[Libreoffice] external references with OFFSET function cause a crash

Takeshi Abe tabe at fixedpoint.jp
Mon Feb 21 05:47:53 PST 2011


Hi Kohei,

I have encountered a crash of Calc (master branch built on my Debian box)
in a way related to a report at
http://listarchives.libreoffice.org/ja/discuss/msg00306.html

First, assume a simple spreadsheet saved as, say,
/home/tabe/20110221/x.ods
including a sheet 'Sheet1' in which cell $C$3 had value 'C3'.
Second, create a new spreadsheet and insert
=OFFSET('file:///home/tabe/20110221/x.ods'#$Sheet1.$A$1,2,2)
at cell $A$1. It should look like 'C3', and it actually does.
But, third, inserting one more
=OFFSET('file:///home/tabe/20110221/x.ods'#$Sheet1.$A$1,2,2)
at cell $A$2 ended up with a crash.

gdb shows dereferencing a null pointer caused it as attached,
so I think the following barrier will deserve at least an option:

diff --git a/sc/source/ui/docshell/externalrefmgr.cxx b/sc/source/ui/docshell/externalrefmgr.cxx
index 3483895..bb5b4d7 100644
--- a/sc/source/ui/docshell/externalrefmgr.cxx
+++ b/sc/source/ui/docshell/externalrefmgr.cxx
@@ -1636,7 +1636,7 @@ ScExternalRefCache::TokenRef ScExternalRefManager::getSingleRefToken(
         // Now, insert the token into cache table but don't cache empty cells.
         if (pToken->GetType() != formula::svEmptyCell)
         {
-            sal_uInt32 nFmtIndex = pFmt->mbIsSet ? pFmt->mnIndex : 0;
+            sal_uInt32 nFmtIndex = (pFmt && pFmt->mbIsSet) ? pFmt->mnIndex : 0;
             maRefCache.setCellData(nFileId, rTabName, rCell.Col(), rCell.Row(), pToken, nFmtIndex);
         }
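
Review bot: the null check on the changed nFmtIndex line silently stores format index 0 in the cache whenever the caller passes no pFmt, and nothing in the hunk says that this is intended. Frame #0 of the attached backtrace confirms pFmt=0x0 at externalrefmgr.cxx:1639, so the guard does stop this dereference, but please add a short comment stating that pFmt is optional and that 0 is the deliberate default for cached cells. Only this one use of pFmt is visible here; any other dereference of pFmt in getSingleRefToken needs the same guard, or the function should normalise the pointer once near its top so later code cannot reintroduce the crash.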

Any thoughts?

Cheers,
-- Takeshi Abe
-------------- next part --------------
#0  0xadc3034c in ScExternalRefManager::getSingleRefToken (this=0xad4f4938, nFileId=0, rTabName=..., rCell=..., 
    pCurPos=0x0, pTab=0xbfffa0de, pFmt=0x0)
    at /home/tabe/libo/clone/calc/sc/source/ui/docshell/externalrefmgr.cxx:1639
#1  0xadfd2321 in lcl_ScAddress_Parse_OOo (p=0xaf68a8fa, pDoc=<value optimized out>, rAddr=..., 
    pExtInfo=0xbfffa9c0, pRange=0x0) at /home/tabe/libo/clone/calc/sc/source/core/tool/address.cxx:1128
#2  0xadfd338b in lcl_ScAddress_Parse (this=0xbfffa9c8, r=..., pDoc=0x0, rDetails=..., pExtInfo=0xbfffa9c0, 
    pExternalLinks=0xbfffcc68) at /home/tabe/libo/clone/calc/sc/source/core/tool/address.cxx:1198
#3  ScAddress::Parse (this=0xbfffa9c8, r=..., pDoc=0x0, rDetails=..., pExtInfo=0xbfffa9c0, 
    pExternalLinks=0xbfffcc68) at /home/tabe/libo/clone/calc/sc/source/core/tool/address.cxx:1276
#4  0xadffe2fd in ScCompiler::IsSingleReference (this=0xbfffcbf4, rName=...)
    at /home/tabe/libo/clone/calc/sc/source/core/tool/compiler.cxx:2719
#5  0xadffe867 in ScCompiler::IsReference (this=0xbfffcbf4, rName=...)
    at /home/tabe/libo/clone/calc/sc/source/core/tool/compiler.cxx:2811
#6  0xadfff343 in ScCompiler::NextNewToken (this=0xbfffcbf4, bInArray=false)
    at /home/tabe/libo/clone/calc/sc/source/core/tool/compiler.cxx:3585
#7  0xadfffb23 in ScCompiler::CompileString (this=0xbfffcbf4, rFormula=...)
    at /home/tabe/libo/clone/calc/sc/source/core/tool/compiler.cxx:3709
#8  0xadfa0a4e in ScFormulaCell::Compile (this=0xad3db0a0, rFormula=..., bNoListening=1 '\001', 
    eGrammar=formula::FormulaGrammar::GRAM_NATIVE) at /home/tabe/libo/clone/calc/sc/source/core/data/cell.cxx:938
#9  0xadfa1adc in ScFormulaCell (this=0xad3db0a0, pDoc=0xb0dd5048, rPos=..., rFormula=..., 
    eGrammar=formula::FormulaGrammar::GRAM_NATIVE, cMatInd=0 '\000')
    at /home/tabe/libo/clone/calc/sc/source/core/data/cell.cxx:683
#10 0xadfaad7b in ScColumn::SetString (this=0xad8aa020, nRow=0, nTabP=0, rString=..., 
    eConv=formula::FormulaGrammar::CONV_OOO, pParam=0x0)
    at /home/tabe/libo/clone/calc/sc/source/core/data/column3.cxx:1310
#11 0xadf94450 in ScTable::SetString (this=0xad8aa008, nCol=<value optimized out>, nRow=0, nTabP=0, rString=..., 
    pParam=0x0) at /home/tabe/libo/clone/calc/sc/source/core/data/table2.cxx:997
#12 0xadf1b3e1 in ScDocument::SetString (this=0xb0dd5048, nCol=0, nRow=0, nTab=8240, rString=..., pParam=0x0)
    at /home/tabe/libo/clone/calc/sc/source/core/data/document.cxx:2745
#13 0xadc48580 in ScImportExport::Text2Doc (this=0xbfffe0f4, rStrm=...)
    at /home/tabe/libo/clone/calc/sc/source/ui/docshell/impex.cxx:833
#14 0xadc486a6 in ScImportExport::ExtText2Doc (this=0xbfffe0f4, rStrm=...)
    at /home/tabe/libo/clone/calc/sc/source/ui/docshell/impex.cxx:1138
#15 0xadc4ae78 in ScImportExport::ImportStream (this=0xbfffe0f4, rStrm=..., rBaseURL=..., nFmt=1)
    at /home/tabe/libo/clone/calc/sc/source/ui/docshell/impex.cxx:413
#16 0xadc4b01d in ScImportExport::ImportString (this=0xbfffe0f4, rText=..., nFmt=1)
    at /home/tabe/libo/clone/calc/sc/source/ui/docshell/impex.cxx:331
#17 0xadd1fd33 in ScViewFunc::PasteDataFormat (this=0xb12e9048, nFormatId=1, rxTransferable=..., nPosX=1, 
    nPosY=0, pLogicPos=0x0, bLink=0 '\000', bAllowDialogs=1 '\001')
    at /home/tabe/libo/clone/calc/sc/source/ui/view/viewfun5.cxx:367
#18 0xadd197a5 in ScViewFunc::PasteFromSystem (this=0xb12e9048, nFormatId=1, bApi=0 '\000')
    at /home/tabe/libo/clone/calc/sc/source/ui/view/viewfun3.cxx:835
#19 0xadd1a448 in ScViewFunc::PasteFromSystem (this=0xb12e9048)
    at /home/tabe/libo/clone/calc/sc/source/ui/view/viewfun3.cxx:701
#20 0xadc654c5 in ScCellShell::PasteFromClipboard (pViewData=0xb12e904c, pTabViewShell=0xb12e9008, 
    bShowDialog=true) at /home/tabe/libo/clone/calc/sc/source/ui/view/cellsh1.cxx:2176
#21 0xadc68747 in ScCellShell::ExecuteEdit (this=0xad7f6e10, rReq=...)
    at /home/tabe/libo/clone/calc/sc/source/ui/view/cellsh1.cxx:1161
#22 0xadc651e5 in SfxStubScCellShellExecuteEdit (pShell=0xad7f6e10, rReq=...)
    at ../../../unxlngi6.pro/inc/scslots.hxx:6223
#23 0xb766c1c8 in SfxShell::CallExec(void (*)(SfxShell*, SfxRequest&), SfxRequest&) ()
   from /home/tabe/opt/LibreOffice/program/../basis-link/program/libsfxli.so
#24 0xb7664dd0 in SfxDispatcher::Call_Impl (this=0xad55fdb0, rShell=..., rSlot=..., rReq=..., bRecord=1 '\001')
    at /home/tabe/libo/clone/libs-core/sfx2/source/control/dispatch.cxx:276
#25 0xb766683f in SfxDispatcher::_Execute (this=0xad55fdb0, rShell=..., rSlot=..., rReq=..., eCallMode=4)
    at /home/tabe/libo/clone/libs-core/sfx2/source/control/dispatch.cxx:1039
#26 0xb765c324 in SfxBindings::Execute_Impl (this=0xad7f1770, aReq=..., pSlot=0xae2f3ea8, pShell=0xad7f6e10)
    at /home/tabe/libo/clone/libs-core/sfx2/source/control/bindings.cxx:1331
#27 0xb7686d93 in SfxDispatchController_Impl::dispatch (this=0xb2b84cc8, aURL=..., aArgs=..., rListener=...)
    at /home/tabe/libo/clone/libs-core/sfx2/source/control/unoctitm.cxx:783
#28 0xb7684b89 in SfxOfficeDispatch::dispatch (this=0xb1315924, aURL=..., aArgs=...)
    at /home/tabe/libo/clone/libs-core/sfx2/source/control/unoctitm.cxx:395
#29 0xb7231d67 in svt::AsyncAccelExec::impl_ts_asyncCallback (this=0xb136a604)
    at /home/tabe/libo/clone/libs-gui/svtools/source/misc/acceleratorexecute.cxx:503
#30 0xb69e2e7c in Link::Call (pThis=0xabb62030, pCaller=0x0)
    at /home/tabe/libo/solver/330/unxlngi6.pro/inc/tools/link.hxx:140
#31 vcl::EventPoster::DoEvent_Impl (pThis=0xabb62030, pCaller=0x0)
    at /home/tabe/libo/clone/libs-gui/vcl/source/helper/evntpost.cxx:61
#32 vcl::EventPoster::LinkStubDoEvent_Impl (pThis=0xabb62030, pCaller=0x0)
    at /home/tabe/libo/clone/libs-gui/vcl/source/helper/evntpost.cxx:64
#33 0xb698b27c in Link::Call (pWindow=0xb2b62b90, nEvent=<value optimized out>, pEvent=0xb1362a48)
    at /home/tabe/libo/solver/330/unxlngi6.pro/inc/tools/link.hxx:140
#34 ImplHandleUserEvent (pWindow=0xb2b62b90, nEvent=<value optimized out>, pEvent=0xb1362a48)
    at /home/tabe/libo/clone/libs-gui/vcl/source/window/winproc.cxx:1994
#35 ImplWindowFrameProc (pWindow=0xb2b62b90, nEvent=<value optimized out>, pEvent=0xb1362a48)
    at /home/tabe/libo/clone/libs-gui/vcl/source/window/winproc.cxx:2566
#36 0xb304b195 in SalFrame::CallCallback (this=0xb4839508) at ../../../inc/vcl/salframe.hxx:294
#37 SalDisplay::DispatchInternalEvent (this=0xb4839508)
    at /home/tabe/libo/clone/libs-gui/vcl/unx/source/app/saldisp.cxx:2344
#38 0xb3806337 in GtkXLib::userEventFn (data=0xb387d00c)
    at /home/tabe/libo/clone/libs-gui/vcl/unx/gtk/app/gtkdata.cxx:806
#39 0xb30c0381 in ?? () from /lib/libglib-2.0.so.0
#40 0xb30c2305 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#41 0xb30c5fe8 in ?? () from /lib/libglib-2.0.so.0
#42 0xb30c61c8 in g_main_context_iteration () from /lib/libglib-2.0.so.0
#43 0xb38060e4 in GtkXLib::Yield (this=0x1, bWait=true, bHandleAllCurrentEvents=false)
    at /home/tabe/libo/clone/libs-gui/vcl/unx/gtk/app/gtkdata.cxx:858
#44 0xb30519b7 in X11SalInstance::Yield (this=0xb4764f10, bWait=false, 
    bHandleAllCurrentEvents=<value optimized out>)
    at /home/tabe/libo/clone/libs-gui/vcl/unx/source/app/salinst.cxx:265
#45 0xb67eaa68 in ImplYield (i_bWait=true, i_bAllEvents=false)
    at /home/tabe/libo/clone/libs-gui/vcl/source/app/svapp.cxx:459
#46 0xb67e9eda in Application::Yield (i_bAllEvents=48)
    at /home/tabe/libo/clone/libs-gui/vcl/source/app/svapp.cxx:493
#47 0xb67e9f0b in Application::Execute () at /home/tabe/libo/clone/libs-gui/vcl/source/app/svapp.cxx:436
#48 0xb7dee028 in desktop::Desktop::Main (this=0xbffff2d4)
    at /home/tabe/libo/clone/libs-core/desktop/source/app/app.cxx:1858
#49 0xb67edeff in ImplSVMain () at /home/tabe/libo/clone/libs-gui/vcl/source/app/svmain.cxx:178
#50 0xb67ee06e in SVMain () at /home/tabe/libo/clone/libs-gui/vcl/source/app/svmain.cxx:219
#51 0xb7e08a98 in soffice_main () at /home/tabe/libo/clone/libs-core/desktop/source/app/sofficemain.cxx:68
#52 0x08048cd4 in sal_main (argc=2, argv=0xbffff414) at main.c:36
#53 main (argc=2, argv=0xbffff414) at main.c:35

