Internal error on closing or saving

Thread 1 "inkscape" received signal SIGSEGV, Segmentation fault.
0x00000000006c8645 in Inkscape::CompositeUndoStackObserver::notifyClearUndoEvent() ()

Please check the attachment for details.

Trying to review but couldent reproduce the error. (Dont undertand the steps too well)
Im using Debian Stretch.
Cheers, Jabier.

Reproduced on 64-bit WIN 7. The error does not happen every time though.

1. start Inkscape
2. open $INKSCAPE_DIR/doc/architecture.svg
3. draw a rectangle somewhere
4. press CTRL-W and click "close without saving"
Repeat step 2-4 several times and Inkscape occasionally crashes.

Also reproduced on Windows 7 (64-bit) with lp:inkscape 32 and 64-bit versions rev. 15583 (experimentally built with MSYS2).

The 64-bit version doesn't give any GDB trace, but the 32-bit version crashes in Inkscape::ObjectSet::clear().

Patch from the attached branch tested successfully on Windows 7 (64-bit) with lp:inkscape 32 and 64-bit versions rev. 15590 (experimentally built with MSYS2).

No obvious regression found for now, but I'm not expert in that part of the code. So I would be nice if someone else could review it.

@Minglangjun Li - Thanks for working on it!

@jazzynico Thanks for testing the patch on Windows. I haven't set up the development environment on Windows, so I just tested it on Linux. Neither am I 100% sure about the cause of the bug. I just followed the call stack and found an undefined behavior. The bug is strange and doesn't always happen.

I've tested the patch with r15592 on Linux. No crash anymore.

This report (https://bugs.launchpad.net/inkscape/+bug/1667622) could be related to the bug.

There's also a remaining reported bug (https://bugs.launchpad.net/inkscape/+bug/1071082) related to it. It has been there for 4 years. I will look into the code later and see if I can shed any light on this issue then.

Through debugging, I can confirm that this bug is caused by accessing a
deleted pointer which is an undefined behaviour. The reason that it does
not happen every time is we immediately allocate a new EventLog after
deleting an older one. And for most of the time, the new EventLog is
allocated from the same address where the deleted one resided. Thus
accessing that address in the destructor of the replaced document doesn't
trigger SIGSEGV. I've tested it by deleting the older pointer after
allocating the new one and Inkscape crashes every time now. I've attached
the modified code for your review.

The line "doc->removeUndoObserver(*event_log);" has no effect now because
bug lp:1071082 has been fixed in rev.13127. I'll update the branch later.

On Tue, Mar 14, 2017 at 4:38 AM, Eman Modnar <email address hidden>
wrote:

> I've tested the patch with r15592 on Linux. No crash anymore.
>
> This report (https://bugs.launchpad.net/inkscape/+bug/1667622) could be
> related to the bug.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1670688
>
> Title:
> Internal error on closing or saving
>
> Status in Inkscape:
> In Progress
>
> Bug description:
> Version: 0.92.1-1 (actually it happens with versions start from 0.92.0-3)
> Platform: 64-bit Arch, kernel version is 4.9.11
> Locale: en_US
>
> Steps to reproduce:
> Start Inkscape, leave the untitled window as it is and opens another
> file (any file is OK). Draw something in the opened window and try to save
> or close it w/o saving. Inkscape will crash afterwards. However, if
> multiple files are opened, the error will not be triggered unless the last
> opened file gets saved/closed.
>
> Downgrading to 0.91 r13725 eliminates the error.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/inkscape/+bug/1670688/+subscriptions
>

Approved and Merged in r15608.
Thanks for the fix!

Backported to 0.92.x in
https://gitlab.com/inkscape/inkscape/commit/2d45dcefe917b6a5518e5faef30ad1fb97287214