46568 – VALGRIND corruption ( and sometimes coredump )

Bug 46568 - VALGRIND corruption ( and sometimes coredump )

Summary: VALGRIND corruption ( and sometimes coredump )

Status:	RESOLVED FIXED

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	Calc (show other bugs)
Version: (earliest affected)	3.5.0 release
Hardware:	Other All

Importance:	medium critical
Assignee:	Noel Power

URL:
Whiteboard:	target:3.6.0 target:3.5.1
Keywords:

Depends on:
Blocks:	mab3.5
	Show dependency tree / graph

Reported:	2012-02-24 04:05 UTC by Noel Power
Modified:	2012-02-28 03:15 UTC (History)
CC List:	0 users

See Also:
Crash report or crash signature:

Attachments
test document (7.14 KB, application/vnd.oasis.opendocument.spreadsheet) 2012-02-24 04:19 UTC, Noel Power	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Noel Power 2012-02-24 04:05:28 UTC

discovered that clicking on entries in the 'Manage Names' dialog in calc was sometimes causing a coredump. Got the following stack trace



(gdb) where
#0  0x00007fbbf0ab3cc2 in SvLBoxEntry::HasChildrenOnDemand (this=0x0) at /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/inc/svtools/svlbox.hxx:213
#1  0x00007fbbf0ad0240 in SvTreeListBox::FillAccessibleEntryStateSet (this=0x314b3b0, pEntry=0x0, rStateSet=...) at /media/FreeAgent-3/LibreOffice-onegit/core/svtools/source/contnr/svtreebx.cxx:2451
#2  0x00007fbbcf4ab40e in accessibility::AccessibleListBoxEntry::getAccessibleStateSet (this=0x3255800) at /media/FreeAgent-3/LibreOffice-onegit/core/accessibility/source/extended/accessiblelistboxentry.cxx:449
#3  0x00007fbbe6cde5cc in atk_object_wrapper_new (rxAccessible=..., parent=0x0) at /media/FreeAgent-3/LibreOffice-onegit/core/vcl/unx/gtk/a11y/atkwrapper.cxx:822
#4  0x00007fbbe6cde2ec in atk_object_wrapper_ref (rxAccessible=..., create=true) at /media/FreeAgent-3/LibreOffice-onegit/core/vcl/unx/gtk/a11y/atkwrapper.cxx:765
#5  0x00007fbbe6ccb186 in getObjFromAny (rAny=uno::Any {<com::sun::star::uno::XInterface> = {_vptr.XInterface = 0x3255860}, <No data fields>}) at /media/FreeAgent-3/LibreOffice-onegit/core/vcl/unx/gtk/a11y/atklistener.cxx:109
#6  0x00007fbbe6ccbc4f in AtkListener::notifyEvent (this=0x3254bf0, aEvent=...) at /media/FreeAgent-3/LibreOffice-onegit/core/vcl/unx/gtk/a11y/atklistener.cxx:356
#7  0x00007fbbf24540dc in comphelper::AccessibleEventNotifier::addEvent(unsigned int, com::sun::star::accessibility::AccessibleEventObject const&) () from /media/FreeAgent-3/LibreOffice-onegit/core/INSTALL_LINK/program/libcomphelpgcc3.so
#8  0x00007fbbf2452f83 in comphelper::OAccessibleContextHelper::NotifyAccessibleEvent(short, com::sun::star::uno::Any const&, com::sun::star::uno::Any const&) () from

in the second frame the pEntry being NULL of course was causing the core dump. The fact the core dump only happens ( for me ) when accessibility was turned on was a bit of a red herring as was this stack itself. It turns out that the core here is a side affect of other badness that happened earlier. Valgrind trace shows

