Inkscape

Operations in Fill/Stroke dialog results in SEGV (on a 64bit Mac)

Bug #672111 reported by Hideo TANIDA on 2010-11-07

This bug report is a duplicate of: Bug #629363: inkscape 0.48 crashes in sp_stroke_style_line_update() when drawing with opened "Fill and Stroke" dialog. Edit Remove

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	Inkscape	New	High	Unassigned

Bug Description

Operations in Fill/Stroke dialog results in segmentation faults (on 64bit Macs).

Here are steps to reproduce the situation. Segmentation faults are observed
while performing other operations such as those in "Stroke paint" tab, as well.
1. Draw a straight line.
2. Right-click on the line and click on "fill and stroke" item.
3. In "Fill and Stroke" pane, choose "Stroke style" tab.
4. Within the tab, click on "Start Makers:" pull-down menu and select one of
candidates.

Output of "inkscape --version" is "Inkscape 0.48.0 r9654 (Nov 6 2010)".

Operating System running on the system is Mac OS X 10.6 (Snow Leopard), and
output of "uname -a" (partially modified) is shown below.
Darwin * 10.4.0 Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386 i386

Parts of GDB output obtained with debug build of inkscape and glib-2.24.2
is shown below.

helvetica:~ tanida$ LANG=C DYLD_LIBRARY_PATH=/Users/tanida/src/glib-2.24.2/glib/.libs:/Users/tanida/src/glib-2.24.2/gobject/.libs gdb local/bin/inkscape
...
(gdb) r
...
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x000000000816f5b8
0x000000010026d2fe in Inkscape::Selection::isEmpty (this=0x816f5a0) at selection.h:188
188 bool isEmpty() const { return _objs == NULL; }
(gdb) where
#0 0x000000010026d2fe in Inkscape::Selection::isEmpty (this=0x816f5a0) at selection.h:188
#1 0x0000000100535a88 in sp_stroke_style_line_update (spw=0x108cd2980, sel=0x816f5a0) at widgets/stroke-style.cpp:1007
#2 0x00000001005360aa in sp_stroke_style_line_selection_modified (selection=0x816f5a0, flags=9, data=0x108cd2980) at widgets/stroke-style.cpp:890
#3 0x0000000103894fab in g_closure_invoke (closure=0x10d11d1d0, return_value=0x0, n_param_values=3, param_values=0x1091380a0, invocation_hint=0x7fff5fbfe670) at gclosure.c:767
#4 0x00000001038ae41e in signal_emit_unlocked_R (node=0x10b0aa550, detail=0, instance=0x10688ee30, emission_return=0x0, instance_and_params=0x1091380a0) at gsignal.c:3248
#5 0x00000001038ad195 in g_signal_emit_valist (instance=0x10688ee30, signal_id=238, detail=0, var_args=0x7fff5fbfe9e0) at gsignal.c:2981
#6 0x00000001038ad7a8 in g_signal_emit (instance=0x10688ee30, signal_id=238, detail=0) at gsignal.c:3038
#7 0x00000001005304b0 in sp_widget_modify_selection (selection=0x816f5a0, flags=9, spw=0x10688ee30) at widgets/sp-widget.cpp:250
#8 0x00000001038afda1 in g_cclosure_marshal_VOID__UINT_POINTER (closure=0x10d11c490, return_value=0x0, n_param_values=3, param_values=0x10cc24c00, invocation_hint=0x7fff5fbfee30, marshal_data=0x0) at gmarshal.c:672
#9 0x0000000103894fab in g_closure_invoke (closure=0x10d11c490, return_value=0x0, n_param_values=3, param_values=0x10cc24c00, invocation_hint=0x7fff5fbfee30) at gclosure.c:767
#10 0x00000001038ae41e in signal_emit_unlocked_R (node=0x104f79f30, detail=0, instance=0x105076660, emission_return=0x0, instance_and_params=0x10cc24c00) at gsignal.c:3248
#11 0x00000001038ad195 in g_signal_emit_valist (instance=0x105076660, signal_id=83, detail=0, var_args=0x7fff5fbff1a0) at gsignal.c:2981
#12 0x00000001038ad7a8 in g_signal_emit (instance=0x105076660, signal_id=83, detail=0) at gsignal.c:3038
#13 0x00000001000ebce1 in inkscape_selection_modified (selection=0x10816f5a0, flags=9) at inkscape.cpp:903
#14 0x0000000100160f5b in Inkscape::Selection::_emitModified (this=0x10816f5a0, flags=9) at selection.cpp:90
#15 0x0000000100160fb6 in Inkscape::Selection::_emit_modified (selection=0x10816f5a0) at selection.cpp:83
#16 0x000000010393a8f9 in g_idle_dispatch (source=0x10badb280, callback=0x100160f7e <Inkscape::Selection::_emit_modified(Inkscape::Selection*)>, user_data=0x10816f5a0) at gmain.c:4065
#17 0x0000000103936492 in g_main_dispatch (context=0x104f59b20) at gmain.c:1960
#18 0x0000000103937c9e in g_main_context_dispatch (context=0x104f59b20) at gmain.c:2513
#19 0x0000000103938273 in g_main_context_iterate (context=0x104f59b20, block=1, dispatch=1, self=0x104f264d0) at gmain.c:2591
#20 0x0000000103938ada in g_main_loop_run (loop=0x108bf33f0) at gmain.c:2799
#21 0x0000000102ec4c70 in gtk_main ()
#22 0x0000000100031087 in sp_main_gui (argc=1, argv=0x7fff5fbff8f0) at main.cpp:983
#23 0x0000000100272e68 in Inkscape::NSApplication::Application::run (this=0x7fff5fbff880) at application/application.cpp:114
#24 0x000000010003182d in main (argc=1, argv=0x7fff5fbff8f0) at main.cpp:719

