repeatable seg in Inkscape::Text::Layout::InputStreamTextSource::styleGetBlockProgression

Bug #1391374 reported by Dave Gilbert on 2014-11-11
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Inkscape
High
Mc

Bug Description

Repeatable seg (On FC21/x86-64) on bzr 13701 :

1 Open the attached SVG,
2 Double click on the LINK_ text in the middle of the image until you get the flashing vertical caret
3 move to the end of that text using right arrow
4 delete using backspace until it's an empty line
5 hit up arrow
   Segs

Program received signal SIGSEGV, Segmentation fault.
Inkscape::Text::Layout::InputStreamTextSource::styleGetBlockProgression (this=0x3286e00) at libnrtype/Layout-TNG-Input.cpp:188
188 if (this_style->block_progression.set)
Missing separate debuginfos, use: debuginfo-install GConf2-3.2.6-11.fc21.x86_64 ImageMagick-c++-6.8.8.10-5.fc21.x86_64 ImageMagick-libs-6.8.8.10-5.fc21.x86_64 adwaita-gtk2-theme-3.14.0-1.fc21.x86_64 atkmm-2.22.7-4.fc21.x86_64 avahi-glib-0.6.31-29.fc21.x86_64 avahi-libs-0.6.31-29.fc21.x86_64 bzip2-libs-1.0.6-14.fc21.x86_64 cairomm-1.10.0-9.fc21.x86_64 enchant-1.6.0-9.fc21.x86_64 fftw-libs-double-3.3.4-5.fc21.x86_64 gamin-0.1.10-17.fc21.x86_64 gc-7.4.2-2.fc21.x86_64 glibmm24-2.42.0-1.fc21.x86_64 gnome-vfs2-2.24.4-16.fc21.x86_64 gsl-1.16-15.fc21.x86_64 gtkmm24-2.24.4-4.fc21.x86_64 gtkspell-2.0.16-9.fc21.x86_64 gvfs-1.22.1-2.fc21.x86_64 jbigkit-libs-2.1-2.fc21.x86_64 keyutils-libs-1.5.9-4.fc21.x86_64 krb5-libs-1.12.2-9.fc21.x86_64 lcms2-2.6-4.fc21.x86_64 libacl-2.2.52-7.fc21.x86_64 libatomic_ops-7.4.2-4.fc21.x86_64 libattr-2.4.47-9.fc21.x86_64 libbluray-0.6.2-1.fc21.x86_64 libcom_err-1.42.11-3.fc21.x86_64 librevenge-0.0.1-3.fc21.x86_64 libsigc++20-2.4.0-1.fc21.x86_64 libtiff-4.0.3-18.fc21.x86_64 libtool-ltdl-2.4.2-31.fc21.x86_64 libwpd-0.10.0-3.fc21.x86_64 libwpg-0.3.0-3.fc21.x86_64 libxml2-2.9.1-6.fc21.x86_64 libxshmfence-1.1-3.fc21.x86_64 libxslt-1.1.28-8.fc21.x86_64 openjpeg-libs-1.5.1-13.fc21.x86_64 pangomm-2.34.0-4.fc21.x86_64 poppler-0.26.2-3.fc21.x86_64 poppler-glib-0.26.2-3.fc21.x86_64 popt-1.16-5.fc21.x86_64 xz-libs-5.1.2-14alpha.fc21.x86_64
(gdb) bt full
#0 0x000000000071b694 in Inkscape::Text::Layout::InputStreamTextSource::styleGetBlockProgression() const (this=0x3286e00) at libnrtype/Layout-TNG-Input.cpp:188
        this_style = 0x6569566c6c65436b
#1 0x000000000071feaa in Inkscape::Text::Layout::iterator::cursorUp(int) (this=<optimized out>) at libnrtype/Layout-TNG.h:660
        block_progression = <optimized out>
#2 0x000000000071feaa in Inkscape::Text::Layout::iterator::cursorUp(int) (this=0x9bb91f0, n=n@entry=1) at libnrtype/Layout-TNG-OutIter.cpp:979
        block_progression = <optimized out>
#3 0x0000000000aa2233 in Inkscape::UI::Tools::TextTool::root_handler(_GdkEvent*) (this=0x9bb9100, event=0x677ae60) at ui/tools/text-tool.cpp:1043
        old_start = {_parent_layout = 0x2b43608, _glyph_index = 0, _char_index = 0, _cursor_moving_vertically = <optimized out>, _x_coordinate = <optimized out>}
        old_end = {_parent_layout = 0x2b43608, _glyph_index = 0, _char_index = 0, _cursor_moving_vertically = <optimized out>, _x_coordinate = <optimized out>}
        cursor_moved = false
        screenlines = <optimized out>
        group0_keyval = 65362
        __PRETTY_FUNCTION__ = "virtual bool Inkscape::UI::Tools::TextTool::root_handler(GdkEvent*)"
#4 0x0000000000aa386a in Inkscape::UI::Tools::sp_event_context_virtual_root_handler(Inkscape::UI::Tools::ToolBase*, _GdkEvent*) (event_context=<optimized out>, event=0x677ae60) at ui/tools/tool-base.cpp:1000
        desktop = 0x1eb1c00
        ret = 0
#9 0x0000003d1262a3bf in <emit signal ??? on instance 0x328e000 [SPCanvasArena]> (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at gsignal.c:3365
        var_args = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffca90, reg_save_area = 0x7fffffffc9d0}}
    #5 0x00000000006fee13 in sp_marshal_INT__POINTER_POINTER(GClosure*, GValue*, guint, GValue const*, gpointer, gpointer) (closure=0x3252760, return_value=0x7fffffffc8d0, n_param_values=<optimized out>, param_values=0x7fffffffc800, invocation_hint=<optimized out>, marshal_data=0x0) at helper/sp-marshal.cpp:247