SvTreeListBox::FillAccessibleEntryStateSet pEntry 0x2ec2d000
==27033== Invalid read of size 2
==27033==    at 0x2997DF5E: ScRangeData::HasType(unsigned short) const (rangenam.hxx:175)
==27033==    by 0x29F844EF: ScNameDlg::UpdateChecks(ScRangeData*) (namedlg.cxx:273)
==27033==    by 0x29F84C91: ScNameDlg::ShowOptions(ScRangeNameLine const&) (namedlg.cxx:337)
==27033==    by 0x29F85876: ScNameDlg::SelectionChanged() (namedlg.cxx:470)
==27033==    by 0x29F85F13: ScNameDlg::SelectionChangedHdl_Impl(void*) (namedlg.cxx:572)
==27033==    by 0x29F85EF4: ScNameDlg::LinkStubSelectionChangedHdl_Impl(void*, void*) (namedlg.cxx:570)
==27033==    by 0x7ABE65D: Link::Call(void*) const (link.hxx:140)
==27033==    by 0x7B2CB73: SvLBox::SelectHdl() (svlbox.cxx:843)
==27033==    by 0x7B3CC93: SvTreeListBox::Select(SvLBoxEntry*, unsigned char) (svtreebx.cxx:1013)
==27033==    by 0x7B1A6A1: SvImpLBox::SetCursor(SvLBoxEntry*, unsigned char) (svimpbox.cxx:661)
==27033==    by 0x7B21F10: ImpLBSelEng::SetCursorAtPoint(Point const&, unsigned char) (svimpbox.cxx:2773)
==27033==    by 0x93E781D: SelectionEngine::SelMouseButtonDown(MouseEvent const&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvcllo.so)
==27033==  Address 0x188c7780 is not stack'd, malloc'd or (recently) free'd
==27033== 
==27033== Invalid read of size 2
==27033==    at 0x2997DF5E: ScRangeData::HasType(unsigned short) const (rangenam.hxx:175)
==27033==    by 0x29F84518: ScNameDlg::UpdateChecks(ScRangeData*) (namedlg.cxx:274)
==27033==    by 0x29F84C91: ScNameDlg::ShowOptions(ScRangeNameLine const&) (namedlg.cxx:337)
==27033==    by 0x29F85876: ScNameDlg::SelectionChanged() (namedlg.cxx:470)
==27033==    by 0x29F85F13: ScNameDlg::SelectionChangedHdl_Impl(void*) (namedlg.cxx:572)
==27033==    by 0x29F85EF4: ScNameDlg::LinkStubSelectionChangedHdl_Impl(void*, void*) (namedlg.cxx:570)
==27033==    by 0x7ABE65D: Link::Call(void*) const (link.hxx:140)
==27033==    by 0x7B2CB73: SvLBox::SelectHdl() (svlbox.cxx:843)
==27033==    by 0x7B3CC93: SvTreeListBox::Select(SvLBoxEntry*, unsigned char) (svtreebx.cxx:1013)
==27033==    by 0x7B1A6A1: SvImpLBox::SetCursor(SvLBoxEntry*, unsigned char) (svimpbox.cxx:661)
==27033==    by 0x7B21F10: ImpLBSelEng::SetCursorAtPoint(Point const&, unsigned char) (svimpbox.cxx:2773)
==27033==    by 0x93E781D: SelectionEngine::SelMouseButtonDown(MouseEvent const&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvcllo.so)
==27033==  Address 0x188c7780 is not stack'd, malloc'd or (recently) free'd
==27033== 
==27033== Invalid read of size 2
==27033==    at 0x2997DF5E: ScRangeData::HasType(unsigned short) const (rangenam.hxx:175)
==27033==    by 0x29F84541: ScNameDlg::UpdateChecks(ScRangeData*) (namedlg.cxx:275)
==27033==    by 0x29F84C91: ScNameDlg::ShowOptions(ScRangeNameLine const&) (namedlg.cxx:337)
==27033==    by 0x29F85876: ScNameDlg::SelectionChanged() (namedlg.cxx:470)
==27033==    by 0x29F85F13: ScNameDlg::SelectionChangedHdl_Impl(void*) (namedlg.cxx:572)
==27033==    by 0x29F85EF4: ScNameDlg::LinkStubSelectionChangedHdl_Impl(void*, void*) (namedlg.cxx:570)
==27033==    by 0x7ABE65D: Link::Call(void*) const (link.hxx:140)
==27033==    by 0x7B2CB73: SvLBox::SelectHdl() (svlbox.cxx:843)
==27033==    by 0x7B3CC93: SvTreeListBox::Select(SvLBoxEntry*, unsigned char) (svtreebx.cxx:1013)
==27033==    by 0x7B1A6A1: SvImpLBox::SetCursor(SvLBoxEntry*, unsigned char) (svimpbox.cxx:661)
==27033==    by 0x7B21F10: ImpLBSelEng::SetCursorAtPoint(Point const&, unsigned char) (svimpbox.cxx:2773)
==27033==    by 0x93E781D: SelectionEngine::SelMouseButtonDown(MouseEvent const&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvcllo.so)
==27033==  Address 0x188c7780 is not stack'd, malloc'd or (recently) free'd
==27033== 
==27033== Invalid read of size 8
==27033==    at 0x7B25310: SvTreeList::GetParent(SvListEntry*) const (treelist.hxx:628)
==27033==    by 0x7B255FD: SvLBox::GetParent(SvLBoxEntry*) const (svlbox.hxx:434)
