GNOME Bugzilla – Bug 128874
Crash / assertion failure recipe
Last modified: 2004-12-22 21:47:04 UTC
[Originally reported as http://bugs.debian.org/223402]

Subject: Bug#223402: gnumeric: Crashes while playing with chart values and labels
Date: Mon, 08 Dec 2003 19:51:56 -0500
Package: gnumeric
Version: 1.2.2-1
Severity: normal

So I can convince gnumeric to seg fault, like so:

1. Open gnumeric with no arguments.
2. Enter 1 in A1 and 2 in B1.
3. Click the "chart guru" button, choose the middle "column" option (minor categories stacked in vertical columns), and drag a location for the chart.
4. Right-click the chart and select "properties".
5. Click "Series1", and specify "Sheet1!$A$1" for both "Values" and "Labels".
6. Click "PlotBarCol1".
7. Click "Series1" again, and specify "Sheet1!$B$1" for both "Values" and "Labels".
8. Click "Y-Axis1".
9. Boom.

This isn't 100% reproducible (more like 50%), so I assume that the exact crash depends on something more specific than I've listed here, but any similar toying with "Values" and "Labels", mixed with clicking away from "Series1" and back again, pretty reliably crashes the thing as well.

A typical stack trace from the crash looks like this:

Program received signal SIGSEGV, Segmentation fault.
Trace 42457
Thread 1090942656 (LWP 18276)
valgrind shows the first sign of trouble as being here:

==18321== Invalid read of size 1
==18321==    at 0x81FB08A: go_data_vector_get_len (go-data.c:223)
==18321==    by 0x81EE5A8: gog_axis_num_markers (gog-axis.c:906)
==18321==    by 0x81EEA0F: gog_axis_view_size_request (gog-axis.c:983)
==18321==    by 0x820AA49: gog_view_size_request (gog-view.c:419)
==18321==    by 0x81EBCE2: gog_chart_view_size_allocate (gog-chart.c:519)
==18321==    by 0x820AB75: gog_view_size_allocate (gog-view.c:446)
==18321==    by 0x81EA58F: gog_graph_view_size_allocate (gog-graph.c:557)
==18321==    by 0x820AB75: gog_view_size_allocate (gog-view.c:446)
==18321==    by 0x820AD10: gog_view_update_sizes (gog-view.c:461)
==18321==    by 0x8201E86: gog_renderer_pixbuf_update (gog-renderer-pixbuf.c:681)
==18321==    by 0x82025B7: gog_control_foocanvas_update (gog-control-foocanvas.c:197)
==18321==    by 0x8221501: foo_canvas_item_invoke_update (foo-canvas.c:433)
==18321==    by 0x82232D8: foo_canvas_group_update (foo-canvas.c:1383)
==18321==    by 0x8221501: foo_canvas_item_invoke_update (foo-canvas.c:433)
==18321==    by 0x8225D7D: do_update (foo-canvas.c:2916)
==18321==    by 0x8225E69: idle_handler (foo-canvas.c:2951)
==18321==  Address 0x471ED118 is 12 bytes inside a block of size 88 free'd
==18321==    at 0x4002CD67: free (vg_replace_malloc.c:231)
==18321==    by 0x408AD902: (within /usr/X11R6/lib/libX11.so.6.2)
==18321==    by 0x412A11A5: XftGlyphSpecCore (in /usr/lib/libXft.so.2.1.1)
==18321==    by 0x412A3EF1: XftDrawGlyphSpec (in /usr/lib/libXft.so.2.1.1)
==18321==    by 0x40CDC57F: (within /usr/lib/libpangoxft-1.0.so.0.200.5)
==18321==    by 0x40CDCA5C: pango_xft_render (in /usr/lib/libpangoxft-1.0.so.0.200.5)
==18321==    by 0x40C7813D: (within /usr/lib/libgdk-x11-2.0.so.0.200.4)
==18321==    by 0x40C544BB: gdk_draw_glyphs (in /usr/lib/libgdk-x11-2.0.so.0.200.4)
==18321==    by 0x40C5DF34: (within /usr/lib/libgdk-x11-2.0.so.0.200.4)
==18321==    by 0x40C544BB: gdk_draw_glyphs (in /usr/lib/libgdk-x11-2.0.so.0.200.4)
==18321==    by 0x40C6A353: (within /usr/lib/libgdk-x11-2.0.so.0.200.4)
==18321==    by 0x40C544BB: gdk_draw_glyphs (in /usr/lib/libgdk-x11-2.0.so.0.200.4)
==18321==    by 0x40C5A027: gdk_draw_layout_line_with_colors (in /usr/lib/libgdk-x11-2.0.so.0.200.4)
==18321==    by 0x40C5A6FD: gdk_draw_layout_with_colors (in /usr/lib/libgdk-x11-2.0.so.0.200.4)
==18321==    by 0x40C5A9B0: gdk_draw_layout (in /usr/lib/libgdk-x11-2.0.so.0.200.4)
==18321==    by 0x40B12EED: (within /usr/lib/libgtk-x11-2.0.so.0.200.4)

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux pogo.intelio.com 2.6.0-test7 #1 Wed Oct 8 19:02:06 EDT 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages gnumeric depends on:
ii  gconf2                2.4.0.1-2      GNOME configuration database syste
ii  gsfonts               6.0-2.1        Fonts for the ghostscript interpre
ii  libart-2.0-2          2.3.16-1       Library of functions for 2D graphi
ii  libatk1.0-0           1.4.1-1        The ATK accessibility toolkit
ii  libaudiofile0         0.2.3-4        The Audiofile Library
ii  libbonobo2-0          2.4.2-1        Bonobo CORBA interfaces library
ii  libbonoboui2-0        2.4.0-4        The Bonobo UI library
ii  libbz2-1.0            1.0.2-1        A high-quality block-sorting file
ii  libc6                 2.3.2.ds1-10   GNU C Library: Shared libraries an
ii  libesd0               0.2.29-1       Enlightened Sound Daemon - Shared
ii  libfontconfig1        2.2.1-13       generic font configuration library
ii  libfreetype6          2.1.7-1        FreeType 2 font engine, shared lib
ii  libgconf2-4           2.4.0.1-2      GNOME configuration database syste
ii  libgcrypt1            1.1.12-4       LGPL Crypto library - runtime libr
ii  libglade2-0           2.0.1-6        Library to load .glade files at ru
ii  libglib2.0-0          2.2.3-1        The GLib library of C routines
ii  libgnome2-0           2.4.0-4        The GNOME 2 library - runtime file
ii  libgnomecanvas2-0     2.4.0-1        A powerful object-oriented display
ii  libgnomeprint2.2-0    2.4.2-1        The GNOME 2.2 print architecture -
ii  libgnomeprintui2.2-0  2.4.2-1        The GNOME 2.2 print architecture U
ii  libgnomeui-0          2.4.0.1-5      The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0        2.4.1-4        The GNOME virtual file-system libr
ii  libgnomevfs2-common   2.4.1-4        The GNOME virtual file-system libr
ii  libgnutls7            0.8.12-3       GNU TLS library - runtime library
ii  libgsf-1              1.8.2-5        Structured File Library - runtime
ii  libgsf-gnome-1        1.8.2-5        Structured File Library - runtime
ii  libgtk2.0-0           2.2.4-2        The GTK+ graphical user interface
ii  libjpeg62             6b-9           The Independent JPEG Group's JPEG
ii  liborbit2             1:2.8.2-1.1    Libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0         1.2.5-2.1      Layout and rendering of internatio
ii  libpopt0              1.7-3          lib for parsing cmdline parameters
ii  libtasn1-0            0.1.2-1        Manage ASN.1 structures (runtime)
ii  libxml2               2.6.2-1        GNOME XML library
ii  xlibs                 4.3.0-0ds4     X Window System client libraries
ii  zlib1g                1:1.2.1-2      compression library - runtime

-- no debconf information
I've not yet been able to reproduce the crash, but the recipe does reliably trigger an assertion failure "** (gnumeric:13766): CRITICAL **: file ../../src/graph.c: line 573 (gnm_go_data_vector_get_str): assertion `vec->val != NULL' failed".
No crash here, but...

** (pgn:13731): WARNING **: Hmm, nothing to worry about, but this should not happen. How did a style change externally while it was visible ?

No purify events, apart from a set of large leaks:

MLK: 40600 bytes leaked in 25 blocks
  This memory was allocated from:
    malloc                                  [rtlib.o pc=0x69988]
    g_malloc                                [gmem.c:136 pc=0xf9fd1c64]
    gdk_pixdata_serialize                   [gdk-pixdata.c:121 pc=0xfaf53994]
    go_pattern_selector                     [go-pattern.c:252 pc=0x32c508]
    populate_pattern_combo                  [gog-style.c:316 pc=0x302420]
    fill_pattern_init                       [gog-style.c:392 pc=0x302ce8]
    fill_init                               [gog-style.c:725 pc=0x304470]
    gog_style_editor                        [gog-style.c:967 pc=0x305574]
    gog_series_editor                       [gog-series.c:134 pc=0x30fc80]
    gog_object_get_editor                   [gog-object.c:569 pc=0x2eed4c]
    cb_attr_tree_selection_change           [gog-guru.c:751 pc=0x317784]
    g_cclosure_marshal_VOID__VOID           [gmarshal.c:77 pc=0xfa448bbc]
    g_closure_invoke                        [gclosure.c:437 pc=0xfa4106e0]
    signal_emit_unlocked_R                  [gsignal.c:2436 pc=0xfa446780]
    g_signal_emit_valist                    [gsignal.c:2195 pc=0xfa4436d0]
    g_signal_emit                           [gsignal.c:2239 pc=0xfa443b84]
    _gtk_tree_selection_internal_select_node [gtktreeselection.c:1435 pc=0xfab9ec34]
    gtk_tree_view_real_set_cursor           [gtktreeview.c:10168 pc=0xfabd65f4]
    gtk_tree_view_button_press              [gtktreeview.c:2171 pc=0xfabb6358]
    _gtk_marshal_BOOLEAN__BOXED             [gtkmarshalers.c:82 pc=0xfa9eb36c]
    g_type_class_meta_marshal               [gclosure.c:514 pc=0xfa410d98]
    g_closure_invoke                        [gclosure.c:437 pc=0xfa4106e0]
    signal_emit_unlocked_R                  [gsignal.c:2474 pc=0xfa4470ac]
    g_signal_emit_valist                    [gsignal.c:2205 pc=0xfa443754]
    g_signal_emit                           [gsignal.c:2239 pc=0xfa443b84]
  Block of 1624 bytes (25 times); last block at 0x15ae610
I can replicate the crash. It would have been nice to get purify confirmation so that we could see who is unrefing the GOData.
Ahh, I see. Simple to fix the crash. The leak isn't too bad either. I'll tweak the other selectors to be clearer too.
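As an added illustration (not code from gnumeric, goffice, or anyone in this thread), here is the ownership mistake the last two comments point at: a consumer caching a pointer to a refcounted data vector without holding a reference of its own, so that whoever legitimately unrefs the vector frees it out from under the consumer, and the next go_data_vector_get_len() is the "Invalid read ... inside a block ... free'd" that valgrind reported. The GoDataVector model, the Series and Axis structs and every function name below are assumptions chosen for readability; the real GOData API is not reproduced, and the fix actually committed for this bug is not known from the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative refcounted data vector standing in for GOData: an assumed model, not gnumeric's code. */
typedef struct { int refcount; double *val; unsigned len; } GoDataVector;

static int live_vectors = 0;                   /* allocation bookkeeping for the demo */

GoDataVector *go_data_vector_new(const double *vals, unsigned len)
{
    GoDataVector *v = calloc(1, sizeof *v);
    if (!v) abort();
    v->val = malloc(len * sizeof *v->val);
    if (!v->val) abort();
    memcpy(v->val, vals, len * sizeof *v->val);
    v->len = len;
    v->refcount = 1;
    live_vectors++;
    return v;
}

GoDataVector *go_data_ref(GoDataVector *v) { if (v) v->refcount++; return v; }

/* Returns the remaining count; 0 means this call destroyed the vector. */
int go_data_unref(GoDataVector *v)
{
    if (!v) return 0;
    if (--v->refcount > 0) return v->refcount;
    free(v->val);
    free(v);
    live_vectors--;
    return 0;
}

/* The read that valgrind flagged in the report: fine on a live object, undefined on a freed one. */
unsigned go_data_vector_get_len(const GoDataVector *v) { return v ? v->len : 0; }

/* A series owns exactly one reference to its values. */
typedef struct { GoDataVector *values; } Series;

void series_set_values(Series *s, GoDataVector *v)
{
    GoDataVector *old = s->values;
    s->values = go_data_ref(v);                /* ref the new one first, so v == old is harmless */
    go_data_unref(old);                        /* destroys old if nobody else holds it */
}

/* Hardened axis: it owns a reference for as long as it caches the pointer, so the series
   re-pointing itself (step 7 of the recipe) cannot free the vector under it. */
typedef struct { GoDataVector *labels; } Axis;

void axis_set_labels(Axis *ax, GoDataVector *v)
{
    GoDataVector *old = ax->labels;
    ax->labels = go_data_ref(v);
    go_data_unref(old);
}

unsigned axis_num_markers(const Axis *ax) { return go_data_vector_get_len(ax->labels); }

typedef struct { unsigned before_resync, after_resync; int live_at_end; } Scenario;

/* Replays "Series1 moves from $A$1 to $B$1, then Y-Axis1 asks for its markers" with the hardened axis. */
Scenario scenario_owned(void)
{
    double a_vals[] = { 1.0 }, b_vals[] = { 2.0, 2.5 };   /* constructed sample data */
    GoDataVector *a = go_data_vector_new(a_vals, 1);
    GoDataVector *b = go_data_vector_new(b_vals, 2);
    Series s = { NULL };
    Axis ax = { NULL };
    Scenario r;

    series_set_values(&s, a);
    axis_set_labels(&ax, s.values);
    go_data_unref(a);                          /* drop the creation ref: series and axis hold A */
    series_set_values(&s, b);                  /* series lets go of A; the axis still keeps it alive */
    go_data_unref(b);
    r.before_resync = axis_num_markers(&ax);   /* 1, read from a live object */
    axis_set_labels(&ax, s.values);            /* re-sync: A is destroyed here, B is current */
    r.after_resync = axis_num_markers(&ax);    /* 2 */
    axis_set_labels(&ax, NULL);
    series_set_values(&s, NULL);
    r.live_at_end = live_vectors;              /* 0: nothing leaked */
    return r;
}

int main(void)
{
    Scenario r = scenario_owned();
    printf("hardened axis: %u markers before re-sync, %u after, %d vectors live at exit\n",
           r.before_resync, r.after_resync, r.live_at_end);
#ifdef DEMO_UAF
    /* cc -g -DDEMO_UAF demo.c && valgrind ./a.out (or -fsanitize=address) reproduces the
       "Invalid read ... inside a block ... free'd" shape of the report: a borrowed pointer. */
    double a_vals[] = { 1.0 }, b_vals[] = { 2.0 };
    GoDataVector *a = go_data_vector_new(a_vals, 1), *b = go_data_vector_new(b_vals, 1);
    Series s = { NULL };
    series_set_values(&s, a);
    GoDataVector *borrowed = s.values;         /* cached without a reference (the bug pattern) */
    go_data_unref(a);                          /* only the series holds A now */
    series_set_values(&s, b);                  /* series lets go of A: A is destroyed */
    go_data_unref(b);
    printf("borrowed pointer: %u markers\n", go_data_vector_get_len(borrowed)); /* use-after-free */
    series_set_values(&s, NULL);
#endif
    return 0;
}
```

The default build only exercises the hardened variant and exits with no live vectors; build with -DDEMO_UAF and run under valgrind or AddressSanitizer to see the borrowed-pointer read reported at go_data_vector_get_len, with the free attributed to whichever caller dropped the last reference. Note that valgrind names the site that last freed the block, which is why a frame in an unrelated library can appear in the free'd trace when the block has since been recycled.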