another guide deletion-related crash

Crash not reproduced with Inkscape 0.48.4 on OS X 10.7.5 (64bit), based on the provided steps.

Crash not reproduced with Inkscape 0.48.4 (0.48.4-1ubuntu3) on Ubuntu 13.10 (VM, 64bit, Unity as desktop) either.

Not reproduced on Crunchbang Waldorf (Debian stable) with Inkscape 0.48.3.1, 0.48.x r10018 and trunk r13165.

backtrace for the problem experienced

disassembly

instrumented output. with fprintf(stderr, ...) inserted at some places

a single guide was added, then deleted
i don't know why the first destroy/origin set happened, but it could be normal

after the second destroy, the given function runs again
now it's clearly visible that SP_IS_CTRLPOINT(SP_GUIDELINE(object)->origin) is the one what fails
could this be a gtk-related problem? 2.24.22 here

lifecycle of some gtk-thing which causes the problem

sorry i cant't do gtk, so i don't know what's that about

Do you happen to use a custom default template?

A crash is reproducible on OS X with stable (but not with trunk) if using these modified document properties, and a visible grid:

Document Properties > Snap > Snap to guides:
 [x] Always snap
  [ ] Snap only when closer than:

(setting in original default template is 'Snap only when closer than:')

Steps with which I managed to reproduce the crash with local builds of the stable release branch (but not with trunk):

1) launch inkscape with default (new) prefs, locale: en_US.UTF-8
2) open 'Document Properties > Snap'
3) Change 'Snap to guides' to '[x] Always snap'
4) close 'Document Properties' dialog (Ctrl+W)
5) Enable grid (menu 'View > Grid')
6) create a guide
7) delete the guide (hover until highlighted & delete it with <Backspace>)

--> crash:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xffffffffffffffff
0x0000000100449d13 in sp_guideline_destroy (object=0x1198e7590) at guideline.cpp:93
93 if (SP_GUIDELINE(object)->origin != NULL && SP_IS_CTRLPOINT(SP_GUIDELINE(object)->origin)) {

The odd thing is that on my system (OS X 10.7.5) this crash only seems to occur with some of the local builds: apparently only those which use the most recent stable versions of the dependencies (gtk2 2.24.23, gtkmm 2.24.4, glib2 2.38.2, glibmm 2.38.1, libsigc++ 2.2.11, cairo 1.12.16, etc.) and are compiled with clang, but not with the builds of the same revisions using older versions and compiled with llvm-gcc-4.2.

Sorry for the long delays, I have little free time, and mainly in the mornings.

Here I have the default settings. I've even deleted .config/inkscape folder just to be sure. So:
Snap to objects = only when closer than 20 px
Snap to grids = always
Snap to guides = only when closer than 20 px

gtk2 is 2.24.22-1
gtkmm is 1:2.24.4-1
glib2 is 2.38.2-5
glibmm is 2.36.2-1
libsigc is 2.2.11-3
libcairo is 1.12.16-2
libcairomm is 1.10.0-1
libpango is 1.36.2-2
libpangomm is 2.34.0-1
libatk is 2.10.0-2
libatkmm is 2.22.7-2

Based on the *-dbg packages, it seems like all were compiled by gcc 4.8.

Unfortunately I cannot downgrade libgtk, as a lot of packages depend on the newest one.
However I have tried inkscape 0.48.3.1-1.3 and experienced the same crash.

After taking another look at lifecycle.txt, it seems like this is an use-after-free, or more like double-free thing, but in the meantime some object-related memory location was reused by another gtk object. gtk_object_destroy sets some gtk-related pointer to NULL, while gtk_label_init sets it to -1, and this is what the second sp_guideline_destroy sees.

Not reproduced on Crunchbang Waldorf, Inkscape 0.48.3.1 and trunk revision 13446 (with 'Snap to guides' to '[x] Always snap').

Confirmed by duplicate Bug #1286421 "inkscape crashed with SIGSEGV".