==27033==    by 0x7B2DAB4: SvLBox::FillEntryPath(SvLBoxEntry*, std::deque<int, std::allocator<int> >&) const (svlbox.cxx:1281)
==27033==    by 0x23EB9402: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libacclo.so)
==27033==    by 0x23EB2977: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libacclo.so)
==27033==    by 0x82FBB68: VCLXAccessibleComponent::WindowEventListener(VclSimpleEvent*) (vclxaccessiblecomponent.cxx:147)
==27033==    by 0x82FBA8E: VCLXAccessibleComponent::LinkStubWindowEventListener(void*, void*) (vclxaccessiblecomponent.cxx:132)
==27033==    by 0x919DB51: VclEventListeners::Call(VclSimpleEvent*) const (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvcllo.so)
==27033==    by 0x941AF29: Window::CallEventListeners(unsigned long, void*) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvcllo.so)
==27033==    by 0x7B41C6C: SvTreeListBox::CallImplEventListeners(unsigned long, void*) (svtreebx.cxx:2480)
==27033==    by 0x7B24AA7: SvImpLBox::CallEventListeners(unsigned long, void*) (svimpbox.cxx:3532)
==27033==    by 0x7B3CCAF: SvTreeListBox::Select(SvLBoxEntry*, unsigned char) (svtreebx.cxx:1014)
==27033==  Address 0x1fde78d8 is 8 bytes inside a block of size 72 free'd
==27033==    at 0x4C2562E: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27033==    by 0x7B2BA13: SvLBoxEntry::~SvLBoxEntry() (svlbox.cxx:578)
==27033==    by 0x7B55CD2: SvTreeList::Remove(SvListEntry*) (treelist.cxx:1313)
==27033==    by 0x7B2D62A: SvLBox::RemoveSelection() (svlbox.cxx:1154)
==27033==    by 0x29F88809: ScRangeManagerTable::DeleteSelectedEntries() (namemgrtable.cxx:187)
==27033==    by 0x29F852B8: ScNameDlg::NameModified() (namedlg.cxx:420)
==27033==    by 0x29F85E71: ScNameDlg::EdModifyHdl(void*) (namedlg.cxx:560)
==27033==    by 0x29F85E52: ScNameDlg::LinkStubEdModifyHdl(void*, void*) (namedlg.cxx:558)
==27033==    by 0x91BB2AD: Control::ImplCallEventListenersAndHandler(unsigned long, Link const&, void*) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvcllo.so)
==27033==    by 0x29E11D0E: CheckBox::Check(unsigned char) (button.hxx:489)
==27033==    by 0x29F844DE: ScNameDlg::UpdateChecks(ScRangeData*) (namedlg.cxx:272)
==27033==    by 0x29F84C91: ScNameDlg::ShowOptions(ScRangeNameLine const&) (namedlg.cxx:337)
==27033== 
SvTreeListBox::FillAccessibleEntryStateSet pEntry (nil)
==27033== Invalid read of size 2
==27033==    at 0x7B253BE: SvLBoxEntry::HasChildrenOnDemand() const (svlbox.hxx:213)
==27033==    by 0x7B41A99: SvTreeListBox::FillAccessibleEntryStateSet(SvLBoxEntry*, utl::AccessibleStateSetHelper&) const (svtreebx.cxx:2451)
==27033==    by 0x23EBAA16: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libacclo.so)
==27033==    by 0x12954433: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvclplug_gtklo.so)
==27033==    by 0x12954153: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvclplug_gtklo.so)
==27033==    by 0x12940909: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvclplug_gtklo.so)
==27033==    by 0x129413D2: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvclplug_gtklo.so)
==27033==    by 0x62BD0DB: comphelper::AccessibleEventNotifier::addEvent(unsigned int, com::sun::star::accessibility::AccessibleEventObject const&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libcomphelpgcc3.so)
==27033==    by 0x62BBF82: comphelper::OAccessibleContextHelper::NotifyAccessibleEvent(short, com::sun::star::uno::Any const&, com::sun::star::uno::Any const&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libcomphelpgcc3.so)
==27033==    by 0x23EB2A23: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libacclo.so)
==27033==    by 0x82FBB68: VCLXAccessibleComponent::WindowEventListener(VclSimpleEvent*) (vclxaccessiblecomponent.cxx:147)
==27033==    by 0x82FBA8E: VCLXAccessibleComponent::LinkStubWindowEventListener(void*, void*) (vclxaccessiblecomponent.cxx:132)
==27033==  Address 0x40 is not stack'd, malloc'd or (recently) free'd
==27033== 