I guess the problem is in handling of 64bit address in Inkscape or Glib.
While "selection" pointer variable has longer-than-32bit value of 0x10816f5a0
at #13, it is truncated to 32bit value of 0x816f5a0 at #7.
The problem may reproduce on other 64bit operating systems which frequently
uses higher-than-32bit virtual addresses, while this seems not to be the case
in Linux.

Tags:

Revision history for this message

su_v (suv-lp) wrote on 2010-11-07:

Did you build Inkscape yourself or are you using the official package from sf.net?

Seems like a duplicate of
Bug #629363 “inkscape 0.48 crashes in sp_stroke_style_line_update() when drawing with opened "Fill and Stroke" dialog”:
<https://bugs.launchpad.net/inkscape/+bug/629363>

tags:	added: crash
Changed in inkscape:
importance:	Undecided → High

Revision history for this message

Hideo TANIDA (nida-hid) wrote on 2010-11-07: Re: [Bug 672111] Re: Operations in Fill/Stroke dialog results in SEGV (on a 64bit Mac)

Download full text (6.4 KiB)

I've built inkscape myself, using the source archive which can be obtained
via MacPorts. I've confirmed the bug reproduces, after fetching and installing
inkscape by running "port install inkscape", and running inkscape binary
installed. To obtain the stack trace, I've built glib and inkscape form
source archive which was left as cache of MacPorts, which can be found
under /opt/local/var/macports/distfiles.

However, I think my friend who has reported the problem for the first was
using official package from sf. net. I will ask about the detail tomorrow JST.

I have no idea so far the problem is close to what is reported in
https://bugs.launchpad.net/inkscape/+bug/629363 , but I think
the problem is quite different, considering the changes
happening on address of "selection" etc...

Thanks,
Hideo

On Sun, 07 Nov 2010 14:48:21 -0000
~suv <email address hidden> wrote:

However, I think my friend who has reported the problem for the first was
using official package from sf. net. I will ask about the detail tomorrow JST.

Thanks,
Hideo

On Sun, 07 Nov 2010 14:48:21 -0000
~suv <672111@bugs.launchpad.net> wrote:

