[Libreoffice] [REVIEW][3-5] Prevent excessive references to formula result tokens

Kohei Yoshida kohei.yoshida at suse.com
Mon Jan 30 13:35:46 PST 2012


Hi,

I'd like

http://cgit.freedesktop.org/libreoffice/core/commit/?id=e2b11f4fd79dce4116badb0ecf6477546ca5d0d4

cherry-picked to the 3-5 branch.  It is probably too late for a change
like this to be in the 3-5-0 branch so I won't even try.

To reproduce the problem, open the following file in Calc

http://people.freedesktop.org/~kohei/test-formula-fill-crash.ods

then

1. select B1:B65536 (or just hit ctrl-shift-up)
2. fill down (or ctrl-D if you use the default key binding).

That will currently either crash, or do a totally wrong thing.  If it
doesn't crash, try undo and redo and it will eventually crash.

The reason is that, during the fill, the formula token instance inside
ScFormulaResult gets "copied", i.e. it re-uses the existing instance and
increases its reference counter by one.  The problem is, this counter is
an unsigned 16-bit integer, and as soon as it goes above 65535 it rolls
back to zero, and eventually the token instance gets deleted
prematurely.

The above change ensures that the formula result is cleared after each
formula cell instance gets copied.  We don't need to copy the formula
result during fill because they get re-interpreted once the copying is
complete.

As an aside, although it's not necessary for this fix, on master we
should probably use an unsigned 32-bit integer to store the reference
counter for this just to future-proof ourselves.  A 16-bit integer seems
a bit too small for this purpose.

Regards,

Kohei

-- 
Kohei Yoshida, LibreOffice hacker, Calc
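The counter wraparound described in the post, as an added illustration (not LibreOffice's ScFormulaResult or token code): a hypothetical reference-counted `Token` whose counter width is a template parameter, so the 16-bit failure and the 32-bit widening suggested above can be compared. One owner plus 65536 copies (one per row of B1:B65536) takes a 16-bit counter from 65537 back to 1, so the first release frees the token while every copy still points at it; the same sequence leaves a 32-bit counter intact.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>

// Hypothetical reference-counted token; the counter type is a template
// parameter so uint16_t and uint32_t behaviour can be compared directly.
template <typename Counter>
struct Token {
    Counter refs = 0;   // reference count, incremented on every "copy"
    bool alive = true;  // false once the count drops to zero (object deleted)

    void incRef() { ++refs; }                    // unchecked, wraps on overflow
    void decRef() { if (--refs == 0) alive = false; }
};

// Count after n increments from zero, to observe the wraparound itself.
template <typename Counter>
Counter countAfter(std::size_t n) {
    Token<Counter> t;
    for (std::size_t i = 0; i < n; ++i) t.incRef();
    return t.refs;
}

// One owner takes a reference, `copies` copies each take one more, then
// `releases` of them are dropped.  Returns whether the token is still alive
// (it must be, since owner + copies - releases > 0 references remain).
template <typename Counter>
bool survivesCopies(std::size_t copies, std::size_t releases) {
    Token<Counter> t;
    t.incRef();  // the original owner
    for (std::size_t i = 0; i < copies; ++i) t.incRef();
    for (std::size_t i = 0; i < releases; ++i) t.decRef();
    return t.alive;
}

int main() {
    const std::size_t rows = 65536;  // B1:B65536 filled down
    std::cout << "uint16 count after 65536 increments: "
              << countAfter<std::uint16_t>(rows) << '\n';               // 0
    std::cout << "uint16 token alive after 1 release: "
              << survivesCopies<std::uint16_t>(rows, 1) << '\n';        // 0 (freed early)
    std::cout << "uint32 token alive after 1 release: "
              << survivesCopies<std::uint32_t>(rows, 1) << '\n';        // 1
    return 0;
}
```

The actual 3-5 fix avoids the problem differently, by clearing the formula result so the copies never take a reference at all; the wider counter is the separate future-proofing the post suggests for master.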


