https://bugs.freedesktop.org/show_bug.cgi?id=86907

            Bug ID: 86907
           Summary: [Rollit fuzzer]: Calc crashes with invalid memory read
           Product: LibreOffice
           Version: 4.3.3.2 release
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: Spreadsheet
          Assignee: [email protected]
          Reporter: [email protected]

Created attachment 110301
  --> https://bugs.freedesktop.org/attachment.cgi?id=110301&action=edit
Fuzzed file causing the invalid read

The attached file causes Calc to crash after several invalid memory reads of
size 8. [1] shows the stack trace when attached to valgrind, and [2] when
attached to gdb.
Note that the fault is in an external library (MDDS) so LibreOffice might be
innocent depending on how the library is being used. I'm using MDDS 0.11.1,
which is the latest version.

To reproduce, open the file and click OK on the "This document contains macros"
pop-up. The application will terminate with:
terminate called after throwing an instance of 'std::out_of_range'
  what():  multi_type_vector::get_block_position#673: block position not found!
(logical pos=18446744073709551615, block size=0, logical size=176)

This bug was found with the Rollit fuzzer.

[1]
testdebian@debian:~/tmp$ valgrind --vgdb=yes --vgdb-error=0
/usr/lib/libreoffice/program/soffice.bin ../842168558/invalid-read-fuzzed.xls 
==3110== Memcheck, a memory error detector
==3110== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==3110== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==3110== Command: /usr/lib/libreoffice/program/soffice.bin
../842168558/poss-safe-exception-fuzzed.xls
==3110== 
==3110== (action at startup) vgdb me ... 
==3110== 
==3110== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==3110==   /path/to/gdb /usr/lib/libreoffice/program/soffice.bin
==3110== and then give GDB the following command
==3110==   target remote | /usr/lib/valgrind/../../bin/vgdb --pid=3110
==3110== --pid is optional if only one valgrind process is running
==3110== 
==3110== Warning: invalid file descriptor -1 in syscall close()
==3110== Invalid read of size 8
==3110==    at 0x1F7744E8: __normal_iterator (stl_iterator.h:729)
==3110==    by 0x1F7744E8: end (stl_vector.h:566)
==3110==    by 0x1F7744E8: begin (multi_type_vector_def.inl:139)
==3110==    by 0x1F7744E8: ScColumn::InterpretDirtyCells(int, int)
(column3.cxx:105)
==3110==    by 0x1F8ADF8E: ScTable::InterpretDirtyCells(short, int, short, int)
(table1.cxx:2244)
==3110==    by 0x1F7DD350: ScDocument::InterpretDirtyCells(ScRangeList const&)
[clone .part.95] (document.cxx:3650)
==3110==    by 0x1FEC74B6: ScTabView::InterpretVisible() (tabview4.cxx:491)
==3110==    by 0x1FEC477D: ScTabView::ZoomChanged() (tabview3.cxx:2620)
==3110==    by 0x1FEC3CF8: ScTabView::SetTabNo(short, bool, bool, bool)
(tabview3.cxx:1667)
==3110==    by 0x1FED0AFB: ScTabViewShell::Activate(bool) (tabvwsh4.cxx:177)
==3110==    by 0x7C7AC7A: SfxDispatcher::DoActivate_Impl(bool, SfxViewFrame*)
(dispatch.cxx:746)
==3110==    by 0x7C4E053: SfxViewFrame::DoActivate(bool, SfxViewFrame*)
(viewfrm.cxx:1143)
==3110==    by 0x792C996: SfxApplication::SetViewFrame_Impl(SfxViewFrame*)
(app.cxx:344)
==3110==    by 0x7C4F727: SfxViewFrame::MakeActive_Impl(bool)
(viewfrm.cxx:1784)
==3110==    by 0x7C48414:
SfxBaseController::ConnectSfxFrame_Impl(SfxBaseController::ConnectSfxFrame)
(sfxbasecontroller.cxx:1316)
==3110==  Address 0x1c6e7ff8 is 16 bytes after a block of size 104 alloc'd
==3110==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==3110==    by 0x9BA5BC3: FtFontInfo::AnnounceFont(PhysicalFontCollection*)
(gcach_ftyp.cxx:354)
==3110==    by 0x9BA5EDC:
FreetypeManager::AnnounceFonts(PhysicalFontCollection*) const
(gcach_ftyp.cxx:416)
==3110==    by 0x1640C18C:
X11SalGraphics::GetDevFontList(PhysicalFontCollection*) (salgdi3.cxx:543)
==3110==    by 0x99A8BF8: OutputDevice::ImplInitFontList() const
(font.cxx:1423)
==3110==    by 0x99AC83F: OutputDevice::ImplNewFont() const (font.cxx:1484)
==3110==    by 0x99AF0FF: OutputDevice::ImplLayout(rtl::OUString const&, int,
int, Point const&, long, int const*) const (text.cxx:1246)
==3110==    by 0x99B5F53: OutputDevice::DrawText(Point const&, rtl::OUString
const&, int, int, std::vector<Rectangle, std::allocator<Rectangle> >*,
rtl::OUString*) (text.cxx:897)
==3110==    by 0x1BD50AF4: (anonymous namespace)::SplashScreen::Paint(Rectangle
const&) (splash.cxx:635)
==3110==    by 0x1BD50F35: (anonymous namespace)::SplashScreen::updateStatus()
[clone .part.13] (splash.cxx:329)
==3110==    by 0x1BD51F37: updateStatus (svapp.hxx:1570)
==3110==    by 0x1BD51F37: (anonymous namespace)::SplashScreen::setValue(int)
(splash.cxx:236)
==3110==    by 0x50AD603: SetSplashScreenProgress (app.cxx:2787)
==3110==    by 0x50AD603: desktop::Desktop::Main() (app.cxx:1397)
==3110== 
==3110== (action on error) vgdb me ... 
==3110== Continuing ...
==3110== Invalid read of size 8
==3110==    at 0x1F7744FF: __normal_iterator (stl_iterator.h:729)
==3110==    by 0x1F7744FF: begin (stl_vector.h:548)
==3110==    by 0x1F7744FF: begin (multi_type_vector_def.inl:139)
==3110==    by 0x1F7744FF: ScColumn::InterpretDirtyCells(int, int)
(column3.cxx:105)
==3110==    by 0x1F8ADF8E: ScTable::InterpretDirtyCells(short, int, short, int)
(table1.cxx:2244)
==3110==    by 0x1F7DD350: ScDocument::InterpretDirtyCells(ScRangeList const&)
[clone .part.95] (document.cxx:3650)
==3110==    by 0x1FEC74B6: ScTabView::InterpretVisible() (tabview4.cxx:491)
==3110==    by 0x1FEC477D: ScTabView::ZoomChanged() (tabview3.cxx:2620)
==3110==    by 0x1FEC3CF8: ScTabView::SetTabNo(short, bool, bool, bool)
(tabview3.cxx:1667)
==3110==    by 0x1FED0AFB: ScTabViewShell::Activate(bool) (tabvwsh4.cxx:177)
==3110==    by 0x7C7AC7A: SfxDispatcher::DoActivate_Impl(bool, SfxViewFrame*)
(dispatch.cxx:746)
==3110==    by 0x7C4E053: SfxViewFrame::DoActivate(bool, SfxViewFrame*)
(viewfrm.cxx:1143)
==3110==    by 0x792C996: SfxApplication::SetViewFrame_Impl(SfxViewFrame*)
(app.cxx:344)
==3110==    by 0x7C4F727: SfxViewFrame::MakeActive_Impl(bool)
(viewfrm.cxx:1784)
==3110==    by 0x7C48414:
SfxBaseController::ConnectSfxFrame_Impl(SfxBaseController::ConnectSfxFrame)
(sfxbasecontroller.cxx:1316)
==3110==  Address 0x1c6e7ff0 is 8 bytes after a block of size 104 alloc'd
==3110==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==3110==    by 0x9BA5BC3: FtFontInfo::AnnounceFont(PhysicalFontCollection*)
(gcach_ftyp.cxx:354)
==3110==    by 0x9BA5EDC:
FreetypeManager::AnnounceFonts(PhysicalFontCollection*) const
(gcach_ftyp.cxx:416)
==3110==    by 0x1640C18C:
X11SalGraphics::GetDevFontList(PhysicalFontCollection*) (salgdi3.cxx:543)
==3110==    by 0x99A8BF8: OutputDevice::ImplInitFontList() const
(font.cxx:1423)
==3110==    by 0x99AC83F: OutputDevice::ImplNewFont() const (font.cxx:1484)
==3110==    by 0x99AF0FF: OutputDevice::ImplLayout(rtl::OUString const&, int,
int, Point const&, long, int const*) const (text.cxx:1246)
==3110==    by 0x99B5F53: OutputDevice::DrawText(Point const&, rtl::OUString
const&, int, int, std::vector<Rectangle, std::allocator<Rectangle> >*,
rtl::OUString*) (text.cxx:897)
==3110==    by 0x1BD50AF4: (anonymous namespace)::SplashScreen::Paint(Rectangle
const&) (splash.cxx:635)
==3110==    by 0x1BD50F35: (anonymous namespace)::SplashScreen::updateStatus()
[clone .part.13] (splash.cxx:329)
==3110==    by 0x1BD51F37: updateStatus (svapp.hxx:1570)
==3110==    by 0x1BD51F37: (anonymous namespace)::SplashScreen::setValue(int)
(splash.cxx:236)
==3110==    by 0x50AD603: SetSplashScreenProgress (app.cxx:2787)
==3110==    by 0x50AD603: desktop::Desktop::Main() (app.cxx:1397)
==3110== 
==3110== (action on error) vgdb me ... 
==3110== Continuing ...
==3110== Invalid read of size 8
==3110==    at 0x1F71C734:
mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> >
>::get_block_position(mdds::__mtv::const_iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> > >::const_iterator_trait,
mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned
long, mdds::mtv::base_element_block> >,
mdds::__mtv::iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> > >::iterator_trait,
mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned
long, mdds::mtv::base_element_block> > > > const&, unsigned long, unsigned
long&, unsigned long&) const (multi_type_vector_def.inl:649)
==3110==    by 0x1F74606B:
mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> >
>::position(mdds::__mtv::iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> > >::iterator_trait,
mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned
long, mdds::mtv::base_element_block> > > const&, unsigned long)
(multi_type_vector_def.inl:1324)
==3110==    by 0x1F774582:
ProcessElements1<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> > >, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell>, DirtyCellInterpreter, sc::FuncElseNoOp<long unsigned int> >
(mtvfunctions.hxx:327)
==3110==    by 0x1F774582: ProcessFormula<DirtyCellInterpreter>
(mtvcellfunc.hxx:32)
==3110==    by 0x1F774582: ScColumn::InterpretDirtyCells(int, int)
(column3.cxx:105)
==3110==    by 0x1F8ADF8E: ScTable::InterpretDirtyCells(short, int, short, int)
(table1.cxx:2244)
==3110==    by 0x1F7DD350: ScDocument::InterpretDirtyCells(ScRangeList const&)
[clone .part.95] (document.cxx:3650)
==3110==    by 0x1FEC74B6: ScTabView::InterpretVisible() (tabview4.cxx:491)
==3110==    by 0x1FEC477D: ScTabView::ZoomChanged() (tabview3.cxx:2620)
==3110==    by 0x1FEC3CF8: ScTabView::SetTabNo(short, bool, bool, bool)
(tabview3.cxx:1667)
==3110==    by 0x1FED0AFB: ScTabViewShell::Activate(bool) (tabvwsh4.cxx:177)
==3110==    by 0x7C7AC7A: SfxDispatcher::DoActivate_Impl(bool, SfxViewFrame*)
(dispatch.cxx:746)
==3110==    by 0x7C4E053: SfxViewFrame::DoActivate(bool, SfxViewFrame*)
(viewfrm.cxx:1143)
==3110==    by 0x792C996: SfxApplication::SetViewFrame_Impl(SfxViewFrame*)
(app.cxx:344)
==3110==  Address 0x1c6e7ff8 is 16 bytes after a block of size 104 alloc'd
==3110==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==3110==    by 0x9BA5BC3: FtFontInfo::AnnounceFont(PhysicalFontCollection*)
(gcach_ftyp.cxx:354)
==3110==    by 0x9BA5EDC:
FreetypeManager::AnnounceFonts(PhysicalFontCollection*) const
(gcach_ftyp.cxx:416)
==3110==    by 0x1640C18C:
X11SalGraphics::GetDevFontList(PhysicalFontCollection*) (salgdi3.cxx:543)
==3110==    by 0x99A8BF8: OutputDevice::ImplInitFontList() const
(font.cxx:1423)
==3110==    by 0x99AC83F: OutputDevice::ImplNewFont() const (font.cxx:1484)
==3110==    by 0x99AF0FF: OutputDevice::ImplLayout(rtl::OUString const&, int,
int, Point const&, long, int const*) const (text.cxx:1246)
==3110==    by 0x99B5F53: OutputDevice::DrawText(Point const&, rtl::OUString
const&, int, int, std::vector<Rectangle, std::allocator<Rectangle> >*,
rtl::OUString*) (text.cxx:897)
==3110==    by 0x1BD50AF4: (anonymous namespace)::SplashScreen::Paint(Rectangle
const&) (splash.cxx:635)
==3110==    by 0x1BD50F35: (anonymous namespace)::SplashScreen::updateStatus()
[clone .part.13] (splash.cxx:329)
==3110==    by 0x1BD51F37: updateStatus (svapp.hxx:1570)
==3110==    by 0x1BD51F37: (anonymous namespace)::SplashScreen::setValue(int)
(splash.cxx:236)
==3110==    by 0x50AD603: SetSplashScreenProgress (app.cxx:2787)
==3110==    by 0x50AD603: desktop::Desktop::Main() (app.cxx:1397)
==3110== 
==3110== (action on error) vgdb me ... 
==3110== Continuing ...
==3110== Invalid read of size 8
==3110==    at 0x1F71C758:
mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> >
>::get_block_position(mdds::__mtv::const_iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> > >::const_iterator_trait,
mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned
long, mdds::mtv::base_element_block> >,
mdds::__mtv::iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> > >::iterator_trait,
mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned
long, mdds::mtv::base_element_block> > > > const&, unsigned long, unsigned
long&, unsigned long&) const (multi_type_vector_def.inl:665)
==3110==    by 0x1F74606B:
mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> >
>::position(mdds::__mtv::iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> > >::iterator_trait,
mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned
long, mdds::mtv::base_element_block> > > const&, unsigned long)
(multi_type_vector_def.inl:1324)
==3110==    by 0x1F774582:
ProcessElements1<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> > >, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell>, DirtyCellInterpreter, sc::FuncElseNoOp<long unsigned int> >
(mtvfunctions.hxx:327)
==3110==    by 0x1F774582: ProcessFormula<DirtyCellInterpreter>
(mtvcellfunc.hxx:32)
==3110==    by 0x1F774582: ScColumn::InterpretDirtyCells(int, int)
(column3.cxx:105)
==3110==    by 0x1F8ADF8E: ScTable::InterpretDirtyCells(short, int, short, int)
(table1.cxx:2244)
==3110==    by 0x1F7DD350: ScDocument::InterpretDirtyCells(ScRangeList const&)
[clone .part.95] (document.cxx:3650)
==3110==    by 0x1FEC74B6: ScTabView::InterpretVisible() (tabview4.cxx:491)
==3110==    by 0x1FEC477D: ScTabView::ZoomChanged() (tabview3.cxx:2620)
==3110==    by 0x1FEC3CF8: ScTabView::SetTabNo(short, bool, bool, bool)
(tabview3.cxx:1667)
==3110==    by 0x1FED0AFB: ScTabViewShell::Activate(bool) (tabvwsh4.cxx:177)
==3110==    by 0x7C7AC7A: SfxDispatcher::DoActivate_Impl(bool, SfxViewFrame*)
(dispatch.cxx:746)
==3110==    by 0x7C4E053: SfxViewFrame::DoActivate(bool, SfxViewFrame*)
(viewfrm.cxx:1143)
==3110==    by 0x792C996: SfxApplication::SetViewFrame_Impl(SfxViewFrame*)
(app.cxx:344)
==3110==  Address 0x1c6e7ff0 is 8 bytes after a block of size 104 alloc'd
==3110==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==3110==    by 0x9BA5BC3: FtFontInfo::AnnounceFont(PhysicalFontCollection*)
(gcach_ftyp.cxx:354)
==3110==    by 0x9BA5EDC:
FreetypeManager::AnnounceFonts(PhysicalFontCollection*) const
(gcach_ftyp.cxx:416)
==3110==    by 0x1640C18C:
X11SalGraphics::GetDevFontList(PhysicalFontCollection*) (salgdi3.cxx:543)
==3110==    by 0x99A8BF8: OutputDevice::ImplInitFontList() const
(font.cxx:1423)
==3110==    by 0x99AC83F: OutputDevice::ImplNewFont() const (font.cxx:1484)
==3110==    by 0x99AF0FF: OutputDevice::ImplLayout(rtl::OUString const&, int,
int, Point const&, long, int const*) const (text.cxx:1246)
==3110==    by 0x99B5F53: OutputDevice::DrawText(Point const&, rtl::OUString
const&, int, int, std::vector<Rectangle, std::allocator<Rectangle> >*,
rtl::OUString*) (text.cxx:897)
==3110==    by 0x1BD50AF4: (anonymous namespace)::SplashScreen::Paint(Rectangle
const&) (splash.cxx:635)
==3110==    by 0x1BD50F35: (anonymous namespace)::SplashScreen::updateStatus()
[clone .part.13] (splash.cxx:329)
==3110==    by 0x1BD51F37: updateStatus (svapp.hxx:1570)
==3110==    by 0x1BD51F37: (anonymous namespace)::SplashScreen::setValue(int)
(splash.cxx:236)
==3110==    by 0x50AD603: SetSplashScreenProgress (app.cxx:2787)
==3110==    by 0x50AD603: desktop::Desktop::Main() (app.cxx:1397)
==3110== 
==3110== (action on error) vgdb me ... 
==3110== Continuing ...
==3110== Invalid read of size 8
==3110==    at 0x1F71C798:
mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> >
>::get_block_position(mdds::__mtv::const_iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> > >::const_iterator_trait,
mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned
long, mdds::mtv::base_element_block> >,
mdds::__mtv::iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> > >::iterator_trait,
mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned
long, mdds::mtv::base_element_block> > > > const&, unsigned long, unsigned
long&, unsigned long&) const (multi_type_vector_def.inl:673)
==3110==    by 0x1F74606B:
mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> >
>::position(mdds::__mtv::iterator_base<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> > >::iterator_trait,
mdds::__mtv::private_data_forward_update<mdds::__mtv::iterator_value_node<unsigned
long, mdds::mtv::base_element_block> > > const&, unsigned long)
(multi_type_vector_def.inl:1324)
==3110==    by 0x1F774582:
ProcessElements1<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv::default_element_block<52,
svl::SharedString>, mdds::mtv::noncopyable_managed_element_block<53,
EditTextObject>, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell> > >, mdds::mtv::noncopyable_managed_element_block<54,
ScFormulaCell>, DirtyCellInterpreter, sc::FuncElseNoOp<long unsigned int> >
(mtvfunctions.hxx:327)
==3110==    by 0x1F774582: ProcessFormula<DirtyCellInterpreter>
(mtvcellfunc.hxx:32)
==3110==    by 0x1F774582: ScColumn::InterpretDirtyCells(int, int)
(column3.cxx:105)
==3110==    by 0x1F8ADF8E: ScTable::InterpretDirtyCells(short, int, short, int)
(table1.cxx:2244)
==3110==    by 0x1F7DD350: ScDocument::InterpretDirtyCells(ScRangeList const&)
[clone .part.95] (document.cxx:3650)
==3110==    by 0x1FEC74B6: ScTabView::InterpretVisible() (tabview4.cxx:491)
==3110==    by 0x1FEC477D: ScTabView::ZoomChanged() (tabview3.cxx:2620)
==3110==    by 0x1FEC3CF8: ScTabView::SetTabNo(short, bool, bool, bool)
(tabview3.cxx:1667)
==3110==    by 0x1FED0AFB: ScTabViewShell::Activate(bool) (tabvwsh4.cxx:177)
==3110==    by 0x7C7AC7A: SfxDispatcher::DoActivate_Impl(bool, SfxViewFrame*)
(dispatch.cxx:746)
==3110==    by 0x7C4E053: SfxViewFrame::DoActivate(bool, SfxViewFrame*)
(viewfrm.cxx:1143)
==3110==    by 0x792C996: SfxApplication::SetViewFrame_Impl(SfxViewFrame*)
(app.cxx:344)
==3110==  Address 0x1c6e8008 is 24 bytes after a block of size 112 in arena
"client"
==3110== 
==3110== (action on error) vgdb me ... 
==3110== Continuing ...
terminate called after throwing an instance of 'std::out_of_range'
  what():  multi_type_vector::get_block_position#673: block position not found!
(logical pos=18446744073709551615, block size=1, logical size=1048576)
==3110== 
==3110== HEAP SUMMARY:
==3110==     in use at exit: 17,223,039 bytes in 265,343 blocks
==3110==   total heap usage: 1,090,893 allocs, 825,550 frees, 119,699,214 bytes
allocated
==3110== 
==3110== LEAK SUMMARY:
==3110==    definitely lost: 14,352 bytes in 23 blocks
==3110==    indirectly lost: 26,877 bytes in 852 blocks
==3110==      possibly lost: 3,635,161 bytes in 64,863 blocks
==3110==    still reachable: 13,546,649 bytes in 199,605 blocks
==3110==         suppressed: 0 bytes in 0 blocks
==3110== Rerun with --leak-check=full to see details of leaked memory
==3110== 
==3110== For counts of detected and suppressed errors, rerun with: -v
==3110== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)


[2]
#0  iterator_common_base (block_index=0, start_pos=0, end=..., pos=...,
this=0x7fffffffbde0) at /usr/include/mdds/multi_type_vector_itr.hpp:152
#1  iterator_base (block_index=0, start_pos=0, end=..., pos=...,
this=0x7fffffffbde0) at /usr/include/mdds/multi_type_vector_itr.hpp:271
#2  begin (this=0x14afc30) at /usr/include/mdds/multi_type_vector_def.inl:139
#3  ScColumn::InterpretDirtyCells (this=0x14afbd0, nRow1=nRow1@entry=-1,
nRow2=nRow2@entry=45)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/core/data/column3.cxx:105
#4  0x00007fffd34dff8f in ScTable::InterpretDirtyCells (this=0x14afc70,
nCol1=<optimized out>, nRow1=-1, nCol2=-1, nRow2=45)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/core/data/table1.cxx:2244
#5  0x00007fffd340f351 in ScDocument::InterpretDirtyCells (this=0x1387980,
rRanges=...)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/core/data/document.cxx:3650
#6  0x00007fffd3410c95 in ScDocument::InterpretDirtyCells (this=<optimized
out>, rRanges=...)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/core/data/document.cxx:3635
#7  0x00007fffd3af94b7 in ScTabView::InterpretVisible
(this=this@entry=0x15bcc08)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/ui/view/tabview4.cxx:491
#8  0x00007fffd3af677e in ScTabView::ZoomChanged (this=this@entry=0x15bcc08)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/ui/view/tabview3.cxx:2620
#9  0x00007fffd3af9df7 in ScTabView::RefreshZoom (this=this@entry=0x15bcc08)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/ui/view/tabview5.cxx:387
#10 0x00007fffd3af5cf9 in ScTabView::SetTabNo (this=this@entry=0x15bcc08,
nTab=1, bNew=bNew@entry=true, bExtendSelection=<optimized out>, 
    bExtendSelection@entry=false,
bSameTabButMoved=bSameTabButMoved@entry=false)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/ui/view/tabview3.cxx:1667
#11 0x00007fffd3b02afc in ScTabViewShell::Activate (this=0x15bcb40,
bMDI=<optimized out>)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sc/source/ui/view/tabvwsh4.cxx:177
#12 0x00007ffff510ac7b in SfxDispatcher::DoActivate_Impl (this=0x17c5be0,
bMDI=true)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/control/dispatch.cxx:746
#13 0x00007ffff50de054 in SfxViewFrame::DoActivate (this=this@entry=0x1644df0,
bUI=bUI@entry=true, pOldFrame=pOldFrame@entry=0x0)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/viewfrm.cxx:1143
#14 0x00007ffff4dbc997 in SfxApplication::SetViewFrame_Impl (this=0x10ca770,
pFrame=pFrame@entry=0x1644df0)
    at /build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/appl/app.cxx:344
#15 0x00007ffff50df5c5 in SfxViewFrame::SetViewFrame
(pFrame=pFrame@entry=0x1644df0)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/viewfrm.cxx:3285
#16 0x00007ffff50df728 in SfxViewFrame::MakeActive_Impl (this=0x1644df0,
bGrabFocus=<optimized out>)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/viewfrm.cxx:1784
#17 0x00007ffff50d8415 in SfxBaseController::ConnectSfxFrame_Impl
(this=0x15c08a0, i_eConnect=(unknown: 4294951968))
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/sfxbasecontroller.cxx:1316
#18 0x00007ffff50da040 in SfxBaseController::attachFrame (this=0x15c08a0,
xFrame=uno::Reference to ((anonymous namespace)::Frame *) 0x12a20e8)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/sfxbasecontroller.cxx:570
#19 0x00007ffff50c7e19 in impl_createDocumentView (this=<optimized out>,
i_rViewName=..., i_rViewFactoryArgs=..., i_rFrame=..., i_rModel=...)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/frmload.cxx:608
#20 (anonymous namespace)::SfxFrameLoader_Impl::load (this=0x15c08c8,
rArgs=uno::Sequence of length 32767 = {...}, 
    _rTargetFrame=<error reading variable: Cannot access memory at address
0x2d>)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/sfx2/source/view/frmload.cxx:726
#21 0x00007fffe1c9a985 in framework::LoadEnv::impl_loadContent (this=0x121bdf0)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/framework/source/loadenv/loadenv.cxx:1125
#22 0x00007fffe1c9b1ae in framework::LoadEnv::startLoading
(this=this@entry=0x121bdf0)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/framework/source/loadenv/loadenv.cxx:386
#23 0x00007fffe1c1aea8 in framework::LoadDispatcher::impl_dispatch
(this=0x121bd90, rURL=..., lArguments=uno::Sequence of length 4 = {...}, 
    xListener=empty uno::Reference) at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/framework/source/dispatch/loaddispatcher.cxx:115
#24 0x00007fffe1c1bcd8 in framework::LoadDispatcher::dispatchWithReturnValue
(this=<optimized out>, rURL=..., lArguments=...)
    at
/build/libreoffice-q3uN_D/libreoffice-4.3.3/framework/source/dispatch/loaddispatcher.cxx:62

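The gdb trace above shows ScColumn::InterpretDirtyCells entered with nRow1=-1, and the exception text reports logical pos=18446744073709551615, which is the value -1 takes when converted to a 64-bit unsigned integer. The following is an added example, not LibreOffice or MDDS code: a simplified block container (BlockColumn, interpret_rows and the other names are hypothetical) in which the same signed-to-unsigned conversion reaches a position lookup, beside a caller that validates the row range while it is still signed.

```cpp
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Simplified model of a block-structured column store. This is NOT the MDDS
// implementation; all names here are hypothetical.
struct Block { std::size_t size; };

class BlockColumn {
public:
    explicit BlockColumn(std::vector<Block> blocks) : blocks_(std::move(blocks)) {
        for (const Block& b : blocks_) logical_size_ += b.size;
    }
    std::size_t size() const { return logical_size_; }

    // Index of the block covering logical position `pos`.
    // Throws std::out_of_range when no block covers it.
    std::size_t block_index_of(std::size_t pos) const {
        std::size_t start = 0;
        for (std::size_t i = 0; i < blocks_.size(); ++i) {
            if (pos < start + blocks_[i].size) return i;
            start += blocks_[i].size;
        }
        throw std::out_of_range("block position not found (pos=" +
            std::to_string(pos) + ", blocks=" + std::to_string(blocks_.size()) +
            ", logical size=" + std::to_string(logical_size_) + ")");
    }
private:
    std::vector<Block> blocks_;
    std::size_t logical_size_ = 0;
};

// Range check done while the rows are still signed, before any conversion.
bool valid_row_range(const BlockColumn& col, int row1, int row2) {
    return row1 >= 0 && row1 <= row2 &&
           static_cast<std::size_t>(row2) < col.size();
}

enum class Outcome { Processed, Rejected, Threw };

// validate=false models a caller that passes signed rows straight through;
// validate=true models one that refuses a malformed range up front.
Outcome interpret_rows(const BlockColumn& col, int row1, int row2, bool validate) {
    if (validate && !valid_row_range(col, row1, row2)) return Outcome::Rejected;
    try {
        // -1 converts to the largest std::size_t value here.
        col.block_index_of(static_cast<std::size_t>(row1));
        col.block_index_of(static_cast<std::size_t>(row2));
        return Outcome::Processed;
    } catch (const std::out_of_range&) {
        // In the report nothing caught the exception, so std::terminate ran.
        return Outcome::Threw;
    }
}

// Constructed sample: one block spanning 1048576 rows (the logical size
// printed in the valgrind run).
BlockColumn sample_column() {
    return BlockColumn(std::vector<Block>{Block{1048576}});
}

// Text of the lookup failure for a given signed row, or "" if it succeeds.
std::string lookup_error(const BlockColumn& col, int row) {
    try { col.block_index_of(static_cast<std::size_t>(row)); }
    catch (const std::out_of_range& e) { return e.what(); }
    return "";
}

int main() {
    BlockColumn col = sample_column();
    std::cout << lookup_error(col, -1) << "\n";
    std::cout << (interpret_rows(col, -1, 45, false) == Outcome::Threw) << "\n";
    std::cout << (interpret_rows(col, -1, 45, true) == Outcome::Rejected) << "\n";
    return 0;
}
```

The row values -1 and 45 are the nRow1 and nRow2 arguments shown in frame #3 of the gdb trace.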