                cc = 0x3252760
                data1 = 0x328e000
                __PRETTY_FUNCTION__ = "void sp_marshal_INT__POINTER_POINTER(GClosure*, GValue*, guint, const GValue*, gpointer, gpointer)"
                callback = <optimized out>
                data2 = <optimized out>
                v_return = <optimized out>
    #6 0x0000003d1260fd35 in g_closure_invoke (closure=0x3252760, return_value=return_value@entry=0x7fffffffc8d0, n_param_values=3, param_values=param_values@entry=0x7fffffffc800, invocation_hint=invocation_hint@entry=0x7fffffffc7a0)
    at gclosure.c:768
                marshal = <optimized out>
                marshal_data = <optimized out>
                in_marshal = 0
                real_closure = 0x3252740
                __FUNCTION__ = "g_closure_invoke"
    #7 0x0000003d12621a52 in signal_emit_unlocked_R (node=node@entry=0x328b9d0, detail=detail@entry=0, instance=instance@entry=0x328e000, emission_return=emission_return@entry=0x7fffffffc8d0, instance_and_params=instance_and_params@entry=0x7fffffffc800) at gsignal.c:3553
                tmp = <optimized out>
                handler = 0x3233090
                accumulator = 0x0
                emission = {next = 0x7fffffffcce0, instance = 0x328e000, ihint = {signal_id = 207, detail = 0, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN, chain_type = 4}
                handler_list = <optimized out>
                return_accu = 0x7fffffffc8d0
                accu =
                      {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
                signal_id = 207
                max_sequential_handler_number = 27354
                return_value_altered = 0
    #8 0x0000003d12629d68 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffc9b0) at gsignal.c:3319
                return_value =
                      {g_type = 24, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
                error = 0x0
                rtype = 24
                static_scope = 0
                instance_and_params = 0x7fffffffc800
                signal_return_type = <optimized out>
                param_values = 0x7fffffffc818
                node = <optimized out>
                i = <optimized out>
                n_params = <optimized out>
                __FUNCTION__ = "g_signal_emit_valist"
#10 0x00000000005ecf43 in sp_canvas_arena_send_event(SPCanvasArena*, GdkEvent*) (arena=arena@entry=0x328e000 [SPCanvasArena], event=event@entry=0x677ae60) at display/canvas-arena.cpp:323
        ret = 0
---Type <return> to continue, or q <return> to quit---
#11 0x00000000005ed1e0 in sp_canvas_arena_event(SPCanvasItem*, GdkEvent*) (item=<optimized out>, event=0x677ae60) at display/canvas-arena.cpp:310
        new_arena = <optimized out>
        arena = 0x328e000 [SPCanvasArena]
        ret = 0
#16 0x0000003d1262a3bf in <emit signal ??? on instance 0x328e000 [SPCanvasArena]> (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at gsignal.c:3365
        var_args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffffffcfc0, reg_save_area = 0x7fffffffcf00}}
    #12 0x00000000006febff in sp_marshal_BOOLEAN__POINTER(GClosure*, GValue*, guint, GValue const*, gpointer, gpointer) (closure=0x31766a0, return_value=0x7fffffffce00, n_param_values=<optimized out>, param_values=0x7fffffffcd50, invocation_hint=<optimized out>, marshal_data=0x5ecfd0 <sp_canvas_arena_event(SPCanvasItem*, GdkEvent*)>) at helper/sp-marshal.cpp:124
                cc = 0x31766a0
                data1 = 0x328e000
                __PRETTY_FUNCTION__ = "void sp_marshal_BOOLEAN__POINTER(GClosure*, GValue*, guint, const GValue*, gpointer, gpointer)"
                callback = <optimized out>
                data2 = <optimized out>
                v_return = <optimized out>
    #13 0x0000003d1260fd35 in g_closure_invoke (closure=closure@entry=0x31766a0, return_value=return_value@entry=0x7fffffffce00, n_param_values=2, param_values=param_values@entry=0x7fffffffcd50, invocation_hint=invocation_hint@entry=0x7fffffffccf0) at gclosure.c:768
