https://bugs.documentfoundation.org/show_bug.cgi?id=140061
--- Comment #19 from Patrick Luby (volunteer) <[email protected]> ---

Update: the crash is due to a "use after free" of an SwCharFormat instance.

In my macOS crash log in attachment #195701, the crash occurs in SwClient::SwClient(SwModify*) because the SwModify* parameter is an already deleted pointer. In this particular case, the SwModify* parameter is an SwCharFormat instance stored in SwEndNoteInfo::m_pAnchorFormat.

Essentially, the SwEndNoteInfo::m_pAnchorFormat pointer is getting deleted out from underneath the SwEndNoteInfo instance. Using the debug patch in attachment #195717, I was able to set a break in lldb and get a backtrace of where the SwCharFormat that matches the pointer in SwEndNoteInfo::m_pAnchorFormat gets deleted.

My lldb backtrace in attachment #195718 shows the SwCharFormat instance that matched the pointer in SwEndNoteInfo::m_pAnchorFormat is deleted when undoing (step 6 in comment #0).

I am not familiar with the inner workings of the Writer code, so hopefully someone might have an idea what needs to be changed to fix this bug. Does the SwCharFormat instance need to stay alive longer? Or does the SwCharFormat destructor need to somehow notify the SwEndNoteInfo instance?
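The two remedies asked about at the end of the comment, sketched as an added example that is not part of the original comment and is not LibreOffice code. `CharFormat`, `Document`, `KeepAliveInfo` and `ObservingInfo` are hypothetical stand-ins, and `Document::undo()` only models the step where the format is destroyed.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for the format object; not a LibreOffice class.
struct CharFormat {
    std::string name;
    explicit CharFormat(std::string n) : name(std::move(n)) {}
};

// Hypothetical owner of the formats. undo() drops the most recently
// created one, modelling the step where the deletion was observed.
struct Document {
    std::vector<std::shared_ptr<CharFormat>> formats;
    std::shared_ptr<CharFormat> create(const std::string& n) {
        formats.push_back(std::make_shared<CharFormat>(n));
        return formats.back();
    }
    void undo() { if (!formats.empty()) formats.pop_back(); }
};

// Remedy 1: the holder shares ownership, so the format stays alive longer.
struct KeepAliveInfo {
    std::shared_ptr<CharFormat> anchor;
    std::string anchorName() const { return anchor ? anchor->name : "<none>"; }
};

// Remedy 2: the holder only observes; destruction shows up as an expired
// handle instead of a dangling raw pointer.
struct ObservingInfo {
    std::weak_ptr<CharFormat> anchor;
    std::string anchorName() const {
        auto p = anchor.lock();  // null once the format has been destroyed
        return p ? p->name : "<none>";
    }
};

std::string keepAliveAfterUndo() {
    Document doc;
    KeepAliveInfo info{doc.create("Endnote anchor")};
    doc.undo();                  // document lets go; holder still owns it
    return info.anchorName();
}

std::string observingAfterUndo() {
    Document doc;
    ObservingInfo info{doc.create("Endnote anchor")};
    doc.undo();                  // last owner gone; handle expires
    return info.anchorName();
}

int main() {
    std::cout << keepAliveAfterUndo() << "\n" << observingAfterUndo() << "\n";
}
```

With a raw pointer in the holder, neither outcome is guaranteed after `undo()`: the read is undefined behaviour, which is what the crash log shows.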
