Summary: | Crash: "vector::_M_fill_insert" with large sumifs | ||
---|---|---|---|
Product: | LibreOffice | Reporter: | Chris McKenna <cmckenna> |
Component: | Calc | Assignee: | Dennis Francis <dennisfrancis.in> |
Status: | VERIFIED FIXED | ||
Severity: | major | CC: | 79045_79045, aron.budea, dennisfrancis.in, erack, l.lunak, miguelangelrv, serval2412, xiscofauli |
Priority: | high | Keywords: | bibisected, bisected, regression |
Version: | 6.2.0.3 release | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: | target:7.1.0 target:7.0.0.1 target:6.4.5 target:7.3.0 | ||
Crash report or crash signature: | Regression By: | ||
Bug Depends on: | |||
Bug Blocks: | 108827, 133092 | ||
Attachments: | Spreadsheet in which I encountered the issue |
Description
Chris McKenna
2020-04-26 11:20:34 UTC
Confirmed

Version: 6.4.3.2 (x64)
Build ID: 747b5d0ebf89f41c860ec2a39efd7cb15b54f2d8
CPU threads: 4; OS: Windows 10.0 Build 19613; UI render: GL; VCL: win;
Locale: es-ES (es_ES); UI-Language: en-US
Calc: CL

Version: 7.0.0.0.alpha0+ (x64)
Build ID: 951b6a9570ae2665f7b6e7cdd6d24d1fc513ba90
CPU threads: 4; OS: Windows 10.0 Build 19613; UI render: Skia/Raster; VCL: win;
Locale: es-ES (es_ES); UI-Language: en-US
Calc: threaded

I've just discovered the same result occurs using MAXIFS

After some debugging on gdb I found a code pointer.

6056 // initialize temporary result matrix
6057 if (vConditions.empty())
6058 vConditions.resize( nDimensionCols * nDimensionRows, 0);

See https://opengrok.libreoffice.org/xref/core/sc/source/core/tool/interpr1.cxx?r=dbda099d#6058

nDimensionCols = -42

Before this block:
nCol1=1
nCol2=1

6029 if (bRangeReduce)
6030 {
6031 nCol1 += nStartColDiff;
6032 nRow1 += nStartRowDiff;
6033
6034 nCol2 += nEndColDiff;
6035 nRow2 += nEndRowDiff;
6036 }

After:
nCol1=1
nCol2=-42

Eike: Following my last comment, I don't know if we must dig about why nEndColDiff is negative and so nCol2 then nDimensionCols is negative or if this straightforward patch would be sufficient:

diff --git a/sc/source/core/tool/interpr1.cxx b/sc/source/core/tool/interpr1.cxx index 03a8f46731a6..58d4fc2de725 100644 --- a/sc/source/core/tool/interpr1.cxx +++ b/sc/source/core/tool/interpr1.cxx 
@@ -6045,6 +6045,11 @@ void ScInterpreter::IterateParametersIfs( double(*ResultFunc)( const sc::ParamIf PushError ( FormulaError::IllegalArgument); return; } + if ( (nDimensionCols <= 0) || (nDimensionRows <= 0) ) + { + PushError ( FormulaError::IllegalArgument); + return; + } // recalculate matrix values if (nGlobalError != FormulaError::NONE)

(It avoids crash and displays Err:502 for the cell)

Any thoughts?

No repro in 6.0 but repro in 6.2 on macOS => regression

Bibisected to the libreoffice-6-2 backport of the following commit using repo bibisect-linux-64-6.2. Adding CC: to Dennis Francis.

https://cgit.freedesktop.org/libreoffice/core/commit/?id=03b352b9599514e4e244e1907510713cf1331284
author Dennis Francis <dennis.francis@collabora.com> 2018-12-06 00:09:59 +0530
committer Dennis Francis <dennis.francis@collabora.com> 2018-12-10 16:25:16 +0100

Find actual data area inside the main-range...

Luboš Luňák committed a patch related to this issue. It has been pushed to "master":
https://git.libreoffice.org/core/commit/21cff8d14e2396a964cf9f2e4af1d43efdadb5c1
detect inconsistent SUMIFS() ranges when range reducing (tdf#132431)
It will be available in 7.1.0.
The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Verified in
Version: 7.1.0.0.alpha0+
Build ID: 49ce4bf15c1769b7427dd4d828e586c1e896f928
CPU threads: 4; OS: Linux 4.19; UI render: default; VCL: gtk3
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: threaded

@Luboš Luňák, thanks for fixing this issue!

Luboš Luňák committed a patch related to this issue.
It has been pushed to "libreoffice-7-0":
https://git.libreoffice.org/core/commit/c6ee4036e40556dd79f99bf890786b3666cf9ee7
detect inconsistent SUMIFS() ranges when range reducing (tdf#132431)
It will be available in 7.0.0.1.
The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Xisco Fauli committed a patch related to this issue. It has been pushed to "master":
https://git.libreoffice.org/core/commit/399f1f8e2458e672c6f78ad8775b4c73aece0e73
tdf#132431: sc: Add unittest
It will be available in 7.1.0.
The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Luboš Luňák committed a patch related to this issue. It has been pushed to "libreoffice-6-4":
https://git.libreoffice.org/core/commit/f86ba65165bdb208c55f847d35113dbbbe195301
detect inconsistent SUMIFS() ranges when range reducing (tdf#132431)
It will be available in 6.4.6.
The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Luboš Luňák committed a patch related to this issue. It has been pushed to "libreoffice-6-4-5":
https://git.libreoffice.org/core/commit/61b6a318c46116df07a97895ab55be35bb467902
detect inconsistent SUMIFS() ranges when range reducing (tdf#132431)
It will be available in 6.4.5.
The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Noel Grandin committed a patch related to this issue. It has been pushed to "master":
https://git.libreoffice.org/core/commit/57a1d8d2c3ce8741c0bfbaa66160f6091a1c7f68
crash in tdf132431-1.ods --export-to xls
It will be available in 7.3.0.
The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
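
Review bot: In the hunk at @@ -6045 of sc/source/core/tool/interpr1.cxx proposed in the comments above, the new test `(nDimensionCols <= 0) || (nDimensionRows <= 0)` has no comment saying when a dimension can be non-positive, and it sits some distance from where the bad value is produced. The debugging notes in the same comment show nCol2 going from 1 to -42 inside the `if (bRangeReduce)` block, so a short comment naming range reduction as the cause would help, and it is worth considering a check of nCol2 against nCol1 and nRow2 against nRow1 directly after that block so an inconsistent range is rejected before anything else reads it. Testing each dimension separately, as the hunk does, is the right shape: a check on the product alone would let two negative dimensions through, because their product is positive by the time it reaches `vConditions.resize( nDimensionCols * nDimensionRows, 0)`.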
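
The failure mode described in the debugging comment above, as an added example that is not LibreOffice code: a negative dimension product converted to size_t makes vector::resize throw std::length_error (libstdc++ names it "vector::_M_fill_insert"). Range, reduceRange, checkedMatrixSize and unguardedResizeThrows are hypothetical names, and every input value other than nCol2 = -42 is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for the nCol1/nRow1/nCol2/nRow2 bounds in the report.
struct Range { int32_t col1, row1, col2, row2; };

// Applies range-reduction offsets the way the quoted bRangeReduce block does.
Range reduceRange(Range r, int32_t startColDiff, int32_t startRowDiff,
                  int32_t endColDiff, int32_t endRowDiff) {
    r.col1 += startColDiff; r.row1 += startRowDiff;
    r.col2 += endColDiff;   r.row2 += endRowDiff;
    return r;
}

// Guarded sizing: rejects a non-positive dimension before any multiplication,
// so two negative dimensions cannot cancel into a positive element count.
bool checkedMatrixSize(const Range& r, std::size_t& count) {
    const int64_t cols = int64_t(r.col2) - r.col1 + 1;
    const int64_t rows = int64_t(r.row2) - r.row1 + 1;
    if (cols <= 0 || rows <= 0) return false;
    count = static_cast<std::size_t>(cols) * static_cast<std::size_t>(rows);
    return true;
}

// Unguarded sizing, as in the crashing path: returns true when resize throws.
bool unguardedResizeThrows(const Range& r) {
    const int32_t cols = r.col2 - r.col1 + 1;
    const int32_t rows = r.row2 - r.row1 + 1;
    std::vector<uint8_t> conditions;
    try {
        // A negative product becomes a value near SIZE_MAX, above max_size().
        conditions.resize(static_cast<std::size_t>(cols * rows), 0);
    } catch (const std::length_error&) {
        return true;
    }
    return false;   // resize "worked", possibly with a meaningless size
}

int main() {
    const Range full{1, 1, 1, 5};                          // constructed input
    const Range reduced = reduceRange(full, 0, 0, -43, 0); // col2 becomes -42
    std::size_t n = 0;
    return (unguardedResizeThrows(reduced) && !checkedMatrixSize(reduced, n)) ? 0 : 1;
}
```

With both dimensions negative the unguarded path does not throw at all; it allocates a small matrix of the wrong size, which is why the guard tests each dimension rather than the product.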