                marshal = <optimized out>
                marshal_data = <optimized out>
                in_marshal = 0
                real_closure = 0x3176680
                __FUNCTION__ = "g_closure_invoke"
    #14 0x0000003d1262194a in signal_emit_unlocked_R (node=node@entry=0x317ed50, detail=detail@entry=0, instance=instance@entry=0x328e000, emission_return=emission_return@entry=0x7fffffffce00, instance_and_params=instance_and_params@entry=0x7fffffffcd50) at gsignal.c:3591
                accumulator = 0x0
                emission = {next = 0x7fffffffd190, instance = 0x328e000, ihint = {signal_id = 148, detail = 0, run_type = G_SIGNAL_RUN_LAST}, state = EMISSION_RUN, chain_type = 53000016}
                handler_list = <optimized out>
                return_accu = 0x7fffffffce00
                accu =
                      {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
                signal_id = 148
                max_sequential_handler_number = 27354
                return_value_altered = 0
    #15 0x0000003d12629d68 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffcee0) at gsignal.c:3319
                return_value =
                      {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
                error = 0x0
                rtype = 20
                static_scope = 0
                instance_and_params = 0x7fffffffcd50
                signal_return_type = <optimized out>
                param_values = 0x7fffffffcd68
                node = <optimized out>
                i = <optimized out>
                n_params = <optimized out>
                __FUNCTION__ = "g_signal_emit_valist"
#17 0x000000000063ea11 in SPCanvasImpl::emitEvent(SPCanvas*, _GdkEvent*) (canvas=<optimized out>, event=0x677c9e0) at display/sp-canvas.cpp:1515
        parent = <optimized out>
        ev = 0x677c970
        item = 0x328e000 [SPCanvasArena]
        finished = 0
        event = 0x677c9e0
        canvas = <optimized out>
#22 0x0000003d1262a3bf in <emit signal ??? on instance 0x317f000 [SPCanvas]> (instance=instance@entry=0x317f000, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3365
        var_args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffffffd470, reg_save_area = 0x7fffffffd3b0}}
    #18 0x000000379f54780d in _gtk_marshal_BOOLEAN__BOXED (closure=0x14c6810, return_value=0x7fffffffd150, n_param_values=<optimized out>, param_values=0x7fffffffd200, invocation_hint=<optimized out>, marshal_data=<optimized out>)
    at gtkmarshalers.c:86
                callback = 0x63ebc0 <SPCanvasImpl::handleKeyEvent(_GtkWidget*, _GdkEventKey*)>
                cc = 0x14c6810
                data1 = 0x317f000
                data2 = 0x1302ef0
                v_return = <optimized out>
---Type <return> to continue, or q <return> to quit---
                __FUNCTION__ = "_gtk_marshal_BOOLEAN__BOXED"
    #19 0x0000003d1260fc8f in g_closure_invoke (closure=closure@entry=0x14c6810, return_value=return_value@entry=0x7fffffffd150, n_param_values=2, param_values=param_values@entry=0x7fffffffd200, invocation_hint=invocation_hint@entry=0x7fffffffd1a0) at gclosure.c:768
                marshal = <optimized out>
                marshal_data = <optimized out>
                in_marshal = 1
                real_closure = 0x14c67f0
                __FUNCTION__ = "g_closure_invoke"
    #20 0x0000003d1262194a in signal_emit_unlocked_R (node=node@entry=0x14c6860, detail=detail@entry=0, instance=instance@entry=0x317f000, emission_return=emission_return@entry=0x7fffffffd2b0, instance_and_params=instance_and_params@entry=0x7fffffffd200) at gsignal.c:3591
                accumulator = 0x14c68d0
                emission = {next = 0x7fffffffd690, instance = 0x317f000, ihint = {signal_id = 43, detail = 0, run_type = G_SIGNAL_RUN_LAST}, state = EMISSION_RUN, chain_type = 51864608}
                handler_list = <optimized out>
                return_accu = 0x7fffffffd150
                accu =
                      {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
                signal_id = 43
