Bug 76795 - Crash when asking subtotals on 2 groups with pre-sort area checked
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc
(earliest affected) rc
Hardware: x86-64 (AMD64) All
: medium major
Assignee: Not Assigned
Keywords: haveBacktrace
Depends on:
Reported: 2014-03-30 13:34 UTC by Thierry Mallard
Modified: 2014-09-16 20:40 UTC

Sample spreadsheet used to reproduce bug (64.25 KB, application/vnd.oasis.opendocument.spreadsheet)
2014-03-30 13:34 UTC, Thierry Mallard
bt with symbols (9.09 KB, text/plain)
2014-04-01 20:02 UTC, Julien Nabet

Description Thierry Mallard 2014-03-30 13:34:38 UTC
Created attachment 96617
Sample spreadsheet used to reproduce bug

This is a spreadsheet containing some simple calculations.

I wanted to get subtotals like this:
"Data" -> "Subtotals"
1st Group: Group by "Planning" (no sums at this point)
2nd Group: Group by "Lot", and calculate subtotals for "Budget"
On the Options, the "Pre-sort area" is checked.

Hitting "OK" then makes LibreOffice crash.
Using gdb:
Program received signal SIGSEGV, Segmentation fault.
ScFormulaCell::IsShared (this=this@entry=0x71) at /build/buildd/libreoffice-4.2.3~rc2/sc/source/core/data/formulacell.cxx:4013

Also note that this test is done on Ubuntu 14.04 Beta 2 (Unity version)

Doing the same test while unchecking the "Pre-sort area" makes LibreOffice work.
Comment 1 Julien Nabet 2014-03-30 14:52:14 UTC
Just for the record, on pc Debian x86-64 with master sources updated today, I can't reproduce this.
Comment 2 m.a.riosv 2014-03-31 00:22:20 UTC
I can reproduce with:
Versión: Id. de compilación: 7c5c769e412afd32da4d946d2cb0c8b0674e95e0
Version: Build ID: d6bc8ed3356d88231cca0306790f300517b7fae2
   TinderBox: Win-x86@42, Branch:libreoffice-4-2, Time: 2014-03-28_16:43:41
Version: Build ID: b6a43bcbbf9e9a5655fd36fd4c8ef72d585f67b0
   TinderBox: Win-x86@39, Branch:master, Time: 2014-03-30_06:16:21

What I can get from Windbg with
ModLoad: 59380000 59484000   C:\Users\MARV\Downloads\LibreOfficeMaster\program\scuilo.dll
(4b0.c88): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00b7cff8 ebx=00000000 ecx=0000001c edx=00b7cff8 esi=00b7d058 edi=00000000
eip=5a1022ed esp=00b7cfac ebp=00b7cfb0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
5a1022ed 8b11            mov     edx,dword ptr [ecx]  ds:002b:0000001c=????????
0:000> g
(4b0.c88): C++ EH exception - code e06d7363 (first chance)
eax=00000000 ebx=00fc0880 ecx=00000000 edx=00000000 esi=74321710 edi=74321710
eip=77dafcc2 esp=00b7beb8 ebp=00b7bf18 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
77dafcc2 83c404          add     esp,4
0:000> kjhkl
Couldn't resolve error at 'jhkl'
0:000> Version:
       ^ Syntax error in 'Version:'
0:000> Build ID: d6bc8ed3356d88231cca0306790f300517b7fae2
*** Bp expression 'ild ' contains symbols not qualified with module name.
Couldn't resolve error at 'ID: d6bc8ed3356d88231cca0306790f300517b7fae2'
0:000> TinderBox: Win-x86@42, Branch:libreoffice-4-2, Time: 2014-03-28_16:43:41
       ^ No runnable debuggees error in 'TinderBox: Win-x86@42, Branch:libreoffice-4-2, Time: 2014-03-28_16:43:41'
0:000> g
       ^ No runnable debuggees error in 'g'
Comment 3 Julien Nabet 2014-04-01 20:02:09 UTC
Created attachment 96744
bt with symbols

I'm really sorry, I had badly followed the steps to reproduce this.
I finally got the crash and so attached the bt.
Comment 4 Julien Nabet 2014-04-01 20:50:23 UTC
This patch:
diff --git a/sc/source/core/data/column.cxx b/sc/source/core/data/column.cxx
index f48a961..4db8499 100644
--- a/sc/source/core/data/column.cxx
+++ b/sc/source/core/data/column.cxx
@@ -2392,6 +2392,8 @@ public:
                 // the next cell in the next iteration.
                 size_t nOffsetToLast = pCell->GetSharedLength() - 1;
                 std::advance(it, nOffsetToLast);
+                if (it == itEnd)
+                    break;
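
Review bot: The `if (it == itEnd) break;` guard sits after `std::advance(it, nOffsetToLast)`, so it runs too late: advancing past `itEnd` is already undefined behaviour, and the guard only catches the case where the iterator lands exactly on `itEnd`. Compare the remaining distance before advancing, for example `if (nOffsetToLast >= static_cast<size_t>(std::distance(it, itEnd))) break;`, and consider an assert or log at that point, because a shared length that runs past the end of the range means the group data is inconsistent and a silent `break` would hide it. `GetSharedLength() - 1` also deserves a guard against a zero length, since the result is stored in a `size_t` and would wrap to a very large offset.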

brings another crash:
/usr/include/c++/4.8/debug/safe_iterator.h:360:error: attempt to advance a 
    dereferenceable iterator 7 steps, which falls outside its valid range.

Objects involved in the operation:
iterator @ 0x0x7fffffff2020 {
type = N11__gnu_debug14_Safe_iteratorIN9__gnu_cxx17__normal_iteratorIPP13ScFormulaCellNSt9__cxx19986vectorIS4_SaIS4_EEEEENSt7__debug6vectorIS4_S8_EEEE (mutable iterator);
  state = dereferenceable;
  references sequence with type `NSt7__debug6vectorIP13ScFormulaCellSaIS2_EEE' @ 0x0x7fffffff2020

Program received signal SIGABRT, Aborted.
0x00002aaaab2893a9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: Aucun fichier ou dossier de ce type.
(gdb) bt
#0  0x00002aaaab2893a9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00002aaaab28c4c8 in __GI_abort () at abort.c:89
#2  0x00002aaaabcd5815 in __gnu_debug::_Error_formatter::_M_error() const () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#3  0x00002aaac828b77a in __gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<ScFormulaCell**, std::__cxx1998::vector<ScFormulaCell*, std::allocator<ScFormulaCell*> > >, std::__debug::vector<ScFormulaCell*, std::allocator<ScFormulaCell*> > >::operator+= (this=0x7fffffff2020, __n=@0x7fffffff1f70: 7)
    at /usr/include/c++/4.8/debug/safe_iterator.h:358
#4  0x00002aaac82a18ea in std::__advance<__gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<ScFormulaCell**, std::__cxx1998::vector<ScFormulaCell*, std::allocator<ScFormulaCell*> > >, std::__debug::vector<ScFormulaCell*, std::allocator<ScFormulaCell*> > >, long> (__i=..., __n=7) at /usr/include/c++/4.8/bits/stl_iterator_base_funcs.h:156
#5  0x00002aaac83903c9 in std::advance<__gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<ScFormulaCell**, std::__cxx1998::vector<ScFormulaCell*, std::allocator<ScFormulaCell*> > >, std::__debug::vector<ScFormulaCell*, std::allocator<ScFormulaCell*> > >, int> (__i=..., __n=7) at /usr/include/c++/4.8/bits/stl_iterator_base_funcs.h:177
#6  0x00002aaac8816022 in sc::SharedFormulaUtil::splitFormulaCellGroup (aPos=...) at /home/julien/compile-libreoffice/libo/sc/source/core/tool/sharedformula.cxx:71
#7  0x00002aaac88163a2 in sc::SharedFormulaUtil::splitFormulaCellGroups (rCells=..., rBounds=...)
    at /home/julien/compile-libreoffice/libo/sc/source/core/tool/sharedformula.cxx:95
#8  0x00002aaac82bd6b5 in ScColumn::UpdateReference (this=0x2aaada0265b0, rCxt=..., pUndoDoc=0x0) at /home/julien/compile-libreoffice/libo/sc/source/core/data/column.cxx:2758
#9  0x00002aaac86089da in ScTable::UpdateReference (this=0x2aaada026010, rCxt=..., pUndoDoc=0x0, bIncludeDraw=false, bUpdateNoteCaptionPos=true)
    at /home/julien/compile-libreoffice/libo/sc/source/core/data/table1.cxx:1493
#10 0x00002aaac8412a5d in ScDocument::UpdateReference (this=0x1ac5f18, rCxt=..., pUndoDoc=0x0, bIncludeDraw=false, bUpdateNoteCaptionPos=true)
    at /home/julien/compile-libreoffice/libo/sc/source/core/data/documen3.cxx:1042
#11 0x00002aaac844c1dc in ScDocument::InsertRow (this=0x1ac5f18, nStartCol=0, nStartTab=0, nEndCol=1023, nEndTab=0, nStartRow=33, nSize=1, pRefUndoDoc=0x0, pTabMark=0x0)
    at /home/julien/compile-libreoffice/libo/sc/source/core/data/document.cxx:1253
Comment 5 Julien Nabet 2014-04-01 21:24:59 UTC
Kohei/Markus/Eike: one for you?
Comment 6 Eike Rathke 2014-09-16 20:40:09 UTC
No crash on Linux with master, current 4-3 (to be 4.3.2) or 4-2 (to be 4.2.7)

I presume this was fixed with some other bug in the meantime.