crash, draw path/shape, press the spacebar quickly (rev >= 12730)

Bug #1265376 reported by Cojnel on 2014-01-01
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Inkscape
High
Markus Engel

Bug Description

Draw a path
switch to the node tool (this step isn't required but it sometimes causes the crash faster)
press the spacebar quickly
inkscape crashes with these messages:

sometimes it just crashes with this message:
Program received signal SIGSEGV, Segmentation fault.
0xb62dd90c in ?? () from /lib/i386-linux-gnu/libc.so.6

other times these messages show up without crashing inkscape:
(inkscape:6489): GLib-GObject-CRITICAL **: g_closure_unref: assertion `closure->ref_count > 0' failed

(inkscape:6489): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GObject'

(inkscape:6489): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed

one is still able to keep pressing the spacebar until inkscape stops responding, and gdb outputs:
*** Error in `/usr/bin/inkscape': corrupted double-linked list: 0x0b83fee0 ***

Ctrl + C has to be pressed to get back to the (gdb) terminal prompt,
^C
Program received signal SIGINT, Interrupt.
0xb7fdd424 in __kernel_vsyscall ()

iv'e also seen this message but it didn't crash:
** (inkscape:6106): CRITICAL **: void sp_canvas_item_destroy(SPCanvasItem*): assertion `SP_IS_CANVAS_ITEM(item)' failed

when i continued pressing the spacebar, inkscape crashed with these messages:
Gdk:ERROR:/build/buildd/gtk+2.0-2.24.17/gdk/gdkregion-generic.c:1114:miUnionNonO: assertion failed: (r->x1 < r->x2)

Program received signal SIGABRT, Aborted.
0xb7fdd424 in __kernel_vsyscall ()

It also happens when drawing shapes,
after drawing a rectangle and switching to the node tool then pressing the spacebar quickly, these messages appeared:
Program received signal SIGSEGV, Segmentation fault.
0xb70ac7d0 in sigc::internal::trackable_callback_list::~trackable_callback_list() () from /usr/lib/i386-linux-gnu/libsigc-2.0.so.0

and another time:
(inkscape:6739): GLib-GObject-CRITICAL **: g_closure_unref: assertion `closure->ref_count > 0' failed

Program received signal SIGSEGV, Segmentation fault.
0xb64f12c9 in std::__detail::_List_node_base::_M_unhook() ()
   from /usr/lib/i386-linux-gnu/libstdc++.so.6

i tried deleting the preferences.xml so that a new one is created but it had no effect.

tested with r12865
on linux mint 15 cinnamon 32bit

v0.48.4 r9939 doesn't crash when trying this.

jazzynico (jazzynico) wrote :

Not reproduced on Windows XP, Inkscape trunk revision 12886.

Changed in inkscape:
importance: Undecided → High
jazzynico (jazzynico) wrote :

Not reproduced on Windows XP, Inkscape trunk revision 12886. No crash, no warning.

jazzynico (jazzynico) wrote :

Reproduced on Crunchbang Waldorf, Inkscape trunk revision 12976.
Surprisingly, I get different GDB traces, no matter how I test (with a shape, empty canvas, different tools selected..):

1. The most frequent trace, seen 7 times on 10 tests:
#0 0x00007f00f4010b80 in ?? ()
#1 0x00000000004d7a23 in GrDrag::~GrDrag (this=0x60adf50, __in_chrg=<optimized out>) at gradient-drag.cpp:673

2. Seen only once:
#0 0x00007f00f4010b80 in ?? ()
#1 0x0000000000540b1b in Inkscape::SelTrans::~SelTrans (this=0x632c820, __in_chrg=<optimized out>) at seltrans.cpp:184

3. Seen twice:
#0 0x00007f00f4010b80 in ?? ()
#1 0x00007ffff401139e in sigc::internal::slot_rep::notify(void*) () from /usr/lib/x86_64-linux-gnu/libsigc-2.0.so.0

Changed in inkscape:
status: New → Confirmed
tags: added: regression
jazzynico (jazzynico) wrote :
jazzynico (jazzynico) wrote :
jazzynico (jazzynico) wrote :
Changed in inkscape:
status: Confirmed → Triaged
milestone: none → 0.91
su_v (suv-lp) wrote :

Testing with archived builds on OS X 10.7.5:
- not reproduced with rev <= 12729
- reproduced with rev >= 12733

Change log 12733-12729:
<http://bazaar.launchpad.net/~inkscape.dev/inkscape/trunk/changes/12733>

jazzynico (jazzynico) wrote :

> - not reproduced with rev <= 12729
> - reproduced with rev >= 12733

Very helpful, thanks!

The regression was indeed due to revision 12730 (https://bazaar.launchpad.net/~inkscape.dev/inkscape/trunk/revision/12730).
Unfortunately, 12730 fixed Bug #1239131 (switch from gradient to dropper tool loses gradient stop selection), and reverting it (more or less, the code changed again between 12730 and now) with the attached patch reopens the report.

su_v (suv-lp) on 2014-01-29
summary: - crash, draw path/shape, press the spacebar quickly
+ crash, draw path/shape, press the spacebar quickly (rev >= 12730)
jazzynico (jazzynico) wrote :

Reduced steps (tested on Crunchbang Waldorf, r12984):
1. Start with a default document.
2. Switch to the node tool.
3. Press space 3 or 4 times (no need to be fast).

New findings: Inkscape doesn't crash if you disable the selection cue and gradient drag preferences for the selector tool and the node tool, that confirms there's something wrong in the way the tool's GrDrag (see comment #4) and SelCue are destroyed.

Cojnel (cojnel) wrote :

Turning off selection cue and gradient editing,
in both the selector and node tools,
didn't prevent crashes from happening,
with r12992 on linux mint 16.

jazzynico (jazzynico) wrote :

I still can't reproduce the crash on Windows. Tested again with revision 12994, official devlibs (libsigc++2-2.2.11) and 12823, experimental GTK3 devlibs (libsigc++2-2.2.10). No crash, no warning.

Note that Crunchbang Waldorf (as well as Debian Wheezy, Jessie and Sid) have libsigc++2-2.2.10.

Markus Engel (engelmarkus) wrote :

As far as I can see, this is caused by the way the tools are toggled.
The function that handles the space key is actually a member function of the tool class. On toggling however the tool will be deleted and thus no members of this tool may be accessed anymore. That's causing the segfaults.
Try the attached patch.
We should probably refactor that later. For now be careful when you modify the code there.

Changed in inkscape:
assignee: nobody → Markus Engel (engelmarkus)
status: Triaged → In Progress
Markus Engel (engelmarkus) wrote :

I played around with this a lot now and can't reproduce it anymore.
Thus, I committed the patch from comment #12 in r13087.
If this does not solve the problem for you, please report.

Changed in inkscape:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers