Created attachment 97818: calc document

Copying a range of cells with formulas and pasting it in Writer makes LibreOffice crash. I reduced the calc document to a minimal document with which the crash can be reproduced (calc document will be uploaded after creating the bug report).

Steps to reproduce:
- open a new writer document
- open attached calc document
- select cell range A17-A23
- copy (Ctrl-C)
- go to writer document
- paste (Ctrl-V)
- LibreOffice crashes and restarts with recovery

O/S: Windows 7
LibreOffice version: 4.2.3.3 and 4.2.4.1
MS windbg output of access violation plus !analyze -v:
(translation of "De instructie op 0x%08lx verwijst naar geheugen op 0x%08lx. Een lees- of schrijfbewerking op het geheugen is mislukt" is "The instruction at 0x%08lx refers to memory at 0x%08lx. A read or write operation in memory failed.")
-----
(eb8.10f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
sclo!mdds::__mtv::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1<mdds::mtv::noncopyable_managed_element_block<50,SvtBroadcaster> > >::const_iterator_trait>::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1<mdds::mtv::noncopyable_managed_element_block<50,SvtBroadcaster> > >::const_iterator_trait>+0x3b:
57d88ceb 8b4a04 mov ecx,dword ptr [edx+4] ds:002b:00000005=????????
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                             Exception Analysis                              *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\LibreOffice 4\program\soffice.bin -

FAULTING_IP:
sclo!mdds::__mtv::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1<mdds::mtv::noncopyable_managed_element_block<50,SvtBroadcaster> > >::const_iterator_trait>::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1+3b [c:\cygwin\home\buildslave\build\workdir\unpackedtarball\mdds\include\mdds\multi_type_vector_itr.hpp @ 152]
57d88ceb 8b4a04 mov ecx,dword ptr [edx+4]

EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000057d88ceb (sclo!mdds::__mtv::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1<mdds::mtv::noncopyable_managed_element_block<50,SvtBroadcaster> > >::const_iterator_trait>::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1<mdds::mtv::noncopyable_managed_element_block<50,SvtBroadcaster> > >::const_iterator_trait>+0x000000000000003b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000005
Attempt to read from address 0000000000000005

CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
eax=00c1de08 ebx=00000007 ecx=14bcb894 edx=00000001 esi=14c00fb0 edi=14c00f88
eip=57d88ceb esp=00c1dde4 ebp=00c1dde4 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
sclo!mdds::__mtv::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1<mdds::mtv::noncopyable_managed_element_block<50,SvtBroadcaster> > >::const_iterator_trait>::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1<mdds::mtv::noncopyable_managed_element_block<50,SvtBroadcaster> > >::const_iterator_trait>+0x3b:
57d88ceb 8b4a04 mov ecx,dword ptr [edx+4] ds:002b:00000005=????????

FAULTING_THREAD: 00000000000010f0
PROCESS_NAME: soffice.bin
ERROR_CODE: (NTSTATUS) 0xc0000005 - De instructie op 0x%08lx verwijst naar geheugen op 0x%08lx. Een lees- of schrijfbewerking op het geheugen is mislukt: %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - De instructie op 0x%08lx verwijst naar geheugen op 0x%08lx. Een lees- of schrijfbewerking op het geheugen is mislukt: %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000000000005
READ_ADDRESS: 0000000000000005

FOLLOWUP_IP:
sclo!mdds::__mtv::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1<mdds::mtv::noncopyable_managed_element_block<50,SvtBroadcaster> > >::const_iterator_trait>::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1+3b [c:\cygwin\home\buildslave\build\workdir\unpackedtarball\mdds\include\mdds\multi_type_vector_itr.hpp @ 152]
57d88ceb 8b4a04 mov ecx,dword ptr [edx+4]

NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
APP: soffice.bin
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
BUGCHECK_STR: APPLICATION_FAULT_NULL_CLASS_PTR_READ_ZEROED_STACK
PRIMARY_PROBLEM_CLASS: NULL_CLASS_PTR_READ
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_READ
LAST_CONTROL_TRANSFER: from 0000000057da063e to 0000000057d88ceb

STACK_TEXT:
00c1dde4 57da063e 11671f5c 11671f60 00000000 sclo!mdds::__mtv::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1<mdds::mtv::noncopyable_managed_element_block<50,SvtBroadcaster> > >::const_iterator_trait>::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1<mdds::mtv::noncopyable_managed_element_block<50,SvtBroadcaster> > >::const_iterator_trait>+0x3b
00c1de2c 57de28d9 00c1de4c 11671f48 00000007 sclo!mdds::multi_type_vector<mdds::mtv::custom_block_func1<mdds::mtv::noncopyable_managed_element_block<50,SvtBroadcaster> > >::position+0x2e
00c1de6c 57f7555d 00c1df04 00000007 122c6120 sclo!ScColumn::EndListening+0x39
00c1de80 57e5c4bc 00c1df04 00000002 00000007 sclo!ScTable::EndListening+0x2d
00c1de9c 57f1aa64 00c1df04 00c1dedc 122c6120 sclo!ScDocument::EndListeningCell+0x2c
00c1dee8 57dd3c66 00c1df04 e5353362 122bde18 sclo!ScFormulaCell::EndListeningTo+0x124
00c1e83c 57dd4234 122bde18 00c1ea58 00c10000 sclo!`anonymous namespace'::UpdateRefOnNonCopy::updateRefOnMove+0x2e6
00c1e864 57dd54ff 00c1e8bc 122bde08 122bde28 sclo!std::_For_each<sc::FormulaGroupEntry *,`anonymous namespace'::UpdateRefOnNonCopy>+0xa4
00c1e8ec 57f5c99c 00c1e880 00000000 00c1ea58 sclo!ScColumn::UpdateReference+0x1ef
00c1e950 57e46709 00c1ea58 00000000 00000000 sclo!ScTable::UpdateReference+0xbc
00c1e9dc 57e77eb9 00000000 00000000 00000000 sclo!ScDocument::UpdateReference+0x2a9
00c1eabc 57e79501 00c1eb0c 00000000 00000010 sclo!ScDocument::CopyBlockFromClip+0x3f9
00c1eba0 581e9e7d 00000010 00c1ebe0 000008ff sclo!ScDocument::CopyFromClip+0x311
00c1ed78 581eaa1d 00000001 e5353436 72490590 sclo!ScTransferObj::InitDocShell+0x33d
00c1ef68 70e2a306 00c1f11c e78757d4 07f560dc sclo!ScTransferObj::GetData+0x38d
00c1f068 70e2642d 07f560dc 00c1f08c 00c1f11c svtlo!TransferableHelper::getTransferData+0x526
00c1f0bc 70e26962 00c1f0dc 00c1f11c e7875740 svtlo!TransferableDataHelper::GetAny+0x10d
00c1f0fc 70e27c79 00c1f11c 00c1f1f8 e7875688 svtlo!TransferableDataHelper::GetInputStream+0x82
00c1f134 54e19c90 00000055 00c1f1f8 e48dea48 svtlo!TransferableDataHelper::GetInputStream+0x89
00c1f3f0 54e1be9e 00c1f4fc 0cdcdaf0 00000055 swlo!SwTransferable::_PasteOLE+0x120
00c1f484 54e1d679 00c1f4fc 00dcdaf0 00002017 swlo!SwTransferable::PasteData+0x53e
00c1f4dc 54e93f89 0cdcdaf0 00c1f4fc e48decc8 swlo!SwTransferable::Paste+0x119
00c1f570 54e943bf 00c1f730 00c1f5cc 704ea923 swlo!SwBaseShell::ExecClpbrd+0x519
00c1f57c 704ea923 0d1f5528 00c1f730 e78752be swlo!SfxStubSwBaseShellExecClpbrd+0xf
00c1f5cc 704eaaa5 0d1f5528 5542ec24 00c1f730 sfxlo!SfxDispatcher::Call_Impl+0x253
00c1f600 702afea4 0d1f5528 5542ec24 00c1f730 sfxlo!SfxDispatcher::_Execute+0x65
00c1f654 702e80d9 00c1f730 5542ec24 0d1f5528 sfxlo!SfxBindings::Execute_Impl+0x324
00c1f77c 702e8e8d 0d1f5528 11a3c568 00c1f7e4 sfxlo!SfxDispatchController_Impl::dispatch+0x709
00c1f7c0 70df77da 07f58e8c 11a3c568 00c1f7e4 sfxlo!SfxOfficeDispatch::dispatch+0xfd
00c1f7fc 70df789f 00000000 00c1f818 72df1ab3 svtlo!svt::AsyncAccelExec::impl_ts_asyncCallback+0x5a
00c1f808 72df1ab3 11a3c558 00000000 00c1f824 svtlo!svt::AsyncAccelExec::LinkStubimpl_ts_asyncCallback+0xf
00c1f818 6fe5ed99 00000000 00c1f834 72df1ab3 tllo!Link::Call+0x13
00c1f824 72df1ab3 11a3c558 00000000 00c1f854 vcllo!vcl::EventPoster::LinkStubDoEvent_Impl+0x19
00c1f834 6ff2ece2 00000000 e7875e29 00000016 tllo!Link::Call+0x13
00c1f854 6ff30334 14b82a80 00000482 7019fd20 vcllo!ImplHandleUserEvent+0x72
00c1f8a0 6ff6935c 04acfd68 04acfeb8 00000016 vcllo!ImplWindowFrameProc+0x3f4
00c1f8b8 6ff71c0a 001a0b78 14b82a80 00000000 vcllo!ImplHandleUserEvent+0x2c
00c1f8f4 6ff721db 001a0b78 00000482 00000000 vcllo!SalFrameWndProc+0x81a
00c1f940 76ac62fa 001a0b78 00000482 00000000 vcllo!SalFrameWndProcW+0x5b
00c1f96c 76ac6d3a 6ff72180 001a0b78 00000482 USER32!InternalCallWinProc+0x23
00c1f9e4 76ac77c4 00000000 6ff72180 001a0b78 USER32!UserCallWinProcCheckWow+0x109
00c1fa44 76ac788a 6ff72180 00000000 00c1fa60 USER32!DispatchMessageWorker+0x3bc
00c1fa54 6ff34bed 00c1fa78 00c1fa94 6ff3ac30 USER32!DispatchMessageW+0xf
00c1fa60 6ff3ac30 00c1fa78 00f1dd30 00000001 vcllo!ImplDispatchMessage+0xd
00c1fa94 6ff3ad40 00000001 00000000 7019fd20 vcllo!ImplSalYield+0x60
00c1fab8 6fbd5c89 00000001 00000000 7374c268 vcllo!WinSalInstance::Yield+0xb0
00c1facc 736df549 e78754bd 011c3378 7019fd20 vcllo!Application::Execute+0x69
00c1fc14 6fbe1987 e7875a39 011c3378 00000000 sofficeapp!desktop::Desktop::Main+0xdd9
00c1fc44 6fbe1a49 00e86120 00c1fcac 736fb90c vcllo!ImplSVMain+0x57
00c1fc50 736fb90c e7875405 00cc4049 7372b298 vcllo!SVMain+0x29
00c1fcac 011c1061 00cc4049 011c1224 011c0000 sofficeapp!soffice_main+0x7c
WARNING: Stack unwind information not available. Following frames may be wrong.
00c1fd48 74f4336a 7efde000 00c1fd94 77679f72 soffice!main+0x51
00c1fd54 77679f72 7efde000 71d7f833 00000000 KERNEL32!BaseThreadInitThunk+0xe
00c1fd94 77679f45 011c13ae 7efde000 00000000 ntdll_77640000!__RtlUserThreadStart+0x70
00c1fdac 00000000 011c13ae 7efde000 00000000 ntdll_77640000!_RtlUserThreadStart+0x1b

STACK_COMMAND: .cxr 0x0 ; kb
FAULTING_SOURCE_LINE: c:\cygwin\home\buildslave\build\workdir\unpackedtarball\mdds\include\mdds\multi_type_vector_itr.hpp
FAULTING_SOURCE_FILE: c:\cygwin\home\buildslave\build\workdir\unpackedtarball\mdds\include\mdds\multi_type_vector_itr.hpp
FAULTING_SOURCE_LINE_NUMBER: 152
FAULTING_SOURCE_CODE: No source found for 'c:\cygwin\home\buildslave\build\workdir\unpackedtarball\mdds\include\mdds\multi_type_vector_itr.hpp'
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: sclo!mdds::__mtv::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1<mdds::mtv::noncopyable_managed_element_block<50,SvtBroadcaster> > >::const_iterator_trait>::iterator_common_base<mdds::multi_type_vector<mdds::mtv::custom_block_func1+3b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: sclo
IMAGE_NAME: sclo.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 534e72d1
BUCKET_ID: X64_APPLICATION_FAULT_NULL_CLASS_PTR_READ_ZEROED_STACK_sclo!mdds::__mtv::iterator_common_base_mdds::multi_type_vector_mdds::mtv::custom_block_func1_mdds::mtv::noncopyable_managed_element_block_50,SvtBroadcaster_____::const_iterator_trait_::iterator_common_bas
FAILURE_BUCKET_ID: NULL_CLASS_PTR_READ_c0000005_sclo.dll!mdds::__mtv::iterator_common_base_mdds::multi_type_vector_mdds::mtv::custom_block_func1_mdds::mtv::noncopyable_managed_element_block_50,SvtBroadcaster_____::const_iterator_trait_::iterator_common_base_mdds::multi_type_vector_mdds::mtv::custom_block_func1
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:null_class_ptr_read_c0000005_sclo.dll!mdds::__mtv::iterator_common_base_mdds::multi_type_vector_mdds::mtv::custom_block_func1_mdds::mtv::noncopyable_managed_element_block_50,svtbroadcaster_____::const_iterator_trait_::iterator_common_base_mdds::multi_type_vector_mdds::mtv::custom_block_func1
FAILURE_ID_HASH: {c35db09c-3511-7e31-e83e-56223c6626ba}
Followup: MachineOwner
---------
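Added example (not part of the original comment or of LibreOffice): a small triage helper that cross-checks the exception record in the WinDbg output above against the faulting instruction and registers. The function names, the 64 KiB near-null threshold and the embedded sample (lines copied from the dump) are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the !analyze -v output quoted above.
SAMPLE = """\
57d88ceb 8b4a04 mov ecx,dword ptr [edx+4]
ExceptionCode: c0000005 (Access violation)
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000005
eax=00c1de08 ebx=00000007 ecx=14bcb894 edx=00000001 esi=14c00fb0 edi=14c00f88
"""

# Assumption (triage heuristic): a fault below 64 KiB is treated as a
# null-pointer-plus-offset access rather than a wild pointer.
NEAR_NULL_LIMIT = 0x10000

# First parameter of an access-violation exception record.
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}


def parse_registers(text):
    """Map x86 register names to values from a WinDbg 'r' style line."""
    return {n: int(v, 16) for n, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}


def parse_memory_operand(text):
    """Return (base_register, displacement) of the first [reg], [reg+d] or [reg-d]."""
    m = re.search(r"\[(e[a-z]{2})(?:([+-])([0-9a-f]+)h?)?\]", text)
    if m is None:
        raise ValueError("no register-based memory operand found")
    disp = int(m.group(3), 16) if m.group(3) else 0
    return m.group(1), -disp if m.group(2) == "-" else disp


def triage(text):
    """Cross-check the exception record against the faulting instruction."""
    regs = parse_registers(text)
    params = [int(v, 16) for v in re.findall(r"Parameter\[\d+\]:\s*([0-9a-f]+)", text)]
    if len(params) < 2:
        raise ValueError("access violation record needs two parameters")
    base, disp = parse_memory_operand(text)
    effective = (regs[base] + disp) & 0xFFFFFFFF  # 32-bit wraparound
    return {
        "access": ACCESS_KIND.get(params[0], "unknown"),
        "fault_addr": params[1],
        "base_reg": base,
        "base_value": regs[base],
        "operand_matches_record": effective == params[1],
        "near_null": params[1] < NEAR_NULL_LIMIT,
        "base_is_zero": regs[base] == 0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On this sample the operand reproduces the reported read address (edx + 4 = 5) and the base register holds 1 rather than 0, so the NULL_CLASS_PTR_READ bucket reflects a read through a small invalid pointer.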
Cannot reproduce crash on version 4.1.5.3.
Added keyword regression.
Same problem here. LibreOffice version: 4.2.3.3 build id 420m0 (Build:3) shipped with Ubuntu 14.04 LTS
@Kohei: any relation with your massive ScColumn changes? (Feel free to remove yourself from CC, I included you merely to reach you.)
I've filed a bug report also at libreoffice bug tracking system, so if you wanna take a look or grab the attachment I used to get the bug, you can do it... https://www.libreoffice.org/bugzilla/show_bug.cgi?id=77883
*** Bug 77883 has been marked as a duplicate of this bug. ***
*** Bug 78108 has been marked as a duplicate of this bug. ***
*** Bug 78136 has been marked as a duplicate of this bug. ***
Created attachment 98287: backtrace of crash in mdds
Crashes on the calc side, not the writer side
Looking.
Found the source of invalid iterator generation (which ultimately caused the crash you saw). Also found unnecessary listener restart on basically references that haven't been moved. The latter one is not strictly necessary to fix the crasher but it's a waste of CPU cycles so I'll fix that as well.
Kohei Yoshida committed a patch related to this issue. It has been pushed to "master":
http://cgit.freedesktop.org/libreoffice/core/commit/?id=7fbe0f56192f7e106c560646d37fbb93b69b0446
fdo#77806: Use the common block position set for start and end listening.
The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
4.2 backport: https://gerrit.libreoffice.org/9225
Kohei Yoshida committed a patch related to this issue. It has been pushed to "libreoffice-4-2":
http://cgit.freedesktop.org/libreoffice/core/commit/?id=a7699355d355a1817fc16b4832f96a3a9e17d5df&h=libreoffice-4-2
fdo#77806: Use the common block position set for start and end listening.
It will be available in LibreOffice 4.2.5.
Fixed in 4.2.5.
(In reply to comment #15)
> Fixed in 4.2.5.
Thank you very much Kohei. Verified fixed in LibO 4.2.5.0.0+ under Ubuntu 14.04 x86-64.
Best regards. JBF
Checked in the "2014-05-01_08.58.33" (4.2.5.0.0+) under Ubuntu 14.04 and unfortunately, the crash is still there. Do I wait for a more recent version?
(In reply to comment #17)
> Checked in the "2014-05-01_08.58.33" (4.2.5.0.0+) under Ubuntu 14.04 and
> unfortunately, the crash is still there.
>
> Do I wait for a more recent version?
@Philippe: The patch for version 4.2.5 is from May 1, 20:01 UTC; your daily build is from before that moment. I think you have to wait for the next build.
Damned! Something broke your patch. I get the crash again, both on the master (Build ID: 07f14bac2d62cc6dfbb62f8f4f6ba4b7ffea0c6c) and LO 4.2.5.0.0+ (Build ID: 6a1c8a0b53c8ec1c822e60913c1ccdfd2eaa21ce) after complete rebuild and with a clean new user profile. Will do bisection later in the day if necessary.
Best regards. JBF
JBF, Are you absolutely sure? I can't reproduce it at all using the latest master.
Same with 4.2. No crash here.
(In reply to comment #20)
> Will do bisection later in the day if necessary.
Can you get a stack trace first?
Never mind, I can get the crash. I was thinking of a different crasher bug. Too many crappy bugs to deal with. More than my brain can handle.
And yes, please go ahead with bibisect. I have no clue & don't have time to investigate at the moment.
Created attachment 98761: stack trace
Here is a stacktrace for LO 4.2.5.0.0+ at commit http://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-4-2&id=325f51e94639f1a9e0d0c60159bfcf3070409640
Reproduced the crash at commits 610a6a4e262868381677838fdd3571e22adee12e and d91899f612fddd70425d1170248ed1a29cc02209
Best regards. JBF
Created attachment 98762: backtrace of the crash
backtrace for the same commit.
Best regards. JBF
Kohei Yoshida committed a patch related to this issue. It has been pushed to "master":
http://cgit.freedesktop.org/libreoffice/core/commit/?id=cd87cd92b95861e5cacb111dc33a809a9db884e3
fdo#77806: Write test for this.
Kohei Yoshida committed a patch related to this issue. It has been pushed to "master":
http://cgit.freedesktop.org/libreoffice/core/commit/?id=a45973a90625f4b9e0f603154194f357ff2418d4
fdo#77806: Check the boundaries before accessing an array....
4.2: https://gerrit.libreoffice.org/9292
Kohei Yoshida committed a patch related to this issue. It has been pushed to "libreoffice-4-2":
http://cgit.freedesktop.org/libreoffice/core/commit/?id=3cf9916a38975ea7f9a815b35de47ee1b82fa919&h=libreoffice-4-2
fdo#77806: Check the boundaries before accessing an array....
It will be available in LibreOffice 4.2.5.
*sigh*
Too fast for me :-) No crash in LO 4.2.5.0.0+ at commit 3efb6e5c35bb1129a78726b163f8fbf9bd94734a But crash with the commit just after: b26b9606efa30c0a44e20dcf638fbd1e27f05089 Building with the last fix. Best regards. JBF
Verified fixed again on LO 4.5.2.0.0+. Thank you very much for the quick fix. :-) Best regards. JBF
*** Bug 78597 has been marked as a duplicate of this bug. ***