Inkscape

text on path, select text, choose [unchanged] in undo history

Bug #1271004 reported by Cojnel on 2014-01-21

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Inkscape	Fix Released	High	Krzysztof Kosinski	Inkscape 0.91 "0.91"

Bug Description

Tested with linux mint 15 32bit.
(version numbers below, different in trunk and stable)

1. open the Edit > Undo History... dialog.
2. draw a path.
3. pick the text tool.
4. click on the canvas and write a couple of letters.
5. select both the path and the text.
6. choose from the menu, Text > put on path.
7. pick the text tool.
8. move the cursor slightly above the text,
   when a blue outline shows up around the text,
   double click to select it.
9. now scroll to the top of the undo history
   dialog and click on [Unchanged].

In v0.48.4 r9939,
most of the time inkscape doesn't crash,
but these it outputs these messages:
(inkscape:7207): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `SPObject'

or:
(inkscape:7207): GLib-GObject-WARNING **: invalid uninstantiatable type `(null)' in cast to `SPObject'

or:
(inkscape:7236): GLib-GObject-WARNING **: invalid uninstantiatable type `<invalid>' in cast to `SPObject'

but it has crashed a couple of times with these messages:
Program received signal SIGSEGV, Segmentation fault.
0x0847434d in Inkscape::Text::Layout::fitToPathAlign (
this=this@entry=0xa65e340, startOffset=..., path=...)
at libnrtype/Layout-TNG-Output.cpp:427
427 in libnrtype/Layout-TNG-Output.cpp

or:
Program received signal SIGSEGV, Segmentation fault.
text_tag_attributes_at_position (item=0xa65f220, position=...,
char_index=char_index@entry=0xbfffe720) at text-editing.cpp:948
948 in text-editing.cpp
.

In r12960,
inkscape crashes, with this messages:
Program received signal SIGSEGV, Segmentation fault.
0xb64dec31 in __dynamic_cast () from /usr/lib/i386-linux-gnu/libstdc++.so.6

or:
Program received signal SIGSEGV, Segmentation fault.
0x00000205 in ?? ()

See original description

Tags:

Related branches

lp:~inkscape.dev/inkscape/trunk

Cojnel (cojnel) on 2014-01-21

description:

updated

Revision history for this message

jazzynico (jazzynico) wrote on 2014-01-22:

#1

Reproduced on Crunchbang Waldorf, Inkscape trunk revision 12966.

Changed in inkscape:
importance:	Undecided → High
milestone:	none → 0.91
status:	New → Triaged

Revision history for this message

jazzynico (jazzynico) wrote on 2014-01-22:

#2

bt-1271004-CrunchbangWaldorf-r12966.txt Edit (14.9 KiB, text/plain)

GDB backtrace (simple and full).

tags:

added: regression

Revision history for this message

jazzynico (jazzynico) wrote on 2014-01-22:

#3

Some (modest) findings: In ui/tools/text-tools.cpp:1530, pos_obj is a valid SP_OBJECT, but fails to test as a SP_STRING. Additionally, testing pos_obj->getRepr() returns NULL instead of the XML representation of the object's tree.

Revision history for this message

Johan Engelen (johanengelen) wrote on 2014-02-24:

#4

A crash on dynamic_cast is likely to happen when the object pointed to has been deleted (possibly by another thread).
I.e.

Object* obj = new Object();
delete obj;
dynamic_cast<Object*>(obj); <-- crash

Revision history for this message

Krzysztof Kosinski (tweenk) wrote on 2014-03-05:

#5

Can't reproduce with r13117 - no crash or other console messages, other than those from the Undo History dialog.*

This might be related to the recently fixed issue with document modifications on load.

*) these messages are related to the fact that glibmm relies on adding properties to objects after they are initialized, which is deprecated in glib, and are unrelated to the bug.

Changed in inkscape:
status:	Triaged → Incomplete

Revision history for this message

su_v (suv-lp) wrote on 2014-03-05:

#6

1271004-bt-full-r13114-debug-osx-quartz-64bit.txt Edit (26.6 KiB, text/plain)

Crash still reproduced with r13114 and r13117 on OS X 10.7.5.

(Backtrace with debug build r13114 attached)

Changed in inkscape:
status:	Incomplete → Confirmed

Revision history for this message

Krzysztof Kosinski (tweenk) wrote on 2014-03-05:

#7

OK, reproduced. The cause is stale slots in the desktop's query style signal - the text tool does not store the connections anywhere and uses ptr_fun instead of mem_fun. Working on a fix.

Changed in inkscape:
assignee:	nobody → Krzysztof Kosinski (tweenk)

Revision history for this message

Krzysztof Kosinski (tweenk) wrote on 2014-03-05:

#8

Looks like stale slots were not the only problem (those were fixed in r13118). When an object is deleted, the selection emits the 'changed' signal, which in turn causes Inkscape::UI::Widget::SelectedStyle to be called, which calls the 'query_style' signal on the desktop. This invokes the query style method on the text tool, but its changed signal didn't have the chance to run yet, so the text tool contains dangling pointers to nonexistent objects.

Revision history for this message

Krzysztof Kosinski (tweenk) wrote on 2014-03-08:

#9

Fixed in r13129.
Also fixed is a similar crash in the gradient dragger when used with some tools.

Changed in inkscape:
status:	Confirmed → Fix Committed

Bryce Harrington (bryce) on 2015-02-21

Changed in inkscape:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.