Inkscape

trunk: crash when resizing page

Bug #1344217 reported by Liam P. White on 2014-07-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Inkscape	Fix Released	High	Liam P. White	Inkscape 0.91 "0.91"

Bug Description

When resizing the page of this image (enter various numbers into the either of the page size spinboxes) several times (often in combination with undoing that action), Inkscape crashes. The backtraces of these crashes are not consistent, nor are they consistently reproducible, but the issue always occurs after some amount of resizing the page.

If one manages to resize the page without Inkscape crashing, watch what happens to the canvas. Calligraphic strokes deform into unrecognizable blobs and other odd behaviour occurs.

See original description

Tags:

Related branches

lp:~inkscape.dev/inkscape/trunk

Revision history for this message

Liam P. White (liampwhite) wrote on 2014-07-18:

the_background.svg Edit (346.8 KiB, image/svg+xml)

Revision history for this message

Liam P. White (liampwhite) wrote on 2014-07-18:

trunk-13447-1.log Edit (15.0 KiB, text/plain)

Attaching three backtraces.

Revision history for this message

Liam P. White (liampwhite) wrote on 2014-07-18:

trunk-13447-2.log Edit (14.9 KiB, text/plain)

Revision history for this message

Liam P. White (liampwhite) wrote on 2014-07-18:

trunk-13447-3.log Edit (15.4 KiB, text/plain)

description:

updated

Liam P. White (liampwhite) on 2014-07-18

description:

updated

Revision history for this message

ScislaC (scislac) wrote on 2014-07-18:

trunk-r13454-bt.log Edit (7.7 KiB, text/plain)

Reproduced with r13454 by doing the following with your test file:

1) Resize to selection or drawing
2) Undo
3) Resize to selection or drawing
4) Undo

On the second undo it crashes reliably here.

Changed in inkscape:
status:	New → Confirmed
importance:	Undecided → High

Revision history for this message

ScislaC (scislac) wrote on 2014-07-18:

Nevermind the reliability of exact steps... by doing somewhere between 1-3 patterns of the first two steps it seems to hit every time. This is now 15 attempts and all crashed after the first time which just did hang as opposed to crash.

Revision history for this message

su_v (suv-lp) wrote on 2014-07-19:

Trunk 0.48+devel r13454 (64bit, OS X 10.7.5):
Crash reproduced based on steps in comment 5 (though higher number of repeats required)

Stable 0.48.5 (64bit, OS X 10.7.5):
Hangs on quit after having repeated the steps to reproduce many times (without crash)

Changed in inkscape:
status:	Confirmed → Triaged

Revision history for this message

Tavmjong Bah (tavmjong-free) wrote on 2014-07-22:

Could it be related to threading? It has the same symptoms as bugs:

https://bugs.launchpad.net/inkscape/+bug/967416
https://bugs.launchpad.net/inkscape/+bug/1333445

i.e., random crashes on large files.

Revision history for this message

Liam P. White (liampwhite) wrote on 2014-07-22:

I don't know if it's a threading-related issue; but all of the crashes seem to involve something happening during the document update loop, which to my knowledge runs only on the main thread (but potentially could create others if GTK functions are called).

Revision history for this message

Liam P. White (liampwhite) wrote on 2014-07-28:

#10

I believe this has been fixed in lp:inkscape r13474.

Changed in inkscape:
status:	Triaged → Fix Committed
assignee:	nobody → Liam P. White (inkscapebrony)

su_v (suv-lp) on 2014-07-29

Changed in inkscape:
milestone:	none → 0.91

Revision history for this message

Liam P. White (liampwhite) wrote on 2014-07-30:

#11

@Tav:

Not a threading issue.

The manual call to the destructors of those sigc::connection objects was actually the problem here.

If you take a look at the sigc++ code here, you may or may not see the problem:
https://stardictproject.googlecode.com/svn-history/r2/trunk/src/sigc++/functors/slot_base.cc
https://stardictproject.googlecode.com/svn-history/r2/trunk/src/sigc++/functors/slot_base.h
https://stardictproject.googlecode.com/svn-history/r2/trunk/src/sigc++/connection.cc

By destroying the connections early, the slot it is connected to will end up calling notify(), then as it is no longer referenced, it will be freed.
sigc++ assumes that client code is smart enough not to call the destructor manually (a relatively safe assumption) and therefore does not bother with setting pointers to NULL during destruction.

Once the destructor has been called once, the slot_base object had been freed and the connection fully destroyed. Calling it again did this:

- found slot_base::remove_destroy_notify_callback
- called it against two freed pointers (this and a stored pointer used to call against)
- memory written to after it is freed!
- sigc::connection::notify() called
- more heap memory overwritten

During time-critical situations such as these where SPObjects are being modified very quickly, dlmalloc() needs to be very aggressive about reclaiming freed memory. The problem with said free memory is that it will be allocated, and then sometimes the heap block header will have been overwritten, which dlmalloc detects upon the next free and raises SIGABRT.

Revision history for this message

jazzynico (jazzynico) wrote on 2014-08-01:

#12

Fix confirmed on Windows XP, Inkscape trunk revision 13484.

tags:

added: undo

Bryce Harrington (bryce) on 2015-02-21

Changed in inkscape:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.