Crash when draging a vanishing point of a 3D-Box onto another

This happens with version 0.91 under Windows 7 too so is likely an upstream bug

relevant bt:

#0 0x00007ffff6997b8c in Geom::Affine::operator[] (this=0x300000000258, i=0) at /home/mc/inkscape2/base/inkscape/src/2geom/affine.h:94
#1 0x00007ffff4238aa3 in Geom::Point::operator*= (this=0x7fffffffdd10, m=...) at /home/mc/inkscape2/base/inkscape/src/2geom/point.cpp:210
#2 0x00007ffff69993c2 in Geom::operator* (lhs=..., rhs=...) at /home/mc/inkscape2/base/inkscape/src/2geom/utils.h:59
#3 0x00007ffff71ca666 in SPDesktop::w2d (this=0x300000000000, p=...) at /home/mc/inkscape2/base/inkscape/src/desktop.cpp:1772
#4 0x00007ffff724d3da in sp_knot_handler_request_position (event=0x7279280, knot=0x3335f00) at /home/mc/inkscape2/base/inkscape/src/knot.cpp:366
#5 0x00007ffff6d6e824 in Inkscape::UI::Tools::sp_event_context_snap_watchdog_callback (data=0x73ea1b0) at /home/mc/inkscape2/base/inkscape/src/ui/tools/tool-base.cpp:1334

#0 to #4 have the problem that knot->desktop is an invalid pointer.

#5 calls check_if_knot_deleted(knot)
  which shows
  ** (inkscape:10081): WARNING **: Accessed knot after it was freed at 0x3335f00
... and proceeds to the crash (seriously, this should be an error, not a warning).

I did not find why the knot was considered freed.

Making check_if_knot_deleted return a boolean and putting in #5
---
if (check_if_knot_deleted(knot))
    break;
---
stops the node dragging process and prevents the crash but it's not a real fix.

Based on tests with archived builds (on OS X 10.7.5):
- not reproduced with Inkscape 0.48.5 [1]
- not reproduced with lp:inkscape rev <= 13222 [1]
- reproduced with lp:inkscape rev >= 13224
the crash seems to have been exposed with the changes in
* Revision 13223: First step of refactoring SPKnot.
https://bazaar.launchpad.net/~inkscape.dev/inkscape/trunk/revision/13223

[1] the earlier builds produce console messages when 'SHIFT'-dragging a vanishing point (to fork it), but do not crash when merging two vanishing points which had been separated earlier:

(inkscape-13222:56584): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed

(inkscape-13222:56584): GLib-GObject-WARNING **: instance of invalid non-instantiatable type '(null)'

=== modified file 'src/vanishing-point.cpp'
--- src/vanishing-point.cpp 2016-08-03 14:56:48 +0000
+++ src/vanishing-point.cpp 2016-09-23 20:06:34 +0000
@@ -307,7 +307,7 @@
     this->_ungrabbed_connection.disconnect();

     /* unref should call destroy */
- knot_unref(this->knot);
+ //knot_unref(this->knot);
 }

 /**

prevents the crash but ends up in orphan knots (not ideal)

Hi - thanks for reporting this bug, it has also been reported at Inkscape's new bugtracker https://gitlab.com/inkscape/inkscape/issues/818, so closing it here.

Please feel free to file new bugs about the issues you're seeing at http://inkscape.org/report.

Closed by: https://gitlab.com/jhofinger