Created attachment 138678 [details] Sample Document with source Steps how to reproduce with Version: 5.4.4.2 (x64) Build-ID: 2524958677847fb3bb44820e40380acbe820f960 CPU-Threads: 4; BS: Windows 6.1; UI-Render: Standard; Gebietsschema: de-DE (de_DE); Calc: group, my default user profile, Tango theme: 1. Open attached SampleSource_crash_002.ods 2. Using Mouse _select (highlight) A1:O7 → <ctrl+c> for COPY' 3. Open new Writer document 'File → New → Text Document' 4. Click into Writer Document 5. In Standard Toolbar 'click Paste▼ (for paste special) → GDI Metafile Bug: CRASH :-( Crash Reason = EXCEPTION_ACCESS_VIOLATION_READ a) also crashes with step 5 in DRAW or Presentation document b) also crashes with new User Profile created for this test c) Still REPRODUCIBLE with Version: 6.1.0.0.alpha0+ (x64) Build ID: c926a1e34672afaa5b7de0e3b08b1537e88fbb6f CPU threads: 4; OS: Windows 6.1; UI render: default; TinderBox: Win-x86_64@42, Branch:master, Time: 2017-12-24_01:10:03 Locale: de-DE (de_DE); Calc: CL d) Was still ok with Release 4.2.4.2 (2014-06-09) own user profile Build ID 63150712c6d317d27ce2db16eb94c2f3d7b699f8 e) I only found 1 possible DUP "Bug 79905 - EDITING: Crash when copy paste cell range as GDI Metafile to Draw or Writer " But that crash is not reproducible for me with 5.4.4.2 f) No crash if I do 'Paste Special' for all other possible formats before I try GDI in Step 5 g) Some Crash-ID: <http://crashreport.libreoffice.org/stats/crash_details/47788c77-99b3-42dd-9e26-bbdb97bed4cd> c3ac7302-dcd3-47d9-8bb1-20253f102d48 0f07579d-6764-4975-b652-35c017bd24ab 077ccfe0-552e-4f64-aaca-77f4c9be9e0c b9c111ae-1dba-4802-806e-112b0c490a9a 6c85458a-68e8-490f-bc47-f39407b5cfb8 7b559977-896e-48d9-bbba-7fa16b5428dc
(f) 'Paste Special as calc8' does the trick. Afterwards (after having undone the paste special as calc8) I can paste as GDI Metafile without problems.
Regression introduced by: author Kohei Yoshida <kohei.yoshida@collabora.com> 2014-03-08 17:40:32 -0500 committer Kohei Yoshida <kohei.yoshida@collabora.com> 2014-03-08 18:09:51 -0500 commit 3cea6bb57757ce085f01f0b86b000cfc0592dca7 (patch) tree b490e8d8f4cea61a85e2da27314f509307b7b06a parent 5d2e7cbf6433ecced0ecac46b3abdaf97b82880b (diff) More consistent number format inheritence policy. The new policy is to always inherit number format of a formula cell from its reference unless the cell already has an explicit number format set. Also to avoid recalculating formula cells on load just because they have the 'General' number format. This leads to excessive re-calculation of formula cells upon load even when the cells already have results cached. Bisected with: bibisect-43max Adding Cc: to Kohei Yoshida
Created attachment 138702 [details] bt with debug symbols On pc Debian x86-64 with master sources updated today, I could reproduce this. I attached a bt with symbols.
Yep, could not reproduce on a x64 Linux box with a fresh master build.
Yep, could reproduce on a x64 Linux box with a fresh master build.
Sorry for the typo. I *could* indeed reproduce.
Valgrind output: > ==9144== Invalid read of size 8 > ==9144== at 0x3DF8A485: std::__uniq_ptr_impl<SfxItemSet, std::default_delete<SfxItemSet> >::_M_ptr() const (unique_ptr.h:147) > ==9144== by 0x3DF8A404: std::unique_ptr<SfxItemSet, std::default_delete<SfxItemSet> >::get() const (unique_ptr.h:337) > ==9144== by 0x3DF856FC: std::unique_ptr<SfxItemSet, std::default_delete<SfxItemSet> >::operator*() const (unique_ptr.h:322) > ==9144== by 0x3DF83328: SfxSetItem::GetItemSet() const (poolitem.hxx:296) > ==9144== by 0x3E5C972A: ScPatternAttr::GetItem(unsigned short, SfxItemSet const*) const (patattr.cxx:1290) > ==9144== by 0x3E1B7297: SfxBoolItem const& ScPatternAttr::GetItem<SfxBoolItem>(TypedWhichId<SfxBoolItem>, SfxItemSet const*) const (patattr.hxx:81) > ==9144== by 0x3F566C35: ScOutputData::LayoutStrings(bool, bool, ScAddress const&) (output2.cxx:1645) > ==9144== by 0x3F5657AB: ScOutputData::DrawStrings(bool) (output2.cxx:1440) > ==9144== by 0x3F5A8864: ScPrintFunc::DrawToDev(ScDocument*, OutputDevice*, double, tools::Rectangle const&, ScViewData*, bool) (printfun.cxx:598) > ==9144== by 0x3EF6C19F: ScDocShell::Draw(OutputDevice*, JobSetup const&, unsigned short) (docsh4.cxx:2029) > ==9144== by 0xAD1F6EA: SfxObjectShell::DoDraw_Impl(OutputDevice*, Point const&, Fraction const&, Fraction const&, JobSetup const&, unsigned short) (objembed.cxx:232) > ==9144== by 0xAD1F0F8: SfxObjectShell::DoDraw(OutputDevice*, Point const&, Size const&, JobSetup const&, unsigned short) (objembed.cxx:179) > ==9144== Address 