Crash when deleting title frame

• Jul 19, 2018 - 13:34
Reported version
3.0
Type
Functional
Severity
S2 - Critical
Status
closed
Project
MuseScore
Tags
layout
  1. Open attached score (produced in 2.x).
  2. Click on title frame.
  3. 'Delete'.

Result: Crash (see attached log).

Using MuseScore 3.0 Nightly cad046a - Mac 10.11.6.

Attachment Size
Crash.mscz 4.78 KB
Crash [Log].txt 74.65 KB

Comments

Jul 19, 2018 - 13:39

Apologies for the vague title, but developers can determine, as I don't know the cause (perhaps related to layout?). Couldn't immediately see whether an issue existed either.

I originally encountered it by pasting notes or navigating via keyboard. Sometimes a different log appeared (attached).

Attachment Size
Crash [Log 2].txt 80.79 KB

Reply

Jul 19, 2018 - 15:59

I think I was able to reproduce with different steps (aforementioned pasting and navigation, rather than deleting the title frame), but possibly with a similar log. This is why I was not specific in the title - I'm assuming more investigation will reveal the root problem/cause.

Reply

Jul 19, 2018 - 16:23

I do not think it was the same crash. The logs look completely different to me. Are you sure you are able to reproduce this crash with the steps you provided? I get no crash when I try.

Reply

Jul 19, 2018 - 18:08

I will say that I have encountered what appears to be a race condition where one thread is trying to access a certain object while another thread is deleting that same object. Unfortunately, a characteristic of race conditions is that they can be very difficult to reproduce.

Reply

Jul 24, 2018 - 16:51

I am able to reproduce this on macOS 10.11.6. As you say, it crashes sometimes, but not always. The crash can be prevented by forcing a complete relayout every time a vertical frame is deleted, but I really don't want to do that. I'm not even completely happy with my solution to related issue #274446: Crash by deleting vertical(s) frame(s) in first page of large scores, which is to force a complete relayout if the page is empty after a vertical frame is deleted.

Reply

Jul 24, 2018 - 18:39

Thanks for your investigation.

Is the core issue about the frame? I can reproduce another way without deleting it (how I found the issue originally, incidentally):

  1. Open attached score.
  2. Click first note in bar 1 of Percussion 3.
  3. Hold Shift and click the last note in the bar.
  4. 'Edit'>'Copy'.
  5. 'Right'.
  6. 'Edit'>'Paste'.
  7. Repeat steps 5-6.

Result: Crash (see attached log).

Note: Sometimes not all steps (namely 6 or 7) may be needed to reproduce.

Using MuseScore 3.0 Nightly 6a015b8 - Mac 10.11.6.

Attachment Size
Crash when pasting and or navigating notes.mscz 17.66 KB
Crash when pasting and or navigating notes [Log].txt 80.07 KB

Reply

Jul 24, 2018 - 22:32

I don't think I can reproduce, but I'll take your word for it, as I encountered something similar weeks ago when scrolling; perhaps that was it.

Reply

Jul 26, 2018 - 10:24

I could reproduce the bug only under Mac (not under Linux), but I found, thanks to AddressSanitizer (which can be enabled in clang), that it is related to the presence of ledger lines.
Indeed, if in file "Crash.mscz" from the first post the notes in the final measure are transposed so that no ledger lines are used, deleting the title frame does not lead to a crash.
Attached the log files from AddressSanitizer for both example files of this issue thread. It shows that in both cases the program is somehow trying, during a paint event, to access an address which was previously referring to a ledger line.

Attachment Size
second_case_crash.txt 14.24 KB
title_frame_crash.txt 14.19 KB

Reply

Jul 27, 2018 - 15:10

The reason I was not experiencing a crash earlier had nothing to do with the version of macOS that I was running. It was because the page in question was entirely offscreen, and thus not affected by the paint event.

Reply