it appears the 

==27033== Invalid read of size 2
==27033==    at 0x2997DF5E: ScRangeData::HasType(unsigned short) const (rangenam.hxx:175)
==27033==    by 0x29F84518: ScNameDlg::UpdateChecks(ScRangeData*) 

is saying that the ScRangeData* has been changed under the hood


this part from the bottom of the valgrind log 

==27033==  Address 0x1fde78d8 is 8 bytes inside a block of size 72 free'd
==27033==    at 0x4C2562E: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27033==    by 0x7B2BA13: SvLBoxEntry::~SvLBoxEntry() (svlbox.cxx:578)
==27033==    by 0x7B55CD2: SvTreeList::Remove(SvListEntry*) (treelist.cxx:1313)
==27033==    by 0x7B2D62A: SvLBox::RemoveSelection() (svlbox.cxx:1154)
==27033==    by 0x29F88809: ScRangeManagerTable::DeleteSelectedEntries() (namemgrtable.cxx:187)
==27033==    by 0x29F852B8: ScNameDlg::NameModified() (namedlg.cxx:420)
==27033==    by 0x29F85E71: ScNameDlg::EdModifyHdl(void*) (namedlg.cxx:560)
==27033==    by 0x29F85E52: ScNameDlg::LinkStubEdModifyHdl(void*, void*) (namedlg.cxx:558)
==27033==    by 0x91BB2AD: Control::ImplCallEventListenersAndHandler(unsigned long, Link const&, void*) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvcllo.so)
==27033==    by 0x29E11D0E: CheckBox::Check(unsigned char) (button.hxx:489)
==27033==    by 0x29F844DE: ScNameDlg::UpdateChecks(ScRangeData*) 


gives the real hint, the selection changed event calls somewhere down it's stack 'ScNameDlg::UpdateChecks' which in turn modifies a checkbox ( which triggers another handler ) as these handlers are asynchronous and the SelectionHandler can call code the modifies the internal structures that both handlers use we get problems. Afaict 'ScNameDlg::UpdateChecks' should never trigger the event handlers for the checkboxes whose state it modifes as it is just syncing the state controls with that of the internal model.

