Segmentation fault in SPIPaint::read

Bug #1474346 reported by Renata Hodovan
This bug affects 1 person
Affects: Inkscape
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone: none listed

Bug Description

OS: Ubuntu 15.04, x86_64

Inkscape version:
  revno: 14243
  branch nick: inkscape

Test case:

<svg>
    <clipPath fill="urlfoo"></clipPath>
</svg>

Extra flags:
    -z // run without GUI

Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000005e667d in SPIPaint::read (this=0x1778248, str=0x0) at style-internal.cpp:1218
1218 while ( g_ascii_isspace(*str) ) {
(gdb) bt
#0 0x00000000005e667d in SPIPaint::read(char const*) (this=0x1778248, str=0x0) at style-internal.cpp:1218
#1 0x00000000005de379 in SPStyle::read(SPObject*, Inkscape::XML::Node*) (str=<optimized out>, this=0x1778248) at style-internal.h:132
#2 0x00000000005de379 in SPStyle::read(SPObject*, Inkscape::XML::Node*) (repr=0x17b9b20, this=0x1778248) at style-internal.h:137
#3 0x00000000005de379 in SPStyle::read(SPObject*, Inkscape::XML::Node*) (this=0x1777920, object=0x1772fd0, repr=0x17b9b20) at style.cpp:609
#4 0x00000000005ab8c4 in SPObject::set(unsigned int, char const*) (this=0x1772fd0, key=<optimized out>, value=0x0) at sp-object.cpp:939
#5 0x0000000000555e2e in SPClipPath::build(SPDocument*, Inkscape::XML::Node*) (this=0x1772fd0, doc=0x17bbea0, repr=<optimized out>) at sp-clippath.cpp:56
#6 0x00000000005a95ca in SPObject::invoke_build(SPDocument*, Inkscape::XML::Node*, unsigned int) (this=0x1772fd0, document=0x17bbea0, repr=0x17b9b20, cloned=<optimized out>) at sp-object.cpp:758
#7 0x00000000005abb98 in SPObject::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x1774fe0, document=document@entry=0x17bbea0, repr=repr@entry=0x17b9c10) at sp-object.cpp:698
#8 0x000000000058024b in SPItem::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x1774fe0, document=document@entry=0x17bbea0, repr=repr@entry=0x17b9c10) at sp-item.cpp:409
#9 0x0000000000593829 in SPLPEItem::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x1774fe0, document=document@entry=0x17bbea0, repr=repr@entry=0x17b9c10) at sp-lpe-item.cpp:80
#10 0x0000000000583689 in SPGroup::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x1774fe0, document=document@entry=0x17bbea0, repr=repr@entry=0x17b9c10) at sp-item-group.cpp:71
#11 0x00000000005b943c in SPRoot::build(SPDocument*, Inkscape::XML::Node*) (this=0x1774fe0, document=0x17bbea0, repr=0x17b9c10) at sp-root.cpp:73
#12 0x00000000005a95ca in SPObject::invoke_build(SPDocument*, Inkscape::XML::Node*, unsigned int) (this=0x1774fe0, document=0x17bbea0, repr=0x17b9c10, cloned=<optimized out>) at sp-object.cpp:758
#13 0x00000000004af7a1 in SPDocument::createDoc(Inkscape::XML::Document*, char const*, char const*, char const*, unsigned int, SPDocument*) (rdoc=rdoc@entry=0x17a9a60, uri=uri@entry=0x14138b0 "inkscape/sp_filter_get_image_name/crash.svg", base=base@entry=0x1775630 "inkscape/sp_filter_get_image_name/", name=name@entry=0x15540f0 "crash.svg", keepalive=keepalive@entry=1, parent=parent@entry=0x0) at document.cpp:383
#14 0x00000000004b0bee in SPDocument::createNewDoc(char const*, unsigned int, bool, SPDocument*) (uri=0x14138b0 "inkscape/sp_filter_get_image_name/crash.svg", keepalive=1, make_new=<optimized out>, parent=0x0) at document.cpp:558
#15 0x0000000000676d21 in Inkscape::Extension::Input::open(char const*) (this=
    0x14cd630, uri=uri@entry=0x14138b0 "inkscape/sp_filter_get_image_name/crash.svg") at extension/input.cpp:153
#16 0x0000000000674886 in Inkscape::Extension::open(Inkscape::Extension::Extension*, char const*) (key=key@entry=0x0, filename=filename@entry=0x14138b0 "inkscape/sp_filter_get_image_name/crash.svg") at extension/system.cpp:117
Python Exception <class 'TypeError'> iter() returned non-iterator of type '_iterator':
#17 0x0000000000472377 in sp_process_file_list(GSList*) (fl=0x14cb3b0) at main.cpp:1107
#18 0x00000000004738dd in sp_main_console(int, char const**) (argc=3, argv=0x7fffffffd918) at main.cpp:1341
#19 0x00007fffefe49a40 in __libc_start_main (main=
    0x459690 <main(int, char**)>, argc=3, argv=0x7fffffffd918, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd908) at libc-start.c:289
#20 0x0000000000470569 in _start ()
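
The backtrace faults at `g_ascii_isspace(*str)` with `str=0x0`. As an added example (not Inkscape's code and not its fix), here is a standalone paint-value reader that checks for a null pointer before that whitespace loop; `PaintValue`, `read_paint` and `skip_space` are hypothetical names, and `std::isspace` stands in for GLib's `g_ascii_isspace`.

```cpp
#include <cctype>
#include <string>

// Hypothetical result type for this example; not Inkscape's SPIPaint.
struct PaintValue {
    bool set = false;     // true once a non-empty value was parsed
    bool is_url = false;  // value had the well-formed shape url(...)
    std::string text;     // trimmed value, or the target inside url(...)
};

// Skip leading ASCII whitespace. This is the step at which the reported
// crash occurs when the pointer is null. Caller must pass a non-null string.
static const char *skip_space(const char *s) {
    while (std::isspace(static_cast<unsigned char>(*s))) {
        ++s;
    }
    return s;
}

// Reader with the guard in place: a null pointer leaves the property
// unset instead of being dereferenced.
PaintValue read_paint(const char *str) {
    PaintValue out;
    if (str == nullptr) {
        return out;  // no value supplied: nothing to parse
    }
    str = skip_space(str);
    if (*str == '\0') {
        return out;  // empty or all-whitespace value
    }
    std::string v(str);
    while (!v.empty() && std::isspace(static_cast<unsigned char>(v.back()))) {
        v.pop_back();
    }
    // Only a well-formed "url(...)" counts as a reference; a malformed
    // value such as "urlfoo" from the test case is kept as plain text.
    if (v.size() >= 5 && v.compare(0, 4, "url(") == 0 && v.back() == ')') {
        out.is_url = true;
        out.text = v.substr(4, v.size() - 5);
    } else {
        out.text = v;
    }
    out.set = true;
    return out;
}
```
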

Renata Hodovan (hodovan) wrote :
Renata Hodovan (hodovan)
description: updated
su_v (suv-lp)
tags: added: clipping crash styles
Changed in inkscape:
importance: Undecided → Medium
su_v (suv-lp) wrote :

Modified test case with required namespace declaration

su_v (suv-lp) wrote :

On OS X 10.7.5, crash
- not reproduced with Inkscape 0.48.5 r10040,
- reproduced with 0.91 r13725 and 0.91+devel r14245

Changed in inkscape:
status: New → Confirmed
jazzynico (jazzynico) wrote :

Crash reproduced on Windows XP (32bit) with Inkscape trunk rev. 10568.
Not reproduced with 0.48.5.

Changed in inkscape:
status: Confirmed → Triaged