Segmentation fault in sp_filter_primitive_read_in

Bug #1474011 reported by Renata Hodovan on 2015-07-13
Affects: Inkscape
Importance: Medium
Assigned to: Kris

Bug Description

Checked inkscape version:
  revno: 14243
  branch nick: inkscape

Running inkscape without GUI (-z runtime flag) ends in a segmentation fault when loading the test below.

<svg>
   <feMergeNode in="foo"></feMergeNode>
</svg>

If inkscape loads the same test with the GUI, it also aborts on a failed assertion check.

The backtrace of the crash:

Program received signal SIGSEGV, Segmentation fault.
sp_filter_primitive_read_in (prim=0x0, name=<optimized out>, name@entry=0x17af800 "foo") at sp-filter-primitive.cpp:220
220 SPFilter *parent = SP_FILTER(prim->parent);
(gdb) bt
#0 0x00000000005610e6 in sp_filter_primitive_read_in(SPFilterPrimitive*, char const*) (prim=0x0, name=<optimized out>, name@entry=0x17af800 "foo")
    at sp-filter-primitive.cpp:220
#1 0x00000000007240cb in SPFeMergeNode::set(unsigned int, char const*) (this=0x1774080, key=158, value=0x17af800 "foo") at filters/mergenode.cpp:52
#2 0x00000000005a95fa in SPObject::invoke_build(SPDocument*, Inkscape::XML::Node*, unsigned int) (this=0x1774080, document=0x17bbea0, repr=0x17b9b20, cloned=<optimized out>) at sp-object.cpp:758
#3 0x00000000005abbc8 in SPObject::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x1775120, document=document@entry=0x17bbea0, repr=repr@entry=0x17b9c10) at sp-object.cpp:698
#4 0x000000000058027b in SPItem::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x1775120, document=document@entry=0x17bbea0, repr=repr@entry=0x17b9c10) at sp-item.cpp:409
#5 0x0000000000593859 in SPLPEItem::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x1775120, document=document@entry=0x17bbea0, repr=repr@entry=0x17b9c10) at sp-lpe-item.cpp:80
#6 0x00000000005836b9 in SPGroup::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x1775120, document=document@entry=0x17bbea0, repr=repr@entry=0x17b9c10) at sp-item-group.cpp:71
#7 0x00000000005b946c in SPRoot::build(SPDocument*, Inkscape::XML::Node*) (this=0x1775120, document=0x17bbea0, repr=0x17b9c10) at sp-root.cpp:73
#8 0x00000000005a95fa in SPObject::invoke_build(SPDocument*, Inkscape::XML::Node*, unsigned int) (this=0x1775120, document=0x17bbea0, repr=0x17b9c10, cloned=<optimized out>) at sp-object.cpp:758
#9 0x00000000004af7d1 in SPDocument::createDoc(Inkscape::XML::Document*, char const*, char const*, char const*, unsigned int, SPDocument*) (rdoc=rdoc@entry=
    0x17a9a60, uri=uri@entry=0x13e9c30 "inkscape/nv_not_null/crash.js", base=base@entry=0x175f3d0 "inkscape/nv_not_null/", name=name@entry=0x176f040 "crash.js", keepalive=keepalive@entry=1, parent=parent@entry=0x0) at document.cpp:383
#10 0x00000000004b0c1e in SPDocument::createNewDoc(char const*, unsigned int, bool, SPDocument*) (uri=0x13e9c30 "inkscape/nv_not_null/crash.js", keepalive=1, make_new=<optimized out>, parent=0x0) at document.cpp:558
#11 0x0000000000676d51 in Inkscape::Extension::Input::open(char const*) (this=0x14ed4e0, uri=uri@entry=0x13e9c30 "inkscape/nv_not_null/crash.js")
    at extension/input.cpp:153
#12 0x00000000006748b6 in Inkscape::Extension::open(Inkscape::Extension::Extension*, char const*) (key=key@entry=0x0, filename=filename@entry=0x13e9c30 "inkscape/nv_not_null/crash.js") at extension/system.cpp:117
Python Exception <class 'TypeError'> iter() returned non-iterator of type '_iterator':
#13 0x00000000004723b7 in sp_process_file_list(GSList*) (fl=0x14cb3b0) at main.cpp:1107
#14 0x000000000047391d in sp_main_console(int, char const**) (argc=3, argv=0x7fffffffd918) at main.cpp:1341
#15 0x00007fffefe49a40 in __libc_start_main (main=
    0x4596d0 <main(int, char**)>, argc=3, argv=0x7fffffffd918, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd908) at libc-start.c:289
#16 0x00000000004705a9 in _start ()

The backtrace of the assertion failure:

Emergency save activated!
Emergency save completed. Inkscape will close now.
If you can reproduce this crash, please file a bug at www.inkscape.org
with a detailed description of the steps leading to the crash, so we can fix it.
**
ERROR:sp-namedview.cpp:1053:SPNamedView* sp_document_namedview(SPDocument*, const gchar*): assertion failed: (nv != NULL)

Program terminated with signal SIGABRT, Aborted.
#0 0x00007fc685331267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007fc685331267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1 0x00007fc685332eca in __GI_abort () at abort.c:89
#2 0x00007fc686496b55 in g_assertion_message (domain=domain@entry=0x0, file=file@entry=0xd3a9c8 "sp-namedview.cpp", line=line@entry=1053, func=func@entry=0xd3ae60 <sp_document_namedview(SPDocument*, char const*)::__PRETTY_FUNCTION__> "SPNamedView* sp_document_namedview(SPDocument*, const gchar*)", message=message@entry=0x2b36230 "assertion failed: (nv != NULL)") at /build/buildd/glib2.0-2.44.1/./glib/gtestutils.c:2356
#3 0x00007fc686496bea in g_assertion_message_expr (domain=0x0, file=0xd3a9c8 "sp-namedview.cpp", line=1053, func=0xd3ae60 <sp_document_namedview(SPDocument*, char const*)::__PRETTY_FUNCTION__> "SPNamedView* sp_document_namedview(SPDocument*, const gchar*)", expr=<optimized out>)
    at /build/buildd/glib2.0-2.44.1/./glib/gtestutils.c:2371
#4 0x00000000005a655c in sp_document_namedview(SPDocument*, char const*) (document=0x2ee9ea0, id=id@entry=0x0) at sp-namedview.cpp:1053
#5 0x00000000005a6565 in sp_document_namedview(SPDocument const*, char const*) (document=<optimized out>, id=id@entry=0x0) at sp-namedview.cpp:1068
#6 0x00000000004a9c5b in SPDocument::getDisplayUnit() const (this=<optimized out>) at document.cpp:601
#7 0x00000000005b9955 in SPRoot::update(SPCtx*, unsigned int) (this=0x2e796b0, ctx=0x7ffcf36e4170, flags=25) at sp-root.cpp:287
#8 0x00000000005a9ec3 in SPObject::updateDisplay(SPCtx*, unsigned int) (this=0x2e796b0, ctx=0x7ffcf36e4170, flags=25) at sp-object.cpp:1175
#9 0x00000000004ac26b in SPDocument::_updateDocument() (this=this@entry=0x2ee9ea0) at document.cpp:1166
#10 0x00000000004ac299 in sp_document_idle_handler(gpointer) (data=0x2ee9ea0) at document.cpp:1234
#11 0x00007fc686470b4d in g_main_context_dispatch (context=0x2b951d0) at /build/buildd/glib2.0-2.44.1/./glib/gmain.c:3122
#12 0x00007fc686470b4d in g_main_context_dispatch (context=context@entry=0x2b951d0) at /build/buildd/glib2.0-2.44.1/./glib/gmain.c:3737
#13 0x00007fc686470f20 in g_main_context_iterate (context=0x2b951d0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/buildd/glib2.0-2.44.1/./glib/gmain.c:3808
#14 0x00007fc686471242 in g_main_loop_run (loop=0x2fb01e0) at /build/buildd/glib2.0-2.44.1/./glib/gmain.c:4002
#15 0x00007fc68be20da3 in IA__gtk_dialog_run (dialog=0x2f2e050 [GtkMessageDialog]) at /build/buildd/gtk+2.0-2.24.27/gtk/gtkdialog.c:1094
#16 0x00000000004e72da in Inkscape::Application::crash_handler(int) () at inkscape.cpp:699
#17 0x00007fc6853312f0 in <signal handler called> () at /lib/x86_64-linux-gnu/libc.so.6
#18 0x00000000005610e6 in sp_filter_primitive_read_in(SPFilterPrimitive*, char const*) (prim=0x0, name=<optimized out>, name@entry=0x2ee1b20 "foo")
    at sp-filter-primitive.cpp:220
#19 0x00000000007240cb in SPFeMergeNode::set(unsigned int, char const*) (this=0x2e7cf90, key=158, value=0x2ee1b20 "foo") at filters/mergenode.cpp:52
#20 0x00000000005a95fa in SPObject::invoke_build(SPDocument*, Inkscape::XML::Node*, unsigned int) (this=0x2e7cf90, document=0x2ee9ea0, repr=0x2ee8940, cloned=<optimized out>) at sp-object.cpp:758
#21 0x00000000005abbc8 in SPObject::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x2e796b0, document=document@entry=0x2ee9ea0, repr=repr@entry=0x2ee8a30) at sp-object.cpp:698
#22 0x000000000058027b in SPItem::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x2e796b0, document=document@entry=0x2ee9ea0, repr=repr@entry=0x2ee8a30) at sp-item.cpp:409
#23 0x0000000000593859 in SPLPEItem::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x2e796b0, document=document@entry=0x2ee9ea0, repr=repr@entry=0x2ee8a30) at sp-lpe-item.cpp:80
#24 0x00000000005836b9 in SPGroup::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x2e796b0, document=document@entry=0x2ee9ea0, repr=repr@entry=0x2ee8a30) at sp-item-group.cpp:71
#25 0x00000000005b946c in SPRoot::build(SPDocument*, Inkscape::XML::Node*) (this=0x2e796b0, document=0x2ee9ea0, repr=0x2ee8a30) at sp-root.cpp:73
#26 0x00000000005a95fa in SPObject::invoke_build(SPDocument*, Inkscape::XML::Node*, unsigned int) (this=0x2e796b0, document=0x2ee9ea0, repr=0x2ee8a30, cloned=<optimized out>) at sp-object.cpp:758
#27 0x00000000004af7d1 in SPDocument::createDoc(Inkscape::XML::Document*, char const*, char const*, char const*, unsigned int, SPDocument*) (rdoc=rdoc@entry=
    0x2ed7a60, uri=uri@entry=0x2e6b238 "/home/reni/data/minimalize/inkscape/nv_not_null/crash.svg", base=base@entry=0x2e724c0 "/home/reni/data/minimalize/inkscape/nv_not_null/", name=name@entry=0x2c645d0 "crash.svg", keepalive=keepalive@entry=1, parent=parent@entry=0x0) at document.cpp:383
#28 0x00000000004b0c1e in SPDocument::createNewDoc(char const*, unsigned int, bool, SPDocument*) (uri=0x2e6b238 "/home/reni/data/minimalize/inkscape/nv_not_null/crash.svg", keepalive=1, make_new=<optimized out>, parent=0x0) at document.cpp:558
#29 0x0000000000676d51 in Inkscape::Extension::Input::open(char const*) (this=
    0x2c07420, uri=uri@entry=0x2e6b238 "/home/reni/data/minimalize/inkscape/nv_not_null/crash.svg") at extension/input.cpp:153
#30 0x00000000006748b6 in Inkscape::Extension::open(Inkscape::Extension::Extension*, char const*) (key=key@entry=0x0, filename=0x2e6b238 "/home/reni/data/minimalize/inkscape/nv_not_null/crash.svg") at extension/system.cpp:117
#31 0x00000000004c3678 in sp_file_open(Glib::ustring const&, Inkscape::Extension::Extension*, bool, bool) (uri=..., key=key@entry=0x0, add_to_recent=add_to_recent@entry=true, replace_empty=replace_empty@entry=true) at file.cpp:276
#32 0x00000000004741e3 in sp_main_gui(int, char const**) (argc=2, argv=0x7ffcf36e5508) at main.cpp:1065
#33 0x00007fc68531ca40 in __libc_start_main (main=
    0x4596d0 <main(int, char**)>, argc=2, argv=0x7ffcf36e5508, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffcf36e54f8) at libc-start.c:289
#34 0x00000000004705a9 in _start ()

Renata Hodovan (hodovan) wrote :
su_v (suv-lp) on 2015-07-13
tags: added: crash filters-svg svg
su_v (suv-lp) wrote :

On 2015-07-13 15:57 (+0200), Renata Hodovan wrote:
> Checked inkscape version: git 7d235ed

There is no official git repository for Inkscape - any chances you could add the branch name and revision number from the bazaar repo to the bug description?

su_v (suv-lp) wrote :

Crash on load with broken filter definition (missing parent elements <filter> and <feMerge> for subelement <feMergeNode>) reproduced with Inkscape 0.48.5 r10040, 0.91 r13725 and 0.91+devel r14243 on OS X 10.7.5.

Changed in inkscape:
importance: Undecided → Medium
status: New → Confirmed
Renata Hodovan (hodovan) on 2015-07-13
description: updated
Kris (kris-degussem) wrote :

Maybe a NULL check on line 198 might fix the issue (cannot check myself atm):

// prim is NULL when the <feMergeNode> has no filter-primitive parent,
// as in the attached test case; bail out instead of dereferencing it.
if (!prim)
{
    return Inkscape::Filters::NR_FILTER_SLOT_NOT_SET;
}

Kris (kris-degussem) wrote :

(in src/sp-filter-primitive.cpp)
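As an added illustration (not Inkscape's code, and not from any commenter), the following simplified model shows why the reported document reaches sp_filter_primitive_read_in with prim == NULL and how the null guard proposed above changes the outcome. Node, read_in, enclosing_primitive and the value of NR_FILTER_SLOT_NOT_SET are constructed for this example and only approximate Inkscape's real object tree and lookup.

```cpp
#include <cassert>
#include <string>
#include <utility>
#include <vector>

// Minimal stand-in for Inkscape's SPObject tree (constructed for this example).
struct Node {
    std::string tag;      // element name: "svg", "filter", "feMerge", "feMergeNode", ...
    std::string result;   // value of the result="" attribute, if any
    Node *parent;
    std::vector<Node *> children;
    Node(std::string t, std::string r = "") : tag(std::move(t)), result(std::move(r)), parent(nullptr) {}
    void add(Node *c) { c->parent = this; children.push_back(c); }
};

const int NR_FILTER_SLOT_NOT_SET = -1;   // assumed value of Inkscape's "slot not set" constant

// Resolve an in="name" reference: look through the enclosing <filter> for a
// sibling primitive whose result="" matches and return its slot (index here).
// The crashing code did `prim->parent` unconditionally; the first line is the
// guard from the proposed fix, so a missing primitive yields NOT_SET instead
// of a null dereference.
int read_in(const Node *prim, const std::string &name) {
    if (!prim || !prim->parent || prim->parent->tag != "filter")
        return NR_FILTER_SLOT_NOT_SET;
    const Node *filter = prim->parent;
    for (size_t i = 0; i < filter->children.size(); ++i)
        if (filter->children[i]->result == name)
            return static_cast<int>(i);
    return NR_FILTER_SLOT_NOT_SET;       // unknown name: simply unset, not an error
}

// For <feMergeNode> the enclosing primitive is its <feMerge> parent; anything
// else (the reported file puts it directly under <svg>) gives a null prim.
const Node *enclosing_primitive(const Node *merge_node) {
    const Node *p = merge_node ? merge_node->parent : nullptr;
    return (p && p->tag == "feMerge") ? p : nullptr;
}

// The reported document: <svg><feMergeNode in="foo"/></svg>
int crash_case() {
    Node svg("svg"), mn("feMergeNode");
    svg.add(&mn);
    return read_in(enclosing_primitive(&mn), "foo");   // NOT_SET, no crash
}

// A well-formed filter: <filter><feOffset result="foo"/><feMerge><feMergeNode in=name/></feMerge></filter>
int valid_case(const std::string &name) {
    Node filter("filter"), off("feOffset", "foo"), merge("feMerge"), mn("feMergeNode");
    filter.add(&off); filter.add(&merge); merge.add(&mn);
    return read_in(enclosing_primitive(&mn), name);    // 0 for "foo", NOT_SET otherwise
}
```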

su_v (suv-lp) wrote :

Modified test case with required namespace declaration

su_v (suv-lp) on 2015-07-14
tags: removed: svg
Kris (kris-degussem) wrote :

Does not crash anymore in my case with the null check added in trunk r14263.

Changed in inkscape:
status: Confirmed → Fix Committed
assignee: nobody → Kris (kris-degussem)
milestone: none → 0.92
su_v (suv-lp) on 2015-09-30
tags: added: backport-proposed
su_v (suv-lp) wrote :

Fix backported to 0.91.x in rev 13831.

Changed in inkscape:
milestone: 0.92 → 0.91.1
tags: removed: backport-proposed
jazzynico (jazzynico) on 2017-01-22
Changed in inkscape:
milestone: 0.91.1 → 0.92
status: Fix Committed → Fix Released