Created attachment 131772
Contains data for demonstration of the bug

In the attached file, select the range C13:C26, copy it and paste it into a new document (default is cell A2). LibreOffice Calc crashes if you insert into rows 1 to 12 (-1 from the beginning of the selection) and into columns A to C (not to the right of the selection). The problem occurs when a sheet name is specified in the formula.
Confirmed in

Versión: 5.3.1.1
Id. de compilación: 72fee18f394a980128dc111963f2eefb05998eeb
Subpr. de CPU: 1; SO: Windows 6.1; Repr. de IU: predet.; Motor de trazado: HarfBuzz;
Configuración regional: es-ES (es_ES); Calc: group

and

Version: 5.4.0.0.alpha0+
Build ID: d3676ceeec55a41337ce5e6bc596f4f100d0638e
CPU threads: 4; OS: Linux 4.8; UI render: default; VCL: gtk2;
Locale: ca-ES (ca_ES.UTF-8); Calc: group

Error message:
multi_type_vector::get_block_position#795: block position not found! (logical pos=18446744073709551615, block size=5, logical size=1048576)
Reproduced in

Version: 5.2.0.0.alpha1+
Build ID: 5b168b3fa568e48e795234dc5fa454bf24c9805e
CPU Threads: 4; OS Version: Linux 4.8; UI Render: default;
Locale: ca-ES (ca_ES.UTF-8)

but not in

Version: 5.0.0.0.alpha1+
Build ID: 0db96caf0fcce09b87621c11b584a6d81cc7df86
Locale: ca-ES (ca_ES.UTF-8)
Regression introduced in range: https://cgit.freedesktop.org/libreoffice/core/log/?id=fee2de9cb1f4763a0e4f7e0e3bae6858c3d458b4&qt=range&q=2966d57bdfdd40a55e31408f7da75b415e809d8e..1fccc616d205b7d7011d66d4e4c719b62876eec5
Created attachment 131776
gdb backtrace
e9077931ccdae86f7653037f37768a75c43ed8d6 is the first bad commit
commit e9077931ccdae86f7653037f37768a75c43ed8d6
Author: Norbert Thiebaud <nthiebaud@gmail.com>
Date: Mon Feb 22 02:24:55 2016 -0800

    source c8ad72703b74b7338c5f8dd1fe0275822b1e45f0

# bad: [8955562930c20a45d6a06ae6f63531addd503826] source 1fccc616d205b7d7011d66d4e4c719b62876eec5
# good: [aab6c3dc042083e4201ae4e31fce330f25e611ab] source 2966d57bdfdd40a55e31408f7da75b415e809d8e
git bisect start '8955562930c20a45d6a06ae6f63531addd503826' 'aab6c3dc042083e4201ae4e31fce330f25e611ab'
# bad: [ab655016dc935157830f7758bd4a0a35887e2997] source 39c8d40ddf85903d9ea2b81ae4ca924e91f89cb7
git bisect bad ab655016dc935157830f7758bd4a0a35887e2997
# bad: [8ac5562a44af31cbbd4931ee8bcd393d465ae5de] source 85c789be1f94777b582977e69b16665a47dc364f
git bisect bad 8ac5562a44af31cbbd4931ee8bcd393d465ae5de
# good: [d00937aa002cca73a3505a9175939e079d268344] source de669d714fa6f7d33d6df6e323c72710f470f77c
git bisect good d00937aa002cca73a3505a9175939e079d268344
# bad: [349d023c1143f8b9c99819abb696156b343c2bb6] source a6e8910a3c5d33e671a13559438b7228596b8bca
git bisect bad 349d023c1143f8b9c99819abb696156b343c2bb6
# bad: [651292f2aa1658898a1ea040c6ee63f20ef98ee9] source fa20b651d61edb7bf9487cb79140bb57fc668967
git bisect bad 651292f2aa1658898a1ea040c6ee63f20ef98ee9
# bad: [e9077931ccdae86f7653037f37768a75c43ed8d6] source c8ad72703b74b7338c5f8dd1fe0275822b1e45f0
git bisect bad e9077931ccdae86f7653037f37768a75c43ed8d6
# first bad commit: [e9077931ccdae86f7653037f37768a75c43ed8d6] source c8ad72703b74b7338c5f8dd1fe0275822b1e45f0
This crash started with Markus' commit referenced below. The crash is actually a Fatal Error with the message:

"multi_type_vector::get_block_position#795: block position not found! (logical pos=4294967295, block size=5, logical size=1048576)"

Maybe some kind of overflow?

https://cgit.freedesktop.org/libreoffice/core/commit/?id=c8ad72703b74b7338c5f8dd1fe0275822b1e45f0
author Markus Mohrhard <markus.mohrhard@googlemail.com> 2016-02-18 05:03:11 (GMT)
committer Markus Mohrhard <markus.mohrhard@googlemail.com> 2016-02-18 07:48:27 (GMT)
"don't fill the matrix cell by cell, tdf#67071"
The direct cause of the crash is that in convertToTokenArray(...), nRow is -1, which is passed in through pSrcDoc->FillMatrix(...) all the way to the mdds function.

The place of the first FillMatrix(...) call:
http://opengrok.libreoffice.org/xref/core/sc/source/ui/docshell/externalrefmgr.cxx#1615

And this is where -1 becomes 4294967295 in an SCROW -> StoreT::size_type type conversion:
http://opengrok.libreoffice.org/xref/core/sc/source/core/data/column2.cxx#2365
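
The conversion described in the comment above, as an added example that is not part of the original thread and is not LibreOffice or mdds code: a signed row of -1 wraps to 4294967295 or 18446744073709551615 depending on the width of the unsigned size type, and a range check before the call keeps it away from the container. `Row`, `BlockStore`, `to_logical_pos`, `lookup_unchecked` and `lookup_checked` are hypothetical names, and the block sizes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-ins: Row plays the part of a signed row index (like SCROW),
// BlockStore is a toy block-partitioned column store. Not LibreOffice or mdds code.
using Row = std::int32_t;
constexpr Row kMaxRow = 1048575;            // logical size 1048576, as in the report

template <typename SizeT>
SizeT to_logical_pos(Row row) {             // the implicit conversion, made explicit
    return static_cast<SizeT>(row);         // -1 wraps to the maximum value of SizeT
}

struct BlockStore {
    std::vector<std::size_t> block_sizes{5, 1048571};   // constructed: sums to 1048576
    // Returns the index of the block holding pos; throws if pos is out of range.
    std::size_t block_position(std::size_t pos) const {
        std::size_t start = 0;
        for (std::size_t i = 0; i < block_sizes.size(); ++i) {
            if (pos < start + block_sizes[i]) return i;
            start += block_sizes[i];
        }
        throw std::out_of_range("block position not found! (logical pos=" +
                                std::to_string(pos) + ")");
    }
};

// Unchecked path: the signed row is converted silently on the way in.
std::size_t lookup_unchecked(const BlockStore& s, Row row) {
    return s.block_position(to_logical_pos<std::size_t>(row));
}

// Checked path: reject an invalid row before it reaches the unsigned API.
bool lookup_checked(const BlockStore& s, Row row, std::size_t& block) {
    if (row < 0 || row > kMaxRow) return false;
    block = s.block_position(static_cast<std::size_t>(row));
    return true;
}

int main() {
    BlockStore s; std::size_t b = 0;
    std::cout << to_logical_pos<std::uint32_t>(-1) << "\n";   // 32-bit size type
    std::cout << to_logical_pos<std::uint64_t>(-1) << "\n";   // 64-bit size type
    std::cout << std::boolalpha << lookup_checked(s, -1, b) << "\n";
    try { lookup_unchecked(s, -1); } catch (const std::out_of_range& e) { std::cout << e.what() << "\n"; }
}
```

The two wrapped values match the two "logical pos" figures quoted in the error messages earlier in the thread, which differ only in the width of the size type of the build that produced them.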
Aron/Xisco: how did you get the bt? Indeed, I got a popup error. If I Ctrl-C gdb, I get a bt from the code which manages the popup; then, if I continue gdb, it stops without a bt. The popup may be useful, but in this case it prevents me from retrieving a bt.
(In reply to Julien Nabet from comment #8)
> Aron/Xisco: how did you get the bt?

I debugged in the code. The message contains the line number where the exception is triggered (but it's in the mdds source code, and a bit difficult to find). This is the line:
https://gitlab.com/mdds/mdds/blob/master/include/mdds/multi_type_vector_def.inl#L795
My code is just exposing a bug in another place.
Markus Mohrhard committed a patch related to this issue. It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=951fcc6556346e19a028443c70dea27d0cbc9c36

tdf#106456, don't try to use invalid ranges in external ref code

It will be available in 5.4.0.

The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Markus Mohrhard committed a patch related to this issue. It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=8137bcb9c2915b179c541154cee050a11c54ba59

add test for tdf#106456

It will be available in 5.4.0.
Markus Mohrhard committed a patch related to this issue. It has been pushed to "libreoffice-5-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=20bcaeb0f8509e4b12d72d4612b5f3c9bfde3489&h=libreoffice-5-3

tdf#106456, don't try to use invalid ranges in external ref code

It will be available in 5.3.2.
Won't it be corrected in version 5.2.x (5.2.6)?
The fix for 5.2 is in gerrit at the moment: https://gerrit.libreoffice.org/#/c/35188/ Once it's merged, it'll be part of the next 5.2 update (5.2.7 is planned to be the final one).
Markus Mohrhard committed a patch related to this issue. It has been pushed to "libreoffice-5-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=057889ab6daa159558f5a90bc03d987500d65b04&h=libreoffice-5-2

tdf#106456, don't try to use invalid ranges in external ref code

It will be available in 5.2.7.