Crash when ungrouping a selection that contains a group and its clone

> Steps to reproduce:
> 1) Open attached file
> 2) Select all objects
> 3) Select ungroup from menu
> 4) Press ctrl+Z to undo
>
> Generates a segmentation fault.

Not reproduced with Inkscape 0.48.1, 0.48.2, 0.48.3.1 and Inkscape 0.48+devel r11386 on OS X 10.7.4.

> 3) Select ungroup from menu (note - many objects move - is this also a bug?)

Similar to (or same as)
Bug #659452 “Ungrouping objects causes translation in clones”
Bug #653574 “Ungrouping moves clones inside nested groups”

-> AFAICT another duplicate of Bug #479638 “file gets mangled due to Object->UnGroup”

> Not reproduced with Inkscape 0.48.1, 0.48.2, 0.48.3.1 and
> Inkscape 0.48+devel r11386 on OS X 10.7.4.

My mistake: I only used 'Ctrl+A' to select all (visible) objects without testing other methods of selection.

Crash reproduced if selecting all objects by dragging a selection frame around the visible objects, with Inkscape 0.48.2, 0.48.3.1 and Inkscape 0.48+devel r11386 on OS X 10.7.4

Also reproduced on Windows XP, Inkscape trunk revision 11430.
But not reproduced with 0.46 and 0.47.

Updated (and a bit more detailed) gdb trace (trunk revision 11621).

Reproduced again on Windows XP, Inkscape trunk revision 12511 and 0.48.4.

Even worse, r12688 now crashes when ungrouping the elements (step 3). Error message:
---
Program received signal SIGSEGV, Segmentation fault.
0x0053efe8 in SPDocument::getHeight() const ()

Ungrouping crash reproduced on Crunchbang Waldorf, Inkscape trunk revision 12849.
GDB trace attached.

When I add a breakpoint in GDB at selection-chemistry.cpp:810, the crash no longer occurs at the first try, but after ungrouping, then hitting Ctrl+Z twice there's a message about an unfinished undo transaction and sometimes a crash in a dynamic_cast inside box3d_extract_boxes_rec().

It looks like there's some kind of memory corruption going on, but it's hard to diagnose when the GObject type checks are no longer in place.

The new_select list normally seems to contain 16 elements, but during the crash it contains 18 elements, with the first two containing bogus pointers to something that looks like uninitialized memory.

I think I know the cause. When the selection contains both a group and its clone, and the group is after the clone in the selection, it is added to the new_select list; but after sp_item_group_ungroup() executes for the group, the clone is unlinked and no longer exists. This leaves a dangling pointer in the new_select list. I'm not sure yet how to fix this.

PS to the previous comment: "...and the group is after the clone in the selection, it is added to the new_select list" - naturally the clone is added to the list.

Partially fixed in r13063, but there are still problems with undo, which may be a separate bug.

New crash scenario:
1. Open the Undo History dialog
2. Select all
3. Ungroup
4. Click "[Unchanged]" in the dialog
5. Click "Ungroup" in the dialog
6. Crash

Before the crash, warnings about an incomplete undo transaction on ellipses are generated.

The crash in the Undo History dialog has been fixed in r13701, but the cause was unrelated to this bug.

In Comment #15 I meant r13071, of course.