GNOME Bugzilla – Bug 730466
Gnumeric crashes after deleting link text and then pressing Ctrl+Z
Last modified: 2014-05-23 07:03:17 UTC
Created attachment 276889: backtrace

Hi, I found another bug related to hyperlinks.

Steps to reproduce (hopefully):

1. Start gnumeric and open a new sheet.
2. Make a hyperlink (or other kind of link) in an EMPTY cell. The cell has to be empty, because then the name of the link destination is automatically added when the link is made.
3. Go to the cell with the link and press the Delete key to delete the automatically added text.
4. Press Ctrl+Z twice; this should crash gnumeric.

I tested with gnumeric 1.12.14. A backtrace is attached.
Confirmed. Valgrind report for step 4:

==6030== Invalid read of size 8
==6030==    at 0x4ECA2E9: gnm_cell_is_nonsingleton_array (cell.c:523)
==6030==    by 0x4ECA451: gnm_cell_set_value (cell.c:154)
==6030==    by 0x4F4E528: sheet_cell_set_value (sheet.c:3062)
==6030==    by 0x4ED91D2: cmd_hyperlink_undo (commands.c:7229)
==6030==    by 0x4EDB3E3: command_undo (commands.c:396)
==6030==    by 0x4F9F687: cb_undo_activated (wbc-gtk.c:3349)
==6030==    by 0x88CF317: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E0CAC: ??? (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E89B8: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E8C71: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x6E4D8EF: ??? (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x6E4DE88: ??? (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x88CF317: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E0CAC: ??? (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E8688: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E8C71: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x6E7FDDC: gtk_accel_group_activate (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x6E8152C: gtk_accel_groups_activate (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x70BC405: gtk_window_activate_key (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x70BC490: ??? (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x6F73B4B: ??? (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x88CF317: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E0A6A: ??? (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E8688: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E8C71: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x709C483: ??? (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x6F720EE: ??? (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x6F73819: gtk_main_do_event (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x752C9D1: ??? (in /usr/lib64/libgdk-3.so.0.1000.4)
==6030==    by 0x8B5A315: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2)
==6030==    by 0x8B5A667: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
==6030==    by 0x8B5AA69: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2)
==6030==    by 0x6F72D64: gtk_main (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x403BF5: main (main-application.c:392)
==6030==  Address 0x23bb6290 is 16 bytes inside a block of size 56 free'd
==6030==    at 0x4C28ADC: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6030==    by 0x4F4E9AC: cb_empty_cell (sheet.c:4704)
==6030==    by 0x4F4FA06: sheet_foreach_cell_in_range (sheet.c:4086)
==6030==    by 0x4F507A7: sheet_clear_region (sheet.c:4771)
==6030==    by 0x4F50857: sheet_clear_region_cb (sheet.c:4799)
==6030==    by 0x4ED8D6A: cmd_generic_redo (commands.c:6642)
==6030==    by 0x4EDC0F4: gnm_command_push_undo (commands.c:717)
==6030==    by 0x4EE0FD9: cmd_selection_clear (commands.c:1659)
==6030==    by 0x4EFCD16: gnm_pane_key_press (gnm-pane.c:399)
==6030==    by 0x6F73B4B: ??? (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x88CF291: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E0A6A: ??? (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E8688: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E8C71: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x709C483: ??? (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x70B984A: gtk_window_propagate_key_event (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x70BC4AA: ??? (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x6F73B4B: ??? (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x88CF317: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E0A6A: ??? (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E8688: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x88E8C71: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.3800.2)
==6030==    by 0x709C483: ??? (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x6F720EE: ??? (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x6F73819: gtk_main_do_event (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x752C9D1: ??? (in /usr/lib64/libgdk-3.so.0.1000.4)
==6030==    by 0x8B5A315: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2)
==6030==    by 0x8B5A667: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
==6030==    by 0x8B5AA69: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2)
==6030==    by 0x6F72D64: gtk_main (in /usr/lib64/libgtk-3.so.0.1000.4)
==6030==    by 0x403BF5: main (main-application.c:392)
The issue here is that the command object holds a list of cells. That is not a safe practice. Due to the Delete at step 3, the cell pointers are no longer valid when we want to undo the hyperlink and things go downhill. (Some other Cell* now exists.)
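The use-after-free described in the comment above, as an added example that is not Gnumeric code and not part of this bug thread: a miniature sheet whose undo record either keeps the raw Cell* captured when the hyperlink command ran (the pattern the comment calls unsafe) or keeps only the cell position and re-resolves it when undoing. The Sheet, Cell, CellPos, HyperlinkCmdPtr and HyperlinkCmdPos types, the quarantine-and-poison stand-in for free(), and the replay() driver are all hypothetical constructions for this example; replay() walks the reporter's steps 2 to 4 and reports whether the hyperlink undo touched a freed cell.

```c
/* Added example, not Gnumeric's code.  An undo record holding Cell* goes
 * stale once a later command frees the cell; holding the position and
 * re-fetching the cell at undo time does not.  All types are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROWS 4
#define COLS 4
#define LIVE_MAGIC 0x4C495645u   /* "LIVE" */
#define DEAD_MAGIC 0xDEADBEEFu   /* written into a cell when it is freed */

typedef struct { int row, col; } CellPos;
typedef struct { unsigned magic; CellPos pos; char text[32]; } Cell;

typedef struct {
    Cell *cells[ROWS][COLS];   /* NULL means empty, like a sparse sheet */
    Cell *quarantine[64];      /* freed cells parked here, never reused */
    int   nquarantine;
} Sheet;

static Cell *sheet_cell_get(Sheet *s, CellPos p) { return s->cells[p.row][p.col]; }

/* Return the cell at p, allocating it if the position is empty. */
static Cell *sheet_cell_fetch(Sheet *s, CellPos p) {
    Cell *c = s->cells[p.row][p.col];
    if (!c) {
        c = calloc(1, sizeof *c);
        c->magic = LIVE_MAGIC;
        c->pos = p;
        s->cells[p.row][p.col] = c;
    }
    return c;
}

/* Delete the cell.  Instead of free(), poison the block and quarantine it so
 * a later stale access is detected deterministically rather than being UB
 * (a debug-allocator trick standing in for valgrind's report here). */
static void sheet_cell_remove(Sheet *s, CellPos p) {
    Cell *c = s->cells[p.row][p.col];
    if (!c) return;
    c->magic = DEAD_MAGIC;
    s->quarantine[s->nquarantine++] = c;
    s->cells[p.row][p.col] = NULL;
}

/* 0 on success, -1 when handed a freed cell (the "Invalid read" in the bug). */
static int cell_set_text(Cell *c, const char *text) {
    if (c->magic != LIVE_MAGIC) return -1;
    snprintf(c->text, sizeof c->text, "%s", text);
    return 0;
}

/* Unsafe undo record: keeps the Cell* captured when the command ran. */
typedef struct { Cell *cell; char old_text[32]; } HyperlinkCmdPtr;
/* Safe undo record: keeps the position; the cell is looked up again on undo. */
typedef struct { CellPos pos; char old_text[32]; } HyperlinkCmdPos;

static int undo_by_pointer(HyperlinkCmdPtr *cmd) {
    return cell_set_text(cmd->cell, cmd->old_text);          /* may be stale */
}
static int undo_by_position(Sheet *s, HyperlinkCmdPos *cmd) {
    return cell_set_text(sheet_cell_fetch(s, cmd->pos), cmd->old_text);
}

/* Replay the reporter's steps.  Returns the hyperlink undo's result and
 * copies A1's final text into final_text. */
static int replay(int store_pointer, char *final_text, size_t n) {
    Sheet s;
    CellPos a1 = {0, 0};
    memset(&s, 0, sizeof s);

    /* step 2: hyperlink into an empty cell; the target becomes the cell text */
    Cell *c = sheet_cell_fetch(&s, a1);
    HyperlinkCmdPtr by_ptr = { c, "" };
    HyperlinkCmdPos by_pos = { a1, "" };
    cell_set_text(c, "http://example.invalid/");

    /* step 3: Delete clears the cell, freeing the Cell the command remembers */
    sheet_cell_remove(&s, a1);

    /* step 4, first Ctrl+Z: undo the clear, which allocates a fresh Cell */
    cell_set_text(sheet_cell_fetch(&s, a1), "http://example.invalid/");

    /* step 4, second Ctrl+Z: undo the hyperlink */
    int rc = store_pointer ? undo_by_pointer(&by_ptr) : undo_by_position(&s, &by_pos);
    Cell *now = sheet_cell_get(&s, a1);
    snprintf(final_text, n, "%s", now ? now->text : "(empty)");

    for (int i = 0; i < s.nquarantine; i++) free(s.quarantine[i]);
    for (int r = 0; r < ROWS; r++) for (int k = 0; k < COLS; k++) free(s.cells[r][k]);
    return rc;
}

int main(void) {
    char t[32];
    printf("pointer-based undo:  rc=%d, A1=\"%s\"\n", replay(1, t, sizeof t), t);
    printf("position-based undo: rc=%d, A1=\"%s\"\n", replay(0, t, sizeof t), t);
    return 0;
}
```

With the pointer-holding record the second undo reaches the poisoned, quarantined block and is refused, and the link text left by the first undo survives; with the position-holding record the undo re-fetches the live replacement cell and restores the empty text the command originally saved. The quarantine is what makes the stale access observable in a test; in a real build the same access is undefined behaviour, which is why it only shows up reliably under valgrind or ASan.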
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.