https://bugs.freedesktop.org/show_bug.cgi?id=80813
--- Comment #8 from Michael Meeks <[email protected]> ---
Valgrind shows this guy ...

==30310== Invalid read of size 4
==30310==    at 0x10517A4D: ScPatternAttr::GetItem(unsigned short) const (patattr.hxx:71)
==30310==    by 0x1054B325: ScColumn::GetNeededSize(long, OutputDevice*, double, double, Fraction const&, Fraction const&, bool, ScNeededSizeOptions const&) const (column2.cxx:145)
==30310==    by 0x1061FA71: ScTable::GetNeededSize(short, long, OutputDevice*, double, double, Fraction const&, Fraction const&, bool, bool) (table1.cxx:452)
==30310==    by 0x1059C35F: ScDocument::GetNeededSize(short, long, short, OutputDevice*, double, double, Fraction const&, Fraction const&, bool, bool) (document.cxx:3937)
==30310==    by 0x10596FF8: ScDocument::IdleCalcTextWidth() (documen8.cxx:644)
==30310==    by 0x107BAD78: ScModule::IdleHandler(void*) (scmod.cxx:1951)
==30310==    by 0x51A21F3: Timer::Timeout() (link.hxx:123)
==30310==    by 0x51A22A6: Timer::ImplTimerCallbackProc() (timer.cxx:121)
==30310==    by 0x94723CF: sal_gtk_timeout_dispatch (saltimer.hxx:53)
...
==30310==  Address 0xfbe3ddc is 12 bytes inside a block of size 24 free'd
==30310==    at 0x402B6AD: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==30310==    by 0x49DDB53: SfxItemPool::Remove(SfxPoolItem const&) (itempool.cxx:886)
==30310==    by 0x1057DBE6: ScDocumentPool::Remove(SfxPoolItem const&) (docpool.cxx:637)
==30310==    by 0x10514060: ScAttrArray::SetPatternArea(long, long, ScPatternAttr const*, bool, ScEditDataArray*) (attarray.cxx:505)
==30310==    by 0x105141F4: ScAttrArray::SetPattern(long, ScPatternAttr const*, bool) (attarray.cxx:349)
==30310==    by 0x10523A7E: ScColumn::ApplyAttr(long, SfxPoolItem const&) (column.cxx:747)
==30310==    by 0x1054A62C: ScColumn::SetNumberFormat(long, unsigned long) (column2.cxx:2927)
==30310==    by 0x10625D29: ScTable::SetNumberFormat(short, long, unsigned long) (table2.cxx:1871)
==30310==    by 0x1059B4AB: ScDocument::SetNumberFormat(ScAddress const&, unsigned long) (document.cxx:3403)
==30310==    by 0x105FDE96: ScFormulaCell::InterpretTail(ScFormulaCell::ScInterpretTailParameter) (formulacell.cxx:1686)
==30310==    by 0x10600C40: ScFormulaCell::Interpret() (formulacell.cxx:1337)
==30310==    by 0x1060114E: ScFormulaCell::MaybeInterpret() (formulacell.cxx:2165)
==30310==    by 0x10601282: ScFormulaCell::IsValue() (formulacell.cxx:2196)
==30310==    by 0x10570059: lcl_GetCellContent(ScRefCellValue&, bool, double&, rtl::OUString&, ScDocument const*) (conditio.cxx:742)
==30310==    by 0x105735E0: ScConditionEntry::IsCellValid(ScRefCellValue&, ScAddress const&) const (conditio.cxx:1262)
==30310==    by 0x10573674: ScConditionalFormat::GetCellStyle(ScRefCellValue&, ScAddress const&) const (conditio.cxx:1906)
==30310==    by 0x1058BE41: ScDocument::GetCondResult(ScRefCellValue&, ScAddress const&, ScConditionalFormatList const&, std::vector<unsigned long, std::allocator<unsigned long> > const&) const (documen4.cxx:816)
==30310==    by 0x1058C1EC: ScDocument::GetCondResult(short, long, short) const (documen4.cxx:802)
==30310==    by 0x1054B054: ScColumn::GetNeededSize(long, OutputDevice*, double, double, Fraction const&, Fraction const&, bool, ScNeededSizeOptions const&) const (column2.cxx:134)
==30310==    by 0x1061FA71: ScTable::GetNeededSize(short, long, OutputDevice*, double, double, Fraction const&, Fraction const&, bool, bool) (table1.cxx:452)
==30310==    by 0x1059C35F: ScDocument::GetNeededSize(short, long, short, OutputDevice*, double, double, Fraction const&, Fraction const&, bool, bool) (document.cxx:3937)
==30310==    by 0x10596FF8: ScDocument::IdleCalcTextWidth() (documen8.cxx:644)
==30310==    by 0x107BAD78: ScModule::IdleHandler(void*) (scmod.cxx:1951)
==30310==    by 0x51A21F3: Timer::Timeout() (link.hxx:123)
==30310==    by 0x51A22A6: Timer::ImplTimerCallbackProc() (timer.cxx:121)
...

It seems that calling:

    const SfxItemSet* pCondSet = pDocument->GetCondResult( nCol, nRow, nTab );

can delete the pPattern we are relying on - which is rather unfortunate.

Since the code is the same for 4.3 and 4.4 - it is somewhat unclear why this doesn't fail there too - presumably well worth investigating that =)

Ideally all these pointers would have fast intrusive references on them I suppose.
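Added example (not part of the original comment and not LibreOffice code): a reduced C++ model of the situation in the trace, where a call made while a raw pointer is cached frees the object behind it, next to a variant that pins the object with an intrusive reference as the comment suggests. Pattern, PatternRef, Column, condResult, freedByCondResult and pinnedRead are hypothetical stand-ins.

```cpp
// Added illustration; all names are hypothetical stand-ins, not LibreOffice code.
static int g_freed = 0;                // patterns destroyed so far
struct Pattern {                       // stand-in for ScPatternAttr
    int refs = 1;                      // intrusive count; the creator owns one reference
    int numFmt;
    explicit Pattern(int f) : numFmt(f) {}
    ~Pattern() { ++g_freed; }
};
inline void release(Pattern* p) { if (--p->refs == 0) delete p; }
class PatternRef {                     // minimal intrusive pin (const member: not assignable)
    Pattern* const p_;
public:
    explicit PatternRef(Pattern* p) : p_(p) { ++p_->refs; }
    PatternRef(const PatternRef&) = delete;
    ~PatternRef() { release(p_); }
    const Pattern* operator->() const { return p_; }
};

struct Column {
    Pattern* cur;                      // the column owns one reference
    bool dirty = true;                 // formula cell not yet interpreted
    explicit Column(int f) : cur(new Pattern(f)) {}
    Column(const Column&) = delete;
    ~Column() { release(cur); }
    // Stand-in for GetCondResult(): lazily interprets the formula, which sets
    // a number format, swaps in a new pattern and drops the old one.
    void condResult() {
        if (!dirty) return;
        dirty = false;
        Pattern* old = cur;
        cur = new Pattern(old->numFmt + 1);
        release(old);
    }
};

// Patterns freed inside the call; a raw Pattern* cached before it dangles if > 0.
int freedByCondResult(Column& c) {
    int before = g_freed;
    c.condResult();
    return g_freed - before;
}

// Pinned variant: the reference taken first keeps the old pattern readable.
int pinnedRead(Column& c) {
    PatternRef pin(c.cur);
    c.condResult();
    return pin->numFmt;
}

int main() { Column a(10), b(20); return (freedByCondResult(a) == 1 && pinnedRead(b) == 20) ? 0 : 1; }
```

Re-reading the pointer from the column after the call is the other way to stay safe; it yields the new pattern rather than the one seen before the call.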