                max_sequential_handler_number = 27354
                return_value_altered = 0
    #21 0x0000003d12629d68 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffd390) at gsignal.c:3319
                return_value =
                      {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
                error = 0x0
                rtype = 20
                static_scope = 0
                instance_and_params = 0x7fffffffd200
                signal_return_type = <optimized out>
                param_values = 0x7fffffffd218
                node = <optimized out>
                i = <optimized out>
                n_params = <optimized out>
                __FUNCTION__ = "g_signal_emit_valist"
#23 0x000000379f67709c in gtk_widget_event_internal (widget=widget@entry=0x317f000 [SPCanvas], event=event@entry=0x677c9e0) at gtkwidget.c:5017
        signal_num = <optimized out>
        return_val = 0
#24 0x000000379f677391 in IA__gtk_widget_event (widget=widget@entry=0x317f000 [SPCanvas], event=event@entry=0x677c9e0) at gtkwidget.c:4814
        __FUNCTION__ = "IA__gtk_widget_event"
#25 0x000000379f68c90b in IA__gtk_window_propagate_key_event (window=window@entry=0x3821960 [gtkmm__GtkWindow], event=event@entry=0x677c9e0) at gtkwindow.c:5199
        parent = <optimized out>
        handled = 0
        widget = 0x3821960 [gtkmm__GtkWindow]
        focus = 0x317f000 [SPCanvas]
        __FUNCTION__ = "IA__gtk_window_propagate_key_event"
#26 0x000000379f68f493 in gtk_window_key_press_event (widget=0x3821960 [gtkmm__GtkWindow], event=0x677c9e0) at gtkwindow.c:5229
        window = 0x3821960 [gtkmm__GtkWindow]
        handled = <optimized out>
#31 0x0000003d1262a3bf in <emit signal ??? on instance 0x3821960 [gtkmm__GtkWindow]> (instance=instance@entry=0x3821960, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3365
        var_args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffffffd970, reg_save_area = 0x7fffffffd8b0}}
    #27 0x000000379f54780d in _gtk_marshal_BOOLEAN__BOXED (closure=0x14c6810, return_value=0x7fffffffd650, n_param_values=<optimized out>, param_values=0x7fffffffd700, invocation_hint=<optimized out>, marshal_data=<optimized out>)
    at gtkmarshalers.c:86
                callback = 0x37a4906ff0 <Gtk::Widget_Class::key_press_event_callback(_GtkWidget*, _GdkEventKey*)>
                cc = 0x14c6810
                data1 = 0x3821960
                data2 = 0x1302ef0
                v_return = <optimized out>
                __FUNCTION__ = "_gtk_marshal_BOOLEAN__BOXED"
    #28 0x0000003d1260fd35 in g_closure_invoke (closure=closure@entry=0x14c6810, return_value=return_value@entry=0x7fffffffd650, n_param_values=2, param_values=param_values@entry=0x7fffffffd700, invocation_hint=invocation_hint@entry=0x7fffffffd6a0) at gclosure.c:768
                marshal = <optimized out>
                marshal_data = <optimized out>
                in_marshal = 0
---Type <return> to continue, or q <return> to quit---
                __FUNCTION__ = "_gtk_marshal_BOOLEAN__BOXED"
    #19 0x0000003d1260fc8f in g_closure_invoke (closure=closure@entry=0x14c6810, return_value=return_value@entry=0x7fffffffd150, n_param_values=2, param_values=param_values@entry=0x7fffffffd200, invocation_hint=invocation_hint@entry=0x7fffffffd1a0) at gclosure.c:768
                marshal = <optimized out>
                marshal_data = <optimized out>
                in_marshal = 1
                real_closure = 0x14c67f0
                __FUNCTION__ = "g_closure_invoke"
    #20 0x0000003d1262194a in signal_emit_unlocked_R (node=node@entry=0x14c6860, detail=detail@entry=0, instance=instance@entry=0x317f000, emission_return=emission_return@entry=0x7fffffffd2b0, instance_and_params=instance_and_params@entry=0x7fffffffd200) at gsignal.c:3591
                accumulator = 0x14c68d0
                emission = {next = 0x7fffffffd690, instance = 0x317f000, ihint = {signal_id = 43, detail = 0, run_type = G_SIGNAL_RUN_LAST}, state = EMISSION_RUN, chain_type = 51864608}
                handler_list = <optimized out>
                return_accu = 0x7fffffffd150
