Bug 105858 - Pivot crashes Calc
Summary: Pivot crashes Calc
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc (show other bugs)
Version:
(earliest affected)
3.5 all versions
Hardware: All All
: highest critical
Assignee: Eike Rathke
QA Contact:
URL:
Whiteboard: target:5.4.0 target:5.3.1 target:5.2.6
Keywords: haveBacktrace
Depends on:
Blocks:
 
Reported: 2017-02-08 13:03 UTC by sealjosephson
Modified: 2017-02-28 20:48 UTC (History)
4 users (show)

See Also:
Crash report or crash signature: ["rtl_uString_assign"]


Attachments
screenshot (129.70 KB, image/jpeg)
2017-02-08 13:06 UTC, sealjosephson
Details

Note You need to log in before you can comment on or make changes to this bug.
Description sealjosephson 2017-02-08 13:03:12 UTC
Description:
after trying to add another column after IV (that is IW) in Pivot, it crashes Calc

Steps to Reproduce:
1. create a pivot that has columns till IV (even with a single line)
2. Try to add another item from Available Fields to Data Fields, to the bottom, so that supposed appear in column IW
3. Press OK
4. Crash

Actual Results:  
crash

Expected Results:
no crash, added IW column


Reproducible: Always

User Profile Reset: No

Additional Info:


User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
Comment 1 sealjosephson 2017-02-08 13:06:17 UTC
Created attachment 131015 [details]
screenshot
Comment 2 Xisco Faulí 2017-02-08 13:17:04 UTC Comment hidden (obsolete)
Comment 3 Julien Nabet 2017-02-08 18:32:11 UTC
if you start from A column, IV column corresponds to 256th column and so IW corresponds to 257th column. So it could be due to a variable limited to value 256.
Comment 4 Julien Nabet 2017-02-08 20:01:38 UTC
bt:

rtl_uString_release (pThis=0x0) at /home/julien/lo/libreoffice/sal/rtl/strtmpl.cxx:1218
1218	    if (SAL_UNLIKELY(SAL_STRING_IS_STATIC (pThis)))
(gdb) bt
#0  rtl_uString_release (pThis=0x0) at /home/julien/lo/libreoffice/sal/rtl/strtmpl.cxx:1218
#1  0x00002aaad310ded8 in rtl::OUString::operator=(rtl::OUString&&) (this=this@entry=0x7fffffff3210, 
    str=str@entry=<unknown type in /home/julien/lo/libreoffice/instdir/program/../program/libsclo.so, CU 0x9693c, DIE 0xb7154>)
    at /home/julien/lo/libreoffice/include/rtl/ustring.hxx:451
#2  0x00002aaad33709d9 in (anonymous namespace)::lcl_FillNumberFormats (rFormats=@0x55555c3a3ef8: 0x0, rCount=@0x55555c3a3f08: 0, xLevRes=
    uno::Reference to (ScDPLevel *) 0x5555584416d8, xDims=uno::Reference to (ScNameToIndexAccess *) 0x555558439508)
    at /home/julien/lo/libreoffice/sc/source/core/data/dpoutput.cxx:363
#3  0x00002aaad3372e0b in ScDPOutput::ScDPOutput (this=0x55555c3a3ea0, pD=<optimized out>, xSrc=..., rPos=..., bFilter=<optimized out>)
    at /home/julien/lo/libreoffice/sc/source/core/data/dpoutput.cxx:679

(gdb) p nDataCount
$2 = 256

So the root cause is there:
http://opengrok.libreoffice.org/xref/core/sc/source/core/data/dpoutput.cxx#345
SC_DPOUT_MAXLEVELS = 256
see http://opengrok.libreoffice.org/xref/core/sc/source/core/data/dpoutput.cxx#SC_DPOUT_MAXLEVELS

Eike: should we increase SC_DPOUT_MAXLEVELS or should we use it as a limit in the loop and put a popup message?
Comment 5 Xisco Faulí 2017-02-08 20:05:50 UTC Comment hidden (obsolete)
Comment 6 Eike Rathke 2017-02-17 11:54:53 UTC
First let's prevent the crash..
Any kind of popup in that path would be quite disturbing and should be handled at some other place.
Comment 7 Commit Notification 2017-02-17 13:18:03 UTC
Eike Rathke committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=9bdf971b0202c6d55d88e61861b251459de9586b

Resolves: tdf#105858 check nDataCount<SC_DPOUT_MAXLEVELS to prevent crash

It will be available in 5.4.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 8 Commit Notification 2017-02-17 13:18:08 UTC
Eike Rathke committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=7fbdd8b7d3741d55b229977f9e6d6213af5fa542

more counts<SC_DPOUT_MAXLEVELS to check, tdf#105858 related

It will be available in 5.4.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 9 Eike Rathke 2017-02-17 13:41:12 UTC
Pending review
https://gerrit.libreoffice.org/34369 for 5-3
https://gerrit.libreoffice.org/34370 for 5-2
https://gerrit.libreoffice.org/34372 for 5-2-6
Comment 10 Eike Rathke 2017-02-17 13:49:15 UTC
For further development, rather than using fixed fields of a larger size SC_DPOUT_MAXLEVELS for page, row, column and data, growing std::vector should be used. Such could support more entries without having unnecessarily large amounts preallocated that mostly aren't used anyway.
Comment 11 Commit Notification 2017-02-18 02:50:35 UTC
Eike Rathke committed a patch related to this issue.
It has been pushed to "libreoffice-5-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=cbba64225a2abfdd8b2437e8a06925b15fb15d26&h=libreoffice-5-2

Resolves: tdf#105858 check SC_DPOUT_MAXLEVELS to prevent crash

It will be available in 5.2.7.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 12 Commit Notification 2017-02-18 02:50:44 UTC
Eike Rathke committed a patch related to this issue.
It has been pushed to "libreoffice-5-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=e38914af31b0150a383cc556e634da48eceb1dbc&h=libreoffice-5-3

Resolves: tdf#105858 check SC_DPOUT_MAXLEVELS to prevent crash

It will be available in 5.3.1.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 13 Commit Notification 2017-02-22 13:37:41 UTC
Eike Rathke committed a patch related to this issue.
It has been pushed to "libreoffice-5-2-6":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=092026853d073f7e24988e0cebe24e4312b45b9b&h=libreoffice-5-2-6

Resolves: tdf#105858 check SC_DPOUT_MAXLEVELS to prevent crash

It will be available in 5.2.6.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 14 Julien Nabet 2017-02-22 13:53:36 UTC
Simplify targets a bit
Comment 15 Julien Nabet 2017-02-28 20:48:06 UTC
Just for information, SC_DPOUT_MAXLEVELS limit has been removed on master branch:

author	Julien Nabet <serval2412@yahoo.fr>	2017-02-18 19:35:17 (GMT)
committer	Eike Rathke <erack@redhat.com>	2017-02-24 15:23:32 (GMT)
commit	41f95c4a35a6335e9edb2f51c11d136d88bd0749 (patch)
tree	caf167ab6f6777da38612b453703b08930fec5fd
parent	237685fdfad448ddb8493c6c8162f7db085ec45c (diff)
Remove SC_DPOUT_MAXLEVELS limit in Pivot
by using vectors instead of fixed arrays