Pcbnew: fill then move zone in modern canvases causes segfault

Bug #1834718 reported by Wayne Stambaugh
Affects: KiCad
Status: Fix Released
Importance: Critical
Assigned to: Jeff Young

Bug Description

I just stumbled across this beauty while testing another bug fix. The following steps cause the 5.1 branch of Pcbnew to segfault:

1. Open any board that has a filled zone on a copper layer.
2. Refill all zones (B hotkey).
3. Select any zone and move it (M hotkey).
4. Hitting the escape key to deselect the zone will cause a segfault.

This happens with both the accelerated and fallback modern canvases but not the legacy canvas. It does not appear to affect the master branch. What's really peculiar is that the gdb backtrace complains about something being optimized out of the WX_PROGRESS_REPORTER dtor (see below). Running the gdb `bt` command causes gdb to spew an infinite loop of the same error.

Application: Pcbnew
Version: (5.1.2-169-g574473c48), debug build
Libraries:
    wxWidgets 3.0.4
    libcurl/7.65.1 OpenSSL/1.1.1c (Schannel) zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.1.1) nghttp2/1.39.1
Platform: Windows 8 (build 9200), 64-bit edition, 64 bit, Little endian, wxMSW
Build Info:
    wxWidgets: 3.0.4 (wchar_t,wx containers,compatible with 2.8)
    Boost: 1.70.0
    OpenCASCADE Community Edition: 6.9.1
    Curl: 7.65.1
    Compiler: GCC 9.1.0 with C++ ABI 1013

Build settings:
    USE_WX_GRAPHICS_CONTEXT=OFF
    USE_WX_OVERLAY=OFF
    KICAD_SCRIPTING=ON
    KICAD_SCRIPTING_MODULES=ON
    KICAD_SCRIPTING_PYTHON3=OFF
    KICAD_SCRIPTING_WXPYTHON=ON
    KICAD_SCRIPTING_WXPYTHON_PHOENIX=OFF
    KICAD_SCRIPTING_ACTION_MENU=ON
    BUILD_GITHUB_PLUGIN=ON
    KICAD_USE_OCE=ON
    KICAD_USE_OCC=OFF
    KICAD_SPICE=ON

(gdb) bt 20
#0 0x000000006d0cd392 in ?? ()
   from E:\msys64\mingw64\bin\wxmsw30u_core_gcc_custom.dll
#1 0x000000006d0cd6e9 in ?? ()
   from E:\msys64\mingw64\bin\wxmsw30u_core_gcc_custom.dll
#2 0x000000006d0ec8df in ?? ()
   from E:\msys64\mingw64\bin\wxmsw30u_core_gcc_custom.dll
#3 0x000000006d263ad7 in ?? ()
   from E:\msys64\mingw64\bin\wxmsw30u_core_gcc_custom.dll
#4 0x00000000806e8547 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:117
#5 0x00000000806e8585 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:118
#6 0x000000006d26fb1d in ?? ()
   from E:\msys64\mingw64\bin\wxmsw30u_core_gcc_custom.dll
#7 0x00000000806e8547 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:117
#8 0x00000000806e8585 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:118
#9 0x000000006d26fb1d in ?? ()
   from E:\msys64\mingw64\bin\wxmsw30u_core_gcc_custom.dll
#10 0x00000000806e8547 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:117
#11 0x00000000806e8585 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:118
#12 0x000000006d26fb1d in ?? ()
   from E:\msys64\mingw64\bin\wxmsw30u_core_gcc_custom.dll
#13 0x00000000806e8547 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:117
#14 0x00000000806e8585 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:118
#15 0x000000006d26fb1d in ?? ()
   from E:\msys64\mingw64\bin\wxmsw30u_core_gcc_custom.dll
#16 0x00000000806e8547 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:117
#17 0x00000000806e8585 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:118
#18 0x000000006d26fb1d in ?? ()
   from E:\msys64\mingw64\bin\wxmsw30u_core_gcc_custom.dll
#19 0x00000000806e8547 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:117

Tags: pcbnew
Revision history for this message
Seth Hillbrand (sethh) wrote :

I cannot recreate this on Linux.

Application: Pcbnew
Version: (5.1.2-171-g761725265-dirty), debug build
Libraries:
    wxWidgets 3.0.4
    libcurl/7.64.0 OpenSSL/1.1.1c zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Platform: Linux 4.19.0-5-amd64 x86_64, 64 bit, Little endian, wxGTK
Build Info:
    wxWidgets: 3.0.4 (wchar_t,wx containers,compatible with 2.8) GTK+ 3.24
    Boost: 1.67.0
    OpenCASCADE Community Edition: 6.9.1
    Curl: 7.64.0
    Compiler: GCC 8.3.0 with C++ ABI 1013

Build settings:
    USE_WX_GRAPHICS_CONTEXT=OFF
    USE_WX_OVERLAY=ON
    KICAD_SCRIPTING=ON
    KICAD_SCRIPTING_MODULES=ON
    KICAD_SCRIPTING_PYTHON3=ON
    KICAD_SCRIPTING_WXPYTHON=ON
    KICAD_SCRIPTING_WXPYTHON_PHOENIX=ON
    KICAD_SCRIPTING_ACTION_MENU=ON
    BUILD_GITHUB_PLUGIN=ON
    KICAD_USE_OCE=ON
    KICAD_USE_OCC=OFF
    KICAD_SPICE=ON

Seth Hillbrand (sethh) wrote :

@Wayne-

Is the loop actually infinite? It looks like the progress dialog gets a reference to itself and calls the destructor until it runs out of stack. The origin would be very far up the stack but might still be reachable in gdb.

tags: added: pcbnew
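
Seth's question (does the trace actually cycle, as it would if the destructor re-entered itself until the stack ran out?) can be answered mechanically from the gdb output. The script below is an added example, not code from the bug report or from KiCad: it joins gdb's wrapped frame lines, then searches for the shortest sequence of (address, function) signatures that repeats at least twice, which is what unbounded recursion looks like in a backtrace. The sample is constructed from frames #3 to #9 quoted in the report.

```python
import re

# Constructed sample: frames #3 to #9 of the gdb backtrace quoted in the report.
SAMPLE_BT = r"""#3 0x000000006d263ad7 in ?? () from E:\msys64\mingw64\bin\wxmsw30u_core_gcc_custom.dll
#4 0x00000000806e8547 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:117
#5 0x00000000806e8585 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:118
#6 0x000000006d26fb1d in ?? () from E:\msys64\mingw64\bin\wxmsw30u_core_gcc_custom.dll
#7 0x00000000806e8547 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:117
#8 0x00000000806e8585 in WX_PROGRESS_REPORTER::~WX_PROGRESS_REPORTER (
    this=0x15083820, __in_chrg=<optimized out>)
    at E:/msys64/home/Wayne/src/kicad-5.1/common/widgets/progress_reporter.cpp:118
#9 0x000000006d26fb1d in ?? () from E:\msys64\mingw64\bin\wxmsw30u_core_gcc_custom.dll
"""

# "#N 0xADDR in FUNC" ; FUNC is "??" for frames without symbols.
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (\S+)")


def parse_frames(bt_text):
    """Re-join gdb's wrapped frame lines; return [(frame_no, addr, func), ...]."""
    raw = []
    for line in bt_text.splitlines():
        if line.startswith("#"):
            raw.append(line.rstrip())
        elif raw:
            raw[-1] += " " + line.strip()  # indented continuation of the frame above
    parsed = []
    for frame in raw:
        m = FRAME_RE.match(frame)
        if m:
            parsed.append((int(m.group(1)), m.group(2), m.group(3)))
    return parsed


def find_cycle(frames, min_repeats=2):
    """Return (period, first_frame_no, cycle_signatures) for the shortest
    frame cycle that repeats at least min_repeats times, or None."""
    sigs = [(addr, func) for _, addr, func in frames]
    n = len(sigs)
    for period in range(1, n // min_repeats + 1):
        run, best_run, best_start = 0, 0, None
        for i in range(n - period):  # count consecutive frames equal to the one `period` later
            run = run + 1 if sigs[i] == sigs[i + period] else 0
            if run > best_run:
                best_run, best_start = run, i - run + 1
        if best_run + period >= min_repeats * period:  # enough matching pairs for full cycles
            return period, frames[best_start][0], sigs[best_start:best_start + period]
    return None
```

On the full 20-frame trace from the report this finds a period-3 cycle starting at frame #4, which is the same three return addresses repeating all the way up, consistent with Seth's reading rather than with a genuinely infinite gdb loop.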
Jeff Young (jeyjey) wrote :

@Wayne, I've checked in a potential fix for this (only on master till I see if it works). Could you give it a spin for me?

KiCad Janitor (kicad-janitor) wrote :

Fixed in revision a991625f5610fbaec32b4776f621f523ffcc7e4f
https://git.launchpad.net/kicad/patch/?id=a991625f5610fbaec32b4776f621f523ffcc7e4f

Changed in kicad:
status: Triaged → Fix Committed
assignee: nobody → Jeff Young (jeyjey)
Jeff Young (jeyjey)
Changed in kicad:
status: Fix Committed → In Progress
Wayne Stambaugh (stambaughw) wrote :

@Jeff, I don't believe that the master branch had this issue. I took a look and the change you made to the master branch doesn't exist in the 5.1 branch.

Jeff Young (jeyjey) wrote :

Master has the bug (the zones don't need re-filling after cancelling the move); it just doesn't crash.

But you're right, the refill-on-move code wasn't put in until after 5.1, so the 6.0 fix isn't going to work for 5.1. Hmmm....

Jeff Young (jeyjey) wrote :

I must have been misreading my compare. That code /is/ in 5.1. It was committed by Orson on April 3, 2018 for https://bugs.launchpad.net/kicad/+bug/1760903.

In any case I've pushed the possible fix to 5.1, so you can test it there.

Wayne Stambaugh (stambaughw) wrote :

@Jeff, the caffeine must not have kicked in when I looked at this. I must have been looking at the master branch instead of the 5.1 branch. I did test your fix on 5.1 and it does resolve the issue.

Jeff Young (jeyjey)
Changed in kicad:
status: In Progress → Fix Committed
Changed in kicad:
status: Fix Committed → Fix Released