                accu =
                      {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
                signal_id = 43
                max_sequential_handler_number = 27354
                return_value_altered = 0
    #21 0x0000003d12629d68 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffd390) at gsignal.c:3319
                return_value =
                      {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
                error = 0x0
                rtype = 20
                static_scope = 0
                instance_and_params = 0x7fffffffd200
                signal_return_type = <optimized out>
                param_values = 0x7fffffffd218
                node = <optimized out>
                i = <optimized out>
                n_params = <optimized out>
                __FUNCTION__ = "g_signal_emit_valist"
#23 0x000000379f67709c in gtk_widget_event_internal (widget=widget@entry=0x317f000 [SPCanvas], event=event@entry=0x677c9e0) at gtkwidget.c:5017
        signal_num = <optimized out>
        return_val = 0
#24 0x000000379f677391 in IA__gtk_widget_event (widget=widget@entry=0x317f000 [SPCanvas], event=event@entry=0x677c9e0) at gtkwidget.c:4814
        __FUNCTION__ = "IA__gtk_widget_event"
#25 0x000000379f68c90b in IA__gtk_window_propagate_key_event (window=window@entry=0x3821960 [gtkmm__GtkWindow], event=event@entry=0x677c9e0) at gtkwindow.c:5199
        parent = <optimized out>
        handled = 0
        widget = 0x3821960 [gtkmm__GtkWindow]
        focus = 0x317f000 [SPCanvas]
        __FUNCTION__ = "IA__gtk_window_propagate_key_event"
#26 0x000000379f68f493 in gtk_window_key_press_event (widget=0x3821960 [gtkmm__GtkWindow], event=0x677c9e0) at gtkwindow.c:5229
        window = 0x3821960 [gtkmm__GtkWindow]
        handled = <optimized out>
#31 0x0000003d1262a3bf in <emit signal ??? on instance 0x3821960 [gtkmm__GtkWindow]> (instance=instance@entry=0x3821960, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3365
        var_args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffffffd970, reg_save_area = 0x7fffffffd8b0}}
    #27 0x000000379f54780d in _gtk_marshal_BOOLEAN__BOXED (closure=0x14c6810, return_value=0x7fffffffd650, n_param_values=<optimized out>, param_values=0x7fffffffd700, invocation_hint=<optimized out>, marshal_data=<optimized out>)
    at gtkmarshalers.c:86
                callback = 0x37a4906ff0 <Gtk::Widget_Class::key_press_event_callback(_GtkWidget*, _GdkEventKey*)>
                cc = 0x14c6810
                data1 = 0x3821960
                data2 = 0x1302ef0
                v_return = <optimized out>
                __FUNCTION__ = "_gtk_marshal_BOOLEAN__BOXED"
    #28 0x0000003d1260fd35 in g_closure_invoke (closure=closure@entry=0x14c6810, return_value=return_value@entry=0x7fffffffd650, n_param_values=2, param_values=param_values@entry=0x7fffffffd700, invocation_hint=invocation_hint@entry=0x7fffffffd6a0) at gclosure.c:768
                marshal = <optimized out>
                marshal_data = <optimized out>
                in_marshal = 0
---Type <return> to continue, or q <return> to quit---
                real_closure = 0x14c67f0
                __FUNCTION__ = "g_closure_invoke"
    #29 0x0000003d1262194a in signal_emit_unlocked_R (node=node@entry=0x14c6860, detail=detail@entry=0, instance=instance@entry=0x3821960, emission_return=emission_return@entry=0x7fffffffd7b0, instance_and_params=instance_and_params@entry=0x7fffffffd700) at gsignal.c:3591
                accumulator = 0x14c68d0
                emission = {next = 0x0, instance = 0x3821960, ihint = {signal_id = 43, detail = 0, run_type = G_SIGNAL_RUN_LAST}, state = EMISSION_RUN, chain_type = 20114512}
                handler_list = <optimized out>
                return_accu = 0x7fffffffd650
                accu =
                      {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
                signal_id = 43
                max_sequential_handler_number = 27354
                return_value_altered = 1
    #30 0x0000003d12629d68 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffd890) at gsignal.c:3319
