Created attachment 159957 [details] Spreadsheet in which I encountered the issue See the attached spreadsheet. On the "Increasing Distance" sheet (third last tab) go to cell H220 The formula is =SUMIFS($H$2:$H$198,B$2:B$198,G220) Change the range from $H$2:$H$198 to $H$2:$BD$198 This reliably (3 times now) crashes LibreOffice. A dialog box with the title "LibreOffice 6.4 - Fatal error" appears. The message is "vector::_M_fill_insert". When this acknowledged the entire application is closed. Info from About: Version: 6.4.3.2 Build ID: 747b5d0ebf89f41c860ec2a39efd7cb15b54f2d8 CPU threads: 4; OS: Linux 4.15; UI render: default; VCL: gtk3; Locale: en-GB (en_GB.UTF-8); UI-Language: en-US Calc: threaded I'm running on Xubuntu 18.04 LTS I don't have time currently to do any more testing and don't have any other versions of LO installed or other OSes available.
Confirmed Version: 6.4.3.2 (x64) Build ID: 747b5d0ebf89f41c860ec2a39efd7cb15b54f2d8 CPU threads: 4; OS: Windows 10.0 Build 19613; UI render: GL; VCL: win; Locale: es-ES (es_ES); UI-Language: en-US Calc: CL Version: 7.0.0.0.alpha0+ (x64) Build ID: 951b6a9570ae2665f7b6e7cdd6d24d1fc513ba90 CPU threads: 4; OS: Windows 10.0 Build 19613; UI render: Skia/Raster; VCL: win; Locale: es-ES (es_ES); UI-Language: en-US Calc: threaded
I've just discovered the same result occurs using MAXIFS
After some debugging on gdb I found a code pointer. 6056 // initialize temporary result matrix 6057 if (vConditions.empty()) 6058 vConditions.resize( nDimensionCols * nDimensionRows, 0); See https://opengrok.libreoffice.org/xref/core/sc/source/core/tool/interpr1.cxx?r=dbda099d#6058 nDimensionCols = -42 Before this block: nCol1=1 nCol2=1 6029 if (bRangeReduce) 6030 { 6031 nCol1 += nStartColDiff; 6032 nRow1 += nStartRowDiff; 6033 6034 nCol2 += nEndColDiff; 6035 nRow2 += nEndRowDiff; 6036 } After: nCol1=1 nCol2=-42
Eike: Following my last comment, I don't know if we must dig about why nEndColDiff is negative and so nCol2 then nDimensionCols is negative or if this straightforward patch would be sufficient: diff --git a/sc/source/core/tool/interpr1.cxx b/sc/source/core/tool/interpr1.cxx index 03a8f46731a6..58d4fc2de725 100644 --- a/sc/source/core/tool/interpr1.cxx +++ b/sc/source/core/tool/interpr1.cxx @@ -6045,6 +6045,11 @@ void ScInterpreter::IterateParametersIfs( double(*ResultFunc)( const sc::ParamIf PushError ( FormulaError::IllegalArgument); return; } + if ( (nDimensionCols <= 0) || (nDimensionRows <= 0) ) + { + PushError ( FormulaError::IllegalArgument); + return; + } // recalculate matrix values if (nGlobalError != FormulaError::NONE) (It avoids crash and displays Err:502 for the cell) Any thoughts?
No repro in 6.0 but repro in 6.2 on macOS => regression
Bibisected to the libreoffice-6-2 backport of the following commit using repo bibisect-linux-64-6.2. Adding CC: to Dennis Francis. https://cgit.freedesktop.org/libreoffice/core/commit/?id=03b352b9599514e4e244e1907510713cf1331284 author Dennis Francis <dennis.francis@collabora.com> 2018-12-06 00:09:59 +0530 committer Dennis Francis <dennis.francis@collabora.com> 2018-12-10 16:25:16 +0100 Find actual data area inside the main-range...
Luboš Luňák committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/21cff8d14e2396a964cf9f2e4af1d43efdadb5c1 detect inconsistent SUMIFS() ranges when range reducing (tdf#132431) It will be available in 7.1.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Verified in Version: 7.1.0.0.alpha0+ Build ID: 49ce4bf15c1769b7427dd4d828e586c1e896f928 CPU threads: 4; OS: Linux 4.19; UI render: default; VCL: gtk3 Locale: en-US (en_US.UTF-8); UI: en-US Calc: threaded @Luboš Luňák, thanks for fixing this issue!
Luboš Luňák committed a patch related to this issue. It has been pushed to "libreoffice-7-0": https://git.libreoffice.org/core/commit/c6ee4036e40556dd79f99bf890786b3666cf9ee7 detect inconsistent SUMIFS() ranges when range reducing (tdf#132431) It will be available in 7.0.0.1. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Xisco Fauli committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/399f1f8e2458e672c6f78ad8775b4c73aece0e73 tdf#132431: sc: Add unittest It will be available in 7.1.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Luboš Luňák committed a patch related to this issue. It has been pushed to "libreoffice-6-4": https://git.libreoffice.org/core/commit/f86ba65165bdb208c55f847d35113dbbbe195301 detect inconsistent SUMIFS() ranges when range reducing (tdf#132431) It will be available in 6.4.6. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Luboš Luňák committed a patch related to this issue. It has been pushed to "libreoffice-6-4-5": https://git.libreoffice.org/core/commit/61b6a318c46116df07a97895ab55be35bb467902 detect inconsistent SUMIFS() ranges when range reducing (tdf#132431) It will be available in 6.4.5. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Noel Grandin committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/57a1d8d2c3ce8741c0bfbaa66160f6091a1c7f68 crash in tdf132431-1.ods --export-to xls It will be available in 7.3.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.