GNOME Bugzilla – Bug 587428
Failure to detect invalid printarea
Last modified: 2009-07-01 04:25:17 UTC
Steps to reproduce:
- Download Attachment 100476 (.xls file from Bug 502206)
- ssconvert attachment.xls /tmp/foo.pdf

Valgrind log:

** (/home/s/cvs/gnumeric/src/.libs/lt-ssconvert:20353): CRITICAL **: sheet_col_get: assertion `pos >= 0' failed
** (/home/s/cvs/gnumeric/src/.libs/lt-ssconvert:20353): CRITICAL **: sheet_row_get: assertion `pos >= 0' failed
** (/home/s/cvs/gnumeric/src/.libs/lt-ssconvert:20353): CRITICAL **: sheet_row_get_distance_pts: assertion `from >= 0' failed
** (/home/s/cvs/gnumeric/src/.libs/lt-ssconvert:20353): CRITICAL **: sheet_col_get_distance_pts: assertion `from >= 0' failed
** (/home/s/cvs/gnumeric/src/.libs/lt-ssconvert:20353): CRITICAL **: sheet_col_get: assertion `pos >= 0' failed
** (/home/s/cvs/gnumeric/src/.libs/lt-ssconvert:20353): CRITICAL **: sheet_row_get: assertion `pos >= 0' failed
==20353== Conditional jump or move depends on uninitialised value(s)
==20353==    at 0x417884B: style_row (sheet-style.c:1371)
==20353==    by 0x41785AF: get_style_row (sheet-style.c:1428)
==20353==    by 0x4178635: get_style_row (sheet-style.c:1436)
==20353==    by 0x4178635: get_style_row (sheet-style.c:1436)
==20353==    by 0x4178635: get_style_row (sheet-style.c:1436)
==20353==    by 0x4178B12: sheet_style_get_row (sheet-style.c:1463)
==20353==    by 0x41CBF45: gnm_gtk_print_cell_range (print-cell.c:327)
==20353==    by 0x41C6DB6: print_page_cells (print.c:196)
==20353==    by 0x41C7EDF: print_page (print.c:574)
==20353==    by 0x41C9969: gnm_draw_page_cb (print.c:1288)
==20353==    by 0x490DA02: (within /usr/lib/libgtk-x11-2.0.so.0.1600.1)
==20353==    by 0x4E73C7A: g_closure_invoke (gclosure.c:767)
==20353==
==20353== Conditional jump or move depends on uninitialised value(s)
==20353==    at 0x4178860: style_row (sheet-style.c:1371)
==20353==    by 0x41785AF: get_style_row (sheet-style.c:1428)
==20353==    by 0x4178635: get_style_row (sheet-style.c:1436)
==20353==    by 0x4178635: get_style_row (sheet-style.c:1436)
==20353==    by 0x4178635: get_style_row (sheet-style.c:1436)
==20353==    by 0x4178B12: sheet_style_get_row (sheet-style.c:1463)
==20353==    by 0x41CBF45: gnm_gtk_print_cell_range (print-cell.c:327)
==20353==    by 0x41C6DB6: print_page_cells (print.c:196)
==20353==    by 0x41C7EDF: print_page (print.c:574)
==20353==    by 0x41C9969: gnm_draw_page_cb (print.c:1288)
==20353==    by 0x490DA02: (within /usr/lib/libgtk-x11-2.0.so.0.1600.1)
==20353==    by 0x4E73C7A: g_closure_invoke (gclosure.c:767)
** (/home/s/cvs/gnumeric/src/.libs/lt-ssconvert:20353): CRITICAL **: sheet_col_get: assertion `pos >= 0' failed
** (/home/s/cvs/gnumeric/src/.libs/lt-ssconvert:20353): CRITICAL **: sheet_row_get: assertion `pos >= 0' failed
==20353==
==20353== Conditional jump or move depends on uninitialised value(s)
==20353==    at 0x4121E60: gnm_style_get_pattern (mstyle.c:1110)
==20353==    by 0x412F467: gnumeric_background_set_gtk (pattern.c:183)
==20353==    by 0x41CB620: print_cell_background_gtk (print-cell.c:166)
==20353==    by 0x41CC4BB: gnm_gtk_print_cell_range (print-cell.c:476)
==20353==    by 0x41C6DB6: print_page_cells (print.c:196)
==20353==    by 0x41C7EDF: print_page (print.c:574)
==20353==    by 0x41C9969: gnm_draw_page_cb (print.c:1288)
==20353==    by 0x490DA02: (within /usr/lib/libgtk-x11-2.0.so.0.1600.1)
==20353==    by 0x4E73C7A: g_closure_invoke (gclosure.c:767)
==20353==    by 0x4E89E56: signal_emit_unlocked_R (gsignal.c:3247)
==20353==    by 0x4E8B4B8: g_signal_emit_valist (gsignal.c:2980)
==20353==    by 0x4E8B935: g_signal_emit (gsignal.c:3037)
==20353==
==20353== Use of uninitialised value of size 4
==20353==    at 0x4121E8E: gnm_style_get_pattern (mstyle.c:1111)
==20353==    by 0x412F467: gnumeric_background_set_gtk (pattern.c:183)
==20353==    by 0x41CB620: print_cell_background_gtk (print-cell.c:166)
==20353==    by 0x41CC4BB: gnm_gtk_print_cell_range (print-cell.c:476)
==20353==    by 0x41C6DB6: print_page_cells (print.c:196)
==20353==    by 0x41C7EDF: print_page (print.c:574)
==20353==    by 0x41C9969: gnm_draw_page_cb (print.c:1288)
==20353==    by 0x490DA02: (within /usr/lib/libgtk-x11-2.0.so.0.1600.1)
==20353==    by 0x4E73C7A: g_closure_invoke (gclosure.c:767)
==20353==    by 0x4E89E56: signal_emit_unlocked_R (gsignal.c:3247)
==20353==    by 0x4E8B4B8: g_signal_emit_valist (gsignal.c:2980)
==20353==    by 0x4E8B935: g_signal_emit (gsignal.c:3037)
==20353==
==20353== Process terminating with default action of signal 11 (SIGSEGV)
==20353==  Access not within mapped region at address 0x7
==20353==    at 0x4121E8E: gnm_style_get_pattern (mstyle.c:1111)
==20353==    by 0x412F467: gnumeric_background_set_gtk (pattern.c:183)
==20353==    by 0x41CB620: print_cell_background_gtk (print-cell.c:166)
==20353==    by 0x41CC4BB: gnm_gtk_print_cell_range (print-cell.c:476)
==20353==    by 0x41C6DB6: print_page_cells (print.c:196)
==20353==    by 0x41C7EDF: print_page (print.c:574)
==20353==    by 0x41C9969: gnm_draw_page_cb (print.c:1288)
==20353==    by 0x490DA02: (within /usr/lib/libgtk-x11-2.0.so.0.1600.1)
==20353==    by 0x4E73C7A: g_closure_invoke (gclosure.c:767)
==20353==    by 0x4E89E56: signal_emit_unlocked_R (gsignal.c:3247)
==20353==    by 0x4E8B4B8: g_signal_emit_valist (gsignal.c:2980)
==20353==    by 0x4E8B935: g_signal_emit (gsignal.c:3037)
==20353==  If you believe this happened as a result of a stack overflow in your
==20353==  program's main thread (unlikely but possible), you can try to increase
==20353==  the size of the main thread stack using the --main-stacksize= flag.
==20353==  The main thread stack size used in this run was 67108864.
Segmentation fault
We fail to catch an invalid printarea:

Breakpoint 1, sheet_get_nominal_printarea (sheet=0x8e67078) at sheet.c:2059
2059		g_return_val_if_fail (IS_SHEET (sheet), NULL);
(gdb) n
2061		parse_pos_init_sheet (&pos, sheet);
(gdb)
2062		nexpr = expr_name_lookup (&pos, "Print_Area");
(gdb) p pos
$1 = {eval = {col = 0, row = 0}, sheet = 0x8e67078, wb = 0x8e60418}
(gdb) n
2063		if (nexpr == NULL)
(gdb) p nexpr
$2 = (GnmNamedExpr *) 0x8e5ae28
(gdb) n
2066		val = gnm_expr_top_get_range (nexpr->texpr);
(gdb)
2067		if (val == NULL)
(gdb) p val
$3 = (GnmValue *) 0x8e5e118
(gdb) p *val
$4 = {type = VALUE_CELLRANGE, v_any = {type = VALUE_CELLRANGE, fmt = 0x0}, v_bool = {type = VALUE_CELLRANGE, fmt = 0x0, val = 149319800}, v_float = {type = VALUE_CELLRANGE, fmt = 0x0, val = -nan(0xfffff08e67078)}, v_err = {type = VALUE_CELLRANGE, fmt = 0x0, mesg = 0x8e67078}, v_str = {type = VALUE_CELLRANGE, fmt = 0x0, val = 0x8e67078}, v_range = {type = VALUE_CELLRANGE, fmt = 0x0, cell = {a = {sheet = 0x8e67078, col = -1, row = -1, col_relative = 1 '\001', row_relative = 1 '\001'}, b = {sheet = 0x8e67078, col = 0, row = 0, col_relative = 0 '\0', row_relative = 0 '\0'}}}, v_array = {type = VALUE_CELLRANGE, fmt = 0x0, x = 149319800, y = -1, vals = 0xffffffff}}
(gdb) n
2070		r_ref = value_get_rangeref (val);
(gdb)
2071		value_release (val);
(gdb) p r_ref
$5 = (const GnmRangeRef *) 0x8e5e120
(gdb) p *r_ref
$6 = {a = {sheet = 0x8e67078, col = -1, row = -1, col_relative = 1 '\001', row_relative = 1 '\001'}, b = {sheet = 0x8e67078, col = 0, row = 0, col_relative = 0 '\0', row_relative = 0 '\0'}}
(gdb)
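The gdb session above shows the root cause: the Print_Area named expression from the .xls file resolves to a range whose first corner is a relative (-1,-1) evaluated at (0,0), so a negative column and row reach sheet_col_get/sheet_row_get and, further down, an uninitialised style is dereferenced. What the loader needs is a bounds check on the resolved range before it is handed to the printing code. The following is an added example of such a check, not Gnumeric's own code: the CellRef/RangeRef structs are constructed stand-ins that only mirror the field names visible in the gdb output, the sheet limits (256 columns, 65536 rows) are assumed, and printarea_resolve and the helper functions are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the GnmCellRef / GnmRangeRef fields seen in the
 * gdb output above (assumption: NOT Gnumeric's real types). */
typedef struct {
    int  col;           /* offset when col_relative is set, absolute index otherwise */
    int  row;
    bool col_relative;
    bool row_relative;
} CellRef;

typedef struct {
    CellRef a;          /* first corner  */
    CellRef b;          /* second corner */
} RangeRef;

/* A resolved, normalised rectangle of absolute 0-based cell indices. */
typedef struct {
    int start_col, start_row, end_col, end_row;
} CellRange;

/* Sheet size assumed for the example (classic .xls limits); a real
 * implementation would read the limits from the sheet object. */
#define SHEET_COLS 256
#define SHEET_ROWS 65536

static int resolve_axis(int value, bool relative, int eval_pos)
{
    return relative ? eval_pos + value : value;
}

/* Resolve r against the evaluation position (eval_col, eval_row).
 * Returns true and fills *out only when every corner lies inside the sheet;
 * a negative index (this bug's case) or one past the last column/row is
 * rejected before any downstream code can index a column or row with it. */
bool printarea_resolve(const RangeRef *r, int eval_col, int eval_row,
                       int sheet_cols, int sheet_rows, CellRange *out)
{
    int c1 = resolve_axis(r->a.col, r->a.col_relative, eval_col);
    int r1 = resolve_axis(r->a.row, r->a.row_relative, eval_row);
    int c2 = resolve_axis(r->b.col, r->b.col_relative, eval_col);
    int r2 = resolve_axis(r->b.row, r->b.row_relative, eval_row);

    if (c1 < 0 || r1 < 0 || c2 < 0 || r2 < 0)
        return false;
    if (c1 >= sheet_cols || c2 >= sheet_cols || r1 >= sheet_rows || r2 >= sheet_rows)
        return false;

    /* Normalise so start <= end whichever corner was written first. */
    out->start_col = c1 < c2 ? c1 : c2;
    out->end_col   = c1 < c2 ? c2 : c1;
    out->start_row = r1 < r2 ? r1 : r2;
    out->end_row   = r1 < r2 ? r2 : r1;
    return true;
}

/* The reference captured in the gdb session ($6): a = (-1,-1) relative, b = (0,0) absolute. */
static const RangeRef bug_ref = { { -1, -1, true, true }, { 0, 0, false, false } };

/* Number of cells the captured reference covers when evaluated at (eval_col, eval_row),
 * or -1 when the check rejects it. At (0,0), the parse position shown in $1, it is rejected. */
int bug_ref_cell_count_at(int eval_col, int eval_row)
{
    CellRange rect;
    if (!printarea_resolve(&bug_ref, eval_col, eval_row, SHEET_COLS, SHEET_ROWS, &rect))
        return -1;
    return (rect.end_col - rect.start_col + 1) * (rect.end_row - rect.start_row + 1);
}

/* True when the absolute range A1:(col,row) fits inside the assumed sheet. */
bool abs_range_in_bounds(int col, int row)
{
    CellRange rect;
    RangeRef r = { { 0, 0, false, false }, { col, row, false, false } };
    return printarea_resolve(&r, 0, 0, SHEET_COLS, SHEET_ROWS, &rect);
}

int main(void)
{
    printf("Print_Area at (0,0): %d cells (-1 = rejected)\n", bug_ref_cell_count_at(0, 0));
    printf("Print_Area at (3,3): %d cells\n", bug_ref_cell_count_at(3, 3));
    printf("A1:IV65536 in bounds: %s\n", abs_range_in_bounds(255, 65535) ? "yes" : "no");
    printf("A1:IW1 in bounds: %s\n", abs_range_in_bounds(256, 0) ? "yes" : "no");
    return 0;
}
```

The check is deliberately placed at the boundary where untrusted file content (the named expression) becomes an internal coordinate; the g_return_val_if_fail criticals in the Valgrind log fire much later, after the bad indices have already been used, which is why they are followed by reads of uninitialised memory and the crash.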
I have fixed the criticals. Please verify whether the valgrind problems have disappeared too.

This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.