Bug 572354 – Crash when adding series to bar chart

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 572354 - Crash when adding series to bar chart


Summary:	Crash when adding series to bar chart


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	Charting
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jean Bréfort
QA Contact:	Jody Goldberg

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2009-02-19 00:34 UTC by Stephen Guzik
Modified:	2009-02-19 19:29 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
Test spreadsheet for reproducing the bug (3.21 KB, application/x-gnumeric) 2009-02-19 00:35 UTC, Stephen Guzik	Details

Description Stephen Guzik 2009-02-19 00:34:10 UTC

1) Double click chart in test case
2) Select PlotBarCol1
3) Add new series.

*** glibc detected *** gnumeric: free(): invalid next size (fast): 0x000000000203d9b0 ***

Same result in 1.8.3, 1.8.4, and 1.9.3.

Comment 1 Stephen Guzik 2009-02-19 00:35:38 UTC

Created attachment 129023 [details]
Test spreadsheet for reproducing the bug

Comment 2 Jody Goldberg 2009-02-19 00:56:15 UTC

==28734==
==28734== Invalid write of size 4
==28734==    at 0x6BEDD9C: gog_plot1_5d_update (gog-1.5d.c:239)
==28734==    by 0x46060A4: gog_object_update (gog-object.c:1481)
==28734==    by 0x460600B: gog_object_update (gog-object.c:1474)
==28734==    by 0x460600B: gog_object_update (gog-object.c:1474)
==28734==    by 0x460E83A: gog_graph_force_update (gog-graph.c:685)
==28734==    by 0x4605EC3: gog_object_get_editor (gog-object.c:1424)
==28734==    by 0x464A635: cb_attr_tree_selection_change (gog-guru.c:628)
==28734==    by 0x4B54CBD: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==28734==    by 0x4B46E3B: g_closure_invoke (gclosure.c:767)
==28734==    by 0x4B5E391: signal_emit_unlocked_R (gsignal.c:3244)
==28734==    by 0x4B5F8D6: g_signal_emit_valist (gsignal.c:2977)
==28734==    by 0x4B5FE0C: g_signal_emit (gsignal.c:3034)
==28734==  Address 0x684f4d8 is 0 bytes after a block of size 24 alloc'd
==28734==    at 0x40220D2: calloc (vg_replace_malloc.c:397)
==28734==    by 0x4BBDCDC: g_malloc0 (gmem.c:151)
==28734==    by 0x6BEDD52: gog_plot1_5d_update (gog-1.5d.c:232)
==28734==    by 0x46060A4: gog_object_update (gog-object.c:1481)
==28734==    by 0x460600B: gog_object_update (gog-object.c:1474)
==28734==    by 0x460600B: gog_object_update (gog-object.c:1474)
==28734==    by 0x460E83A: gog_graph_force_update (gog-graph.c:685)
==28734==    by 0x4605EC3: gog_object_get_editor (gog-object.c:1424)
==28734==    by 0x464A635: cb_attr_tree_selection_change (gog-guru.c:628)
==28734==    by 0x4B54CBD: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==28734==    by 0x4B46E3B: g_closure_invoke (gclosure.c:767)
==28734==    by 0x4B5E391: signal_emit_unlocked_R (gsignal.c:3244)

Comment 3 Jean Bréfort 2009-02-19 19:29:05 UTC

Fixed, both branches.