GNOME Bugzilla – Bug 691796
CRASH when modifying a chart
Last modified: 2013-01-16 13:46:10 UTC
- Open the following files (in order and by the "Open" dialog since they have cross-references):
  https://docs.google.com/file/d/0BzX8dPORePBsbmdNbkd0Q1ZKX28/edit
  https://docs.google.com/file/d/0BzX8dPORePBsdzlJc3pQVWYyRk0/edit
  https://docs.google.com/file/d/0BzX8dPORePBseUt1TmR2dExURTA/edit
- Go to TI.gnumeric, sheet 'aCO2' and modify the first appearing chart
- remove PlotXY6 and apply => CRASH
Weird, and my machines are not powerful enough to run under valgrind with large files like those.
After simplifying the files I still get the crash and could run valgrind. I get:

==4300== Invalid read of size 8
==4300==    at 0x54200A9: cb_dataset_dim_changed (gog-data-set.c:160)
==4300==    by 0x7CB39A6: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x7CCC005: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x7CCC851: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x4EE4091: dependent_eval (dependent.c:1593)
==4300==    by 0x4EE8168: workbook_recalc (dependent.c:2696)
==4300==    by 0x4EC659F: gnm_app_recalc (application.c:1070)
==4300==    by 0x4ED1D52: update_after_action (commands.c:350)
==4300==    by 0x4ED97ED: gnm_command_push_undo (commands.c:718)
==4300==    by 0x7CB36DF: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x5472AAF: cb_graph_guru_clicked (gog-guru.c:1113)
==4300==    by 0x7CB36DF: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x7CC474F: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x7CCC6BB: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x7CCC851: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x63684E7: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.400.2)
==4300==    by 0x7CB36DF: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x7CC4072: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x7CCC6BB: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x7CCC851: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x6366802: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.400.2)
==4300==    by 0x642747E: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.400.2)
==4300==    by 0x7CB39A6: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x7CCC005: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x7CCC851: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==  Address 0x22856528 is 8 bytes inside a block of size 32 free'd
==4300==    at 0x4C28F5C: free (vg_replace_malloc.c:446)
==4300==    by 0x541B5C1: gog_smoothed_curve_finalize (gog-smoothed-curve.c:81)
==4300==    by 0x7CB8637: g_object_unref (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x7F5778C: g_slist_foreach (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==4300==    by 0x53E0CDF: gog_object_finalize (gog-object.c:236)
==4300==    by 0x7CB8637: g_object_unref (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x7F5778C: g_slist_foreach (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==4300==    by 0x53E0CDF: gog_object_finalize (gog-object.c:236)
==4300==    by 0x7CB8637: g_object_unref (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x5472D0C: cb_graph_guru_delete_item (gog-guru.c:550)
==4300==    by 0x7CB39A6: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3200.4)
==4300==    by 0x7CCC005: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-
Actually just removing the named smoothed curve fires the bug. If the name is cleared before removing the smoothed curve, there is no crash. Looks like the dataset is finalized but the name is not.
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.
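The lifetime problem discussed in this report (a block freed in a finalizer while the recalculation dependency list still points into it) can be reproduced in a small stand-alone model. This is an added example, not GOffice or Gnumeric code and not the actual fix; every type and function name is hypothetical, and it assumes, following the comment above, that the name slot is the one left linked at teardown.

```c
#include <stdlib.h>

/* Simplified model of the lifetime bug; not GOffice code, all names hypothetical. */
enum { DIM_NAME, DIM_X, DIM_Y, N_DIMS, MAX_DEPS = 16 };

typedef struct { double value; } Elem;      /* one dataset slot (name, x, y) */
typedef struct { Elem *dims; } Curve;       /* object owning N_DIMS slots */

static Elem *registry[MAX_DEPS];            /* stands in for the recalc dependency list */

static void dep_link(Elem *e) {
    for (int i = 0; i < MAX_DEPS; i++)
        if (registry[i] == NULL) { registry[i] = e; return; }
}

static void dep_unlink(Elem *e) {
    for (int i = 0; i < MAX_DEPS; i++)
        if (registry[i] == e) registry[i] = NULL;
}

static void registry_clear(void) {
    for (int i = 0; i < MAX_DEPS; i++) registry[i] = NULL;
}

static Curve *curve_new(void) {
    Curve *c = malloc(sizeof *c);
    if (c == NULL) abort();
    c->dims = calloc(N_DIMS, sizeof *c->dims);
    if (c->dims == NULL) abort();
    for (int d = 0; d < N_DIMS; d++) dep_link(&c->dims[d]);
    return c;
}

/* Unlinks slots first_dim..N_DIMS-1, then frees. Returns how many registry
 * entries still point into the block at the moment it is freed: each one is a
 * pointer the next recalculation would dereference after free. */
static int curve_finalize(Curve *c, int first_dim) {
    int dangling = 0;
    for (int d = first_dim; d < N_DIMS; d++) dep_unlink(&c->dims[d]);
    for (int i = 0; i < MAX_DEPS; i++)
        for (int d = 0; d < N_DIMS; d++)
            if (registry[i] == &c->dims[d]) dangling++;
    free(c->dims);
    free(c);
    return dangling;
}

/* Buggy teardown skips the name slot; the fixed one unlinks every slot. */
static int finalize_buggy(Curve *c) { return curve_finalize(c, DIM_X); }
static int finalize_fixed(Curve *c) { return curve_finalize(c, DIM_NAME); }
```

The count is taken before free() so the model never touches freed memory; in the real crash the stale entry is what valgrind reports as the invalid read.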