0x4aff5420 is 16 bytes inside a block of size 48 free'd > ==9144== at 0x4C311E8: operator delete(void*) (vg_replace_malloc.c:576) > ==9144== by 0x3E5BF451: ScPatternAttr::~ScPatternAttr() (patattr.cxx:105) > ==9144== by 0xB62A8F9: SfxItemPool::Remove(SfxPoolItem const&) (itempool.cxx:769) > ==9144== by 0x3DF77EFB: ScAttrArray::SetPatternArea(int, int, ScPatternAttr const*, bool, ScEditDataArray*) (attarray.cxx:561) > ==9144== by 0x3DF78AEA: ScAttrArray::SetPattern(int, ScPatternAttr const*, bool) (attarray.cxx:378) > ==9144== by 0x3E109069: ScColumn::ApplyAttr(int, SfxPoolItem const&) (column.cxx:720) > ==9144== by 0x3E1A9BDF: ScColumn::SetNumberFormat(int, unsigned int) (column2.cxx:2941) > ==9144== by 0x3E62461A: ScTable::SetNumberFormat(short, int, unsigned int) (table2.cxx:1954) > ==9144== by 0x3E347A6D: ScDocument::SetNumberFormat(ScAddress const&, unsigned int) (document.cxx:3716) > ==9144== by 0x3E547FFD: ScFormulaCell::InterpretTail(ScInterpreterContext&, ScFormulaCell::ScInterpretTailParameter) (formulacell.cxx:1997) > ==9144== by 0x3E543F84: ScFormulaCell::Interpret() (formulacell.cxx:1536) > ==9144== by 0x3E541A84: ScFormulaCell::MaybeInterpret() (formulacell.cxx:2583) > ==9144== Block was alloc'd at > ==9144== at 0x4C301CA: operator new(unsigned long) (vg_replace_malloc.c:334) > ==9144== by 0x3E5BF493: ScPatternAttr::Clone(SfxItemPool*) const (patattr.cxx:110) > ==9144== by 0xB629B28: SfxItemPool::Put(SfxPoolItem const&, unsigned short) (itempool.cxx:686) > ==9144== by 0x3E2A677B: ScDocumentPool::Put(SfxPoolItem const&, unsigned short) (docpool.cxx:335) > ==9144== by 0x3E5C8099: ScPatternAttr::PutInPool(ScDocument*, ScDocument*) const (patattr.cxx:1071) > ==9144== by 0x3DF8220F: ScAttrArray::CopyArea(int, int, long, ScAttrArray&, ScMF) const (attarray.cxx:2433) > ==9144== by 0x3DF8243A: ScAttrArray::CopyAreaSafe(int, int, long, ScAttrArray&) (attarray.cxx:2460) > ==9144== by 0x3E1D10B9: ScColumn::CopyFromClip(sc::CopyFromClipContext&, int, int, long, ScColumn&) (column3.cxx:1134) > ==9144== by 0x3E61D204: ScTable::CopyFromClip(sc::CopyFromClipContext&, short, int, short, int, short, int, ScTable*) (table2.cxx:675) > ==9144== by 0x3E3411C9: ScDocument::CopyBlockFromClip(sc::CopyFromClipContext&, short, int, short, int, ScMarkData const&, short, int) (document.cxx:2646) > ==9144== by 0x3E342E3B: ScDocument::CopyFromClip(ScRange const&, ScMarkData const&, InsertDeleteFlags, ScDocument*, ScDocument*, bool, bool, bool, bool, ScRangeList const*) (document.cxx:2954) > ==9144== by 0x3EDD6B6C: ScTransferObj::InitDocShell(bool) (transobj.cxx:698) >
Confirmed in Windows 10 x64 Home Version 1803 and sent crash report to https://crashreport.libreoffice.org which noted: Bug reports for SfxItemSet::Get(unsigned short,bool): tdf#103073 tdf#104266 tdf#106557 tdf#107959 tdf#114710 Version: 6.0.4.2 (x64) Build ID: 9b0d9b32d5dcda91d2f1a96dc04c645c450872bf CPU threads: 8; OS: Windows 10.0; UI render: GL; Locale: en-US (en_US); Calc: group
I'll give it a try.
Dennis Francis committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=37f6e5de1e72d209b0892734f4de5c4d8a849885 tdf#114710 : Fixes crash when pasting as GDI metafile It will be available in 6.2.0. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
The fix is in master, backport to 6.1 is going on ( https://gerrit.libreoffice.org/55618 )
Verified in Version: 6.2.0.0.alpha0+ Build ID: 4c6e11886a9d396bf7be18e9e3209a73c6e303ad CPU threads: 4; OS: Linux 4.13; UI render: default; VCL: gtk3; Locale: ca-ES (ca_ES.UTF-8); Calc: group threaded @Dennis, Thanks for fixing this!! Should it be backported to 6.0 as well ?
Dennis Francis committed a patch related to this issue. It has been pushed to "libreoffice-6-0": http://cgit.freedesktop.org/libreoffice/core/commit/?id=5ddeed368855eb1bde1d9e972896bb774c71f277&h=libreoffice-6-0 tdf#114710 : Fixes crash when pasting as GDI metafile It will be available in 6.0.6. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Dennis Francis committed a patch related to this issue. It has been pushed to "libreoffice-6-1": http://cgit.freedesktop.org/libreoffice/core/commit/?id=b87791384558c970707c6b24656779be88f2de17&h=libreoffice-6-1 tdf#114710 : Fixes crash when pasting as GDI metafile It will be available in 6.1.0.1. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Xisco Fauli committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/2dbc9266ec2207c2719c0104168cfcad9f6948da tdf#114710: sc: Add UItest It will be available in 7.2.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.