Comment 1 Noel Power 2012-02-24 04:19:35 UTC

Created attachment 57583 [details]
test document

this document demonstrates the problem, however it doesn't show exactly the same valgrind trace as above. The document I was using when I was investigating this is a customer document ( I don't think it is confidential but I am not sure ) but.. actually what prompted me to create a new test document was that it took valgrind about 15 mins to load it. In anycase the valgrind trace happens when you open 'Insert|Names|Manage Names' ( and not when clicking on the entries ) This is maybe due to the number or spread of the types of name references in this document vrs the other one. Note: the customer document had hundreds of name references, additionally the customer document is an xlsm one so maybe how the data is populated goes through a different path or something ( honestly I don't know ) The new valgrind trace is below and although not the same it clearly points to the same problem


==27707== Invalid read of size 2
==27707==    at 0x217703E0: ScRangeData::HasType(unsigned short) const (rangenam.hxx:175)
==27707==    by 0x2176E15B: ScNameDlg::UpdateChecks(ScRangeData*) (namedlg.cxx:273)
==27707==    by 0x2176E8FD: ScNameDlg::ShowOptions(ScRangeNameLine const&) (namedlg.cxx:337)
==27707==    by 0x2176F4E2: ScNameDlg::SelectionChanged() (namedlg.cxx:470)
==27707==    by 0x2176DB9E: ScNameDlg::Init() (namedlg.cxx:185)
==27707==    by 0x2176CD3A: ScNameDlg::ScNameDlg(SfxBindings*, SfxChildWindow*, Window*, ScViewData*, ScAddress const&, boost::ptr_map<rtl::OUString, ScRangeName, std::less<rtl::OUString>, boost::heap_clone_allocator, std::allocator<std::pair<rtl::OUString const, void*> > >*) (namedlg.cxx:129)
==27707==    by 0x2198D651: ScTabViewShell::CreateRefDialog(SfxBindings*, SfxChildWindow*, SfxChildWinInfo*, Window*, unsigned short) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x2195F17D: ScNameDlgWrapper::ScNameDlgWrapper(Window*, unsigned short, SfxBindings*, SfxChildWinInfo*) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x2195F27A: ScNameDlgWrapper::CreateImpl(Window*, unsigned short, SfxBindings*, SfxChildWinInfo*) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x701CD77: SfxChildWindow::CreateChildWindow(unsigned short, Window*, SfxBindings*, SfxChildWinInfo&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsfxlo.so)
==27707==    by 0x7064BB8: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsfxlo.so)
==27707==    by 0x7065CE6: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsfxlo.so)
==27707==  Address 0x290c27b0 is 32 bytes inside a block of size 64 free'd
==27707==    at 0x4C2562E: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27707==    by 0x2151B387: ScRangeName::erase(boost::ptr_map_iterator<std::_Rb_tree_iterator<std::pair<rtl::OUString const, void*> >, rtl::OUString, ScRangeData* const> const&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x2151CC64: ScRangeName::erase(rtl::OUString const&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x2176EF00: ScNameDlg::NameModified() (namedlg.cxx:418)
==27707==    by 0x2176FADD: ScNameDlg::EdModifyHdl(void*) (namedlg.cxx:560)
==27707==    by 0x2176FABE: ScNameDlg::LinkStubEdModifyHdl(void*, void*) (namedlg.cxx:558)
==27707==    by 0x91BB2AD: Control::ImplCallEventListenersAndHandler(unsigned long, Link const&, void*) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvcllo.so)
==27707==    by 0x2177032C: CheckBox::Check(unsigned char) (button.hxx:489)
==27707==    by 0x2176E14A: ScNameDlg::UpdateChecks(ScRangeData*) (namedlg.cxx:272)
==27707==    by 0x2176E8FD: ScNameDlg::ShowOptions(ScRangeNameLine const&) (namedlg.cxx:337)
==27707==    by 0x2176F4E2: ScNameDlg::SelectionChanged() (namedlg.cxx:470)
==27707==    by 0x2176DB9E: ScNameDlg::Init() (namedlg.cxx:185)
==27707== 
==27707== Invalid read of size 2
==27707==    at 0x217703E0: ScRangeData::HasType(unsigned short) const (rangenam.hxx:175)
==27707==    by 0x2176E184: ScNameDlg::UpdateChecks(ScRangeData*) (namedlg.cxx:274)
==27707==    by 0x2176E8FD: ScNameDlg::ShowOptions(ScRangeNameLine const&) (namedlg.cxx:337)
==27707==    by 0x2176F4E2: ScNameDlg::SelectionChanged() (namedlg.cxx:470)
==27707==    by 0x2176DB9E: ScNameDlg::Init() (namedlg.cxx:185)
==27707==    by 0x2176CD3A: ScNameDlg::ScNameDlg(SfxBindings*, SfxChildWindow*, Window*, ScViewData*, ScAddress const&, boost::ptr_map<rtl::OUString, ScRangeName, std::less<rtl::OUString>, boost::heap_clone_allocator, std::allocator<std::pair<rtl::OUString const, void*> > >*) (namedlg.cxx:129)