                return_value =
                      {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
                error = 0x0
                rtype = 20
                static_scope = 0
                instance_and_params = 0x7fffffffd700
                signal_return_type = <optimized out>
                param_values = 0x7fffffffd718
                node = <optimized out>
                i = <optimized out>
                n_params = <optimized out>
                __FUNCTION__ = "g_signal_emit_valist"
#32 0x000000379f67709c in gtk_widget_event_internal (widget=widget@entry=0x3821960 [gtkmm__GtkWindow], event=event@entry=0x677c9e0) at gtkwidget.c:5017
        signal_num = <optimized out>
        return_val = 0
#33 0x000000379f677391 in IA__gtk_widget_event (widget=widget@entry=0x3821960 [gtkmm__GtkWindow], event=event@entry=0x677c9e0) at gtkwidget.c:4814
        __FUNCTION__ = "IA__gtk_widget_event"
#34 0x000000379f545b8f in IA__gtk_propagate_event (widget=0x3821960 [gtkmm__GtkWindow], event=0x677c9e0) at gtkmain.c:2464
        window = 0x3821960 [gtkmm__GtkWindow]
        handled_event = <optimized out>
        __FUNCTION__ = "IA__gtk_propagate_event"
#35 0x000000379f545f5b in IA__gtk_main_do_event (event=0x677c9e0) at gtkmain.c:1685
        event_widget = <optimized out>
        grab_widget = 0x3821960 [gtkmm__GtkWindow]
        window_group = <optimized out>
        rewritten_event = <optimized out>
        tmp_list = <optimized out>
        __FUNCTION__ = "IA__gtk_main_do_event"
#36 0x00000037a985ffbc in gdk_event_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at gdkevents-x11.c:2403
        display = <optimized out>
        event = 0x677c9e0
#37 0x0000003d10a49afb in g_main_context_dispatch (context=0x1467000) at gmain.c:3111
        dispatch = 0x37a985ff70 <gdk_event_dispatch>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x0
        callback = 0x0
        cb_funcs = 0x0
        cb_data = 0x0
        need_destroy = <optimized out>
        source = 0x1461e60
        current = 0x3235d30
        i = 0
#38 0x0000003d10a49afb in g_main_context_dispatch (context=context@entry=0x1467000) at gmain.c:3710
#39 0x0000003d10a49e98 in g_main_context_iterate (context=0x1467000, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3781
        max_priority = 2147483647
        timeout = 26
---Type <return> to continue, or q <return> to quit---
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = 2
        fds = 0x364deb0
#40 0x0000003d10a4a1c2 in g_main_loop_run (loop=0x67884f0) at gmain.c:3975
        __FUNCTION__ = "g_main_loop_run"
#41 0x000000379f544ea7 in IA__gtk_main () at gtkmain.c:1257
        tmp_list = 0x0
        functions = 0x0
        init = <optimized out>
        loop = 0x67884f0
#42 0x00000000004763ac in sp_main_gui(int, char const**) (argc=2, argv=0x7fffffffddf8) at main.cpp:1075
        main_instance = <incomplete type>
        fl = 0x0
        retVal = <optimized out>
        __PRETTY_FUNCTION__ = "int sp_main_gui(int, const char**)"
        dataDirs =
            std::vector of length 4, capacity 4 = {{static npos = 18446744073709551615, string_ = "/home/dg/.local/share"}, {static npos = 18446744073709551615, string_ = "/usr/share/kde-settings/kde-profile/default/share"}, {static npos = 18446744073709551615, string_ = "/usr/local/share"}, {static npos = 18446744073709551615, string_ = "/usr/share"}}
        usericondir = <optimized out>
        create_new = <optimized out>
#43 0x0000003d0de1ffe0 in __libc_start_main (main=0x457220 <main(int, char**)>, argc=2, argv=0x7fffffffddf8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdde8) at libc-start.c:289
        result = <optimized out>
        unwind_buf =
              {cancel_jmp_buf = {{jmp_buf = {0, 2237656736471186528, 4664150, 140737488346608, 0, 0, -2237657337942770592, 2267521446977731680}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0xc61d00 <__libc_csu_init>, 0x7fffffffddf8}, data = {prev = 0x0, cleanup = 0x0, canceltype = 12983552}}}
        not_first_call = <optimized out>
#44 0x0000000000472b7f in _start ()

su_v (suv-lp) wrote :

Reproduced on OS X 10.7.5 with
- Inkscape 0.48.5 r10043
- Inkscape 0.91pre2 r13636
- Inkscape 0.91+devel r13697, r13702

The steps to reproduce and the backtrace is similar to the crash already tracked in
- Bug #1029690 “Crash while editing truncated flowed text”
  <https://bugs.launchpad.net/inkscape/+bug/1029690>

The difference is the structure of the <text> element: in this case, the text was not created with inkscape (no <tspan> element of regular text, no (truncated) flowed text either):

<text class='text' id='label' font-family="'Droid Sans'" stroke='none' stroke-width='0' fill='#000000' font-size='1.49931' x='11.5888' y='4.4391' text-anchor='middle'>LINK_</text>

Proposing to link as duplicate (a variation) to bug #1029690.

tags: added: crash text
Changed in inkscape:
importance: Undecided → High
status: New → Confirmed
Mc (mc...) wrote :

I can reproduce a similar bug with these simple steps :

-> draw a path (even a simple segment will do)
-> write something
-> put text on path
then,
- take the text tool
- click on the text on the path
- ctrl+a (select all the text)
- <bkspc> (should delete all the text, leaving the cursor) => SIGSEGV

backtrace attached

Mc (mc...) wrote :

I'm not really sure about the root cause of this... The attached patch removes the segfault and doesn't produce any unexpected behaviour that i could see in a few tests, but i cannot tell for sure in which contexts _input_stream would be empty and .front() would be able to return something usable.

Dave Gilbert (ubuntu-treblig) wrote :

Hi Mc,
  That's not fixed it quite; indeed hitting up arrow no longer dies, but hitting left arrow instead segs still.

Mc (mc...) wrote :

I can't reproduce this...

Dave Gilbert (ubuntu-treblig) wrote :
Download full text (10.0 KiB)

Hi Mc,
  Hmm ok, here's a backtrace then. This is with bzr up to date at rev 13806 with manually applied your patch:
bzr diff
=== modified file 'src/libnrtype/Layout-TNG.h'
--- src/libnrtype/Layout-TNG.h 2014-11-10 17:39:33 +0000
+++ src/libnrtype/Layout-TNG.h 2014-12-20 21:58:42 +0000
@@ -657,7 +657,12 @@

     /** The overall block-progression of the whole flow. */
     inline Direction _blockProgression() const
- {return static_cast<InputStreamTextSource*>(_input_stream.front())->styleGetBlockProgression();}
+ {
+ if(_input_stream.empty())return LEFT_TO_RIGHT;
+ return static_cast<InputStreamTextSource*>(_input_stream.front())->styleGetBlockProgression();
+ }
+
+

