crash with negative number of dots for rests

• Jun 18, 2019 - 07:58
Reported version
3.1
Type
Functional
Frequency
Few
Severity
S1 - Blocker
Reproducibility
Always
Status
closed
Regression
No
Workaround
No
Project

The attached score crashes MuseScore 3.1 and the latest development build.

Stack trace:
1 Ms::Rest::checkDots rest.cpp 434 0x8e18b8
2 Ms::Rest::layoutDots rest.cpp 408 0x8e1681
3 Ms::Rest::layout rest.cpp 399 0x8e1650
4 Ms::layoutSegmentElements layout.cpp 96 0x87aa11
5 Ms::Score::layoutChords1 layout.cpp 573 0x87c2a7
6 Ms::Score::getNextMeasure layout.cpp 2753 0x885b7b
7 Ms::Score::collectSystem layout.cpp 3555 0x889cb2
8 Ms::LayoutContext::collectPage layout.cpp 4334 0x88e889
9 Ms::LayoutContext::layout layout.cpp 4644 0x8905c5
10 Ms::Score::doLayoutRange layout.cpp 4629 0x8904c6
11 Ms::Score::update cmd.cpp 221 0x99486f
12 Ms::readScore file.cpp 2348 0x649475
13 Ms::MuseScore::readScore file.cpp 349 0x63799e
14 Ms::MuseScore::openScore file.cpp 327 0x637864
15 Ms::MuseScore::loadFiles file.cpp 304 0x637512
16 Ms::MuseScore::cmd musescore.cpp 5950 0x4f622a
17 Ms::MuseScore::cmd musescore.cpp 5758 0x4f53e5
18 Ms::MuseScore::qt_static_metacall moc_musescore.cpp 855 0x40a1d6
19 ZN11QMetaObject8activateEP7QObjectiiPPv 0x68c82085
20 ZN12QActionGroup7hoveredEP7QAction 0x264b4ee5
...

void Rest::checkDots()
      {
      int n = dots() - int(_dots.size());
      for (int i = 0; i < n; ++i) {
            NoteDot* dot = new NoteDot(score());
            dot->setParent(this);
            dot->setVisible(visible());
            score()->undoAddElement(dot);
            }
      if (n < 0) {
            for (int i = 0; i < -n; ++i)
                  score()->undoRemoveElement(_dots.back()); // <<<<<< line of crash. n is -85 here, i is 0
            }
      }
Attachment Size
19._Transformation_Finale_0.mscz 85.32 KB

Comments

That is what happens if a program doesn't check an input that it reads...

That file contains some rests with <dots>-85</dots> tags inside them. MuseScore simply believes the file and assumes that there really is a rest with -85 dots. It is easy to add a check for this this case exactly but generally some form of user data validation should probably be considered if we want to avoid similar crashes in future.

Fix version
3.3.0