==27707==    by 0x2198D651: ScTabViewShell::CreateRefDialog(SfxBindings*, SfxChildWindow*, SfxChildWinInfo*, Window*, unsigned short) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x2195F17D: ScNameDlgWrapper::ScNameDlgWrapper(Window*, unsigned short, SfxBindings*, SfxChildWinInfo*) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x2195F27A: ScNameDlgWrapper::CreateImpl(Window*, unsigned short, SfxBindings*, SfxChildWinInfo*) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x701CD77: SfxChildWindow::CreateChildWindow(unsigned short, Window*, SfxBindings*, SfxChildWinInfo&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsfxlo.so)
==27707==    by 0x7064BB8: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsfxlo.so)
==27707==    by 0x7065CE6: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsfxlo.so)
==27707==  Address 0x290c27b0 is 32 bytes inside a block of size 64 free'd
==27707==    at 0x4C2562E: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27707==    by 0x2151B387: ScRangeName::erase(boost::ptr_map_iterator<std::_Rb_tree_iterator<std::pair<rtl::OUString const, void*> >, rtl::OUString, ScRangeData* const> const&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x2151CC64: ScRangeName::erase(rtl::OUString const&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x2176EF00: ScNameDlg::NameModified() (namedlg.cxx:418)
==27707==    by 0x2176FADD: ScNameDlg::EdModifyHdl(void*) (namedlg.cxx:560)
==27707==    by 0x2176FABE: ScNameDlg::LinkStubEdModifyHdl(void*, void*) (namedlg.cxx:558)
==27707==    by 0x91BB2AD: Control::ImplCallEventListenersAndHandler(unsigned long, Link const&, void*) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvcllo.so)
==27707==    by 0x2177032C: CheckBox::Check(unsigned char) (button.hxx:489)
==27707==    by 0x2176E14A: ScNameDlg::UpdateChecks(ScRangeData*) (namedlg.cxx:272)
==27707==    by 0x2176E8FD: ScNameDlg::ShowOptions(ScRangeNameLine const&) (namedlg.cxx:337)
==27707==    by 0x2176F4E2: ScNameDlg::SelectionChanged() (namedlg.cxx:470)
==27707==    by 0x2176DB9E: ScNameDlg::Init() (namedlg.cxx:185)
==27707== 
==27707== Invalid read of size 2
==27707==    at 0x217703E0: ScRangeData::HasType(unsigned short) const (rangenam.hxx:175)
==27707==    by 0x2176E1AD: ScNameDlg::UpdateChecks(ScRangeData*) (namedlg.cxx:275)
==27707==    by 0x2176E8FD: ScNameDlg::ShowOptions(ScRangeNameLine const&) (namedlg.cxx:337)
==27707==    by 0x2176F4E2: ScNameDlg::SelectionChanged() (namedlg.cxx:470)
==27707==    by 0x2176DB9E: ScNameDlg::Init() (namedlg.cxx:185)
==27707==    by 0x2176CD3A: ScNameDlg::ScNameDlg(SfxBindings*, SfxChildWindow*, Window*, ScViewData*, ScAddress const&, boost::ptr_map<rtl::OUString, ScRangeName, std::less<rtl::OUString>, boost::heap_clone_allocator, std::allocator<std::pair<rtl::OUString const, void*> > >*) (namedlg.cxx:129)
==27707==    by 0x2198D651: ScTabViewShell::CreateRefDialog(SfxBindings*, SfxChildWindow*, SfxChildWinInfo*, Window*, unsigned short) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x2195F17D: ScNameDlgWrapper::ScNameDlgWrapper(Window*, unsigned short, SfxBindings*, SfxChildWinInfo*) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x2195F27A: ScNameDlgWrapper::CreateImpl(Window*, unsigned short, SfxBindings*, SfxChildWinInfo*) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x701CD77: SfxChildWindow::CreateChildWindow(unsigned short, Window*, SfxBindings*, SfxChildWinInfo&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsfxlo.so)
==27707==    by 0x7064BB8: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsfxlo.so)
==27707==    by 0x7065CE6: ??? (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsfxlo.so)
==27707==  Address 0x290c27b0 is 32 bytes inside a block of size 64 free'd
==27707==    at 0x4C2562E: operator delete(void*) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27707==    by 0x2151B387: ScRangeName::erase(boost::ptr_map_iterator<std::_Rb_tree_iterator<std::pair<rtl::OUString const, void*> >, rtl::OUString, ScRangeData* const> const&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x2151CC64: ScRangeName::erase(rtl::OUString const&) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libsclo.so)
==27707==    by 0x2176EF00: ScNameDlg::NameModified() (namedlg.cxx:418)
==27707==    by 0x2176FADD: ScNameDlg::EdModifyHdl(void*) (namedlg.cxx:560)
==27707==    by 0x2176FABE: ScNameDlg::LinkStubEdModifyHdl(void*, void*) (namedlg.cxx:558)
==27707==    by 0x91BB2AD: Control::ImplCallEventListenersAndHandler(unsigned long, Link const&, void*) (in /media/FreeAgent-3/LibreOffice-onegit/core/solver/unxlngx6.pro/lib/libvcllo.so)
==27707==    by 0x2177032C: CheckBox::Check(unsigned char) (button.hxx:489)
==27707==    by 0x2176E14A: ScNameDlg::UpdateChecks(ScRangeData*) (namedlg.cxx:272)
==27707==    by 0x2176E8FD: ScNameDlg::ShowOptions(ScRangeNameLine const&) (namedlg.cxx:337)
==27707==    by 0x2176F4E2: ScNameDlg::SelectionChanged() (namedlg.cxx:470)
==27707==    by 0x2176DB9E: ScNameDlg::Init() (namedlg.cxx:185)
==27707==

