Bug 765483 - segfault on array+scalar formula in chart Z data
segfault on array+scalar formula in chart Z data
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: Charting
Version: git master
OS: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Jean Bréfort
QA Contact: Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2016-04-23 22:53 UTC by John Denker
Modified: 2016-04-24 06:57 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
exhibit segfault with scalar offset (3.18 KB, application/x-gnumeric)
2016-04-23 22:53 UTC, John Denker
stack trace of segfault (2.72 KB, text/plain)
2016-04-23 22:53 UTC, John Denker

Description John Denker 2016-04-23 22:53:05 UTC
Created attachment 326611 [details]
exhibit segfault with scalar offset

Recipe:
Open attached .gnumeric file.
Click on chart -> Series 1 -> Data -> Z
Edit the Z data by _appending_ a +1
so that it reads 'timelike(2)'!$C$6:$G$11+1
Finalize by hitting <tab> or <enter>.

Observe core dump.
See attached stack trace.

I conjecture this has something to do with /surface/ plots.
I fairly routinely enter formulas of this general form (array+scalar)
into plain old two-dimensional plots without difficulty.

Workaround: Compute the desired values on the sheet, not in the chart data popup.

This is not a new bug. All the same symptoms are observed with gnumeric 1.12.29 as distributed by Ubuntu ... and also with a freshly compiled git master.

================================

:; /usr/local/bin/gnumeric --version
gnumeric version '1.12.29'
datadir := '/usr/local/share/gnumeric/1.12.29'
libdir := '/usr/local/lib/gnumeric/1.12.29'


:; uname -a
Linux asclepias 3.18.0+ #4 SMP Mon Jul 6 15:51:42 MST 2015 x86_64 x86_64 x86_64 GNU/Linux

:; lsb_release 
LSB Version:    core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch:core-4.1-amd64:core-4.1-noarch:cxx-3.0-amd64:cxx-3.0-noarch:cxx-3.1-amd64:cxx-3.1-noarch:cxx-3.2-amd64:cxx-3.2-noarch:cxx-4.0-amd64:cxx-4.0-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-3.1-amd64:desktop-3.1-noarch:desktop-3.2-amd64:desktop-3.2-noarch:desktop-4.0-amd64:desktop-4.0-noarch:desktop-4.1-amd64:desktop-4.1-noarch:graphics-2.0-amd64:graphics-2.0-noarch:graphics-3.0-amd64:graphics-3.0-noarch:graphics-3.1-amd64:graphics-3.1-noarch:graphics-3.2-amd64:graphics-3.2-noarch:graphics-4.0-amd64:graphics-4.0-noarch:graphics-4.1-amd64:graphics-4.1-noarch:languages-3.2-amd64:languages-3.2-noarch:languages-4.0-amd64:languages-4.0-noarch:languages-4.1-amd64:languages-4.1-noarch:multimedia-3.2-amd64:multimedia-3.2-noarch:multimedia-4.0-amd64:multimedia-4.0-noarch:multimedia-4.1-amd64:multimedia-4.1-noarch:printing-3.2-amd64:printing-3.2-noarch:printing-4.0-amd64:printing-4.0-noarch:printing-4.1-amd64:printing-4.1-noarch:qt4-3.1-amd64:qt4-3.1-noarch:security-4.0-amd64:security-4.0-noarch:security-4.1-amd64:security-4.1-noarch
Comment 1 John Denker 2016-04-23 22:53:37 UTC
Created attachment 326612 [details]
stack trace of segfault
Comment 2 Morten Welinder 2016-04-24 00:57:20 UTC
Confirmed.  Here's valgrind's view on the matter.

==12736== Invalid read of size 8
==12736==    at 0x4F0130A: gnm_go_data_matrix_load_values (graph.c:1332)
==12736==    by 0x543204B: go_data_matrix_get_values (go-data.c:1078)
==12736==    by 0x1487EB18: gog_xyz_series_update (gog-xyz.c:463)
==12736==    by 0x5435687: gog_object_update (gog-object.c:1611)
==12736==    by 0x5435627: gog_object_update (gog-object.c:1604)
==12736==    by 0x5435627: gog_object_update (gog-object.c:1604)
==12736==    by 0x5435627: gog_object_update (gog-object.c:1604)
==12736==    by 0x543CE25: cb_graph_idle (gog-graph.c:849)
==12736==    by 0x63BCCE4: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==12736==    by 0x63BD047: g_main_context_iterate.isra.24 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==12736==    by 0x63BD309: g_main_loop_run (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==12736==    by 0x590BE54: gtk_main (gtkmain.c:1158)
==12736==    by 0x40362F: main (main-application.c:401)
==12736==  Address 0x11500d48 is 0 bytes after a block of size 40 alloc'd
==12736==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12736==    by 0x63C2610: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==12736==    by 0x4F92BDD: value_new_array_non_init (value.c:428)
==12736==    by 0x4F92CB7: value_new_array_empty (value.c:450)
==12736==    by 0x4EE6750: bin_array_iter_a (expr.c:1049)
==12736==    by 0x4EEB202: gnm_expr_eval (expr.c:1315)
==12736==    by 0x4EEB6FE: gnm_expr_top_eval (expr.c:3124)
==12736==    by 0x4F01098: gnm_go_data_matrix_load_size (graph.c:1159)
==12736==    by 0x5431E9C: go_data_matrix_get_size (go-data.c:1026)
==12736==    by 0x4F011C8: gnm_go_data_matrix_load_values (graph.c:1279)
==12736==    by 0x543204B: go_data_matrix_get_values (go-data.c:1078)
==12736==    by 0x1487EB18: gog_xyz_series_update (gog-xyz.c:463)
==12736==    by 0x5435687: gog_object_update (gog-object.c:1611)
==12736==    by 0x5435627: gog_object_update (gog-object.c:1604)
==12736==    by 0x5435627: gog_object_update (gog-object.c:1604)
==12736==    by 0x5435627: gog_object_update (gog-object.c:1604)
==12736==    by 0x543CE25: cb_graph_idle (gog-graph.c:849)
==12736==    by 0x63BCCE4: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==12736==    by 0x63BD047: g_main_context_iterate.isra.24 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==12736==    by 0x63BD309: g_main_loop_run (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==12736==    by 0x590BE54: gtk_main (gtkmain.c:1158)
==12736==    by 0x40362F: main (main-application.c:401)
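The valgrind report above is the classic signature of a size/value mismatch: the matrix consumer asks the data source for its size once (`gnm_go_data_matrix_load_size`), later asks for the values (`gnm_go_data_matrix_load_values`), and then indexes with the earlier size into a heap block that is smaller ("0 bytes after a block of size 40", i.e. one 8-byte read past a 5-element buffer). The following is an added example, constructed for this page and not Gnumeric's own code; the `array_value` type, the function names and the 2x3-vs-5 dimensions are assumptions chosen to model that pattern. It shows the check a loader should make before trusting a previously announced size, and returns an error instead of reading out of bounds.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration (not Gnumeric code): a matrix value whose
 * dimensions travel with its buffer, so a consumer can verify them. */
typedef struct {
    int rows;
    int cols;
    double *vals;   /* rows * cols doubles, row-major */
} array_value;

/* Allocate an array value filled with a constructed pattern (0, 1, 2, ...). */
static array_value *array_value_new(int rows, int cols)
{
    array_value *a = malloc(sizeof *a);
    if (!a) return NULL;
    a->rows = rows;
    a->cols = cols;
    a->vals = malloc((size_t)rows * (size_t)cols * sizeof(double));
    if (!a->vals) { free(a); return NULL; }
    for (int i = 0; i < rows * cols; i++)
        a->vals[i] = (double)i;
    return a;
}

static void array_value_free(array_value *a)
{
    if (!a) return;
    free(a->vals);
    free(a);
}

/* Checked loader. announced_rows/announced_cols is what an earlier size
 * query returned; v is the value evaluated now. Indexing with the announced
 * size is only safe if v really has those dimensions and out can hold them.
 * Returns the number of doubles written to out, or -1 on any mismatch. */
static long load_values_checked(const array_value *v, int announced_rows,
                                int announced_cols, double *out, size_t out_cap)
{
    if (!v || !out) return -1;
    if (v->rows != announced_rows || v->cols != announced_cols) return -1;
    size_t n = (size_t)v->rows * (size_t)v->cols;
    if (n > out_cap) return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = v->vals[i];
    return (long)n;
}

/* Scenario modelled on the report: the size query said 2 x 3 (6 doubles),
 * but the value handed over holds only 5 (a 40-byte block). An unchecked
 * loop over 6 would read 8 bytes past the block; the checked loader refuses. */
static long scenario_mismatch(void)
{
    array_value *v = array_value_new(1, 5);
    double out[6];
    long n = load_values_checked(v, 2, 3, out, 6);
    array_value_free(v);
    return n;   /* -1: the caller must treat the data as unavailable */
}

/* Consistent case: announced size and evaluated value agree. */
static long scenario_consistent(void)
{
    array_value *v = array_value_new(2, 3);
    double out[6];
    long n = load_values_checked(v, 2, 3, out, 6);
    array_value_free(v);
    return n;   /* 6 */
}

int main(void)
{
    printf("mismatch -> %ld, consistent -> %ld\n",
           scenario_mismatch(), scenario_consistent());
    return 0;
}
```

Under valgrind or ASan the unchecked variant of this loop is what produces an "Invalid read of size 8 ... 0 bytes after a block" report; the fix pattern is either to re-derive the dimensions from the value actually being read, as above, or to make the size and value come from a single evaluation so they cannot drift apart.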
Comment 3 Jean Bréfort 2016-04-24 06:57:31 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.