GNOME Bugzilla – Bug 765155
segfault associated with XYColor chart ... assertion 'n < gog_series_num_elements (series)'
Last modified: 2016-04-17 08:52:14 UTC
Created attachment 326164
demonstrate the segfault

See attached .gnumeric file.

Symptom #1: open the spreadsheet. Select a cell in column A. Then try to delete the column. Immediate segfault. Stack trace is attached.

Symptom #2: open the spreadsheet. Try to enter a number (e.g. 1) into the highlighted cell D9. Immediate segfault. Stack trace is attached.

The same symptoms were observed using 1.12.22 as distributed by Ubuntu. However, the aforementioned traces were prepared using the latest version, freshly compiled from a fresh git-pull:

commit 1a58d23634c58d58dec12300ed55f0d13d0e76b1
Author: Morten Welinder <terra@gnome.org>
Date: Fri Apr 1 19:38:01 2016 -0400

gnumeric version '1.12.29'
datadir := '/usr/local/share/gnumeric/1.12.29'
libdir := '/usr/local/lib/gnumeric/1.12.29'

uname -a
Linux asclepias 3.18.0+ #4 SMP Mon Jul 6 15:51:42 MST 2015 x86_64 x86_64 x86_64 GNU/Linux

lsb_release
LSB Version: core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch:core-4.1-amd64:core-4.1-noarch:cxx-3.0-amd64:cxx-3.0-noarch:cxx-3.1-amd64:cxx-3.1-noarch:cxx-3.2-amd64:cxx-3.2-noarch:cxx-4.0-amd64:cxx-4.0-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-3.1-amd64:desktop-3.1-noarch:desktop-3.2-amd64:desktop-3.2-noarch:desktop-4.0-amd64:desktop-4.0-noarch:desktop-4.1-amd64:desktop-4.1-noarch:graphics-2.0-amd64:graphics-2.0-noarch:graphics-3.0-amd64:graphics-3.0-noarch:graphics-3.1-amd64:graphics-3.1-noarch:graphics-3.2-amd64:graphics-3.2-noarch:graphics-4.0-amd64:graphics-4.0-noarch:graphics-4.1-amd64:graphics-4.1-noarch:languages-3.2-amd64:languages-3.2-noarch:languages-4.0-amd64:languages-4.0-noarch:languages-4.1-amd64:languages-4.1-noarch:multimedia-3.2-amd64:multimedia-3.2-noarch:multimedia-4.0-amd64:multimedia-4.0-noarch:multimedia-4.1-amd64:multimedia-4.1-noarch:printing-3.2-amd64:printing-3.2-noarch:printing-4.0-amd64:printing-4.0-noarch:printing-4.1-amd64:printing-4.1-noarch:qt4-3.1-amd64:qt4-3.1-noarch:security-4.0-amd64:security-4.0-noarch:security-4.1-amd64:security-4.1-noarch
Created attachment 326165
stack trace

Created attachment 326166
another stack trace
Confirmed. Here's valgrind's idea of the situation.

==10540== Invalid read of size 8
==10540==    at 0x14481E81: gog_xy_view_render (gog-xy.c:1569)
==10540==    by 0x544223E: gog_chart_view_render (gog-chart.c:1584)
==10540==    by 0x543ECD9: gog_graph_view_render (gog-graph.c:1026)
==10540==    by 0x543C541: gog_view_render (gog-view.c:892)
==10540==    by 0x547BCEB: gog_renderer_update (gog-renderer.c:1429)
==10540==    by 0x54263F8: goc_graph_draw (goc-graph.c:205)
==10540==    by 0x5426FE6: goc_group_draw_region (goc-group.c:150)
==10540==    by 0x5426FD3: goc_group_draw_region (goc-group.c:149)
==10540==    by 0x5426FD3: goc_group_draw_region (goc-group.c:149)
==10540==    by 0x54232DB: goc_canvas_draw (goc-canvas.c:119)
==10540==    by 0x590CD6D: _gtk_marshal_BOOLEAN__BOXEDv (gtkmarshalers.c:130)
==10540==    by 0x5A326AC: gtk_widget_draw_marshallerv (gtkwidget.c:1009)
==10540==    by 0x613355E: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4002.0)
==10540==    by 0x614C087: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4002.0)
==10540==    by 0x614CCE1: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4002.0)
==10540==    by 0x5A3FB95: _gtk_widget_draw_internal.part.62 (gtkwidget.c:6441)
==10540==    by 0x5A411DE: _gtk_widget_draw_internal (gtkwidget.c:6420)
==10540==    by 0x5A411DE: _gtk_widget_draw_windows (gtkwidget.c:6542)
==10540==    by 0x5A41443: _gtk_widget_draw (gtkwidget.c:6613)
==10540==    by 0x587A50C: gtk_container_propagate_draw (gtkcontainer.c:3528)
==10540==    by 0x587A5D1: gtk_container_draw (gtkcontainer.c:3363)
==10540==    by 0x58D2621: gtk_grid_draw (gtkgrid.c:1698)
==10540==    by 0x590CD6D: _gtk_marshal_BOOLEAN__BOXEDv (gtkmarshalers.c:130)
==10540==    by 0x5A326AC: gtk_widget_draw_marshallerv (gtkwidget.c:1009)
==10540==    by 0x613355E: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4002.0)
==10540==    by 0x614C087: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4002.0)
==10540==    by 0x614CCE1: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4002.0)
==10540==    by 0x5A3FB95: _gtk_widget_draw_internal.part.62 (gtkwidget.c:6441)
==10540==    by 0x5A41572: _gtk_widget_draw_internal (gtkwidget.c:6573)
==10540==    by 0x5A41572: _gtk_widget_draw (gtkwidget.c:6619)
==10540==    by 0x587A50C: gtk_container_propagate_draw (gtkcontainer.c:3528)
==10540==    by 0x5936EED: gtk_notebook_draw (gtknotebook.c:2599)
==10540==    by 0x590CD6D: _gtk_marshal_BOOLEAN__BOXEDv (gtkmarshalers.c:130)
==10540==    by 0x5A326AC: gtk_widget_draw_marshallerv (gtkwidget.c:1009)
==10540==    by 0x613355E: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4002.0)
==10540==    by 0x614C087: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4002.0)
==10540==    by 0x614CCE1: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4002.0)
==10540==    by 0x5A3FB95: _gtk_widget_draw_internal.part.62 (gtkwidget.c:6441)
==10540==    by 0x5A41572: _gtk_widget_draw_internal (gtkwidget.c:6573)
==10540==    by 0x5A41572: _gtk_widget_draw (gtkwidget.c:6619)
==10540==    by 0x587A50C: gtk_container_propagate_draw (gtkcontainer.c:3528)
==10540==    by 0x587A5D1: gtk_container_draw (gtkcontainer.c:3363)
==10540==    by 0x590CD6D: _gtk_marshal_BOOLEAN__BOXEDv (gtkmarshalers.c:130)
==10540==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.
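
Added illustration (not goffice code and not posted by anyone in this thread): a minimal C sketch of how a failed precondition like the one in the bug title can end in the "Invalid read of size 8" at address 0x10 that valgrind reports. It assumes the bounds-checked lookup logs and returns NULL, as GLib's g_return_val_if_fail() does, and that the caller then reads a pointer field at offset 0x10; the Element and Series types and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for a chart series; these are NOT goffice types. */
typedef struct { double x, y; void *style; } Element; /* style at offset 0x10 */
typedef struct { Element *elems; unsigned n_elems; } Series;

/* Mimics GLib's g_return_val_if_fail(): log a critical and return, no abort. */
#define RETURN_VAL_IF_FAIL(cond, val)                                   \
    do { if (!(cond)) {                                                 \
        fprintf(stderr, "CRITICAL: assertion '%s' failed\n", #cond);    \
        return (val); } } while (0)

static unsigned series_num_elements(const Series *s) { return s->n_elems; }

/* Bounds-checked lookup: an out-of-range index yields NULL, not a crash. */
static Element *series_get_element(Series *s, unsigned n)
{
    RETURN_VAL_IF_FAIL(n < series_num_elements(s), NULL);
    return &s->elems[n];
}

/* Address an unchecked caller would load when it reads elem->style.
 * Computed with integer arithmetic only, so nothing is dereferenced. */
static uintptr_t unchecked_fault_address(Series *s, unsigned n)
{
    Element *e = series_get_element(s, n);
    return (uintptr_t)e + offsetof(Element, style);
}

/* Hardened caller: a failed lookup means "skip this point". */
static int render_point_checked(Series *s, unsigned n, void **style_out)
{
    Element *e = series_get_element(s, n);
    if (e == NULL) return -1;
    *style_out = e->style;
    return 0;
}

int main(void)
{
    Element pts[2] = { {0.0, 0.0, NULL}, {1.0, 1.0, NULL} }; /* constructed; index 5 is stale */
    Series s = { pts, 2 };
    void *style = NULL;
    printf("unchecked read would hit %#lx\n", (unsigned long)unchecked_fault_address(&s, 5));
    printf("checked render returns %d\n", render_point_checked(&s, 5, &style));
    return 0;
}
```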