Issue 120706 - CRASH - navigating tables containing NULL timestamps in DataSourceBrowser using mysql JDBC connector causes AOO to crash
Status: CLOSED FIXED
Alias: None
Product: Base
Classification: Application
Component: code
Version: 3.4.0
Hardware: All All
Importance: P2 Critical
Target Milestone: 4.1.2
Assignee: AOO issues mailing list
QA Contact:
URL:
Keywords: crash
Depends on:
Blocks:
 
Reported: 2012-08-24 13:51 UTC by iplaw67
Modified: 2019-10-12 17:34 UTC
CC List: 3 users

See Also:
Issue Type: DEFECT
Latest Confirmation in: 4.2.0-dev
Developer Difficulty: ---
knmc: 4.1.2_release_blocker?


Attachments
Apple crash trace (75.05 KB, text/plain)
2012-08-24 13:51 UTC, iplaw67
no flags

Description iplaw67 2012-08-24 13:51:36 UTC
Created attachment 79131
Apple crash trace

Using AOO 341 Rev 1372282 (13/08/2012)

OS : Mac OSX 10.8 Mountain Lion
Mysql ConnectorJ : 5.1.21

1) Create an ODB file configured to connect to a mysql server using the JDBC connector.

2) Register the ODB file with the Office.

3) The mysql database contains at least 4 tables, some of which contain NULL value timestamps, i.e. "0000-00-00 00:00:00"

4) Now, start AOO, open a new Writer Text Document

5) Press F4 (fn+F4 on Macbook), to open the DataSourceBrowser (DSB)

6) Select the registered database from the list in the left window pane, and enter any id/password details as necessary to establish a connection to the mysql database. 

7) Now, click on the Tables entry in the tree hierarchy and select the first table.

8) If this table contains NULL timestamp values, an error message appears saying that the table can't be displayed. Click on 'OK'

9) Use the navigation arrow "down" to move down to the next table. Click on 'OK' each time the error message appears.

10) When you get to the fourth table, AOO will crash without warning.

Crash trace attached.



Alex
Comment 1 iplaw67 2012-08-25 09:12:24 UTC
See also :
https://bugs.freedesktop.org/show_bug.cgi?id=37529
Comment 2 iplaw67 2012-08-25 09:16:54 UTC
Tables to reproduce bug :

First table :
CREATE TABLE `action_type` (
  `type` varchar(15) NOT NULL DEFAULT '',
  `comments` varchar(40) DEFAULT NULL,
  `action_type_id` tinyint(3) unsigned NOT NULL AUTO_INCREMENT,
  `chg_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  PRIMARY KEY (`action_type_id`)
) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=latin1


Second table :
CREATE TABLE `address` (
  `address_id` int(11) NOT NULL AUTO_INCREMENT,
  `LNAME` varchar(35) DEFAULT NULL,
  `FNAME` varchar(35) DEFAULT NULL,
  `TITLE` varchar(35) DEFAULT NULL,
  `COMPANY` varchar(35) DEFAULT NULL,
  `COADDR1` varchar(50) NOT NULL DEFAULT '',
  `COADDR2` varchar(50) DEFAULT NULL,
  `COADDR3` varchar(50) DEFAULT NULL,
  `COCITY` varchar(35) NOT NULL DEFAULT '',
  `COSTATE` varchar(35) DEFAULT NULL,
  `COZIP` varchar(12) DEFAULT NULL,
  `COCOUNTRY` varchar(35) NOT NULL DEFAULT '',
  `SALUT` varchar(20) DEFAULT NULL,
  `CUSTOM3` varchar(35) DEFAULT NULL,
  `TEL1` varchar(40) DEFAULT NULL,
  `FAX1` varchar(40) DEFAULT NULL,
  `FAX2` varchar(40) DEFAULT NULL,
  `MOBILE` varchar(40) DEFAULT NULL,
  `EMAIL` varchar(75) DEFAULT NULL,
  `WEBSITE` varchar(75) DEFAULT NULL,
  `NOTES` mediumtext,
  `chg_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  PRIMARY KEY (`address_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1


Third table :
CREATE TABLE `applicant` (
  `applicant_id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `applicant_short` char(3) NOT NULL DEFAULT '',
  `applicant_long` varchar(30) NOT NULL DEFAULT '',
  `address_id` int(11) unsigned DEFAULT NULL,
  `chg_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  PRIMARY KEY (`applicant_id`)
) ENGINE=MyISAM AUTO_INCREMENT=972 DEFAULT CHARSET=latin1



Fourth table :
CREATE TABLE `assistant` (
  `assistant_id` tinyint(3) unsigned NOT NULL AUTO_INCREMENT,
  `assistant` varchar(7) NOT NULL DEFAULT '',
  `chg_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  PRIMARY KEY (`assistant_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1
Comment 3 damjan 2015-08-14 18:22:41 UTC
Confirming on FreeBSD with those tables.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 80cc06400 (LWP 100446/soffice.bin)]
0x0000000823936572 in dbaccess::ORowSet::impl_restoreDataColumnsWriteable_throw (this=0x81ef18a00) at RowSet.cxx:1270
1270	        (*aIter)->setPropertyValue(PROPERTY_ISREADONLY,makeAny((sal_Bool)*aReadIter ));
Current language:  auto; currently c++
(gdb) bt
#0  0x0000000823936572 in dbaccess::ORowSet::impl_restoreDataColumnsWriteable_throw (this=0x81ef18a00) at RowSet.cxx:1270
#1  0x0000000823939f95 in dbaccess::ORowSet::impl_setDataColumnsWriteable_throw (this=0x81ef18a00) at RowSet.cxx:1250
#2  0x0000000823939de5 in dbaccess::ORowSet::moveToInsertRow (this=0x81ef18a00) at RowSet.cxx:1226
#3  0x000000082393a4ec in non-virtual thunk to dbaccess::ORowSet::moveToInsertRow() (this=0x81ef18a90) at RowSet.cxx:1246
#4  0x000000082408eb55 in frm::ODatabaseForm::executeRowSet (this=0x81edb7700, _rClearForNotifies=@0x7fffffff9558, bMoveToFirst=1 '\001', _rxCompletionHandler=@0x7fffffff95b0) at DatabaseForm.cxx:1303
#5  0x0000000824099b4f in frm::ODatabaseForm::reload_impl (this=0x81edb7700, bMoveToFirst=1 '\001', _rxCompletionHandler=@0x7fffffff95b0) at DatabaseForm.cxx:3018
#6  0x000000082409b6e3 in frm::ODatabaseForm::reload (this=0x81edb7700) at DatabaseForm.cxx:2983
#7  0x000000082409b77c in non-virtual thunk to frm::ODatabaseForm::reload() (this=0x81edb7940) at DatabaseForm.cxx:2984
#8  0x0000000822e83995 in dbaui::SbaXDataBrowserController::reloadForm (this=0x81edd3e00, _rxLoadable=@0x7fffffff9c48) at brwctrlr.cxx:727
#9  0x0000000822ecd13d in dbaui::SbaTableQueryBrowser::implLoadAnything (this=0x81edd3e00, _rDataSourceName=@0x7fffffffa1c0, _rCommand=@0x7fffffffa3e8, _nCommandType=0, _bEscapeProcessing=1 '\001', _rxConnection=@0x81efad718)
    at unodatbr.cxx:2468
#10 0x0000000822ec958d in dbaui::SbaTableQueryBrowser::implSelect (this=0x81edd3e00, _pEntry=0x8bd90cb68) at unodatbr.cxx:2760
#11 0x0000000822ece558 in dbaui::SbaTableQueryBrowser::OnSelectionChange (this=0x81edd3e00) at unodatbr.cxx:2562
#12 0x0000000822eac328 in dbaui::SbaTableQueryBrowser::LinkStubOnSelectionChange (pThis=0x81edd3e00, pCaller=0x0) at unodatbr.cxx:2560
#13 0x0000000822c11c87 in Link::Call (this=0x81ed9dd40, pCaller=0x0) at link.hxx:135
#14 0x0000000822fbbc4a in dbaui::DBTreeListBox::OnTimeOut (this=0x81ed9d808) at dbtreelistbox.cxx:743
#15 0x0000000822fb84c8 in dbaui::DBTreeListBox::LinkStubOnTimeOut (pThis=0x81ed9d808, pCaller=0x81ed9dcc0) at dbtreelistbox.cxx:739
#16 0x000000080500b0e5 in Timer::ImplTimerCallbackProc () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvcl.so
#17 0x000000080d0264dd in GtkXLib::timeoutFn () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvclplug_gtk.so
#18 0x000000080d026476 in call_timeoutFn () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvclplug_gtk.so
#19 0x000000080e585d04 in g_list_sort_with_data () from /usr/local/lib/libglib-2.0.so.0
#20 0x000000080e589592 in g_main_context_dispatch () from /usr/local/lib/libglib-2.0.so.0
#21 0x000000080e5898e7 in g_main_context_pending () from /usr/local/lib/libglib-2.0.so.0
#22 0x000000080e589974 in g_main_context_iteration () from /usr/local/lib/libglib-2.0.so.0
#23 0x000000080d0267e3 in GtkXLib::Yield () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvclplug_gtk.so
#24 0x0000000805007348 in ImplYield () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvcl.so
#25 0x0000000805004a20 in Application::Execute () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvcl.so
#26 0x0000000800c84c76 in desktop::Desktop::Main (this=0x7fffffffb238) at app.cxx:2232
#27 0x0000000805009da6 in ImplSVMain () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvcl.so
#28 0x000000080500ac4e in SVMain () from AOO/main/instsetoo_native/unxfbsdx/Apache_OpenOffice/installed/install/en-US/openoffice4/program/libvcl.so
#29 0x0000000800cce2c8 in soffice_main () at sofficemain.cxx:45
#30 0x00000000004011d9 in sal_main () at main.c:31
#31 0x00000000004011b7 in main (argc=1, argv=0x7fffffffb330) at main.c:30


RowSet.cxx:1270 is the line inside the for loop:

    TDataColumns::iterator aIter = m_aDataColumns.begin();
    ::std::bit_vector::iterator aReadIter = m_aReadOnlyDataColumns.begin();
    // The loop condition only tests aReadIter against m_aReadOnlyDataColumns.end();
    // aIter is advanced in lock-step with no check against m_aDataColumns.end().
    for(;aReadIter != m_aReadOnlyDataColumns.end();++aIter,++aReadIter)
    {
        // Dereferences aIter even after it has run past m_aDataColumns.end()
        (*aIter)->setPropertyValue(PROPERTY_ISREADONLY,makeAny((sal_Bool)*aReadIter ));
    }

Since the for loop checks aReadIter but not aIter, when aIter is smaller, aIter loops beyond m_aDataColumns.end(), so the (*aIter) accesses invalid memory.

m_aReadOnlyDataColumns is resized in ORowSet::impl_setDataColumnsWriteable_throw() to match m_aDataColumns, but ORowSet::impl_restoreDataColumnsWriteable_throw() can also be called directly, without going through that method first. Clearly, they need to be kept in sync. Since m_aDataColumns is cleared in ORowSet::freeResources(), m_aReadOnlyDataColumns needs to be cleared there too. ORowSet::execute_NoApprove_NoNewConn() grows m_aDataColumns, but ORowSet::freeResources() is always called before it, and m_aDataColumns.size() > m_aReadOnlyDataColumns.size() won't crash, so patching ORowSet::freeResources() is sufficient.
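The following is an added example, not code from Apache OpenOffice or from the commenter: a small stand-alone C++ model of the two containers described in Comment 3 (m_aDataColumns and the read-only flag vector m_aReadOnlyDataColumns). It replays the navigation sequence from the analysis above, a wider table loaded and released, then a narrower one, with freeResources() clearing only m_aDataColumns (the pre-fix behaviour) versus clearing both (the fix). The DataColumn struct, RowSetModel class, replayNavigation() and all column lists are constructed here for illustration; the only thing taken from the page is the shape of the loop and the member names. The out-of-range dereference that segfaults in RowSet.cxx:1270 is turned into a detected failure so the example runs safely.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for the UNO column objects held in ORowSet::m_aDataColumns.
struct DataColumn {
    std::string name;
    bool readOnly = false;
};

// Constructed model of the two ORowSet members involved in the crash.
class RowSetModel {
public:
    using TDataColumns = std::vector<std::shared_ptr<DataColumn>>;

    // Analogue of execute_NoApprove_NoNewConn(): grows m_aDataColumns only.
    void execute(const std::vector<std::string>& columnNames) {
        for (const auto& n : columnNames) {
            auto col = std::make_shared<DataColumn>();
            col->name = n;
            col->readOnly = true;   // columns start read-only in this model
            m_aDataColumns.push_back(col);
        }
    }

    // Analogue of impl_setDataColumnsWriteable_throw(): resizes the flag vector to
    // match m_aDataColumns, saves each column's flag and makes the column writeable.
    void setDataColumnsWriteable() {
        m_aReadOnlyDataColumns.resize(m_aDataColumns.size());
        auto aReadIter = m_aReadOnlyDataColumns.begin();
        for (auto aIter = m_aDataColumns.begin(); aIter != m_aDataColumns.end(); ++aIter, ++aReadIter) {
            *aReadIter = (*aIter)->readOnly;
            (*aIter)->readOnly = false;
        }
    }

    // Analogue of impl_restoreDataColumnsWriteable_throw() as quoted in Comment 3:
    // the loop condition tests only aReadIter. Where the real code dereferences an
    // iterator past m_aDataColumns.end() (the SIGSEGV), this model returns false.
    bool restoreDataColumnsWriteable() {
        auto aIter = m_aDataColumns.begin();
        for (auto aReadIter = m_aReadOnlyDataColumns.begin();
             aReadIter != m_aReadOnlyDataColumns.end(); ++aIter, ++aReadIter) {
            if (aIter == m_aDataColumns.end())
                return false;       // the real loop would access invalid memory here
            (*aIter)->readOnly = *aReadIter;
        }
        return true;
    }

    // freeResources() before the fix: only m_aDataColumns is cleared, so stale
    // read-only flags survive into the next table's load.
    void freeResourcesBeforeFix() { m_aDataColumns.clear(); }

    // freeResources() after the fix described in Comment 3: both containers cleared.
    void freeResourcesAfterFix() {
        m_aDataColumns.clear();
        m_aReadOnlyDataColumns.clear();
    }

private:
    TDataColumns m_aDataColumns;
    std::vector<bool> m_aReadOnlyDataColumns;   // stand-in for ::std::bit_vector
};

// Replays the scenario from the analysis: a 5-column table is loaded and released,
// then a 3-column table is loaded and the restore loop runs directly, before any
// resize. Returns true when the restore completed without running past the end.
bool replayNavigation(bool useFixedFreeResources) {
    RowSetModel rs;
    rs.execute({"address_id", "LNAME", "FNAME", "COMPANY", "chg_date"});   // constructed column list
    rs.setDataColumnsWriteable();          // flag vector now has 5 entries
    if (useFixedFreeResources)
        rs.freeResourcesAfterFix();
    else
        rs.freeResourcesBeforeFix();       // flag vector keeps its 5 stale entries
    rs.execute({"assistant_id", "assistant", "chg_date"});                 // 3 columns
    return rs.restoreDataColumnsWriteable();
}

int main() {
    std::printf("before fix: %s\n", replayNavigation(false) ? "restore ok" : "aIter ran past m_aDataColumns.end()");
    std::printf("after fix:  %s\n", replayNavigation(true) ? "restore ok" : "aIter ran past m_aDataColumns.end()");
    return 0;
}
```

With the pre-fix freeResources() the stale five flags drive the loop over only three columns and the model reports the overrun; with both containers cleared the loop has nothing to iterate and the sizes are back in sync, which is exactly why the one-line change to freeResources() is sufficient.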
Comment 4 SVN Robot 2015-08-14 19:17:47 UTC
"damjan" committed SVN revision 1695962 into trunk:
#i120706# CRASH - navigating tables containing NULL timestamps in DataSourceB...
Comment 5 damjan 2015-08-14 19:22:23 UTC
Fixed by commit 120706, resolving FIXED.
Comment 6 Keith N. McKenna 2015-08-29 17:23:32 UTC
As this issue causes a crash and there is a fix for it, I would nominate it as a 4.1.2 release blocker.
Comment 7 SVN Robot 2015-09-25 07:13:12 UTC
"pescetti" committed SVN revision 1705230 into branches/AOO410:
#i120706# CRASH - navigating tables containing NULL timestamps in DataSourceB...