GNOME Bugzilla – Bug 323811
Crash pasting ref to array after source has been closed
Last modified: 2006-10-10 17:50:28 UTC
Steps to reproduce: 1. Open the attached spreadsheet 2. Select Sheet1:A1:A2 3. Edit/Copy 4. File/New 5. Close the first spreadsheet window 6. Edit/Paste in the remainding spreadsheet window Stack trace:
+ Trace 64539
Other information:
Created attachment 55868 [details] Example spreadsheet
In the backtrace, 'deps' is the deps of sheet 2, which has already been finalized.
The problems start at the time the first sheet is closed: FMR: Free memory read (3 times) This is occurring while in: x_clipboard_get_cb [gui-clipboard.c:734 pc=0xfb4bf0ec] selection_get_cb [gtkclipboard.c:326 pc=0xfa4b4260] _gtk_marshal_VOID__BOXED_UINT_UINT [gtkmarshalers.c:1338 pc=0xfa5e886c] g_closure_invoke [gclosure.c:490 pc=0xf9a9f8d0] signal_emit_unlocked_R [gsignal.c:2449 pc=0xf9ac8030] g_signal_emit_valist [gsignal.c:2208 pc=0xf9ac4cf4] g_signal_emit_by_name [gsignal.c:2276 pc=0xf9ac5de4] gtk_selection_invoke_handler [gtkselection.c:2476 pc=0xfa663734] _gtk_selection_request [gtkselection.c:1873 pc=0xfa662060] _gtk_marshal_BOOLEAN__BOXED [gtkmarshalers.c:83 pc=0xfa5e6588] g_type_class_meta_marshal [gclosure.c:567 pc=0xf9a9fd48] g_closure_invoke [gclosure.c:490 pc=0xf9a9f8d0] signal_emit_unlocked_R [gsignal.c:2487 pc=0xf9ac8b0c] g_signal_emit_valist [gsignal.c:2218 pc=0xf9ac4d78] g_signal_emit [gsignal.c:2252 pc=0xf9ac5228] gtk_widget_event_internal [gtkwidget.c:3649 pc=0xfa79fcf0] gtk_widget_event [gtkwidget.c:3437 pc=0xfa79f6c0] gtk_main_do_event [gtkmain.c:1417 pc=0xfa5e2c64] gdk_event_dispatch [gdkevents-x11.c:2259 pc=0xfa9ebe10] g_main_dispatch [gmain.c:1913 pc=0xf99bbebc] g_main_context_dispatch [gmain.c:2463 pc=0xf99bdea0] g_main_context_iterate [gmain.c:2544 pc=0xf99be5c4] g_main_loop_run [gmain.c:2748 pc=0xf99bf180] bonobo_main [bonobo-main.c:297 pc=0xfa0a866c] main [main-application.c:466 pc=0x5c870] Reading 4 bytes from 0x761628 in the heap. Address 0x761628 is 16 bytes into a freed block at 0x761618 of 296 bytes. This block was allocated from: malloc [rtlib.o pc=0x2d6f0] calloc [rtlib.o pc=0x2e874] g_malloc0 [gmem.c:154 pc=0xf99c7cc4] g_type_create_instance [gtype.c:1550 pc=0xf9ad0d5c] g_object_constructor [gobject.c:1021 pc=0xf9aa57f8] g_object_newv [gobject.c:918 pc=0xf9aa479c] g_object_new_valist [gobject.c:1002 pc=0xf9aa5770] g_object_new [gobject.c:789 pc=0xf9aa3ebc] sheet_new_with_type [sheet.c:723 pc=0xfb532d38] sheet_new [sheet.c:761 pc=0xfb532e7c] xml_sheet_create [xml-io.c:2246 pc=0xfb5bb8f8] xml_workbook_read [xml-io.c:2361 pc=0xfb5bbea4] gnumeric_xml_read_workbook [xml-io.c:2694 pc=0xfb5bcfa0] go_file_opener_open_real [file.c:83 pc=0xfbb7cfac] go_file_opener_open [file.c:289 pc=0xfbb7da80] wb_view_new_from_input [workbook-view.c:976 pc=0xfb59df58] wb_view_new_from_uri [workbook-view.c:1027 pc=0xfb59e0a4] main [main-application.c:410 pc=0x5c630] _start [crt1.o pc=0x254d0] There have been 32517 frees since this block was freed.
gmorten, could you make sure that this stacktrace is for pasting into another window of the same process? This is more like what I'd expect between different gnumeric processes or between gnumeric and something else.
One process only, but this is not from pasting [item 6], but from the simple act of closing [item 5].
The crash and the FMR are probably unrelated. I tested with current CVS, and still get the segfault when following steps 1-6. I suspect gmorten did 1-3 and 5. Valgrind didn't show an FMR for this case.
I think bug 323762 is closely related. In both cases, the clipboard refers to a sheet in a workbook which has been destroyed.
Fixed in the development version. The fix will be available in the next major release. Thank you for your bug report.