:
>   C:/Users/pc1/newfile14.lyx.emergency
> support/os_win32.cpp (149): <Win32 path correction>
> [~/newfile14.lyx.emergency]->>[~\newfile14.lyx.emergency]
>
> Is this what you meant (or is there a better way to backtrace)?

That's helpful, but what I had in mind is the call stack at the time of 
the crash.

Still, I think I see the problem now. This change:

          for (row_type r = sel_row_start; r <= sel_row_end; ++r)
-            tabular.deleteRow(sel_row_start);
+            tabular.deleteRow(r);
          if (sel_row_start >= tabular.nrows())
              --sel_row_start;
          cur.idx() = tabular.cellIndex(sel_row_start, column);

in InsetTabular, l. 6783, is the culprit. As rows are deleted, the 
variable r can point to an invalid row (and, in the recipe, will do so 
if we ask to delete more than half the rows, from the top). It would 
appear that, on my system, a request to delete beyond the end of the 
vector deletes the last element, so it 'just works', even though it 
should crash.

The old code didn't have this problem: It just kept deleting the 'same' 
row number, as they got moved up. It got changed to handle 
change-tracking. I think the solution is to do this in reverse:

for (row_type r = sel_row_end; r >= sel_row_start; --r)
     tabular.deleteRow(r);

And maybe put an assertion into Tabular::deleteRow to prevent this kind 
of crash.

The same issue exists in Tabular::DELETE_COLUMN.

Riki




More information about the lyx-devel mailing list