Opened 5 years ago

Closed 5 years ago

#15186 closed defect (fixed)

Undoing a particular series of wxRichTextTable column changes reproducibly segfaults

Reported by: dghart Owned by:
Priority: normal Milestone: 3.0.0
Component: wxRichText Version: stable-latest
Keywords: wxRichTextTable undo crash Cc:
Blocked By: Blocking:
Patch: yes


The preceding wxRichTextTable patch series made it possible to undo and redo adding/deleting columns and rows to a table. In normal use this works reliably. However the following scenario (shown in the attached patch to the richtext sample) reliably segfaults:

Create a table with e.g. 1 cell. In that cell create another 1-cell table. Add a column (or row) to the inner table. Now delete the containing column of the original table.

Undo the column deletion. Now undoing the inner-table column addition will crash in wxRichTextCtrl::LayoutContent.

Though the details vary with the precise situation, the immediate cause of the crash is accessing an object with an invalid refcount. This object is the parent paragraph of the inner table, which should still exist.

This only happens with a child table; and only when undoing something in it, so swapping old-for-new table objects. Failed fix attempts include storing the parent paragraph in the wxRichTextAction instead of the table itself; parking it in m_newParagraphs; and altering or removing the InvalidateHierarchy() call.

I expect the problem is because of one or more bugs in #15184, or perhaps #15185, but my wxRichTextCtrl understanding is insufficient to be certain.

Attachments (2)

richtext.diff download (12.6 KB) - added by dghart 5 years ago.
richtextbuffer.diff download (1.6 KB) - added by dghart 5 years ago.

Download all attachments as: .zip

Change History (5)

comment:1 Changed 5 years ago by juliansmart

  • Milestone changed from 2.9.5 to 3.0

comment:2 Changed 5 years ago by dghart

  • Patch set

Having exhausted all other possibilities, I finally put debug statements in the _right_ places and found the cause is incorrect parentage of m_object, the inner table. It it previously retained its original parent, which would be correct in most situations but not all.

Using instead the current object's parent fixes the crash without causing any other problems that I can find, and richtextbuffer.diff implements this.

Changed 5 years ago by dghart

Changed 5 years ago by dghart

comment:3 Changed 5 years ago by VZ

  • Resolution set to fixed
  • Status changed from new to closed

(In [74154]) Fix crash when undoing the deletion of a nested table column in wxRTC.

Fix the object parent when applying the actions.

Closes #15186.

Note: See TracTickets for help on using tickets.