Created attachment 96617
Sample spreadsheet used to reproduce bug

This is a spreadsheet containing some simple calculations. I wanted to get subtotals like this:

"Data" -> "Subtotals"
1st Group: Group by "Planning" (no sums at this point)
2nd Group: Group by "Lot", and calculate subtotals for "Budget"
On the Options, the "Pre-sort area" is checked.

Hitting "OK" then makes LibreOffice crash.

Using gdb:
Program received signal SIGSEGV, Segmentation fault.
ScFormulaCell::IsShared (this=this@entry=0x71) at /build/buildd/libreoffice-4.2.3~rc2/sc/source/core/data/formulacell.cxx:4013

Also note that this test is done on Ubuntu 14.04 Beta 2 (Unity version).
Doing the same test while unchecking the "Pre-sort area" makes LibreOffice work.
Just for the record, on pc Debian x86-64 with master sources updated today, I can't reproduce this.
I can reproduce with:

Win7x64Ultimate

Versión: 4.2.3.2
Id. de compilación: 7c5c769e412afd32da4d946d2cb0c8b0674e95e0

Version: 4.2.4.0.0+
Build ID: d6bc8ed3356d88231cca0306790f300517b7fae2
TinderBox: Win-x86@42, Branch:libreoffice-4-2, Time: 2014-03-28_16:43:41

Version: 4.3.0.0.alpha0+
Build ID: b6a43bcbbf9e9a5655fd36fd4c8ef72d585f67b0
TinderBox: Win-x86@39, Branch:master, Time: 2014-03-30_06:16:21

What I can get from Windbg with 4.3.0.0:
-----------------------------------------------------------------------
ModLoad: 59380000 59484000 C:\Users\MARV\Downloads\LibreOfficeMaster\program\scuilo.dll
(4b0.c88): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00b7cff8 ebx=00000000 ecx=0000001c edx=00b7cff8 esi=00b7d058 edi=00000000
eip=5a1022ed esp=00b7cfac ebp=00b7cfb0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
sclo!boost::intrusive_ptr<ScFormulaCellGroup>::intrusive_ptr<ScFormulaCellGroup>+0xd:
5a1022ed 8b11 mov edx,dword ptr [ecx] ds:002b:0000001c=????????
0:000> g
(4b0.c88): C++ EH exception - code e06d7363 (first chance)
eax=00000000 ebx=00fc0880 ecx=00000000 edx=00000000 esi=74321710 edi=74321710
eip=77dafcc2 esp=00b7beb8 ebp=00b7bf18 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!ZwTerminateProcess+0x12:
77dafcc2 83c404 add esp,4
0:000> kjhkl
Couldn't resolve error at 'jhkl'
0:000>
0:000>
0:000>
0:000>
0:000>
0:000>
0:000>
0:000>
0:000>
0:000> Version: 4.2.4.0.0+
^ Syntax error in 'Version: 4.2.4.0.0+'
0:000> Build ID: d6bc8ed3356d88231cca0306790f300517b7fae2
*** Bp expression 'ild ' contains symbols not qualified with module name.
Couldn't resolve error at 'ID: d6bc8ed3356d88231cca0306790f300517b7fae2'
0:000> TinderBox: Win-x86@42, Branch:libreoffice-4-2, Time: 2014-03-28_16:43:41
^ No runnable debuggees error in 'TinderBox: Win-x86@42, Branch:libreoffice-4-2, Time: 2014-03-28_16:43:41'
0:000> g
^ No runnable debuggees error in 'g'
-----------------------------------------------------------------------
Created attachment 96744
bt with symbols

I'm really sorry, I had badly followed the steps to reproduce this.
I finally got the crash and so attached the bt.
this patch: diff --git a/sc/source/core/data/column.cxx b/sc/source/core/data/column.cxx index f48a961..4db8499 100644 --- a/sc/source/core/data/column.cxx +++ b/sc/source/core/data/column.cxx 
@@ -2392,6 +2392,8 @@ public: // the next cell in the next iteration. size_t nOffsetToLast = pCell->GetSharedLength() - 1; std::advance(it, nOffsetToLast); + if (it == itEnd) + break; } } } brings another crash: /usr/include/c++/4.8/debug/safe_iterator.h:360:error: attempt to advance a dereferenceable iterator 7 steps, which falls outside its valid range. Objects involved in the operation: iterator @ 0x0x7fffffff2020 { type = N11__gnu_debug14_Safe_iteratorIN9__gnu_cxx17__normal_iteratorIPP13ScFormulaCellNSt9__cxx19986vectorIS4_SaIS4_EEEEENSt7__debug6vectorIS4_S8_EEEE (mutable iterator); state = dereferenceable; references sequence with type `NSt7__debug6vectorIP13ScFormulaCellSaIS2_EEE' @ 0x0x7fffffff2020 } Program received signal SIGABRT, Aborted. 0x00002aaaab2893a9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 56 ../nptl/sysdeps/unix/sysv/linux/raise.c: Aucun fichier ou dossier de ce type. (gdb) bt #0 0x00002aaaab2893a9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00002aaaab28c4c8 in __GI_abort () at abort.c:89 #2 0x00002aaaabcd5815 in __gnu_debug::_Error_formatter::_M_error() const () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 #3 0x00002aaac828b77a in __gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<ScFormulaCell**, std::__cxx1998::vector<ScFormulaCell*, std::allocator<ScFormulaCell*> > >, std::__debug::vector<ScFormulaCell*, std::allocator<ScFormulaCell*> > >::operator+= (this=0x7fffffff2020, __n=@0x7fffffff1f70: 7) at /usr/include/c++/4.8/debug/safe_iterator.h:358 #4 0x00002aaac82a18ea in std::__advance<__gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<ScFormulaCell**, std::__cxx1998::vector<ScFormulaCell*, std::allocator<ScFormulaCell*> > >, std::__debug::vector<ScFormulaCell*, std::allocator<ScFormulaCell*> > >, long> (__i=..., __n=7) at /usr/include/c++/4.8/bits/stl_iterator_base_funcs.h:156 #5 0x00002aaac83903c9 in 
std::advance<__gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<ScFormulaCell**, std::__cxx1998::vector<ScFormulaCell*, std::allocator<ScFormulaCell*> > >, std::__debug::vector<ScFormulaCell*, std::allocator<ScFormulaCell*> > >, int> (__i=..., __n=7) at /usr/include/c++/4.8/bits/stl_iterator_base_funcs.h:177 #6 0x00002aaac8816022 in sc::SharedFormulaUtil::splitFormulaCellGroup (aPos=...) at /home/julien/compile-libreoffice/libo/sc/source/core/tool/sharedformula.cxx:71 #7 0x00002aaac88163a2 in sc::SharedFormulaUtil::splitFormulaCellGroups (rCells=..., rBounds=...) at /home/julien/compile-libreoffice/libo/sc/source/core/tool/sharedformula.cxx:95 #8 0x00002aaac82bd6b5 in ScColumn::UpdateReference (this=0x2aaada0265b0, rCxt=..., pUndoDoc=0x0) at /home/julien/compile-libreoffice/libo/sc/source/core/data/column.cxx:2758 #9 0x00002aaac86089da in ScTable::UpdateReference (this=0x2aaada026010, rCxt=..., pUndoDoc=0x0, bIncludeDraw=false, bUpdateNoteCaptionPos=true) at /home/julien/compile-libreoffice/libo/sc/source/core/data/table1.cxx:1493 #10 0x00002aaac8412a5d in ScDocument::UpdateReference (this=0x1ac5f18, rCxt=..., pUndoDoc=0x0, bIncludeDraw=false, bUpdateNoteCaptionPos=true) at /home/julien/compile-libreoffice/libo/sc/source/core/data/documen3.cxx:1042 #11 0x00002aaac844c1dc in ScDocument::InsertRow (this=0x1ac5f18, nStartCol=0, nStartTab=0, nEndCol=1023, nEndTab=0, nStartRow=33, nSize=1, pRefUndoDoc=0x0, pTabMark=0x0) at /home/julien/compile-libreoffice/libo/sc/source/core/data/document.cxx:1253
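Review bot: The "if (it == itEnd) break;" check in the column.cxx hunk runs after std::advance(it, nOffsetToLast), so it cannot stop an advance that overshoots. If pCell->GetSharedLength() - 1 is larger than the number of cells left before itEnd, the iterator is already out of range when the comparison happens, and an equality test does not detect a position past itEnd. Compare the remaining distance, std::distance(it, itEnd), with nOffsetToLast before advancing, and break or clamp at that point. nOffsetToLast is a size_t, so a shared length of 0 would wrap to a very large offset; that case deserves its own guard. The abort in the trace that follows is raised from std::advance at sharedformula.cxx:71 (splitFormulaCellGroup), a call this hunk does not touch, so that call needs its own bound check as well.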
Kohei/Markus/Eike: one for you?
No crash on Linux with master, current 4-3 (to be 4.3.2) or 4-2 (to be 4.2.7).
I presume this was fixed with some other bug in the meantime.