Bug 604223 - Reproducible crash in chart prefs when changing series names
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: Charting
Version: git master
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Jean Bréfort
QA Contact: Jody Goldberg
Duplicates: 604228
Depends on:
Blocks:
Reported: 2009-12-09 23:30 UTC by Luke Hutchison
Modified: 2009-12-10 00:29 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Luke Hutchison 2009-12-09 23:30:49 UTC
Gnumeric crashes with 100% reproducibility if the following actions are taken.

1) Select a 2D block of cells and create a multi-series line chart.
2) Double-click on the chart to bring up the prefs window.
3) Click on the first series in the treeview and change its name.
4) Without pressing Enter or clicking Apply, click on another series in the treeview.
5) Gnumeric crashes.

Versions:

gnumeric-1.9.16-1.fc13.x86_64
goffice-0.7.16-2.fc13.x86_64

Debugger output:

(/usr/bin/gnumeric:6637): GLib-GObject-CRITICAL **: Object class GnmExprEntry doesn't implement property 'editing-canceled' from interface 'GtkCellEditable'

** (/usr/bin/gnumeric:6637): WARNING **: There are more columns of data than there is room for in the sheet.  Extra columns will be ignored.

** (/usr/bin/gnumeric:6637): WARNING **: Some data did not fit on the sheet and was dropped.

Program received signal SIGSEGV, Segmentation fault.
0x000000314042ab94 in g_type_check_instance_cast () from /lib64/libgobject-2.0.so.0
Missing separate debuginfos, use: debuginfo-install GConf2-2.28.0-2.fc12.x86_64 ORBit2-2.14.17-3.fc12.x86_64 PackageKit-gtk-module-0.5.4-0.4.20091029git.fc12.x86_64 atk-1.29.3-2.fc13.x86_64 bzip2-libs-1.0.5-6.fc12.x86_64 cairo-1.8.8-3.fc12.x86_64 dbus-glib-0.82-2.fc12.x86_64 dbus-libs-1.2.16-8.fc12.x86_64 expat-2.0.1-7.x86_64 fontconfig-2.7.3-1.fc12.x86_64 freetype-2.3.11-1.fc13.x86_64 gamin-0.1.10-5.fc12.x86_64 glib2-2.23.0-1.fc13.x86_64 glibc-2.11.90-3.x86_64 goffice-0.7.16-2.fc13.x86_64 gtk2-2.19.1-1.fc13.x86_64 gtk2-engines-2.18.4-4.fc12.x86_64 gvfs-1.5.1-2.fc13.x86_64 ibus-gtk-1.2.0.20091124-1.fc13.x86_64 ibus-libs-1.2.0.20091124-1.fc13.x86_64 libX11-1.3.1-2.fc13.x86_64 libXau-1.0.5-1.fc12.x86_64 libXcomposite-0.4.1-2.fc13.x86_64 libXcursor-1.1.10-3.fc13.x86_64 libXdamage-1.1.2-2.fc13.x86_64 libXext-1.1-1.fc13.x86_64 libXfixes-4.0.4-2.fc13.x86_64 libXi-1.3-1.fc13.x86_64 libXinerama-1.1-1.fc13.x86_64 libXrandr-1.3.0-5.fc13.x86_64 libXrender-0.9.5-1.fc13.x86_64 libcanberra-0.22-1.fc13.x86_64 libcanberra-gtk2-0.22-1.fc13.x86_64 libcap-ng-0.6.2-3.fc12.x86_64 libglade2-2.6.4-3.fc12.x86_64 libgsf-1.14.16-1.fc13.x86_64 libogg-1.1.4-3.fc13.x86_64 libpng-1.2.39-1.fc12.x86_64 libselinux-2.0.90-1.fc13.x86_64 libtool-ltdl-2.2.6-17.fc13.x86_64 libudev-147-2.fc13.x86_64 libvorbis-1.2.3-4.fc13.x86_64 libxcb-1.4-2.fc13.x86_64 libxml2-2.7.6-1.fc13.x86_64 pango-1.26.0-1.fc12.x86_64 pixman-0.17.2-1.fc13.x86_64 zlib-1.2.3-23.fc12.x86_64
(gdb) thread apply all bt

Thread 1 (Thread 0x7ffff7fc67c0 (LWP 6637))

  • #0 g_type_check_instance_cast
    from /lib64/libgobject-2.0.so.0
  • #1 cb_graph_dim_editor_update
    at wbc-gtk.c line 4684
  • #2 cb_update_idle
    at wbc-gtk.c line 4741
  • #3 g_main_context_dispatch
    from /lib64/libglib-2.0.so.0
  • #4 ??
    from /lib64/libglib-2.0.so.0
  • #5 g_main_loop_run
    from /lib64/libglib-2.0.so.0
  • #6 gtk_main
    from /usr/lib64/libgtk-x11-2.0.so.0
  • #7 main
    at main-application.c line 457

Comment 1 Morten Welinder 2009-12-09 23:55:35 UTC
==15970== Invalid read of size 4
==15970==    at 0x41641A5: cb_update_idle (wbc-gtk.c:4741)
==15970==    by 0x4E0B68F: g_idle_dispatch (gmain.c:4065)
==15970==    by 0x4E0D4C1: g_main_context_dispatch (gmain.c:1960)
==15970==    by 0x4E10D97: g_main_context_iterate (gmain.c:2591)
==15970==    by 0x4E111EE: g_main_loop_run (gmain.c:2799)
==15970==    by 0x474F8E8: gtk_main (gtkmain.c:1216)
==15970==    by 0x804BFC1: main (main-application.c:457)
==15970==  Address 0x773c3f8 is 0 bytes inside a block of size 32 free'd
==15970==    at 0x40268A6: free (vg_replace_malloc.c:325)
==15970==    by 0x4E15885: g_free (gmem.c:190)
==15970==    by 0x4163EB0: graph_dim_editor_free (wbc-gtk.c:4805)
==15970==    by 0x4DF69A1: g_datalist_clear (gdataset.c:120)
==15970==    by 0x4D9969D: g_object_finalize (gobject.c:747)
==15970==    by 0x477B348: gtk_object_finalize (gtkobject.c:450)
==15970==    by 0x4872A98: gtk_widget_finalize (gtkwidget.c:8417)
==15970==    by 0x4208CA3: gee_finalize (gnumeric-expr-entry.c:782)
==15970==    by 0x4D97417: g_object_unref (gobject.c:2421)
==15970==    by 0x477B10D: gtk_object_destroy (gtkobject.c:406)
==15970==    by 0x47DFAF8: gtk_table_forall (gtktable.c:907)

Comment 2 Morten Welinder 2009-12-10 00:26:55 UTC
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.

Comment 3 Morten Welinder 2009-12-10 00:29:36 UTC
*** Bug 604228 has been marked as a duplicate of this bug. ***
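
The lifetime problem visible in the Comment 1 Valgrind trace (an idle callback reading a block that the editor's free routine had already released), as an added example that is not part of this bug thread and is not Gnumeric's actual fix. It is a small C model in which `idle_q`, `Editor`, `editor_free` and every other name are constructed stand-ins, and it shows that cancelling the pending callback before freeing leaves nothing queued against freed state.

```c
#include <stdlib.h>
/* Constructed model, not Gnumeric or GLib code: idle_q stands in for
 * g_idle_add()/g_source_remove(), Editor for the per-editor state. */
typedef struct { int idle_id; int updates; } Editor;
typedef struct { void (*fn)(Editor *); Editor *data; int live; } Idle;
#define MAX_IDLE 8
static Idle idle_q[MAX_IDLE];

static int idle_add(void (*fn)(Editor *), Editor *data) { /* id > 0, or 0 if full */
    for (int i = 0; i < MAX_IDLE; i++)
        if (!idle_q[i].live) { idle_q[i] = (Idle){ fn, data, 1 }; return i + 1; }
    return 0;
}
static void idle_remove(int id) { if (id > 0) idle_q[id - 1].live = 0; }
/* Drain the queue, running each callback only if run != 0; returns the count. */
static int idle_drain(int run) {
    int n = 0;
    for (int i = 0; i < MAX_IDLE; i++) {
        if (!idle_q[i].live) continue;
        idle_q[i].live = 0; n++;
        if (run) idle_q[i].fn(idle_q[i].data);
    }
    return n;
}

static void update_idle(Editor *ed) { ed->idle_id = 0; ed->updates++; }
static void schedule_update(Editor *ed) {        /* at most one pending callback */
    if (ed->idle_id == 0) ed->idle_id = idle_add(update_idle, ed);
}
/* cancel_pending = 0 models the failing lifetime (state freed while the queue
 * still points at it); cancel_pending = 1 is the hardened form. */
static void editor_free(Editor *ed, int cancel_pending) {
    if (cancel_pending) idle_remove(ed->idle_id);
    free(ed);
}

/* Callbacks left queued against freed state; counted and dropped, never run. */
int dangling_after_free(int cancel_pending) {
    Editor *ed = calloc(1, sizeof *ed);
    if (!ed) return -1;
    schedule_update(ed);
    editor_free(ed, cancel_pending);
    return idle_drain(0);
}
int updates_when_alive(void) {                   /* normal path: runs exactly once */
    Editor ed = { 0, 0 };
    schedule_update(&ed); schedule_update(&ed);
    return idle_drain(1) == 1 ? ed.updates : -1;
}
```

In real GLib code the equivalent of `idle_remove` is `g_source_remove()` on the id returned by `g_idle_add()`, called from the destroy path before the state is released.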