Inkscape

trunk: crash on delete containing layer

Bug #1310802 reported by Liam P. White
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Inkscape
Fix Released
High
Liam P. White
Inkscape 0.48.5

Bug Description

This came to my attention after the following: http://sta.sh/01sci2ur9gts

Steps to reproduce (r13295, default prefs):
1. If no layer exists, create a layer.
2. Create a sublayer.
3. Remove the main layer

--> crash

Revision history for this message
su_v (suv-lp) wrote :

On OS X 10.7.5:
- crash not reproduced with 0.48.4 r9939, r10025
- crash reproduced with 0.48+devel rev >= 12727

Console warning with stable branch:
** (inkscape:22703): CRITICAL **: void SPDesktop::setCurrentLayer(SPObject*): assertion `SP_IS_GROUP(object)' failed

Console warning with rev >=12532 and <= 12726:
** (inkscape-12532:22745): CRITICAL **: void Inkscape::LayerModel::setCurrentLayer(SPObject*): assertion 'currentRoot() == object || (currentRoot() && currentRoot()->isAncestorOf(object))' failed

tags: added: crash layers
Changed in inkscape:
importance: Undecided → High
Revision history for this message
su_v (suv-lp) wrote :
Changed in inkscape:
milestone: none → 0.91
status: New → Confirmed
tags: added: regression
Revision history for this message
Liam P. White (liampwhite) wrote :

Attached patch fully fixes the issue (no more warnings, no more crashing).

1. The code stores the old layer temporarily and looks for the next one to set as the active layer.
2. It incorrectly identifies the existing layer's last child as the new layer. BAD
3. The old layer gets deleted. Destructor called, children deleted as well.
4. Dangling pointer to freed memory at child address
5. Object is attempted to be used (typeof operator for __dynamic_cast())
6. crash

The patch interferes at step 2 by detecting if the layer to be made active is the last child of the old layer. If it is, it throws it out as a possibility and prevents the warning/crash.

Revision history for this message
Liam P. White (liampwhite) wrote :

Proposing for backport since it eliminates the warning generated here in all situations, and also improves stability (unreferenced memory may be cleaned up, causing a crash in certain cases).

Changed in inkscape:
assignee: nobody → Liam P. White (inkscapebrony)
status: Confirmed → In Progress
tags: added: backport-proposed
Revision history for this message
su_v (suv-lp) wrote :

Patch from comment #3 tested successfully on OS X 10.7.5 with 0.48+devel r13301.

Attached proposed backported diff for lp:inkscape/0.48.x tested successfully with 0.48.4 r10025 on OS X 10.7.5.

Revision history for this message
jazzynico (jazzynico) wrote :

Patch from comment #4 tested successfully on Crunchbang Waldorf, Inkscape trunk revision 13301 [1].

Patch from comment #5 tested successfully on Crunchbang Waldorf, Inkscape 0.48.x revision 10025.

[1] Note that I ran into a crash when testing the layers dialog with the patched trunk (*** glibc detected *** inkscape: malloc(): smallbin double linked list corrupted), but I'm not sure it's related to the patch (it happened only once when deleting a layer, and I can't find a way to reproduce it).

Revision history for this message
Liam P. White (liampwhite) wrote :

Fix committed in r13323.

Changed in inkscape:
status: In Progress → Fix Committed
Revision history for this message
Krzysztof Kosinski (tweenk) wrote :

Patch applied to stable in r10037.

tags: removed: backport-proposed
su_v (suv-lp)
Changed in inkscape:
milestone: 0.91 → 0.48.5
Alex Valavanis (valavanisalex)
Changed in inkscape:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.