GNOME Bugzilla – Bug 491328
Gnumeric crashes on reading a file it previously saved
Last modified: 2007-10-29 14:43:51 UTC
Steps to reproduce:
1. I have now a collection of saved spreadsheets that generate a crash. Please email me - bryan@ozpolitics.info and I will email them to you.
2. I have almost identical files that work fine.
3. The problem appears very randomly

Stack trace:
Reading file:///home/bryan/Desktop/spreadsheets/abort/polls%20post%202004%20election%20v3.old.gnumeric
*** glibc detected *** gnumeric: double free or corruption (out): 0x0000000002513dd0 ***
======= Backtrace: =========
/lib/libc.so.6[0x2b87f07b1b0a]
/lib/libc.so.6(cfree+0x8c)[0x2b87f07b56fc]
/usr/lib/goffice/0.5.1/plugins/smoothing/smoothing.so[0x2b87f6bed441]
/usr/lib/libgoffice-0.5.so.5(gog_object_update+0x82)[0x2b87e97c7f32]
/usr/lib/libgoffice-0.5.so.5(gog_object_update+0x20)[0x2b87e97c7ed0]
/usr/lib/libgoffice-0.5.so.5(gog_object_update+0x20)[0x2b87e97c7ed0]
/usr/lib/libgoffice-0.5.so.5(gog_object_update+0x20)[0x2b87e97c7ed0]
/usr/lib/libgoffice-0.5.so.5(gog_object_update+0x20)[0x2b87e97c7ed0]
/usr/lib/libgoffice-0.5.so.5[0x2b87e97d03b6]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x1c3)[0x2b87f0221fd3]
/usr/lib/libglib-2.0.so.0[0x2b87f02252dd]
/usr/lib/libglib-2.0.so.0(g_main_context_iteration+0x6e)[0x2b87f022580e]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main_iteration_do+0x1d)[0x2b87eafcc6dd]
/usr/lib/libgoffice-0.5.so.5(io_progress_update+0xb7)[0x2b87e97c45c7]
/usr/lib/libspreadsheet-1.7.13.so[0x2b87e93a051b]
/usr/lib/libspreadsheet-1.7.13.so[0x2b87e93a2f96]
/usr/lib/libgsf-1.so.114[0x2b87ee67d081]
/usr/lib/libgsf-1.so.114[0x2b87ee67d613]
/usr/lib/libxml2.so.2(xmlParseStartTag+0x49a)[0x2b87eedca02a]
/usr/lib/libxml2.so.2(xmlParseElement+0x1db)[0x2b87eedd336b]
/usr/lib/libxml2.so.2(xmlParseContent+0x158)[0x2b87eedcf268]
/usr/lib/libxml2.so.2(xmlParseElement+0x30f)[0x2b87eedd349f]
/usr/lib/libxml2.so.2(xmlParseContent+0x158)[0x2b87eedcf268]
/usr/lib/libxml2.so.2(xmlParseElement+0x30f)[0x2b87eedd349f]
/usr/lib/libxml2.so.2(xmlParseContent+0x158)[0x2b87eedcf268]
/usr/lib/libxml2.so.2(xmlParseElement+0x30f)[0x2b87eedd349f]
/usr/lib/libxml2.so.2(xmlParseContent+0x158)[0x2b87eedcf268]
/usr/lib/libxml2.so.2(xmlParseElement+0x30f)[0x2b87eedd349f]
/usr/lib/libxml2.so.2(xmlParseDocument+0x2cf)[0x2b87eedd38af]
/usr/lib/libgsf-1.so.114(gsf_xml_in_doc_parse+0x7c)[0x2b87ee67dd6c]
/usr/lib/libspreadsheet-1.7.13.so(gnm_xml_file_open+0x2f4)[0x2b87e93a2514]
/usr/lib/libspreadsheet-1.7.13.so(wb_view_new_from_input+0x11e)[0x2b87e938839e]
/usr/lib/libspreadsheet-1.7.13.so(wb_view_new_from_uri+0x6f)[0x2b87e93885df]
gnumeric(main+0x472)[0x404cf2]
/lib/libc.so.6(__libc_start_main+0xf4)[0x2b87f075db44]
gnumeric[0x403a59]
Aborted (core dumped)
-----------------------------
GNU gdb 6.6-debian
This GDB was configured as "x86_64-linux-gnu"...
/usr/lib/gnumeric: No such file or directory.
Core was generated by `gnumeric polls post 2004 election v3.old.gnumeric'.
Program terminated with signal 11, Segmentation fault.
Other information:
Created attachment 98088
The killer file

Created attachment 98089
This file is similar - but it works
Confirmed.

==11396==
==11396== Invalid write of size 8
==11396==    at 0x1E44E5E0: gog_moving_avg_update (gog-moving-avg.c:147)
==11396==    by 0x4F6906C: gog_object_update (gog-object.c:1484)
==11396==    by 0x4F6900F: gog_object_update (gog-object.c:1477)
==11396==    by 0x4F6900F: gog_object_update (gog-object.c:1477)
==11396==    by 0x4F6900F: gog_object_update (gog-object.c:1477)
==11396==    by 0x4F6900F: gog_object_update (gog-object.c:1477)
==11396==    by 0x4F715A5: cb_graph_idle (gog-graph.c:622)
==11396==    by 0x88B7E52: g_main_context_dispatch (gmain.c:2061)
==11396==    by 0x88BB14C: g_main_context_iterate (gmain.c:2694)
==11396==    by 0x88BB67D: g_main_context_iteration (gmain.c:2753)
==11396==    by 0x5B16E4C: gtk_main_iteration_do (gtkmain.c:1245)
==11396==    by 0x4F65716: io_progress_update (io-context.c:287)
==11396==  Address 0xD5CCD10 is 8 bytes after a block of size 80 alloc'd
==11396==    at 0x4A20619: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==11396==    by 0x88BF22A: g_malloc (gmem.c:131)
==11396==    by 0x4BC706E: gnm_go_data_vector_load_values (graph.c:491)
==11396==    by 0x4F6667D: go_data_vector_get_values (go-data.c:280)
==11396==    by 0x4F9114F: gog_series_get_data (gog-series.c:995)
==11396==    by 0x4F912CE: gog_series_get_xy_data (gog-series.c:1034)
==11396==    by 0x1E44E533: gog_moving_avg_update (gog-moving-avg.c:136)
==11396==    by 0x4F6906C: gog_object_update (gog-object.c:1484)
==11396==    by 0x4F6900F: gog_object_update (gog-object.c:1477)
==11396==    by 0x4F6900F: gog_object_update (gog-object.c:1477)
==11396==    by 0x4F6900F: gog_object_update (gog-object.c:1477)
==11396==    by 0x4F6900F: gog_object_update (gog-object.c:1477)
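As an added illustration (constructed for this page, not goffice's gog_moving_avg_update or any of its code) of what the valgrind report above describes, an 8-byte store landing just past an 80-byte block, i.e. element 10 of a 10-double array: a moving-average loop with an inclusive bound beside a capacity-checked version, with a spare canary slot so the overflow can be observed without undefined behaviour. All names, sizes and sample values are assumptions.

```c
#include <stddef.h>
/* Constructed illustration of the defect class in the valgrind report above
 * (an 8-byte store just past an 80-byte block); not goffice's own code. */
#define N      10        /* ten doubles == an 80-byte block, as in the report */
#define CANARY 12345.0   /* sentinel stored right after the real output slots */

/* Trailing average of in[i+1-span .. i], clamped at index 0. */
static double window_avg(const double *in, size_t i, size_t span)
{
    size_t start = i + 1 > span ? i + 1 - span : 0;
    double sum = 0.0;
    for (size_t j = start; j <= i; j++)
        sum += in[j];
    return sum / (double)(i - start + 1);
}

/* Buggy form: inclusive loop bound, so n inputs produce n+1 stores and the
 * last one lands 8 bytes past the end of an n-double output block. */
static void moving_avg_buggy(const double *in, size_t n, size_t span, double *out)
{
    for (size_t i = 0; i <= n; i++)           /* off-by-one: should be i < n */
        out[i] = window_avg(in, i, span);     /* i == n stores past the end */
}

/* Hardened form: exclusive bound plus an explicit capacity check.
 * Returns 0 on success, -1 when 'out' cannot hold n results. */
static int moving_avg_fixed(const double *in, size_t n, size_t span,
                            double *out, size_t out_len)
{
    if (span == 0 || out_len < n)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = window_avg(in, i, span);
    return 0;
}

/* Harness: both arrays carry one spare slot so the overflow is observable
 * without undefined behaviour. Returns 1 if the canary survived and the
 * window-3 averages at positions 2 and 9 are right (2.0 and 9.0). */
static int canary_survives(int use_fixed)
{
    double in[N + 1] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 0}, out[N + 1];
    out[N] = CANARY;
    if (use_fixed)
        moving_avg_fixed(in, N, 3, out, N);
    else
        moving_avg_buggy(in, N, 3, out);
    return out[N] == CANARY && out[2] == 2.0 && out[9] == 9.0;
}
```

Under valgrind, the buggy form run against an exactly sized malloc'd block produces the same "Invalid write of size 8 ... 8 bytes after a block of size 80" shape as the report.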
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.