Comment 2 Noel Power 2012-02-24 04:38:12 UTC

I can't reproduce the core 3.4 not sure whether to call this a regression as the 'Manage Names' dialog doesn't exist ( but one with similar functionality 'Define Names' does )

Comment 3 Not Assigned 2012-02-24 05:13:03 UTC

Noel Power committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=22871f1af3be444e747f7adaad5221b9c8b0bebf

fix core when clicking on entries in Manage Names dialog in calc fdo#46568

Comment 4 Not Assigned 2012-02-26 04:37:55 UTC

Noel Power committed a patch related to this issue.
It has been pushed to "libreoffice-3-5":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=393bd0eebe09230ef90c5b343c93338526f3f4b7&g=libreoffice-3-5

fix core when clicking on entries in Manage Names dialog in calc fdo#46568


It will be available in LibreOffice 3.5.2.

Comment 5 Not Assigned 2012-02-28 03:04:59 UTC

Noel Power committed a patch related to this issue.
It has been pushed to "libreoffice-3-5-1":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=da7235196c138eed21065c94e2a855d6c3f217e0&g=libreoffice-3-5-1

fix core when clicking on entries in Manage Names dialog in calc fdo#46568


It will be available already in LibreOffice 3.5.1.

Comment 6 Noel Power 2012-02-28 03:15:46 UTC

marking as resolved