Inkscape

trunk: crash on 'Path > Combine' of 'Select Same'-selected paths (rev >= 12532)

Bug #1229678 reported by su_v
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Inkscape
Fix Released
High
Martin Owens

Bug Description

Inkscape trunk crashes on 'Path > Combine' of a selection of paths (selected by context menu 'Select Same > Fill and Stroke') in the attached document.

Steps to reproduce:
1) launch inkscape (default prefs, default new document)
2) open attached drawing
3) select path in upper left corner of the page
4) shift-click on the path touching the right page border in the middle
5) from the context menu, use 'Select Same > Fill and Stroke'
6) combine the selection ('Ctrl+K')

--> crash:
** (inkscape:78272): CRITICAL **: void Inkscape::Selection::remove(SPObject*): assertion `includes(obj)' failed

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000010
0x00000001000f0690 in __gnu_cxx::__normal_iterator<Geom::Path*, std::vector<Geom::Path, std::allocator<Geom::Path> > >::__normal_iterator (this=0x7fff5fbfe608, __i=@0x10) at stl_iterator.h:653
653 __normal_iterator(const _Iterator& __i) : _M_current(__i) { }
(gdb) bt
#0 0x00000001000f0690 in __gnu_cxx::__normal_iterator<Geom::Path*, std::vector<Geom::Path, std::allocator<Geom::Path> > >::__normal_iterator (this=0x7fff5fbfe608, __i=@0x10) at stl_iterator.h:653
#1 0x00000001000dcbaf in std::vector<Geom::Path, std::allocator<Geom::Path> >::begin (this=0x10) at stl_vector.h:331
#2 0x00000001000de85c in Geom::operator*= (path_in=@0x10, m=@0x7fff5fbfe860) at pathvector.h:50
#3 0x00000001004bdfd0 in SPCurve::transform (this=0x0, m=@0x7fff5fbfe860) at curve.cpp:185
#4 0x0000000100205963 in sp_selected_path_combine (desktop=0x10db1dc00) at path-chemistry.cpp:122
#5 0x0000000100468491 in Inkscape::SelectionVerb::perform (action=0x108c5d940, data=0x5c) at verbs.cpp:1185

Encountered with Inkscape 0.48+devel r12583 on OS X 10.7.5, reproduced with same revision on Ubuntu 12.10 (VM, 64bit).

Based on tests with archived builds:
- not reproduced with rev <= 12531
- reproduced with rev >= 12532
this regression was likely introduced with the merge of the C++ification of the SP tree in r12532:
<http://bazaar.launchpad.net/~inkscape.dev/inkscape/trunk/revision/12532>

Revision history for this message
su_v (suv-lp) wrote :

Sample file (the paths originate from a quick doodle with the paint bucket tool).

Revision history for this message
su_v (suv-lp) wrote :

Backtrace

Revision history for this message
Martin Owens (doctormo) wrote :

The "select same" functionality was using selection->setList which was subtly broken by allowing the same item to be selected twice. Thus when combining, the item tries to be deleted twice... crash.

See r12586. I managed to reduce the code complexity too.

Changed in inkscape:
assignee: nobody → Martin Owens (doctormo)
status: New → Fix Committed
Revision history for this message
Markus Engel (engelmarkus) wrote :

First of all: There's something wrong with this "select same" function. It says "22 objects selected", although there are only 11 paths in the whole file. This happens in r12531 as well, that's before c++ification.

Okay, the crash is caused due to the fact that there is one path in your file with 0 nodes, namely:
<path style="fill:#ffb380;stroke:none" d="" id="path3306" inkscape:connector-curvature="0" />
As paths with an empty d attribute are allowed ("Note that the BNF allows the path ‘d’ attribute to be empty. This is not an error, instead it disables rendering of the path."), we should think about how to handle that best. I think this can cause lots of other problems as well. Should SPPath return "NULL" when it's got an empty d attribute or should it return a pointer to an empty SPCurve object?

Revision history for this message
Markus Engel (engelmarkus) wrote :

Ah, seems I was too slow ;) .

Revision history for this message
Martin Owens (doctormo) wrote :

Interesting look at your thinking. The zero node path shouldn't cause the issue because selecting all paths with the tool without first selecting the top-left corner item, doesn't crash. thus it's more likely the empty curve is being added all the same.

Revision history for this message
su_v (suv-lp) wrote :

Earlier and latest revision r12586 don't crash when combining the empty path with itself, or with a random one of the other paths (the empty path can be selected with <TAB> (keep an eye on the messages in status bar), and another one added to the (invisible) selection with a single 'Shift+LMB').

Crash as originally reported no longer reproduced with r12586 - thx :)

(I haven't tested 'Select Same' again after that "reduction of code complexity …)

Changed in inkscape:
milestone: 0.49 → none
status: Fix Committed → Fix Released
Revision history for this message
su_v (suv-lp) wrote :

Follow-up report (regression introduced with the changes in r12586):
- Bug #1243408 “Intermittantly cannot de-select objects by clicking on the canvas (rev >= 12586)”
  <https://bugs.launchpad.net/inkscape/+bug/1243408>

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.