Bug 82183 - DDE()-related segfault (reproducible)
Summary: DDE()-related segfault (reproducible)
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc
Version (earliest affected): 4.2.0.0.alpha0+ Master
Hardware: All
OS: All
Importance: medium critical
Assignee: Eike Rathke
Whiteboard: target:4.4.0 target:4.3.2 target:4.2.7
Keywords: haveBacktrace
Reported: 2014-08-05 09:39 UTC by Timo Buhrmester
Modified: 2014-09-05 15:52 UTC
CC: 6 users



Attachments
Testcase input, required for reproducing (15.29 KB, application/vnd.oasis.opendocument.spreadsheet)
2014-08-05 09:39 UTC, Timo Buhrmester
gdb log from 4.3 and 4.4 (5.21 KB, application/gzip)
2014-08-18 20:32 UTC, raal

Description Timo Buhrmester 2014-08-05 09:39:21 UTC
Created attachment 104063
Testcase input, required for reproducing

Build-ID: 61cb170a04bb1f12e77c884eab9192be736ec5f5
(Backtrace and register dump below; core dump to follow in next post)

I can reproducibly cause Spreadsheet to crash with the following steps:

0. Save the given .ods-Attachment somewhere, say, /tmp/b.ods
1. Fire up a new, blank, Spreadsheet.
2. Click function wizard
3. Enter: =DDE("soffice";"/tmp/b.ods")
4. Now press left-arrow to move the cursor in front of the closing parenthesis and insert a semicolon there, so that it looks (syntactically wrong) like this:
DDE("soffice";"/tmp/b.ods";) -- The program should then immediately segfault.

A core dump is attached, but for convenience I'll inline the call stack and reg dump anyway:

(gdb) info reg
eax            0xaeb34b88       -1363981432
ecx            0x6      6
edx            0xaeb34a90       -1363981680
ebx            0xad4cfdb4       -1387463244
esp            0xbfd517fc       0xbfd517fc
ebp            0xbfd51818       0xbfd51818
esi            0xaeb5fc88       -1363805048
edi            0xaeb5fe20       -1363804640
eip            0x0      0
eflags         0x210292 [ AF SF IF RF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

(gdb) bt
#0  0x00000000 in ?? ()
#1  0xad067cb0 in ScFormulaDlg::IsRefInputMode() const () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#2  0xacfa9dad in ScModule::IsFormulaMode() () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#3  0xad22d535 in ScTabView::SetTabNo(short, bool, bool, bool) () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#4  0xad239b97 in ScTabViewShell::DoReadUserDataSequence(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#5  0xb7061f11 in SfxBaseController::ConnectSfxFrame_Impl(SfxBaseController::ConnectSfxFrame) () from /usr/opt/libreoffice4.2/program/libsfxlo.so
#6  0xb7062e17 in SfxBaseController::attachFrame(com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) () from /usr/opt/libreoffice4.2/program/libsfxlo.so
#7  0xb705828b in SfxFrameLoader_Impl::impl_createDocumentView(com::sun::star::uno::Reference<com::sun::star::frame::XModel2> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, comphelper::NamedValueCollection const&, rtl::OUString const&) () from /usr/opt/libreoffice4.2/program/libsfxlo.so
#8  0xb705a9e3 in SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) () from /usr/opt/libreoffice4.2/program/libsfxlo.so
#9  0xb099b44c in framework::LoadEnv::impl_loadContent() () from /usr/opt/libreoffice4.2/program/../program/libfwklo.so
#10 0xb099c495 in framework::LoadEnv::startLoading() () from /usr/opt/libreoffice4.2/program/../program/libfwklo.so
#11 0xb099d9a6 in framework::LoadEnv::loadComponentFromURL(com::sun::star::uno::Reference<com::sun::star::frame::XComponentLoader> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, rtl::OUString const&, rtl::OUString const&, long, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () from /usr/opt/libreoffice4.2/program/../program/libfwklo.so
#12 0xb09b645e in framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, long, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () from /usr/opt/libreoffice4.2/program/../program/libfwklo.so
#13 0xb6feb5bd in SfxObjectShell::CreateAndLoadComponent(SfxItemSet const&, SfxFrame*) () from /usr/opt/libreoffice4.2/program/libsfxlo.so
#14 0xb6eca282 in sfx2::SvxInternalLink::Connect(sfx2::SvBaseLink*) () from /usr/opt/libreoffice4.2/program/libsfxlo.so
#15 0xb6ecc8fa in sfx2::SvBaseLink::_GetRealObject(unsigned char) () from /usr/opt/libreoffice4.2/program/libsfxlo.so
#16 0xb6ecca19 in sfx2::SvBaseLink::Update() () from /usr/opt/libreoffice4.2/program/libsfxlo.so
#17 0xace587fb in ScDdeLink::TryUpdate() () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#18 0xace85aa6 in ScInterpreter::ScDde() () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#19 0xacea1b3b in ScInterpreter::Interpret() () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#20 0xacdeaede in ScSimpleFormulaCalculator::Calculate() () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#21 0xacdeb03a in ScSimpleFormulaCalculator::GetErrCode() () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#22 0xad06833b in ScFormulaDlg::calculateValue(rtl::OUString const&, rtl::OUString&) () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#23 0xac89c1e1 in formula::FormulaDlg_Impl::CalcValue(rtl::OUString const&, rtl::OUString&) () from /usr/opt/libreoffice4.2/program/../program/libforuilo.so
#24 0xac89e54f in formula::FormulaDlg_Impl::FormulaHdl(void*) () from /usr/opt/libreoffice4.2/program/../program/libforuilo.so
#25 0xb6152924 in VclMultiLineEdit::Modify() () from /usr/opt/libreoffice4.2/program/libvcllo.so
#26 0xb615514f in ImpVclMEdit::Notify(SfxBroadcaster&, SfxHint const&) () from /usr/opt/libreoffice4.2/program/libvcllo.so
#27 0xb6d2a2c0 in SfxBroadcaster::Broadcast(SfxHint const&) () from /usr/opt/libreoffice4.2/program/libsvllo.so
#28 0xb616694d in TextView::KeyInput(KeyEvent const&) () from /usr/opt/libreoffice4.2/program/libvcllo.so
#29 0xb6153b2a in TextWindow::KeyInput(KeyEvent const&) () from /usr/opt/libreoffice4.2/program/libvcllo.so
#30 0xb635159d in ImplHandleKey(Window*, unsigned short, unsigned short, unsigned short, unsigned short, unsigned char) () from /usr/opt/libreoffice4.2/program/libvcllo.so
#31 0xb6353b5a in ImplWindowFrameProc(Window*, SalFrame*, unsigned short, void const*) () from /usr/opt/libreoffice4.2/program/libvcllo.so
#32 0xb2ddff95 in SalFrame::CallCallback(unsigned short, void const*) const () from /usr/opt/libreoffice4.2/program/libvclplug_gtklo.so
#33 0xb2ddec59 in GtkSalFrame::doKeyCallback(unsigned int, unsigned int, unsigned short, unsigned char, unsigned int, unsigned short, bool, bool) () from /usr/opt/libreoffice4.2/program/libvclplug_gtklo.so
#34 0xb2ddee17 in GtkSalFrame::IMHandler::signalIMCommit(_GtkIMContext*, char*, void*) () from /usr/opt/libreoffice4.2/program/libvclplug_gtklo.so
#35 0xb559a478 in g_cclosure_marshal_VOID__STRING () from /usr/lib/libgobject-2.0.so.0
#36 0xb558d13a in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#37 0xb55a361d in ?? () from /usr/lib/libgobject-2.0.so.0
#38 0xb55a4bfc in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#39 0xb55a4ebd in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#40 0xb2a1c78e in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#41 0xb559a478 in g_cclosure_marshal_VOID__STRING () from /usr/lib/libgobject-2.0.so.0
#42 0xb558d13a in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#43 0xb55a361d in ?? () from /usr/lib/libgobject-2.0.so.0
#44 0xb55a4bfc in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#45 0xb55a4ebd in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#46 0xb2a1a18d in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#47 0xb2a1abf1 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#48 0xb2a1964c in gtk_im_context_filter_keypress () from /usr/lib/libgtk-x11-2.0.so.0
#49 0xb2a1d2a7 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#50 0xb2a1964c in gtk_im_context_filter_keypress () from /usr/lib/libgtk-x11-2.0.so.0
#51 0xb2dda4ab in GtkSalFrame::IMHandler::handleKeyEvent(_GdkEventKey*) () from /usr/opt/libreoffice4.2/program/libvclplug_gtklo.so
#52 0xb2ddeef3 in GtkSalFrame::signalKey(_GtkWidget*, _GdkEventKey*, void*) () from /usr/opt/libreoffice4.2/program/libvclplug_gtklo.so
#53 0xb2a3ae74 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#54 0xb558d13a in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#55 0xb55a361d in ?? () from /usr/lib/libgobject-2.0.so.0
#56 0xb55a4a7b in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#57 0xb55a5076 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#58 0xb2b67156 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#59 0xb2a335a3 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#60 0xb2a34857 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#61 0xb28bddda in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#62 0xb54f3305 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#63 0xb54f6fe8 in ?? () from /lib/libglib-2.0.so.0
#64 0xb54f71c8 in g_main_context_iteration () from /lib/libglib-2.0.so.0
#65 0xb2dc7f2c in GtkData::Yield(bool, bool) () from /usr/opt/libreoffice4.2/program/libvclplug_gtklo.so
#66 0xb2dc9c08 in GtkInstance::Yield(bool, bool) () from /usr/opt/libreoffice4.2/program/libvclplug_gtklo.so
#67 0xb60fa4e7 in ImplYield(bool, bool) () from /usr/opt/libreoffice4.2/program/libvcllo.so
#68 0xb60f9c19 in Application::Yield() () from /usr/opt/libreoffice4.2/program/libvcllo.so
#69 0xb60f9c44 in Application::Execute() () from /usr/opt/libreoffice4.2/program/libvcllo.so
#70 0xb76bc68e in desktop::Desktop::Main() () from /usr/opt/libreoffice4.2/program/libsofficeapp.so
#71 0xb60fe7ba in ImplSVMain() () from /usr/opt/libreoffice4.2/program/libvcllo.so
#72 0xb60fe894 in SVMain() () from /usr/opt/libreoffice4.2/program/libvcllo.so
#73 0xb76d493d in soffice_main () from /usr/opt/libreoffice4.2/program/libsofficeapp.so
#74 0x08048680 in main ()
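The register dump and backtrace above carry the two facts that matter for triage: eip is 0 and frame #0 resolves to address 0x00000000, so control was transferred through a null function pointer from frame #1 (ScFormulaDlg::IsRefInputMode), and that happened while a document was being loaded (loadComponentFromURL, frames #11/#12) from inside formula evaluation (ScInterpreter::Interpret, frame #19), i.e. a re-entrant load triggered by DDE(). The script below is an added example, not part of the report or of LibreOffice; it parses gdb "info reg" and "bt" output and flags both conditions. The frame-name heuristics (loadComponentFromURL, ScInterpreter::Interpret) are assumptions drawn from this one backtrace, and the sample input is an excerpt of the dump posted above.

```python
"""Triage a gdb register dump plus backtrace for a null-call crash (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: an excerpt of the "info reg" and "bt" output posted in the
# report above; frames that do not affect the triage are left out.
SAMPLE_REGS = """
eax            0xaeb34b88       -1363981432
ecx            0x6      6
esp            0xbfd517fc       0xbfd517fc
ebp            0xbfd51818       0xbfd51818
eip            0x0      0
eflags         0x210292 [ AF SF IF RF ID ]
cs             0x73     115
"""

SAMPLE_BT = """
#0  0x00000000 in ?? ()
#1  0xad067cb0 in ScFormulaDlg::IsRefInputMode() const () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#2  0xacfa9dad in ScModule::IsFormulaMode() () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#3  0xad22d535 in ScTabView::SetTabNo(short, bool, bool, bool) () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#12 0xb09b645e in framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, long, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () from /usr/opt/libreoffice4.2/program/../program/libfwklo.so
#13 0xb6feb5bd in SfxObjectShell::CreateAndLoadComponent(SfxItemSet const&, SfxFrame*) () from /usr/opt/libreoffice4.2/program/libsfxlo.so
#17 0xace587fb in ScDdeLink::TryUpdate() () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#18 0xace85aa6 in ScInterpreter::ScDde() () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#19 0xacea1b3b in ScInterpreter::Interpret() () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#22 0xad06833b in ScFormulaDlg::calculateValue(rtl::OUString const&, rtl::OUString&) () from /usr/opt/libreoffice4.2/program/../program/libsclo.so
#74 0x08048680 in main ()
"""

# "#N  0xADDR in <symbol with its argument list> () [from <lib>]"
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (.*?) \(\)(?: from (\S+))?\s*$")
# "<reg>  0xHEX  <decimal or flags>"
REG_RE = re.compile(r"^(\w+)\s+(0x[0-9a-fA-F]+)\b")

# Heuristic frame names (assumption based on this backtrace, not a general rule).
LOAD_MARKER = "loadComponentFromURL"
INTERP_MARKER = "ScInterpreter::Interpret()"


@dataclass
class Frame:
    num: int
    addr: int
    func: str
    lib: Optional[str]


def parse_registers(text: str) -> Dict[str, int]:
    """Map register names to their values from 'info reg' output."""
    regs: Dict[str, int] = {}
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def parse_backtrace(text: str) -> List[Frame]:
    """Parse 'bt' output into frames; unparseable lines are skipped."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(Frame(int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)))
    return frames


def find_frame(frames: List[Frame], needle: str) -> Optional[Frame]:
    """Innermost (lowest-numbered) frame whose symbol contains needle."""
    return next((f for f in frames if needle in f.func), None)


def triage(reg_text: str, bt_text: str) -> dict:
    regs = parse_registers(reg_text)
    frames = parse_backtrace(bt_text)
    pc = next((regs[r] for r in ("rip", "eip", "pc") if r in regs), None)
    # pc == 0 with an unresolvable frame #0 at address 0 means the crash is the
    # target of an indirect call through a null pointer; the caller is frame #1.
    null_call = pc == 0 and bool(frames) and frames[0].addr == 0 and frames[0].func == "??"
    caller = frames[1].func if null_call and len(frames) > 1 else None
    load = find_frame(frames, LOAD_MARKER)
    interp = find_frame(frames, INTERP_MARKER)
    # A load frame with a smaller number than the interpreter frame is more
    # recent, so the document load ran inside formula evaluation.
    reentrant = load is not None and interp is not None and load.num < interp.num
    return {
        "pc": pc,
        "null_call": null_call,
        "caller": caller,
        "reentrant_load": reentrant,
        "load_frame": load.num if load else None,
        "interp_frame": interp.num if interp else None,
        "frames_parsed": len(frames),
    }


def summarize(r: dict) -> str:
    lines = [f"pc = {r['pc']:#x}" if r["pc"] is not None else "pc unknown"]
    if r["null_call"]:
        lines.append("control transferred to address 0: indirect call through a null "
                     f"function pointer made from {r['caller']}")
    if r["reentrant_load"]:
        lines.append(f"document load (frame #{r['load_frame']}) ran inside formula "
                     f"evaluation (frame #{r['interp_frame']}): re-entrant load, check "
                     "for state torn down under the caller")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_REGS, SAMPLE_BT)))
```

Run it on the full dump from the report (or any other gdb session) by replacing the two sample strings; for a crash whose pc is a real code address the null-call line is omitted, and without both marker frames the re-entrancy line is omitted.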
Comment 1 Timo Buhrmester 2014-08-05 09:46:49 UTC
Here's a bz2'ed core dump (~7M, original file ~80M) of the segfaulted Spreadsheet: http://www.math.uni-bonn.de/~timo/calc_bug82183.core
Comment 2 penttila 2014-08-05 10:53:31 UTC
I can confirm the bug with LO 4.2.4.2 on LinuxMint 17 Cinnamon
Comment 3 raal 2014-08-07 17:51:16 UTC
I can reproduce with LO 4.2.4, but cannot reproduce with LO 4.3. Could you please retest with a newer version? Setting the bug to WORKSFORME; set it to UNCONFIRMED again if you are able to reproduce the problem with LO 4.3.
Comment 4 Timo Buhrmester 2014-08-11 13:08:33 UTC
I can still reproduce it in the same way on LO 4.3.0.4, Build ID 62ad5818884a2fc2e5780dd45466868d41009ec0
Comment 5 Timo Buhrmester 2014-08-11 14:47:22 UTC
Update: x86-64 (amd64) is also affected, same version (LO 4.3.0.4, Build ID 62ad5818884a2fc2e5780dd45466868d41009ec0), same steps to reproduce.
Comment 6 raal 2014-08-13 06:15:48 UTC
Tested again, I can reproduce with Version: 4.3.0.3
Build ID: 08ebe52789a201dd7d38ef653ef7a48925e7f9f7
Comment 7 Julien Nabet 2014-08-17 21:31:18 UTC
On pc Debian x86-64 with LO Debian package 4.2.6, I could reproduce this.

However, I don't reproduce this with master or 4.3 sources updated today + 4.2 updated some days ago.

Perhaps it's already fixed on 4.3.1RC1 (see http://www.libreoffice.org/download/pre-releases/) If not, would it be possible someone gives a try to some 4.2 or 4.3 daily build?
Comment 8 raal 2014-08-18 06:41:13 UTC
(In reply to comment #7)
> On pc Debian x86-64 with LO Debian package 4.2.6, I could reproduce this.
> 
> However, I don't reproduce this with master or 4.3 sources updated today +
> 4.2 updated some days ago.
> 
> Perhaps it's already fixed on 4.3.1RC1 (see
> http://www.libreoffice.org/download/pre-releases/) If not, would it be
> possible someone gives a try to some 4.2 or 4.3 daily build?

I can reproduce with Version: 4.3.2.0.0+
Build ID: 25459cb0c9afdf46c3d90ae8ba0b6ffb375f67da
TinderBox: Linux-rpm_deb-x86_64@46-TDF, Branch:libreoffice-4-3, Time: 2014-08-17_22:48:01
Comment 9 Julien Nabet 2014-08-18 07:11:35 UTC
Thank you for your feedback; putting it back to NEW.
Comment 10 Timo Buhrmester 2014-08-18 13:30:02 UTC
I can /not/ reproduce it anymore with the devel version 4.3.2.0.0+ (Build-ID: d2eec11f0a6f27e13a4a834942f8acf20ae62cec)
Comment 11 Julien Nabet 2014-08-18 18:26:36 UTC
Unless there's a regression between the version Tim used (which is 10 days old) and the version Raal used (less than 1 day old), the results are quite strange.
Comment 12 Timo Buhrmester 2014-08-18 20:15:43 UTC
> Unless there's a regression between the version Tim used (which is 10 days
> old) and the version Raal used (less than 1 day old), the results are quite strange.
Maybe it's a 32/64-bit thing, as I tried on a 32-bit machine, while Raal apparently used a 64-bit platform. I will give it another try on a 64-bit host tomorrow.
Comment 13 raal 2014-08-18 20:32:17 UTC
Created attachment 104842
gdb log from 4.3 and 4.4
Comment 14 Julien Nabet 2014-08-19 06:18:00 UTC
Kohei/Markus/Eike: Any idea for this one? (Could the triggering of the bug depend on UI language?)
Comment 15 Timo Buhrmester 2014-08-19 11:29:21 UTC
Tested again, can't reproduce with both the following versions:
(32 bit) Version: 4.3.2.0.0+
Build ID: d2eec11f0a6f27e13a4a834942f8acf20ae62cec
TinderBox: Linux-rpm_deb-x86@45-TDF, Branch:libreoffice-4-3, Time: 2014-08-09_04:20:14

(64 bit) Version: 4.3.2.0.0+
Build ID: 25459cb0c9afdf46c3d90ae8ba0b6ffb375f67da
TinderBox: Linux-rpm_deb-x86_64@46-TDF, Branch:libreoffice-4-3, Time: 2014-08-17_22:48:01
Comment 16 Eike Rathke 2014-08-20 12:32:07 UTC
Could also reproduce in current master, I'll take a look.
Comment 17 Commit Notification 2014-08-21 23:15:06 UTC
Eike Rathke committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=c0aba5007b6e468336b41138f099914c32f4b0cf

fdo#82183 do not reset globals while loading a document



The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 18 Commit Notification 2014-08-22 02:34:33 UTC
Eike Rathke committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=10b6bda51c9da5429ca562c70ce75ee03e5f4e56

init formula options once, fdo#82183



The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 19 Eike Rathke 2014-08-22 03:05:13 UTC
Pending review
https://gerrit.libreoffice.org/11063 for 4-3
https://gerrit.libreoffice.org/11064 for 4-2
Comment 20 Commit Notification 2014-09-04 12:46:30 UTC
Eike Rathke committed a patch related to this issue.
It has been pushed to "libreoffice-4-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=a9969503d7a95bf266099466ca08f732f1251c03&h=libreoffice-4-3

fdo#82183 do not reset globals while loading a document


It will be available in LibreOffice 4.3.2.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 21 Commit Notification 2014-09-05 15:52:25 UTC
Eike Rathke committed a patch related to this issue.
It has been pushed to "libreoffice-4-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=fef72d750ea29dd3368f2e5f3099bb81e22ab07c&h=libreoffice-4-2

fdo#82183 do not reset globals while loading a document


It will be available in LibreOffice 4.2.7.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.