CRASH on close score after deleting all segment of a spanner

• Apr 13, 2016 - 09:43
Reported version
2.1
Type
Functional
Severity
S2 - Critical
Status
closed
Project
MuseScore

OP: https://musescore.org/en/node/105941

Reproduction steps:

  1. open slures.mscz
  2. right click slur
  3. select all similar elements
  4. delete
  5. close score (don't need to bother saving)

Result: SIGSEGV with call stack:

1	??				
2	Ms::Element::name	element.cpp	245	0x11c24d5	
3	Ms::RemoveElement::cleanup	undo.cpp	1655	0x1363ca6	
4	Ms::UndoCommand::cleanup	undo.cpp	131	0x135c3f6	
5	Ms::UndoStack::~UndoStack	undo.cpp	198	0x135c63e	
6	Ms::Score::~Score	score.cpp	433	0x127d7d1	
7	Ms::Score::~Score	score.cpp	437	0x127da74	
8	Ms::MuseScore::removeTab	musescore.cpp	2066	0xbf1534	
9	Ms::MuseScore::qt_static_metacall	moc_musescore.cpp	798	0x1031238	
10	QMetaObject::activate	qobject.cpp	3730	0x7fffef483870	
11	Ms::ScoreTab::tabCloseRequested	moc_scoretab.cpp	172	0x10384ae	
12	Ms::ScoreTab::qt_static_metacall	moc_scoretab.cpp	94	0x10381c1	
13	QMetaObject::activate	qobject.cpp	3730	0x7fffef483870	
14	QMetaObject::activate	qobject.cpp	3595	0x7fffef484147	
15	QTabBar::tabCloseRequested	moc_qtabbar.cpp	339	0x7ffff031c781	
16	QMetaObject::activate	qobject.cpp	3730	0x7fffef483870	
17	QMetaObject::activate	qobject.cpp	3595	0x7fffef484147	
18	QAbstractButton::clicked	moc_qabstractbutton.cpp	307	0x7ffff05072f2	
19	QAbstractButtonPrivate::emitClicked	qabstractbutton.cpp	533	0x7ffff0275484	
20	QAbstractButtonPrivate::click	qabstractbutton.cpp	526	0x7ffff0276937	
...

Stopped at this line:

const char* Element::name() const
      {
      return name(type());

Happens on Win 8.1 x86-64 2.0.3 and Arch Linux x86-64 latest master. And Jojo says on Win 7. And original reporter say win10 32bit.

Comments

Apr 13, 2016 - 10:00

that Element::name() method is called from a qDebug() in RemoveElement::cleanup(), meaning if won't be in the RELEASEd version, but that crashes too.

So I commented that line out, and sure enough it now crashes in the next line, `delete element;`

Reply

Apr 13, 2016 - 21:25

I've created a minimal test case which will produce the crash, consisting of two measures with line break inbetween, and either a Tie or a Slur in between...here's steps:

  1. Open this score:
    tie-across-linebreak.mscx
  2. right click the slur
  3. select "All similar elements of same type"
  4. delete
  5. close the score (doesn't matter if save or not when closing)

Result: CRASH.

I believe the source of the error is the extra little carry over slur bit that is generated before the next system when there is a line break between a slur/tie. It is possible that the select all is selecting both of these elements, and deleting them both, and this double-delete is probably somehow related to the crash on close. Solution might lie in only deleting the real slur/tie, and letting the generated carry-over bit be naturally un-generated on next layout.

Reply

Apr 13, 2016 - 22:49

I suspect your analysis is correct. There is a Slur (which is the whole thing) and the SlurSegment (which are the two separate parts of the slur). When you select a slur, there is very often confusion between which of the two should really be selected, and which should actually be operated on internally. We've been bitten by many bugs having to do with this over the years.

Reply

Apr 13, 2016 - 23:01
Title CRASH on close score after deleting all slurs/ties if any slur/tie crosses line break CRASH on close score after deleting all of a type of spanner{slurs/ties/glissando/hairpins} if any cross line break

Thanks. I've also checked the same thing with Hairpins & glissando, and they both crash. So I believe this bug generalizes to possibly all Spanner elements which cross a linebreak.

Attachment Size
gliss-across-linebreak.mscx 4.15 KB
hairpin-across-linebreak.mscz 2.9 KB

Reply

Feb 23, 2017 - 10:38
Title CRASH on close score after deleting all of a type of spanner{slurs/ties/glissando/hairpins} if any cross line break CRASH on close score after deleting all segment of a spanner

Reply