https://bugs.documentfoundation.org/show_bug.cgi?id=148143
--- Comment #15 from Kohei Yoshida <ko...@libreoffice.org> ---

It's probably caused by this:

https://cgit.freedesktop.org/libreoffice/core/commit/?id=99cd1d8834bb708afc81c825ff2b7992b7acb37d

Prior to that commit, ColumnSpanSet::ColumnType was stored wrapped inside std::unique_ptr as dynamically allocated memory, so when the std::vector reallocated its internal buffer and copied the stored values it would just copy the pointer values, and the ColumnType objects were still valid.

But since that commit, ColumnType is now stored wrapped inside std::optional which stores the object as part of the std::optional's memory footprint, not as dynamically allocated memory. So, when the std::vector store reallocates its buffer it now invokes ColumnType's copy constructor which copies both maSpans and miPos. miPos is used as a position hint into flat_segment_tree (maSpans) which stores a pointer to a node. And after the copy construction, that pointer may point to a node object that may have been deleted, which would certainly cause an invalid memory access and the crash would follow...

I have my local fix, and now I cannot reproduce the crash after repeating the paste 10+ times.

No idea why your bisecting ended up pointing to my commit, but that one is unrelated as far as I can tell. It may have just made the underlying issue easier to surface.
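The mechanism described in the comment above, as an added C++17 example that is not part of the original comment or of LibreOffice's code: `Column`, `spans`, `hint` and both helper functions are hypothetical stand-ins, with `std::list` taking the place of flat_segment_tree. It counts the object copies made when a vector of each holder type reallocates, and shows a copy constructor that re-seats the hint, which is one possible fix and not necessarily the author's local one.

```cpp
#include <iostream>
#include <list>
#include <memory>
#include <optional>
#include <utility>
#include <vector>

// Hypothetical stand-in for ColumnSpanSet::ColumnType: a node-based container
// (spans, like maSpans) plus a cached pointer to one of its nodes (hint, like miPos).
template <bool Reseat>
struct Column {
    static inline int copies = 0;  // copy-constructor calls
    std::list<int> spans{0, 10, 20};
    const int* hint = &spans.front();
    Column() = default;
    // Reseat == false is a memberwise copy; declaring it suppresses the implicit move.
    Column(const Column& o) : spans(o.spans), hint(Reseat ? &spans.front() : o.hint) { ++copies; }
    bool owns_hint() const {  // does hint point at one of our own nodes?
        for (const int& v : spans) if (&v == hint) return true;
        return false;
    }
};
using NaiveColumn = Column<false>;
using FixedColumn = Column<true>;

template <typename C>
bool copy_owns_hint() {
    C original;
    C copy(original);  // source still alive, so comparing addresses is well defined
    return copy.owns_hint();
}

// NaiveColumn copies made when a full std::vector<Holder> reallocates its buffer.
template <typename Holder>
int column_copies_on_growth(Holder first) {
    std::vector<Holder> v;
    v.push_back(std::move(first));
    while (v.size() < v.capacity()) v.emplace_back();  // fill with empty holders
    NaiveColumn::copies = 0;
    v.emplace_back();  // exceeds capacity: elements are relocated
    return NaiveColumn::copies;
}

int main() {
    std::cout << "Column copies on growth: unique_ptr="
              << column_copies_on_growth(std::make_unique<NaiveColumn>()) << " optional="
              << column_copies_on_growth(std::optional<NaiveColumn>(std::in_place))
              << "\ncopy owns its hint: naive=" << copy_owns_hint<NaiveColumn>()
              << " fixed=" << copy_owns_hint<FixedColumn>() << '\n';
}
```

In the `std::optional` case the vector destroys the old element after copying it, so the naive copy's `hint` is left holding the address of a freed node; the example only compares addresses while the source is alive and never dereferences a stale pointer.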