GNOME Bugzilla – Bug 518939
Chart-related valgrind errors
Last modified: 2008-02-29 16:43:23 UTC
Version: r16411 (gnumeric), r2037 (goffice)
OS: Ubuntu Gutsy

The upcoming sample is a fuzzed version of chart-tests-excel.xls.

Steps to reproduce:
- Load the upcoming attachment in Gnumeric to trigger a crash

Partial valgrind output:

==6120== Invalid read of size 4
==6120==    at 0x45E83EE: gog_chart_get_axes (gog-chart.c:734)
==6120==    by 0x6E633D7: set_radial_axes (ms-chart.c:1657)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==    by 0x6E2CAB5: ms_escher_read_ClientData (ms-escher.c:1993)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==    by 0x6E2AC2D: ms_escher_read_SpContainer (ms-escher.c:507)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==    by 0x6E2C6DB: ms_escher_read_SpgrContainer (ms-escher.c:1933)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==  Address 0x905B9E8 is 0 bytes inside a block of size 340 free'd
==6120==    at 0x402237F: free (vg_replace_malloc.c:233)
==6120==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4CE5196: g_slice_free1 (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4C86DF6: g_type_free_instance (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x4C6AAF3: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD399: gog_object_add_by_role (gog-object.c:1669)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E633A3: set_radial_axes (ms-chart.c:1652)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==
==6120== Invalid read of size 4
==6120==    at 0x4C832F4: g_type_check_instance_is_a (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45E841A: gog_chart_get_axes (gog-chart.c:734)
==6120==    by 0x6E633D7: set_radial_axes (ms-chart.c:1657)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==    by 0x6E2CAB5: ms_escher_read_ClientData (ms-escher.c:1993)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==    by 0x6E2AC2D: ms_escher_read_SpContainer (ms-escher.c:507)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==    by 0x6E2C6DB: ms_escher_read_SpgrContainer (ms-escher.c:1933)
==6120==  Address 0x905B9E8 is 0 bytes inside a block of size 340 free'd
==6120==    at 0x402237F: free (vg_replace_malloc.c:233)
==6120==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4CE5196: g_slice_free1 (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4C86DF6: g_type_free_instance (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x4C6AAF3: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD399: gog_object_add_by_role (gog-object.c:1669)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E633A3: set_radial_axes (ms-chart.c:1652)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==
==6120== Invalid read of size 4
==6120==    at 0x4C857F2: g_type_check_instance_cast (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD0D2: gog_object_set_parent (gog-object.c:1610)
==6120==    by 0x45DD382: gog_object_add_by_role (gog-object.c:1667)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E63489: set_radial_axes (ms-chart.c:1662)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==    by 0x6E2CAB5: ms_escher_read_ClientData (ms-escher.c:1993)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==    by 0x6E2AC2D: ms_escher_read_SpContainer (ms-escher.c:507)
==6120==  Address 0x905B9E8 is 0 bytes inside a block of size 340 free'd
==6120==    at 0x402237F: free (vg_replace_malloc.c:233)
==6120==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4CE5196: g_slice_free1 (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4C86DF6: g_type_free_instance (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x4C6AAF3: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD399: gog_object_add_by_role (gog-object.c:1669)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E633A3: set_radial_axes (ms-chart.c:1652)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
(lt-gnumeric:6120): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GogObject'
==6120==
==6120== Invalid read of size 4
==6120==    at 0x45DD0D3: gog_object_set_parent (gog-object.c:1610)
==6120==    by 0x45DD382: gog_object_add_by_role (gog-object.c:1667)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E63489: set_radial_axes (ms-chart.c:1662)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==    by 0x6E2CAB5: ms_escher_read_ClientData (ms-escher.c:1993)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==    by 0x6E2AC2D: ms_escher_read_SpContainer (ms-escher.c:507)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==  Address 0x905BA00 is 24 bytes inside a block of size 340 free'd
==6120==    at 0x402237F: free (vg_replace_malloc.c:233)
==6120==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4CE5196: g_slice_free1 (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4C86DF6: g_type_free_instance (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x4C6AAF3: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD399: gog_object_add_by_role (gog-object.c:1669)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E633A3: set_radial_axes (ms-chart.c:1652)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==
==6120== Invalid read of size 4
==6120==    at 0x4C857F2: g_type_check_instance_cast (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DB542: gog_object_generate_id (gog-object.c:926)
==6120==    by 0x45DD128: gog_object_set_parent (gog-object.c:1618)
==6120==    by 0x45DD382: gog_object_add_by_role (gog-object.c:1667)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E63489: set_radial_axes (ms-chart.c:1662)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==    by 0x6E2CAB5: ms_escher_read_ClientData (ms-escher.c:1993)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==  Address 0x905B9E8 is 0 bytes inside a block of size 340 free'd
==6120==    at 0x402237F: free (vg_replace_malloc.c:233)
==6120==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4CE5196: g_slice_free1 (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4C86DF6: g_type_free_instance (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x4C6AAF3: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD399: gog_object_add_by_role (gog-object.c:1669)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E633A3: set_radial_axes (ms-chart.c:1652)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
(lt-gnumeric:6120): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GogObject'
==6120==
==6120== Invalid read of size 4
==6120==    at 0x45DB1ED: gog_object_is_same_type (gog-object.c:860)
==6120==    by 0x45DB557: gog_object_generate_id (gog-object.c:927)
==6120==    by 0x45DD128: gog_object_set_parent (gog-object.c:1618)
==6120==    by 0x45DD382: gog_object_add_by_role (gog-object.c:1667)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E63489: set_radial_axes (ms-chart.c:1662)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
==6120==    by 0x6E2CAB5: ms_escher_read_ClientData (ms-escher.c:1993)
==6120==    by 0x6E2D076: ms_escher_read_container (ms-escher.c:2099)
==6120==  Address 0x905BA00 is 24 bytes inside a block of size 340 free'd
==6120==    at 0x402237F: free (vg_replace_malloc.c:233)
==6120==    by 0x4CD0960: g_free (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4CE5196: g_slice_free1 (in /usr/lib/libglib-2.0.so.0.1400.1)
==6120==    by 0x4C86DF6: g_type_free_instance (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x4C6AAF3: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1400.1)
==6120==    by 0x45DD399: gog_object_add_by_role (gog-object.c:1669)
==6120==    by 0x45DD45C: gog_object_add_by_name (gog-object.c:1688)
==6120==    by 0x6E633A3: set_radial_axes (ms-chart.c:1652)
==6120==    by 0x6E635CE: xl_chart_read_radararea (ms-chart.c:1696)
==6120==    by 0x6E693CC: ms_excel_chart_read (ms-chart.c:3451)
==6120==    by 0x6E69E09: ms_excel_chart_read_BOF (ms-chart.c:3667)
==6120==    by 0x6E5E9FE: ms_read_OBJ (ms-obj.c:1272)
Created attachment 106030: fuzzed chart-tests-excel.xls
Created attachment 106048 (patch): fixes the crash, at least
That looks like a hack, at best. Why do we even need tmp? The underlying problem appears to be that gog_object_add_by_role is killing the object without unlinking it right.
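The ownership pattern the trace and the comment above describe, as an added model (constructed here, not goffice or gnumeric code): a child that the container rejects is unreffed and finalized while its pointer is still linked in the container's child list, so a later walk such as gog_chart_get_axes() touches freed memory. The names add_child_buggy, add_child_fixed and count_dangling are hypothetical, objects live in a static pool with an alive flag so the dangling entry can be counted rather than read after free, and the "link first, unref on rejection" ordering is an assumption about the bug's shape rather than something taken from goffice source.

```c
/* Constructed model of the report's ownership bug; not goffice/gnumeric code.
 * Objects come from a static pool and finalization only clears `alive`, so a
 * dangling list entry can be counted instead of reading freed memory. */
#include <stdbool.h>
#include <stddef.h>
#define MAX_OBJ 8
enum { AXIS_X, AXIS_Y, AXIS_RADIAL };   /* constructed axis kinds */
typedef struct { int ref_count; bool alive; int axis_type; } Obj;
/* children[] is the chart's child/axis list; radial_only is its role constraint */
typedef struct { Obj *children[MAX_OBJ]; int n_children; bool radial_only; } Container;

static Obj pool[MAX_OBJ]; static int n_pool;
Obj *obj_new(int axis_type) {           /* ref_count starts at 1, as g_object_new */
    Obj *o = &pool[n_pool++ % MAX_OBJ];
    *o = (Obj){ .ref_count = 1, .alive = true, .axis_type = axis_type };
    return o;
}
void obj_unref(Obj *o) { if (--o->ref_count == 0) o->alive = false; }

/* Buggy shape (assumed): link the child, then reject it and drop the caller's
 * reference without unlinking. The list now points at finalized memory. */
Obj *add_child_buggy(Container *c, Obj *child) {
    c->children[c->n_children++] = child;
    if (c->radial_only && child->axis_type != AXIS_RADIAL) {
        obj_unref(child);
        return NULL;                    /* caller must not touch child now */
    }
    return child;
}

/* Fixed shape: validate before linking, so a rejected child never becomes
 * reachable from the container; the NULL return is the only trace of it. */
Obj *add_child_fixed(Container *c, Obj *child) {
    if (c->radial_only && child->axis_type != AXIS_RADIAL) {
        obj_unref(child);
        return NULL;
    }
    c->children[c->n_children++] = child;
    return child;
}

/* Stands in for a walk such as gog_chart_get_axes(): counts entries that
 * point at a finalized object, i.e. the reads valgrind flagged above. */
int count_dangling(const Container *c) {
    int n = 0;
    for (int i = 0; i < c->n_children; i++)
        if (!c->children[i]->alive) n++;
    return n;
}
```

Under valgrind the buggy variant would report the same "inside a block ... free'd" read as the trace; here the dangling entry shows up as a non-zero count from count_dangling instead.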
I have fixed the crash, but during display I now see:
** (gnumeric:28876): CRITICAL **: xy_process: assertion `axis_type == GOG_AXIS_X || axis_type == GOG_AXIS_Y' failed
** (gnumeric:28876): CRITICAL **: xy_process: assertion `axis_type == GOG_AXIS_X || axis_type == GOG_AXIS_Y' failed
** (gnumeric:28876): CRITICAL **: gog_rt_view_render: assertion `r_axis != NULL && c_axis != NULL' failed
** (gnumeric:28876): CRITICAL **: xy_process: assertion `axis_type == GOG_AXIS_X || axis_type == GOG_AXIS_Y' failed
** (gnumeric:28876): CRITICAL **: xy_process: assertion `axis_type == GOG_AXIS_X || axis_type == GOG_AXIS_Y' failed
Not surprising, we are missing the end of one chart and the beginning of another one, so we end with a chart containing both xy and radar axes, which is not supported. There are several options:
- accept the situation, and consider it is enough to survive;
- check what is returned by read_fn at ms-chart.c:3458, and if it is TRUE, clean what can (should?) be cleaned and return;
- do not create the plot if the axes are not compatible with the current set.
Created attachment 106172 (patch): removes almost all criticals
Just two CRITICALs remain, related to go_font_free. Probably these can't be avoided (maybe we should have warnings instead there).
I committed the first and second parts as-is. I changed the fourth part to a simple "if" with no message, since we surely already complained over something else at that point. The third, I do not like. What it does is to bail out when we see the first record with an error. Imagine that record taken out of the file -- we still need to be able to deal with that file, i.e., with the exact same records following. Bailing out, therefore, does not solve the underlying trouble.
Well, we'll have to live with criticals; the only possible thing is to drop the second plot if the axis set is not the same. In all cases we lose something, but it is not so important since the file is really fuzzed. I'd be curious to see what xl would do with this file ;)
Created attachment 106236 (patch): my last proposal
This removes all criticals except the go_font_free related one. Maybe we can add a warning when an axis can't be deleted in set_radial_axes.
Committed. We're down to
** (gnumeric:30288): CRITICAL **: go_font_free: assertion `font->ref_count == 1' failed
which is probably a leak (and probably should not issue a critical).
Fixed that leak too, nothing remains.