GNOME Bugzilla – Bug 649851
assertion `style->link_count > 0' failed
Last modified: 2011-05-12 05:04:08 UTC
Created attachment 187543
sample file

start gnumeric
load the attached file
quit gnumeric

On quit we see:

** (gnumeric:22004): CRITICAL **: gnm_style_unlink: assertion `style->link_count > 0' failed
Using exporter Gnumeric_stf:stf_assistant
==8981== Conditional jump or move depends on uninitialised value(s)
==8981==    at 0xF022ABF: odf_control_property (openoffice-read.c:6939)
==8981==    by 0x5A1C91A: lookup_child (gsf-libxml.c:643)
==8981==    by 0x5A1CF27: gsf_xml_in_start_element (gsf-libxml.c:717)
==8981==    by 0x5E9FE52: xmlParseStartTag (in /usr/lib64/libxml2.so.2.7.8)
==8981==    by 0x5EAA767: xmlParseElement (in /usr/lib64/libxml2.so.2.7.8)
==8981==    by 0x5EA9519: xmlParseContent (in /usr/lib64/libxml2.so.2.7.8)
==8981==    by 0x5EAA662: xmlParseElement (in /usr/lib64/libxml2.so.2.7.8)
==8981==    by 0x5EA9519: xmlParseContent (in /usr/lib64/libxml2.so.2.7.8)
Updated first (and now only) valgrind event:

==21996== Invalid read of size 4
==21996==    at 0x4F38912: gnm_style_unlink (mstyle.c:832)
==21996==    by 0x4FB6802: cb_unlink (sheet-style.c:617)
==21996==    by 0x8EF05DA: ??? (in /lib64/libglib-2.0.so.0.2800.0)
==21996==    by 0x4FB695B: sheet_style_shutdown (sheet-style.c:650)
==21996==    by 0x4F7CFEB: gnm_sheet_finalize (sheet.c:4256)
==21996==    by 0x8669113: g_object_unref (in /lib64/libgobject-2.0.so.0.2800.0)
==21996==    by 0x4FD3529: workbook_sheet_delete (workbook.c:981)
==21996==    by 0x4FD0CAA: workbook_dispose (workbook.c:121)
==21996==    by 0x8669089: g_object_unref (in /lib64/libgobject-2.0.so.0.2800.0)
==21996==    by 0x40440E: convert (ssconvert.c:681)
==21996==    by 0x40469E: main (ssconvert.c:743)
==21996==  Address 0xe9ac6ac is 3,484 bytes inside a block of size 16,128 free'd
==21996==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21996==    by 0x54DEC47: go_mem_chunk_free (go-glib-extras.c:641)
==21996==    by 0x4F3855A: gnm_style_unref (mstyle.c:678)
==21996==    by 0x4F3897C: gnm_style_unlink (mstyle.c:838)
==21996==    by 0x4FB5DAC: cell_tile_dtor (sheet-style.c:318)
==21996==    by 0x4FB5D4E: cell_tile_dtor (sheet-style.c:312)
==21996==    by 0x4FB5D4E: cell_tile_dtor (sheet-style.c:312)
==21996==    by 0x4FB5D4E: cell_tile_dtor (sheet-style.c:312)
==21996==    by 0x4FB6905: sheet_style_shutdown (sheet-style.c:638)
==21996==    by 0x4F7CFEB: gnm_sheet_finalize (sheet.c:4256)
==21996==    by 0x8669113: g_object_unref (in /lib64/libgobject-2.0.so.0.2800.0)
==21996==    by 0x4FD3529: workbook_sheet_delete (workbook.c:981)
==21996==    by 0x4FD0CAA: workbook_dispose (workbook.c:121)
==21996==    by 0x8669089: g_object_unref (in /lib64/libgobject-2.0.so.0.2800.0)
==21996==    by 0x40440E: convert (ssconvert.c:681)
==21996==    by 0x40469E: main (ssconvert.c:743)
That has the feel of an extra gnm_style_unref somewhere.
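Added example, not part of the original bug report and not Gnumeric's code: a simplified model of the ordering in the valgrind report above, where one teardown path unlinks a style to zero and frees it, and a second path then unlinks the same style. All names are hypothetical, the single static slot stands in for the chunk allocator, and the counting rule (the first link takes a reference, the last unlink drops it) is an assumption. The cause of the imbalance in the real bug is not determined on this page, so the model takes the number of recorded links as a parameter.

```c
/* Simplified model, NOT Gnumeric's code: every name here is hypothetical. */
typedef enum { ST_OK, ST_FREED, ST_STALE, ST_UNDERFLOW } status_t;

typedef struct {
    int live;        /* cleared when the object is released */
    int ref_count;   /* owners holding the style */
    int link_count;  /* sheet-side users (cell tiles, style table) */
} style_t;

static style_t slot; /* stands in for the chunk allocator */

static style_t *style_new(void) {
    slot = (style_t){ .live = 1, .ref_count = 1 };
    return &slot;
}

static status_t style_unref(style_t *s) {
    if (!s->live) return ST_STALE;
    if (--s->ref_count > 0) return ST_OK;
    s->live = 0;                      /* released: later access is stale */
    return ST_FREED;
}

/* Assumption: the first link takes a reference, the last unlink drops it. */
static status_t style_link(style_t *s) {
    if (!s->live) return ST_STALE;
    if (s->link_count++ == 0) s->ref_count++;
    return ST_OK;
}

static status_t style_unlink(style_t *s) {
    if (!s->live) return ST_STALE;               /* valgrind's invalid read */
    if (s->link_count <= 0) return ST_UNDERFLOW; /* the failed assertion */
    return --s->link_count == 0 ? style_unref(s) : ST_OK;
}

/* Two teardown paths unlink the same style; returns the second result. */
static status_t teardown(int links_recorded) {
    style_t *s = style_new();
    for (int i = 0; i < links_recorded; i++) style_link(s);
    style_unref(s);          /* creator drops its own reference */
    style_unlink(s);         /* first path (cell tiles) */
    return style_unlink(s);  /* second path (style table) */
}

int main(void) {
    /* balanced: last unlink frees; one link short: second unlink is stale */
    return !(teardown(2) == ST_FREED && teardown(1) == ST_STALE);
}
```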
The style in question is (at some earlier time):

(gdb) p *style
$1 = {changed = 0, set = 2147483647, hash_key = 2715766525,
  hash_key_xl = 359250594, ref_count = 3, link_count = 9,
  linked_sheet = 0x820a450, pango_attrs = 0x0, pango_attrs_zoom = 0,
  pango_attrs_height = 0, font = 0x0, font_context = 0x0, color = {
    font = 0x8210270, back = 0x881e3e8, pattern = 0x8210270}, borders = {
    0x823fbc0, 0x823fbc0, 0x823fbc0, 0x823fbc0, 0x823fbc0, 0x823fbc0},
  pattern = 1, font_detail = {name = 0x87e0370, bold = 0, italic = 0,
    underline = UNDERLINE_NONE, strikethrough = 0,
    script = GO_FONT_SCRIPT_STANDARD, size = 10}, format = 0x8219908,
  h_align = HALIGN_CENTER, v_align = VALIGN_TOP, indent = 0, rotation = 0,
  text_dir = 0, wrap_text = 1, shrink_to_fit = 0, contents_locked = 0,
  contents_hidden = 0, validation = 0x89d5578, hlink = 0x0, input_msg = 0x0,
  conditions = 0x0, cond_styles = 0x0}
(gdb) p style->linked_sheet->name_unquoted
$2 = 0x8835b70 "GENERAL"
(gdb) p style->font_detail.name
$3 = (GOString *) 0x87e0370
(gdb) p style->font_detail.name->str
$4 = 0x881e2b0 "Times New Roman"
(gdb) p style->format
$5 = (const GOFormat *) 0x8219908
(gdb) p *style->format
$6 = {typ = 2, ref_count = 309, color = 0, has_fill = 0 '\000',
  magic = GO_FORMAT_MAGIC_NONE, format = 0x823caa8 "General", u = {cond = {
      n = 136434552, conditions = 0x3000}, number = {program = 0x821d378 "\a",
      E_format = 0, use_markup = 0, has_date = 0, date_ybm = 0, date_mbd = 0,
      date_dbm = 0, has_time = 0, has_hour = 0, has_minute = 0,
      has_elapsed = 0, fraction = 0, scale_is_2 = 0, has_general = 1,
      is_general = 1}, text = {program = 0x821d378 "\a"},
    markup = 0x821d378}}
Created attachment 187608
reduced sample file

This file is much smaller than the previous one but shows the same problem

Created attachment 187610
even smaller sample file

an even smaller sample file (by deleting some hidden sheets)
I am wondering whether it is significant that the style at issue has been duplicated in mstyle.c about 787/788. This is especially strange since there only seems to be a single sheet in the file, so how can the style be linked to two sheets???
I obviously don't understand the purpose of mstyle.c 787/788 since:

Breakpoint 1, gnm_style_link_sheet (style=0x82256e0, sheet=0x821f468) at mstyle.c:787
787         style = gnm_style_dup (style);
(gdb) p *style
$1 = {changed = 0, set = 2147483647, hash_key = 4074929722,
  hash_key_xl = 643487775, ref_count = 3, link_count = 1,
  linked_sheet = 0x821f468, pango_attrs = 0x0, pango_attrs_zoom = 0,
  pango_attrs_height = 0, font = 0x0, font_context = 0x0, color = {
    font = 0x8213e58, back = 0x881d150, pattern = 0x8213e58}, borders = {
    0x820eff0, 0x820eff0, 0x820eff0, 0x820eff0, 0x820eff0, 0x820eff0},
  pattern = 1, font_detail = {name = 0x87cfe50, bold = 0, italic = 0,
    underline = UNDERLINE_NONE, strikethrough = 0,
    script = GO_FONT_SCRIPT_STANDARD, size = 10}, format = 0x81ff558,
  h_align = HALIGN_CENTER, v_align = VALIGN_TOP, indent = 0, rotation = 0,
  text_dir = 0, wrap_text = 1, shrink_to_fit = 0, contents_locked = 0,
  contents_hidden = 0, validation = 0x87d3bb0, hlink = 0x0, input_msg = 0x0,
  conditions = 0x0, cond_styles = 0x0}
(gdb)

so: sheet == linked_sheet. Why are we duplicating the sheet? What is this "safety test" about? Duplication sets the linked_sheet to NULL.
Created attachment 187627
Even smaller file

Manually edited ods file that still displays the issue.

Created attachment 187633
Even smaller file

There really isn't much left in the file. Most of it is now xmlns attributes.

Created attachment 187634
Even smaller file

This butchers styles.xml too
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.