GNOME Bugzilla – Bug 558100
ssconvert/ssindex/ssgrep segmentation fault
Last modified: 2008-10-28 19:32:16 UTC
In the next Ubuntu version (Intrepid), the included versions of the programs ssconvert and ssindex cause a segmentation fault when you run them. The gnumeric version is 1.8.3. There are quite a few bug reports about this in Ubuntu's Launchpad, for example: https://bugs.launchpad.net/ubuntu/+source/gnumeric/+bug/270351

I can reproduce this problem with the trunk version. The following patch will fix this.
This is mildly strange unless something has changed below us. ssconvert is the work horse of the test suite.
Created attachment 121431 [details] [review]
Patch to stop ssconvert/ssindex segfault

I am not sure the patch is correct, please review. The patch moves the unref of the fontmap, so it is only unref'd after the fonts are unref'd. This might be an indication that there is some problem with the ref/unreffing of the fonts, I don't know, I do not understand all this pango code. The patch stops the segfaults, so it is at least pointing to the problem.
hiberis:tmp> gdb --args /usr/bin/ssconvert -T Gnumeric_stf:stf_csv Book1.gnumeric
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
(gdb) run
Starting program: /usr/bin/ssconvert -T Gnumeric_stf:stf_csv Book1.gnumeric
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 0xb6a6a910 (LWP 20615)]
Reading file:///tmp/Book1.gnumeric
Selected exporter (Gnumeric_stf:stf_csv) does not support saving multiple sheets in one file. Only the current sheet will be saved.
Writing file:///tmp/Book1.csv

Program received signal SIGSEGV, Segmentation fault.
[Trace 208778] Thread 3064375568 (LWP 20615)
hiberis:tmp> G_SLICE=always-malloc G_DEBUG=resident-modules valgrind --leak-check=full --freelist-vol=100000000 --num-callers=25 --leak-resolution=high --free-fill=0 /usr/bin/ssconvert -T Gnumeric_stf:stf_csv Book1.gnumeric
==24248== Memcheck, a memory error detector.
==24248== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==24248== Using LibVEX rev 1854, a library for dynamic binary translation.
==24248== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==24248== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework.
==24248== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==24248== For more details, rerun with: -v
==24248==
** ERROR **: Failed to generate long double NaN/+Inf/-Inf.
go_nanl=nan go_pinfl=inf go_ninfl=-inf
Please report at http://bugzilla.gnome.org/enter_bug.cgi?product=libgoffice
aborting...
==24248==
==24248== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 190 from 2)
==24248== malloc/free: in use at exit: 18,993 bytes in 658 blocks.
==24248== malloc/free: 1,047 allocs, 389 frees, 254,230 bytes allocated.
==24248== For counts of detected errors, rerun with: -v
==24248== searching for pointers to 658 not-freed blocks.
==24248== checked 645,916 bytes.
==24248==
==24248== 156 (36 direct, 120 indirect) bytes in 1 blocks are definitely lost in loss record 290 of 408
==24248==    at 0x4024D2E: malloc (vg_replace_malloc.c:207)
==24248==    by 0x43E1C30: (within /lib/tls/i686/cmov/libc-2.8.90.so)
==24248==    by 0x43E2565: __nss_database_lookup (in /lib/tls/i686/cmov/libc-2.8.90.so)
==24248==    by 0x5A7BF5B: ???
==24248==    by 0x5A7CCBE: ???
==24248==    by 0x4388B61: getpwnam_r (in /lib/tls/i686/cmov/libc-2.8.90.so)
==24248==    by 0x461F745: g_get_any_init_do (gutils.c:1596)
==24248==    by 0x462123C: g_get_home_dir (gutils.c:1747)
==24248==    by 0x40BB226: gutils_init (in /usr/lib/libspreadsheet-1.8.3.so)
==24248==    by 0x40CBF91: gnm_pre_parse_init (in /usr/lib/libspreadsheet-1.8.3.so)
==24248==    by 0x8049A2D: main (in /usr/bin/ssconvert)
==24248==
==24248== LEAK SUMMARY:
==24248==    definitely lost: 36 bytes in 1 blocks.
==24248==    indirectly lost: 120 bytes in 10 blocks.
==24248==      possibly lost: 0 bytes in 0 blocks.
==24248==    still reachable: 17,037 bytes in 602 blocks.
==24248==         suppressed: 1,800 bytes in 45 blocks.
==24248== Reachable blocks (those to which a pointer was found) are not shown.
==24248== To see them, rerun with: --leak-check=full --show-reachable=yes
Aborted
That valgrind run hit a bug in valgrind. (Gnumeric is pretty good at that, ;-) http://bugs.kde.org/show_bug.cgi?id=164298 In go_math_init, could you temporarily change that g_error to a g_warning and retry?
Okay, here is a new valgrind run, working around the valgrind bug as explained in comment 5. This run is with trunk, and with

    if (fontmap) {
        g_object_unref (fontmap);
        fontmap = NULL;
    }

added to the end of gnm_pango_context_get.

hiberis:gnumeric> G_SLICE=always-malloc G_DEBUG=resident-modules valgrind --leak-check=full --freelist-vol=100000000 --num-callers=25 --leak-resolution=high --free-fill=0 ~/localgnumeric/bin/ssconvert -T Gnumeric_stf:stf_csv Book1.gnumeric
==17909== Memcheck, a memory error detector.
==17909== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==17909== Using LibVEX rev 1854, a library for dynamic binary translation.
==17909== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==17909== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework.
==17909== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==17909== For more details, rerun with: -v
==17909==
** (/home/hib/localgnumeric/bin/ssconvert:17909): WARNING **: Running under buggy valgrind, see http://bugs.kde.org/show_bug.cgi?id=164298
Selected exporter (Gnumeric_stf:stf_csv) does not support saving multiple sheets in one file. Only the current sheet will be saved.
==17909== Invalid read of size 4
==17909==    at 0x49E04CA: _pango_fc_font_map_remove (pangofc-fontmap.c:592)
==17909==    by 0x49DF87A: pango_fc_font_finalize (pangofc-font.c:153)
==17909==    by 0x4A23E00: pango_cairo_fc_font_finalize (pangocairo-fcfont.c:95)
==17909==    by 0x5096DB2: g_object_unref (gobject.c:2417)
==17909==    by 0x412DFAF: gnm_font_unref (style.c:236)
==17909==    by 0x412E0F6: gnm_font_shutdown (style.c:405)
==17909==    by 0x40C9474: gnm_shutdown (libgnumeric.c:341)
==17909==    by 0x8049D47: main (ssconvert.c:405)
==17909==  Address 0x57b4a0c is 12 bytes inside a block of size 76 free'd
==17909==    at 0x4023B4A: free (vg_replace_malloc.c:323)
==17909==    by 0x5109C05: g_free (gmem.c:190)
==17909==    by 0x50B4B88: g_type_free_instance (gtype.c:1717)
==17909==    by 0x4C38B68: pango_context_finalize (pango-context.c:97)
==17909==    by 0x5096DB2: g_object_unref (gobject.c:2417)
==17909==    by 0x412E280: gnm_font_init (style.c:364)
==17909==    by 0x40C95D1: gnm_init (libgnumeric.c:270)
==17909==    by 0x8049C88: main (ssconvert.c:380)
==17909==
==17909== Invalid read of size 4
==17909==    at 0x49E0530: _pango_fc_font_map_remove (pangofc-fontmap.c:600)
==17909==    by 0x49DF87A: pango_fc_font_finalize (pangofc-font.c:153)
==17909==    by 0x4A23E00: pango_cairo_fc_font_finalize (pangocairo-fcfont.c:95)
==17909==    by 0x5096DB2: g_object_unref (gobject.c:2417)
==17909==    by 0x412DFAF: gnm_font_unref (style.c:236)
==17909==    by 0x412E0F6: gnm_font_shutdown (style.c:405)
==17909==    by 0x40C9474: gnm_shutdown (libgnumeric.c:341)
==17909==    by 0x8049D47: main (ssconvert.c:405)
==17909==  Address 0xc is not stack'd, malloc'd or (recently) free'd
==17909==
==17909== Process terminating with default action of signal 11 (SIGSEGV)
==17909==  Access not within mapped region at address 0xC
==17909==    at 0x49E0530: _pango_fc_font_map_remove (pangofc-fontmap.c:600)
==17909==    by 0x49DF87A: pango_fc_font_finalize (pangofc-font.c:153)
==17909==    by 0x4A23E00: pango_cairo_fc_font_finalize (pangocairo-fcfont.c:95)
==17909==    by 0x5096DB2: g_object_unref (gobject.c:2417)
==17909==    by 0x412DFAF: gnm_font_unref (style.c:236)
==17909==    by 0x412E0F6: gnm_font_shutdown (style.c:405)
==17909==    by 0x40C9474: gnm_shutdown (libgnumeric.c:341)
==17909==    by 0x8049D47: main (ssconvert.c:405)
==17909==
==17909== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 227 from 2)
==17909== malloc/free: in use at exit: 2,020,758 bytes in 12,072 blocks.
==17909== malloc/free: 148,660 allocs, 136,588 frees, 26,684,317 bytes allocated.
==17909== For counts of detected errors, rerun with: -v
==17909== searching for pointers to 12,072 not-freed blocks.
==17909== checked 2,641,676 bytes.
==17909==
==17909==
==17909== 14 bytes in 1 blocks are possibly lost in loss record 1,233 of 4,575
==17909==    at 0x4022DE2: calloc (vg_replace_malloc.c:397)
==17909==    by 0x5109CEB: g_malloc0 (gmem.c:151)
==17909==    by 0x4C3CC30: pango_language_from_string (pango-language.c:296)
==17909==    by 0x4C3CF8D: pango_language_get_default (pango-language.c:247)
==17909==    by 0x4C3930D: pango_context_init (pango-context.c:69)
==17909==    by 0x50B61C2: g_type_create_instance (gtype.c:1674)
==17909==    by 0x509A3D4: g_object_constructor (gobject.c:1334)
==17909==    by 0x509AC05: g_object_newv (gobject.c:1211)
==17909==    by 0x509B7D6: g_object_new_valist (gobject.c:1274)
==17909==    by 0x509B94D: g_object_new (gobject.c:1056)
==17909==    by 0x4C39286: pango_context_new (pango-context.c:131)
==17909==    by 0x4C3A655: pango_font_map_create_context (pango-fontmap.c:71)
==17909==    by 0x412DE81: gnm_pango_context_get (style.c:298)
==17909==    by 0x412E1EB: gnm_font_init (style.c:330)
==17909==    by 0x40C95D1: gnm_init (libgnumeric.c:270)
==17909==    by 0x8049C88: main (ssconvert.c:380)
==17909==
==17909==
==17909== 20 bytes in 1 blocks are possibly lost in loss record 2,722 of 4,575
==17909==    at 0x4022DE2: calloc (vg_replace_malloc.c:397)
==17909==    by 0x5109CEB: g_malloc0 (gmem.c:151)
==17909==    by 0x504850C: ORBit_alloc_tcval (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5044A78: ORBit_small_allocbuf (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50534D2: (within /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50536FD: PortableServer_POA_servant_to_reference (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x4DA5DB3: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA5F5C: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA6E65: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA7E33: gconf_engine_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DAF797: gconf_client_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x43562BC: go_conf_init (go-conf-gconf.c:16)
==17909==    by 0x432B403: libgoffice_init (goffice.c:119)
==17909==    by 0x40C954B: gnm_init (libgnumeric.c:256)
==17909==    by 0x8049C88: main (ssconvert.c:380)
==17909==
==17909==
==17909== 28 bytes in 1 blocks are possibly lost in loss record 3,029 of 4,575
==17909==    at 0x4022DE2: calloc (vg_replace_malloc.c:397)
==17909==    by 0x5109CEB: g_malloc0 (gmem.c:151)
==17909==    by 0x5048495: ORBit_alloc_by_tc (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504350C: ORBit_small_alloc (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504EE62: (within /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504FD15: ORBit_demarshal_IOR (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50466E4: ORBit_demarshal_object (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504D122: ORBit_demarshal_value (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5043B59: (within /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504484C: ORBit_small_invoke_stub (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5044A48: ORBit_small_invoke_stub_n (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50517A9: ORBit_c_stub_invoke (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x4DB2DED: ConfigServer_get_default_database (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA7089: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA7E33: gconf_engine_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DAF797: gconf_client_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x43562BC: go_conf_init (go-conf-gconf.c:16)
==17909==    by 0x432B403: libgoffice_init (goffice.c:119)
==17909==    by 0x40C954B: gnm_init (libgnumeric.c:256)
==17909==    by 0x8049C88: main (ssconvert.c:380)
==17909==
==17909==
==17909== 28 bytes in 1 blocks are possibly lost in loss record 3,031 of 4,575
==17909==    at 0x4022DE2: calloc (vg_replace_malloc.c:397)
==17909==    by 0x5109CEB: g_malloc0 (gmem.c:151)
==17909==    by 0x5048495: ORBit_alloc_by_tc (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504350C: ORBit_small_alloc (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x505428B: (within /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5057AE1: ORBit_OAObject_object_to_objkey (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5050774: IOP_generate_profiles (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50469DE: ORBit_marshal_object (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504DCB3: ORBit_marshal_value (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5043204: (within /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50447EE: ORBit_small_invoke_stub (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5044A48: ORBit_small_invoke_stub_n (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50517A9: ORBit_c_stub_invoke (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x4DB2CF3: ConfigServer_add_client (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA5F72: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA6E65: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA7E33: gconf_engine_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DAF797: gconf_client_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x43562BC: go_conf_init (go-conf-gconf.c:16)
==17909==    by 0x432B403: libgoffice_init (goffice.c:119)
==17909==    by 0x40C954B: gnm_init (libgnumeric.c:256)
==17909==    by 0x8049C88: main (ssconvert.c:380)
==17909==
==17909==
==17909== 28 bytes in 1 blocks are possibly lost in loss record 3,032 of 4,575
==17909==    at 0x4022DE2: calloc (vg_replace_malloc.c:397)
==17909==    by 0x5109CEB: g_malloc0 (gmem.c:151)
==17909==    by 0x5048495: ORBit_alloc_by_tc (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504350C: ORBit_small_alloc (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50534AD: (within /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50536FD: PortableServer_POA_servant_to_reference (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x4DA5DB3: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA5F5C: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA6E65: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA7E33: gconf_engine_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DAF797: gconf_client_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x43562BC: go_conf_init (go-conf-gconf.c:16)
==17909==    by 0x432B403: libgoffice_init (goffice.c:119)
==17909==    by 0x40C954B: gnm_init (libgnumeric.c:256)
==17909==    by 0x8049C88: main (ssconvert.c:380)
==17909==
==17909==
==17909== 28 bytes in 1 blocks are possibly lost in loss record 3,033 of 4,575
==17909==    at 0x4022DE2: calloc (vg_replace_malloc.c:397)
==17909==    by 0x5109CEB: g_malloc0 (gmem.c:151)
==17909==    by 0x5048495: ORBit_alloc_by_tc (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504350C: ORBit_small_alloc (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504EE62: (within /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504FD15: ORBit_demarshal_IOR (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50466E4: ORBit_demarshal_object (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5041AEE: CORBA_ORB_string_to_object (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x4D97768: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4D97963: gconf_activate_server (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA5F28: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA6E65: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA7E33: gconf_engine_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DAF797: gconf_client_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x43562BC: go_conf_init (go-conf-gconf.c:16)
==17909==    by 0x432B403: libgoffice_init (goffice.c:119)
==17909==    by 0x40C954B: gnm_init (libgnumeric.c:256)
==17909==    by 0x8049C88: main (ssconvert.c:380)
==17909==
==17909==
==17909== 32 bytes in 1 blocks are possibly lost in loss record 3,068 of 4,575
==17909==    at 0x4022DE2: calloc (vg_replace_malloc.c:397)
==17909==    by 0x5109CEB: g_malloc0 (gmem.c:151)
==17909==    by 0x504850C: ORBit_alloc_tcval (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5044A78: ORBit_small_allocbuf (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5057BCD: ORBit_adaptor_setup (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5054816: (within /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x505619F: ORBit_POA_setup_root (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x503A8E5: ORBit_init_internals (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5042161: CORBA_ORB_init (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x4D975BE: gconf_orb_get (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4D9774D: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4D97963: gconf_activate_server (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA5F28: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA6E65: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA7E33: gconf_engine_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DAF797: gconf_client_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x43562BC: go_conf_init (go-conf-gconf.c:16)
==17909==    by 0x432B403: libgoffice_init (goffice.c:119)
==17909==    by 0x40C954B: gnm_init (libgnumeric.c:256)
==17909==    by 0x8049C88: main (ssconvert.c:380)
==17909==
==17909==
==17909== 156 (36 direct, 120 indirect) bytes in 1 blocks are definitely lost in loss record 3,210 of 4,575
==17909==    at 0x4024D2E: malloc (vg_replace_malloc.c:207)
==17909==    by 0x52B2C30: (within /lib/tls/i686/cmov/libc-2.8.90.so)
==17909==    by 0x52B3565: __nss_database_lookup (in /lib/tls/i686/cmov/libc-2.8.90.so)
==17909==    by 0x5AA5F5B: ???
==17909==    by 0x5AA6CBE: ???
==17909==    by 0x5259B61: getpwnam_r (in /lib/tls/i686/cmov/libc-2.8.90.so)
==17909==    by 0x5136745: g_get_any_init_do (gutils.c:1596)
==17909==    by 0x513823C: g_get_home_dir (gutils.c:1747)
==17909==    by 0x40B8854: gutils_init (gutils.c:82)
==17909==    by 0x40C9751: gnm_pre_parse_init (libgnumeric.c:215)
==17909==    by 0x8049B9D: main (ssconvert.c:359)
==17909==
==17909==
==17909== 40 bytes in 1 blocks are possibly lost in loss record 3,343 of 4,575
==17909==    at 0x4022DE2: calloc (vg_replace_malloc.c:397)
==17909==    by 0x5109CEB: g_malloc0 (gmem.c:151)
==17909==    by 0x504850C: ORBit_alloc_tcval (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5044A78: ORBit_small_allocbuf (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504EE7E: (within /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504FD15: ORBit_demarshal_IOR (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50466E4: ORBit_demarshal_object (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504D122: ORBit_demarshal_value (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5043B59: (within /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504484C: ORBit_small_invoke_stub (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5044A48: ORBit_small_invoke_stub_n (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50517A9: ORBit_c_stub_invoke (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x4DB2DED: ConfigServer_get_default_database (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA7089: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA7E33: gconf_engine_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DAF797: gconf_client_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x43562BC: go_conf_init (go-conf-gconf.c:16)
==17909==    by 0x432B403: libgoffice_init (goffice.c:119)
==17909==    by 0x40C954B: gnm_init (libgnumeric.c:256)
==17909==    by 0x8049C88: main (ssconvert.c:380)
==17909==
==17909==
==17909== 40 bytes in 1 blocks are possibly lost in loss record 3,344 of 4,575
==17909==    at 0x4022DE2: calloc (vg_replace_malloc.c:397)
==17909==    by 0x5109CEB: g_malloc0 (gmem.c:151)
==17909==    by 0x504850C: ORBit_alloc_tcval (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5044A78: ORBit_small_allocbuf (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50542AD: (within /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5057AE1: ORBit_OAObject_object_to_objkey (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5050774: IOP_generate_profiles (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50469DE: ORBit_marshal_object (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504DCB3: ORBit_marshal_value (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5043204: (within /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50447EE: ORBit_small_invoke_stub (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5044A48: ORBit_small_invoke_stub_n (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50517A9: ORBit_c_stub_invoke (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x4DB2CF3: ConfigServer_add_client (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA5F72: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA6E65: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA7E33: gconf_engine_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DAF797: gconf_client_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x43562BC: go_conf_init (go-conf-gconf.c:16)
==17909==    by 0x432B403: libgoffice_init (goffice.c:119)
==17909==    by 0x40C954B: gnm_init (libgnumeric.c:256)
==17909==    by 0x8049C88: main (ssconvert.c:380)
==17909==
==17909==
==17909== 40 bytes in 1 blocks are possibly lost in loss record 3,359 of 4,575
==17909==    at 0x4022DE2: calloc (vg_replace_malloc.c:397)
==17909==    by 0x5109CEB: g_malloc0 (gmem.c:151)
==17909==    by 0x504850C: ORBit_alloc_tcval (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5044A78: ORBit_small_allocbuf (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504EE7E: (within /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x504FD15: ORBit_demarshal_IOR (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x50466E4: ORBit_demarshal_object (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x5041AEE: CORBA_ORB_string_to_object (in /usr/lib/libORBit-2.so.0.1.0)
==17909==    by 0x4D97768: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4D97963: gconf_activate_server (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA5F28: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA6E65: (within /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DA7E33: gconf_engine_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x4DAF797: gconf_client_get_default (in /usr/lib/libgconf-2.so.4.1.5)
==17909==    by 0x43562BC: go_conf_init (go-conf-gconf.c:16)
==17909==    by 0x432B403: libgoffice_init (goffice.c:119)
==17909==    by 0x40C954B: gnm_init (libgnumeric.c:256)
==17909==    by 0x8049C88: main (ssconvert.c:380)
==17909==
==17909==
==17909== 148 (128 direct, 20 indirect) bytes in 1 blocks are definitely lost in loss record 4,312 of 4,575
==17909==    at 0x4024D2E: malloc (vg_replace_malloc.c:207)
==17909==    by 0x4CF39F6: (within /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CF43E7: (within /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CF44FE: (within /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CF9FDE: (within /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x5379EC3: (within /usr/lib/libexpat.so.1.5.2)
==17909==    by 0x537AC10: (within /usr/lib/libexpat.so.1.5.2)
==17909==    by 0x537C5EE: (within /usr/lib/libexpat.so.1.5.2)
==17909==    by 0x537CCE6: (within /usr/lib/libexpat.so.1.5.2)
==17909==    by 0x537368B: XML_ParseBuffer (in /usr/lib/libexpat.so.1.5.2)
==17909==    by 0x4CF7F1D: FcConfigParseAndLoad (in /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CF8265: FcConfigParseAndLoad (in /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CF954E: (within /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x5379EC3: (within /usr/lib/libexpat.so.1.5.2)
==17909==    by 0x537AC10: (within /usr/lib/libexpat.so.1.5.2)
==17909==    by 0x537C5EE: (within /usr/lib/libexpat.so.1.5.2)
==17909==    by 0x537CCE6: (within /usr/lib/libexpat.so.1.5.2)
==17909==    by 0x537368B: XML_ParseBuffer (in /usr/lib/libexpat.so.1.5.2)
==17909==    by 0x4CF7F1D: FcConfigParseAndLoad (in /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CED3D1: FcInitLoadConfig (in /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CED4EB: FcInitLoadConfigAndFonts (in /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CED5FC: FcInit (in /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CE459E: FcConfigGetCurrent (in /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CE4D44: FcConfigSubstituteWithPat (in /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CE4D86: FcConfigSubstitute (in /usr/lib/libfontconfig.so.1.3.0)
==17909==
==17909==
==17909== 1,052 (384 direct, 668 indirect) bytes in 1 blocks are definitely lost in loss record 4,483 of 4,575
==17909==    at 0x4024E4C: realloc (vg_replace_malloc.c:429)
==17909==    by 0x4CF3971: (within /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CE36B1: (within /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CE4B7D: FcConfigSubstituteWithPat (in /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x4CF0A28: FcFontRenderPrepare (in /usr/lib/libfontconfig.so.1.3.0)
==17909==    by 0x49E1E9A: pango_fc_font_map_load_fontset (pangofc-fontmap.c:1095)
==17909==    by 0x4C3A569: pango_font_map_load_fontset (pango-fontmap.c:138)
==17909==    by 0x49E24D4: pango_fc_font_map_load_font (pangofc-fontmap.c:1154)
==17909==    by 0x4C3A5F2: pango_font_map_load_font (pango-fontmap.c:95)
==17909==    by 0x4C389B2: pango_context_load_font (pango-context.c:291)
==17909==    by 0x412DCC3: style_font_new_simple (style.c:127)
==17909==    by 0x412E232: gnm_font_init (style.c:332)
==17909==    by 0x40C95D1: gnm_init (libgnumeric.c:270)
==17909==    by 0x8049C88: main (ssconvert.c:380)
==17909==
==17909== LEAK SUMMARY:
==17909==    definitely lost: 548 bytes in 3 blocks.
==17909==    indirectly lost: 808 bytes in 44 blocks.
==17909==      possibly lost: 298 bytes in 10 blocks.
==17909==    still reachable: 2,003,160 bytes in 11,686 blocks.
==17909==         suppressed: 15,944 bytes in 329 blocks.
==17909== Reachable blocks (those to which a pointer was found) are not shown.
==17909== To see them, rerun with: --leak-check=full --show-reachable=yes
Segmentation fault
Backtrace for a build from trunk (this one is using different pango functions than the default Ubuntu 1.8.3 version in comment 3):

hiberis:gnumeric> gdb --args ~/localgnumeric/bin/ssconvert -T Gnumeric_stf:stf_csv
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) run
Starting program: /home/hib/localgnumeric/bin/ssconvert -T Gnumeric_stf:stf_csv
[Thread debugging using libthread_db enabled]
[New Thread 0xb69d3700 (LWP 18765)]
Usage: /home/hib/localgnumeric/bin/ssconvert [OPTION...] INFILE [OUTFILE]

Program received signal SIGSEGV, Segmentation fault.
[Trace 208781] Thread 3063756544 (LWP 18765)
Behdad, could you please have a look at this fragment from comment 6? Basically, we are unref-ing a PangoFont at a time where we have long since unref'd the fontmap and the context. This used to be just fine, but now it appears that something in pango is using the context without owning a reference.

Only the current sheet will be saved.
==17909== Invalid read of size 4
==17909==    at 0x49E04CA: _pango_fc_font_map_remove (pangofc-fontmap.c:592)
==17909==    by 0x49DF87A: pango_fc_font_finalize (pangofc-font.c:153)
==17909==    by 0x4A23E00: pango_cairo_fc_font_finalize (pangocairo-fcfont.c:95)
==17909==    by 0x5096DB2: g_object_unref (gobject.c:2417)
==17909==    by 0x412DFAF: gnm_font_unref (style.c:236)
==17909==    by 0x412E0F6: gnm_font_shutdown (style.c:405)
==17909==    by 0x40C9474: gnm_shutdown (libgnumeric.c:341)
==17909==    by 0x8049D47: main (ssconvert.c:405)
==17909==  Address 0x57b4a0c is 12 bytes inside a block of size 76 free'd
==17909==    at 0x4023B4A: free (vg_replace_malloc.c:323)
==17909==    by 0x5109C05: g_free (gmem.c:190)
==17909==    by 0x50B4B88: g_type_free_instance (gtype.c:1717)
==17909==    by 0x4C38B68: pango_context_finalize (pango-context.c:97)
==17909==    by 0x5096DB2: g_object_unref (gobject.c:2417)
==17909==    by 0x412E280: gnm_font_init (style.c:364)
==17909==    by 0x40C95D1: gnm_init (libgnumeric.c:270)
==17909==    by 0x8049C88: main (ssconvert.c:380)
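The lifetime problem described in the comment above, as an added C model written for this page (it is not gnumeric or pango code): one refcounted "map" stands in for the fontmap/context pair, each font keeps a back-pointer to it, and the font finalizer calls back into the map the way the trace shows (_pango_fc_font_map_remove from pango_fc_font_finalize). The function names, the three-font count and the liveness flag that replaces a real free() are assumptions made so that a dangling access can be counted instead of crashing the process. The replay covers the ordering that crashed, the reordering from the attached patch, and the invariant a library-side fix has to provide (each font owns a reference on its map).

```c
#include <stdio.h>

/* Constructed model. Each object carries a reference count and, instead of
 * a real free(), a liveness flag: real GObject code frees the memory, here
 * the storage stays so that a touch of a dead object can be counted. */
typedef struct {
    int refs;
    int alive;
} Obj;

typedef struct {
    Obj obj;
    int bad_removes;    /* finalizer callbacks that arrived after we died */
} FontMap;

typedef struct {
    Obj obj;
    FontMap *map;       /* back-pointer to the map that created the font */
    int holds_map_ref;  /* 1 if the font owns a reference on map */
} Font;

typedef struct {
    int bad_removes;    /* dangling accesses during shutdown */
    int map_leaked;     /* 1 if the map was never finalized */
} Outcome;

static void obj_init(Obj *o) { o->refs = 1; o->alive = 1; }
static void obj_ref(Obj *o)  { o->refs++; }

static void fontmap_unref(FontMap *m)
{
    if (--m->obj.refs == 0)
        m->obj.alive = 0;   /* the real code frees the memory here */
}

/* Stand-in for the callback in the font finalizer shown in the trace: the
 * dying font tells its map to forget it. With the map already finalized
 * this is the invalid read valgrind flagged. */
static int fontmap_remove(FontMap *m, const Font *f)
{
    (void)f;
    if (!m->obj.alive) {
        m->bad_removes++;
        return -1;
    }
    return 0;
}

static void font_unref(Font *f)
{
    if (--f->obj.refs == 0) {
        fontmap_remove(f->map, f);
        if (f->holds_map_ref)       /* release our own map reference last */
            fontmap_unref(f->map);
        f->obj.alive = 0;
    }
}

/* Replays the init/shutdown sequence visible in the valgrind trace.
 *   map_unref_at_init: 1 = drop the caller's map reference as soon as the
 *                      fonts exist (the ordering that crashed);
 *                      0 = drop it only after the fonts are gone (the patch).
 *   font_refs_map:     1 = every font holds its own reference on the map. */
static Outcome replay_shutdown(int map_unref_at_init, int font_refs_map)
{
    FontMap map;
    Font fonts[3];                      /* three fonts: assumed count */
    Outcome out;
    int i;

    obj_init(&map.obj);
    map.bad_removes = 0;
    for (i = 0; i < 3; i++) {           /* fonts loaded at init */
        obj_init(&fonts[i].obj);
        fonts[i].map = &map;
        fonts[i].holds_map_ref = font_refs_map;
        if (font_refs_map)
            obj_ref(&map.obj);
    }

    if (map_unref_at_init)
        fontmap_unref(&map);            /* caller's unref during init */

    for (i = 0; i < 3; i++)             /* shutdown: fonts released */
        font_unref(&fonts[i]);

    if (!map_unref_at_init)
        fontmap_unref(&map);            /* the patch: map released after fonts */

    out.bad_removes = map.bad_removes;
    out.map_leaked = map.obj.alive;
    return out;
}

int main(void)
{
    Outcome o;
    o = replay_shutdown(1, 0);
    printf("crash order, fonts hold no map ref: %d dangling, leaked=%d\n", o.bad_removes, o.map_leaked);
    o = replay_shutdown(0, 0);
    printf("patched order, no map ref:          %d dangling, leaked=%d\n", o.bad_removes, o.map_leaked);
    o = replay_shutdown(1, 1);
    printf("crash order, fonts hold map ref:    %d dangling, leaked=%d\n", o.bad_removes, o.map_leaked);
    return 0;
}
```

Compile with cc -Wall. The first replay reproduces the ordering from the trace (one dangling access per font), the second is the reordering in the attached patch, and the third shows that once each font owns a reference on its map the caller's unref order no longer matters, with the map still fully released in every case.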
When I downgrade to libpango1.0-0_1.20.5-0ubuntu1_i386, the problem goes away... so the bug is most likely in pango 1.22.
For the record: this bug is in Ubuntu's Intrepid, with libpango1.0-0_1.22.1-0ubuntu1_i386.deb
Behdad, I think this bug might be caused by http://svn.gnome.org/viewvc/pango?view=revision&revision=2704
Created attachment 121480 [details]
A simple example program showing the bug in pango.

The attached program does what happens in Gnumeric/ssconvert to cause a segmentation fault with pango 2.22.
Pango bug 558254 filed to get this on their radar. Note that the Gnumeric binary ought to be affected too. I am guessing that we have a lucky leak. I will install a workaround, but that will not help deployed binaries.
Ack. It's a bug. Debugging.
Work-around committed to both branches. Hib: you might want to poke the right Ubuntu people to get the fix from bug 558254 into Ubuntu's build.
pango-1.22.2 will be hitting an ftp mirror near you soon.