Program received signal SIGSEGV, Segmentation fault.
0x00000000007251f1 in Inkscape::Text::Layout::iterator::prevLineCursor (this=0x9c62d60, n=<optimized out>, n@entry=1) at libnrtype/Layout-TNG-OutIter.cpp:795
795 if (_parent_layout->_lines[line_index - n].in_shape != _parent_layout->_lines[line_index].in_shape) {
(gdb) bt full
#0 0x00000000007251f1 in Inkscape::Text::Layout::iterator::prevLineCursor(int) (this=0x9c62d60, n=<optimized out>, n@entry=1) at libnrtype/Layout-TNG-OutIter.cpp:795
        line_index = 4294967295
#1 0x0000000000725ece in Inkscape::Text::Layout::iterator::cursorLeft() (this=<optimized out>) at libnrtype/Layout-TNG-OutIter.cpp:1003
        block_progression = <optimized out>
#2 0x0000000000aac4cc in Inkscape::UI::Tools::TextTool::root_handler(_GdkEvent*) (this=0x9c62c70, event=0x676db50) at ui/tools/text-tool.cpp:995
        old_start = {_parent_layout = 0x2b3eff8, _glyph_index = 0, _char_index = 0, _cursor_moving_vertically = <optimized out>, _x_coordinate = <optimized out>}
        old_end = {_parent_layout = 0x2b3eff8, _glyph_index = 0, _char_index = 0, _cursor_moving_vertically = <optimized out>, _x_coordinate = <optimized out>}
        cursor_moved = false
        screenlines = <optimized out>
        group0_keyval = 65361
        __PRETTY_FUNCTION__ = "virtual bool Inkscape::UI::Tools::TextTool::root_handler(GdkEvent*)"
#3 0x0000000000aadaea in Inkscape::UI::Tools::sp_event_context_virtual_root_handler(Inkscape::UI::Tools::ToolBase*, _GdkEvent*) (event_context=<optimized out>, event=0x676db50) at ui/tools/tool-base.cpp:1000
        desktop = 0x1ebec00
        ret = 0
#4 0x0000000000704d23 in sp_marshal_INT__POINTER_POINTER(GClosure*, GValue*, guint, GValue const*, gpointer, gpointer) (closure=0x328a090, return_value=0x7fffffffc8c0, n_param_values=<optimized out>, param_values=0x7fffffffc7f0, invocation_hint=<optimized out>, marshal_data=0x0) at helper/sp-marshal.cpp:247
        cc = 0x328a090
        data1 = 0x3288000
        __PRETTY_FUNCTION__ = "void sp_marshal_INT__POINTER_POINTER(GClosure*, GValue*, guint, const GValue*, gpointer, gpointer)"
        callback = <optimized out>
        data2 = <optimized out>
        v_return = <optimized out>
#5 0x00007ffff6dd4d35 in g_closure_invoke () at /lib64/libgobject-2.0.so.0
#6 0x00007ffff6de6a42 in signal_emit_unlocked_R () at /lib64/libgobject-2.0.so.0
#7 0x00007ffff6deed58 in g_signal_emit_valist () at /lib64/libgobject-2.0.so.0
#8 0x00007ffff6def3af in...

Dave Gilbert (ubuntu-treblig) wrote :

note the line_index value

Mc (mc...) on 2015-05-08
Changed in inkscape:
assignee: nobody → Mc (mc...)
status: Confirmed → Fix Committed
Mc (mc...) wrote :

Fixed in r14127

su_v (suv-lp) wrote :

(quoting Mc- on irc: "it may be easily backported if nothing is obviously wrong")

Changed in inkscape:
milestone: none → 0.92
tags: added: backport-proposed
Dave Gilbert (ubuntu-treblig) wrote :

Excellent, thank you.

su_v (suv-lp) wrote :

Fix backported to 0.91.x in rev 13791.

Changed in inkscape:
milestone: 0.92 → 0.91.1
tags: removed: backport-proposed
jazzynico (jazzynico) on 2017-01-28
Changed in inkscape:
milestone: 0.91.1 → 0.92
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers