Crash on select on score with slur ending on rest

• Dec 4, 2014 - 15:14
S2 - Critical

Ubuntu 14.04, GIT commit: 6bba0d4

I've seen a coupple variations on what appears to be the same crash today. Here is an easy-to-reproduce case.

1) load attached score (created in 1.3, downloaded from
2) select all

Result: crash

The crash occurs in Spanner::endChord(), and it's an assert failure - the endElement in this case is a rest, not a chord. But I've also seen cases where it is 0 as a result of the assignment of nullptr a couple of lines above (meaning it had been a rest up until then). Those cases happened when I wasexperimenting with things in the code so maybe I was doing something incorrectly. But the crash as described above should happen without my code.

In all cases, this is being called from Selection::updateSelectedElements(), which is called from at the end of Score::pasteStaff().


FWIW, I can reproduce on both my Linux systems, with the very latest sources (built a few minutes agi) as well as builds from a few days ago. Also crashes for me on Windows with the most recent build I have there (also from a few days ago).

Well, I tried on a few nightlies including the latest, and I still see no crash (under Windows7 and Windows8) after opening the file and select all.
I'm going to drop!
This issue is it reproducible from scratch?

Title Crash on select on score with slur with no end element Crash on select on score with slur ending on rest

It crashes in debug mode only. The crash is on Q_ASSERT() and they are ignored in release mode.
It easily reproducible from scratch in a68454ece6 if built in debug mode.

  1. Create a score with a quarter note and a quarter rest
  2. add a slur to the first note
  3. Select all

Doh! I should have thought of that. I even knew it was an assert failure.

I would say we could just remove the assert, then, but I still see a potential crash or two here. A couple of lines above the assert, we do a conditional assignment of _endElement, but then we dereference it without checking for null, And we potentially return null, yet the calling code doesn't check for that before dereferencing it. Hoepfully, _endElement is just never null in the first place.