Bug 518939 - Chart-related valgrind errors
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: Charting
Version: git master
Hardware: Other
OS: All
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Emmanuel Pacaud
QA Contact: Jody Goldberg
Depends on:
Blocks:
Reported: 2008-02-26 22:26 UTC by sum1
Modified: 2008-02-29 16:43 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments:
- fuzzed chart-tests-excel.xls (173.50 KB, application/vnd.ms-excel), 2008-02-26 22:27 UTC, sum1
- fixes the crash, at least (729 bytes, patch), 2008-02-27 07:04 UTC, Jean Bréfort, review: rejected
- removes almost all criticals (1.30 KB, patch), 2008-02-28 16:52 UTC, Jean Bréfort, review: none
- my last proposal (2.11 KB, patch), 2008-02-29 09:56 UTC, Jean Bréfort, review: none

Description sum1 2008-02-26 22:26:00 UTC
Version: r16411 (gnumeric), r2037 (goffice)
OS: Ubuntu Gutsy

The upcoming sample is a fuzzed version of chart-tests-excel.xls.

Steps to reproduce:
- Load the upcoming attachment in Gnumeric to trigger a crash


Partial valgrind output:

==6120== Invalid read of size 4
==6120==    at 0x45E83EE: gog_chart_get_axes (gog-chart.c:734)
==6120==    by 0x6E633D7: set_radial_axes (ms-chart.c:1657)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==    by 0x6E2CAB5: ms_escher_read_ClientData (ms-escher.c:1993)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==    by 0x6E2AC2D: ms_escher_read_SpContainer (ms-escher.c:507)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==    by 0x6E2C6DB: ms_escher_read_SpgrContainer (ms-escher.c:1933)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==  Address 0x905B9E8 is 0 bytes inside a block of size 340 free'd
==6120==    at 0x402237F: free (vg_replace_malloc.c:233)
==6120==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4CE5196: g_slice_free1 (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4C86DF6: g_type_free_instance (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x4C6AAF3: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD399: gog_object_add_by_role (gog-object.c:1669)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E633A3: set_radial_axes (ms-chart.c:1652)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120== 
==6120== Invalid read of size 4
==6120==    at 0x4C832F4: g_type_check_instance_is_a (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45E841A: gog_chart_get_axes (gog-chart.c:734)
==6120==    by 0x6E633D7: set_radial_axes (ms-chart.c:1657)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==    by 0x6E2CAB5: ms_escher_read_ClientData (ms-escher.c:1993)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==    by 0x6E2AC2D: ms_escher_read_SpContainer (ms-escher.c:507)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==    by 0x6E2C6DB: ms_escher_read_SpgrContainer (ms-escher.c:1933)
==6120==  Address 0x905B9E8 is 0 bytes inside a block of size 340 free'd
==6120==    at 0x402237F: free (vg_replace_malloc.c:233)
==6120==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4CE5196: g_slice_free1 (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4C86DF6: g_type_free_instance (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x4C6AAF3: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD399: gog_object_add_by_role (gog-object.c:1669)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E633A3: set_radial_axes (ms-chart.c:1652)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120== 
==6120== Invalid read of size 4
==6120==    at 0x4C857F2: g_type_check_instance_cast (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD0D2: gog_object_set_parent (gog-object.c:1610)
==6120==    by 0x45DD382: gog_object_add_by_role (gog-object.c:1667)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E63489: set_radial_axes (ms-chart.c:1662)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==    by 0x6E2CAB5: ms_escher_read_ClientData (ms-escher.c:1993)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==    by 0x6E2AC2D: ms_escher_read_SpContainer (ms-escher.c:507)
==6120==  Address 0x905B9E8 is 0 bytes inside a block of size 340 free'd
==6120==    at 0x402237F: free (vg_replace_malloc.c:233)
==6120==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4CE5196: g_slice_free1 (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4C86DF6: g_type_free_instance (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x4C6AAF3: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD399: gog_object_add_by_role (gog-object.c:1669)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E633A3: set_radial_axes (ms-chart.c:1652)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)

(lt-gnumeric:6120): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GogObject'
==6120== 
==6120== Invalid read of size 4
==6120==    at 0x45DD0D3: gog_object_set_parent (gog-object.c:1610)
==6120==    by 0x45DD382: gog_object_add_by_role (gog-object.c:1667)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E63489: set_radial_axes (ms-chart.c:1662)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==    by 0x6E2CAB5: ms_escher_read_ClientData (ms-escher.c:1993)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==    by 0x6E2AC2D: ms_escher_read_SpContainer (ms-escher.c:507)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==  Address 0x905BA00 is 24 bytes inside a block of size 340 free'd
==6120==    at 0x402237F: free (vg_replace_malloc.c:233)
==6120==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4CE5196: g_slice_free1 (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4C86DF6: g_type_free_instance (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x4C6AAF3: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD399: gog_object_add_by_role (gog-object.c:1669)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E633A3: set_radial_axes (ms-chart.c:1652)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120== 
==6120== Invalid read of size 4
==6120==    at 0x4C857F2: g_type_check_instance_cast (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DB542: gog_object_generate_id (gog-object.c:926)
==6120==    by 0x45DD128: gog_object_set_parent (gog-object.c:1618)
==6120==    by 0x45DD382: gog_object_add_by_role (gog-object.c:1667)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E63489: set_radial_axes (ms-chart.c:1662)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==    by 0x6E2CAB5: ms_escher_read_ClientData (ms-escher.c:1993)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==  Address 0x905B9E8 is 0 bytes inside a block of size 340 free'd
==6120==    at 0x402237F: free (vg_replace_malloc.c:233)
==6120==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4CE5196: g_slice_free1 (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4C86DF6: g_type_free_instance (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x4C6AAF3: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD399: gog_object_add_by_role (gog-object.c:1669)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E633A3: set_radial_axes (ms-chart.c:1652)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)

(lt-gnumeric:6120): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GogObject'
==6120== 
==6120== Invalid read of size 4
==6120==    at 0x45DB1ED: gog_object_is_same_type (gog-object.c:860)
==6120==    by 0x45DB557: gog_object_generate_id (gog-object.c:927)
==6120==    by 0x45DD128: gog_object_set_parent (gog-object.c:1618)
==6120==    by 0x45DD382: gog_object_add_by_role (gog-object.c:1667)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E63489: set_radial_axes (ms-chart.c:1662)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==    by 0x6E2CAB5: ms_escher_read_ClientData (ms-escher.c:1993)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==  Address 0x905BA00 is 24 bytes inside a block of size 340 free'd
==6120==    at 0x402237F: free (vg_replace_malloc.c:233)
==6120==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4CE5196: g_slice_free1 (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4C86DF6: g_type_free_instance (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x4C6AAF3: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD399: gog_object_add_by_role (gog-object.c:1669)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E633A3: set_radial_axes (ms-chart.c:1652)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
Comment 1 sum1 2008-02-26 22:27:18 UTC
Created attachment 106030 [details]
fuzzed chart-tests-excel.xls
Comment 2 Jean Bréfort 2008-02-27 07:04:48 UTC
Created attachment 106048 [details] [review]
fixes the crash, at least
Comment 3 Morten Welinder 2008-02-27 15:58:38 UTC
That looks like a hack, at best.  Why do we even need tmp?

The underlying problem appears to be that gog_object_add_by_role is killing
the object without unlinking it right.
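The ownership hazard described above, sketched as an added example (a constructed toy model, not goffice or Gnumeric code). It assumes the add-by-role call consumes the caller's reference, so a rejected child is destroyed inside the callee and NULL is returned; the buggy caller keeps using its own pointer, the hardened one uses only what the owner hands back.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for a refcounted GogObject axis (not goffice code).
 * "alive" is bookkeeping so a dangling use can be observed without reading
 * freed memory; real code would free() the struct when the count hits 0. */
enum { AXIS_XY = 1, AXIS_RADIAL = 2 };
typedef struct { int ref_count; bool alive; int type; } Obj;
static Obj *obj_new(int type) {
    Obj *o = calloc(1, sizeof *o);
    o->ref_count = 1; o->alive = true; o->type = type;
    return o;
}
static void obj_unref(Obj *o) {
    if (--o->ref_count == 0) o->alive = false;   /* would be free(o) for real */
}

/* Assumed contract of an add-by-role call: it consumes the caller's reference.
 * Accepted: child is linked and returned. Rejected: the reference is dropped,
 * the child is destroyed, and NULL is returned. */
typedef struct { Obj *children[4]; int n; int accepted_type; } Parent;
static Obj *parent_add(Parent *p, Obj *child) {
    if (child->type != p->accepted_type || p->n == 4) {
        obj_unref(child);              /* ownership moved here: child dies */
        return NULL;
    }
    p->children[p->n++] = child;
    return child;
}
/* Buggy caller: keeps using its own pointer after handing it over. Returns
 * true if it touched a destroyed object (the pattern valgrind reported). */
static bool add_axis_buggy(Parent *p, int type) {
    Obj *axis = obj_new(type);
    parent_add(p, axis);
    return !axis->alive;               /* dangling access on rejection */
}
/* Hardened caller: only the pointer the new owner hands back is used. */
static bool add_axis_fixed(Parent *p, int type) {
    Obj *axis = parent_add(p, obj_new(type));
    return axis != NULL && axis->alive;   /* NULL: rejected, nothing to touch */
}
/* Report's scenario: a chart that already holds XY axes is handed a radar axis. */
static bool scenario_buggy(void) {
    Parent p = { .accepted_type = AXIS_XY };
    return add_axis_buggy(&p, AXIS_RADIAL);   /* true: dead object was read */
}
static bool scenario_fixed(void) {
    Parent p = { .accepted_type = AXIS_XY };
    return !add_axis_fixed(&p, AXIS_RADIAL) && add_axis_fixed(&p, AXIS_XY) && p.n == 1;
}
```

Under valgrind the buggy path is the "Invalid read ... inside a block ... free'd" report; the fixed path never dereferences the consumed pointer.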
Comment 4 Morten Welinder 2008-02-27 16:31:16 UTC
I have fixed the crash, but during display I now see:

** (gnumeric:28876): CRITICAL **: xy_process: assertion `axis_type == GOG_AXIS_X || axis_type == GOG_AXIS_Y' failed

** (gnumeric:28876): CRITICAL **: xy_process: assertion `axis_type == GOG_AXIS_X || axis_type == GOG_AXIS_Y' failed

** (gnumeric:28876): CRITICAL **: gog_rt_view_render: assertion `r_axis != NULL && c_axis != NULL' failed

** (gnumeric:28876): CRITICAL **: xy_process: assertion `axis_type == GOG_AXIS_X || axis_type == GOG_AXIS_Y' failed

** (gnumeric:28876): CRITICAL **: xy_process: assertion `axis_type == GOG_AXIS_X || axis_type == GOG_AXIS_Y' failed
Comment 5 Jean Bréfort 2008-02-28 09:01:18 UTC
Not surprising, we are missing the end of one chart and the beginning of another one, so we end up with a chart containing both xy and radar axes, which is not supported.
There are several options:
- accept the situation, and consider it is enough to survive;
- check what is returned by read_fn at ms-chart.c:3458, and if it is TRUE, clean what can (should?) be cleaned and return;
- do not create the plot if the axes are not compatible with the current set.
Comment 6 Jean Bréfort 2008-02-28 16:52:05 UTC
Created attachment 106172 [details] [review]
removes almost all criticals

Just two CRITICALs remain, related to go_font_free. Probably these can't be avoided (maybe we should have warnings instead there).
Comment 7 Morten Welinder 2008-02-28 18:22:47 UTC
I committed the first and second parts as-is.  I changed the fourth part to
a simple "if" with no message since we surely already complained over
something else at that point.

The third, I do not like.  What it does is bail out when we see the first
record with an error.  Imagine that record taken out of the file -- we still
need to be able to deal with that file, i.e., with the exact same records
following.  Bailing out, therefore, does not solve the underlying trouble.
Comment 8 Jean Bréfort 2008-02-28 21:25:54 UTC
Well, we'll have to live with criticals; the only possible thing is to drop the second plot if the axis set is not the same. In all cases we lose something, but it is not so important since the file is really fuzzed. I'd be curious to see what xl would do with this file ;)
Comment 9 Jean Bréfort 2008-02-29 09:56:28 UTC
Created attachment 106236 [details] [review]
my last proposal

This removes all criticals except the go_font_free related one. Maybe we can add a warning when an axis can't be deleted in set_radial_axes.
Comment 10 Morten Welinder 2008-02-29 14:33:39 UTC
Committed.

We're down to
** (gnumeric:30288): CRITICAL **: go_font_free: assertion `font->ref_count == 1' failed

which is probably a leak (and probably should not issue a critical).
Comment 11 Jean Bréfort 2008-02-29 16:43:23 UTC
Fixed that leak too, nothing remains.