> Did you build Inkscape yourself or are you using the official package
> from sf.net?
> 
> Seems like a duplicate of 
> Bug #629363 “inkscape 0.48 crashes in sp_stroke_style_line_update() when drawing with opened "Fill and Stroke" dialog”:
> <https://bugs.launchpad.net/inkscape/+bug/629363>
> 
> ** Tags added: crash
> 
> ** Changed in: inkscape
>    Importance: Undecided => High
> 
> -- 
> Operations in Fill/Stroke dialog results in SEGV  (on a 64bit Mac)
> https://bugs.launchpad.net/bugs/672111
> You received this bug notification because you are a direct subscriber
> of the bug.
> 
> Status in Inkscape: A Vector Drawing Tool: New
> 
> Bug description:
> Operations in Fill/Stroke dialog results in segmentation faults (on 64bit Macs).
> 
> Here are steps to reproduce the situation. Segmentation faults are observed
> while performing other operations such as those in "Stroke paint" tab, as well.
> 1. Draw a straight line.
> 2. Right-click on the line and click on "fill and stroke" item.
> 3. In "Fill and Stroke" pane, choose "Stroke style" tab.
> 4. Within the tab, click on "Start Makers:" pull-down menu and select one of
> candidates. 
> 
> Output of "inkscape --version" is "Inkscape 0.48.0 r9654 (Nov  6 2010)".
> 
> Operating System running on the system is Mac OS X 10.6 (Snow Leopard), and
> output of "uname -a" (partially modified) is shown below.
> Darwin * 10.4.0 Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386 i386
> 
> Parts of GDB output obtained with debug build of inkscape and glib-2.24.2
> is shown below.
> 
> helvetica:~ tanida$ LANG=C DYLD_LIBRARY_PATH=/Users/tanida/src/glib-2.24.2/glib/.libs:/Users/tanida/src/glib-2.24.2/gobject/.libs gdb local/bin/inkscape
> ...
> (gdb) r
> ...
> Program received signal EXC_BAD_ACCESS, Could not access memory.
> Reason: KERN_INVALID_ADDRESS at address: 0x000000000816f5b8
> 0x000000010026d2fe in Inkscape::Selection::isEmpty (this=0x816f5a0) at selection.h:188
> 188	    bool isEmpty() const { return _objs == NULL; }
> (gdb) where
> #0  0x000000010026d2fe in Inkscape::Selection::isEmpty (this=0x816f5a0) at selection.h:188
> #1  0x0000000100535a88 in sp_stroke_style_line_update (spw=0x108cd2980, sel=0x816f5a0) at widgets/stroke-style.cpp:1007
> #2  0x00000001005360aa in sp_stroke_style_line_selection_modified (selection=0x816f5a0, flags=9, data=0x108cd2980) at widgets/stroke-style.cpp:890
> #3  0x0000000103894fab in g_closure_invoke (closure=0x10d11d1d0, return_value=0x0, n_param_values=3, param_values=0x1091380a0, invocation_hint=0x7fff5fbfe670) at gclosure.c:767
> #4  0x00000001038ae41e in signal_emit_unlocked_R (node=0x10b0aa550, detail=0, instance=0x10688ee30, emission_return=0x0, instance_and_params=0x1091380a0) at gsignal.c:3248
> #5  0x00000001038ad195 in g_signal_emit_valist (instance=0x10688ee30, signal_id=238, detail=0, var_args=0x7fff5fbfe9e0) at gsignal.c:2981
> #6  0x00000001038ad7a8 in g_signal_emit (instance=0x10688ee30, signal_id=238, detail=0) at gsignal.c:3038
> #7  0x00000001005304b0 in sp_widget_modify_selection (selection=0x816f5a0, flags=9, spw=0x10688ee30) at widgets/sp-widget.cpp:250
> #8  0x00000001038afda1 in g_cclosure_marshal_VOID__UINT_POINTER (closure=0x10d11c490, return_value=0x0, n_param_values=3, param_values=0x10cc24c00, invocation_hint=0x7fff5fbfee30, marshal_data=0x0) at gmarshal.c:672
> #9  0x0000000103894fab in g_closure_invoke (closure=0x10d11c490, return_value=0x0, n_param_values=3, param_values=0x10cc24c00, invocation_hint=0x7fff5fbfee30) at gclosure.c:767
> #10 0x00000001038ae41e in signal_emit_unlocked_R (node=0x104f79f30, detail=0, instance=0x105076660, emission_return=0x0, instance_and_params=0x10cc24c00) at gsignal.c:3248
> #11 0x00000001038ad195 in g_signal_emit_valist (instance=0x105076660, signal_id=83, detail=0, var_args=0x7fff5fbff1a0) at gsignal.c:2981
> #12 0x00000001038ad7a8 in g_signal_emit (instance=0x105076660, signal_id=83, detail=0) at gsignal.c:3038
> #13 0x00000001000ebce1 in inkscape_selection_modified (selection=0x10816f5a0, flags=9) at inkscape.cpp:903
> #14 0x0000000100160f5b in Inkscape::Selection::_emitModified (this=0x10816f5a0, flags=9) at selection.cpp:90
> #15 0x0000000100160fb6 in Inkscape::Selection::_emit_modified (selection=0x10816f5a0) at selection.cpp:83
> #16 0x000000010393a8f9 in g_idle_dispatch (source=0x10badb280, callback=0x100160f7e <Inkscape::Selection::_emit_modified(Inkscape::Selection*)>, user_data=0x10816f5a0) at gmain.c:4065
> #17 0x0000000103936492 in g_main_dispatch (context=0x104f59b20) at gmain.c:1960
> #18 0x0000000103937c9e in g_main_context_dispatch (context=0x104f59b20) at gmain.c:2513
> #19 0x0000000103938273 in g_main_context_iterate (context=0x104f59b20, block=1, dispatch=1, self=0x104f264d0) at gmain.c:2591
> #20 0x0000000103938ada in g_main_loop_run (loop=0x108bf33f0) at gmain.c:2799
> #21 0x0000000102ec4c70 in gtk_main ()
> #22 0x0000000100031087 in sp_main_gui (argc=1, argv=0x7fff5fbff8f0) at main.cpp:983
> #23 0x0000000100272e68 in Inkscape::NSApplication::Application::run (this=0x7fff5fbff880) at application/application.cpp:114
> #24 0x000000010003182d in main (argc=1, argv=0x7fff5fbff8f0) at main.cpp:719
> 
> I guess the problem is in handling of 64bit address in Inkscape or Glib.
> While "selection" pointer variable has longer-than-32bit value of 0x10816f5a0
> at #13, it is truncated to 32bit value of 0x816f5a0 at #7.
> The problem may reproduce on other 64bit operating systems which frequently
> uses higher-than-32bit virtual addresses, while this seems not to be the case
> in Linux.
> 
> To unsubscribe from this bug, go to:
> https://bugs.launchpad.net/inkscape/+bug/672111/+subscribe

-- 
Hideo TANIDA

Revision history for this message

su_v (suv-lp) wrote on 2010-11-07:

> However, I think my friend who has reported the problem for the first was
> using official package from sf. net.

No, just the opposite: the crash reported in bug #629363 does _not_ happen with the official package nor with local builds on Leopard in 32bit mode.

While the description of how the crashes might differ in details, the backtrace in the so far three reported cases indicate a similar cause (all are 64bit system: 2 osx, + gentoo).

Revision history for this message

Hideo TANIDA (nida-hid) wrote on 2010-11-08:

I do agree the problem may NOT reproduce in 32bit environment. The problem of
the pointer variable being truncated seems very likely to be a problem related
to the 64bit world.

However, I could neither test official build (which contains 32bit binary) of
Inkscape myself (as I have only SSH access to the machine I have obtained the
stack trace), nor talk to the friend reported the problem first, today. Sorry.
I'll add more info. on the situation when ready.

Revision history for this message

cxcampb (ccampbell95-gmail) wrote on 2011-04-11:

This sounds like my bug, also. 64 bit Mac, segmentation fault after trying to change fill color of text.

Revision history for this message

Gellule (gellule-xg) wrote on 2011-05-26:

A patch is available in a bug that might be related to this one: https://bugs.launchpad.net/inkscape/+bug/629363

Revision history for this message

Gellule (gellule-xg) wrote on 2011-06-02:

I would mark this bug as duplicate of #672111

Revision history for this message

su_v (suv-lp) wrote on 2011-06-02:

Gellule wrote:
> I would mark this bug as duplicate of #672111

Hmm, bug #672111 is this one - did you mean bug #629363 instead?

Revision history for this message

Gellule (gellule-xg) wrote on 2011-06-02:

Indeed. Time to go to bed. I would mark this bug as duplicate of #629363.

Revision history for this message

su_v (suv-lp) wrote on 2011-06-02:

#10

Linking as duplicate to bug #629363. Please add a comment here and revert the duplicate status if you don't agree or if the same crash still occurs in the next bug-fix release (0.48.2) or with a development build >= r10237.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #629363 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.