Segmentation fault in sp_filter_primitive_name_previous_out

Bug #1474388 reported by Renata Hodovan
This bug affects 1 person
Affects: Inkscape
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

OS: Ubuntu 15.04, x86_64

Inkscape version:
  revno: 14243
  branch nick: inkscape

Test case:
<svg xmlns="http://www.w3.org/2000/svg">
    <feBlend color-profile="inherit"></feBlend>
</svg>

Extra flags:
    -z // run without GUI

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
sp_filter_primitive_name_previous_out (prim=prim@entry=0x1772f30) at sp-filter-primitive.cpp:247
247 SPObject *i = parent->children;
(gdb) bt
#0 0x0000000000561255 in sp_filter_primitive_name_previous_out(SPFilterPrimitive*) (prim=prim@entry=0x1772f30) at sp-filter-primitive.cpp:247
#1 0x000000000071e755 in SPFeBlend::build(SPDocument*, Inkscape::XML::Node*) (this=0x1772f30, document=<optimized out>, repr=0x17b9b20)
    at filters/blend.cpp:56
#2 0x00000000005a95ca in SPObject::invoke_build(SPDocument*, Inkscape::XML::Node*, unsigned int) (this=0x1772f30, document=0x17bbea0, repr=0x17b9b20, cloned=<optimized out>) at sp-object.cpp:758
#3 0x00000000005abb98 in SPObject::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x1774510, document=document@entry=0x17bbea0, repr=repr@entry=0x17b9c10) at sp-object.cpp:698
#4 0x000000000058024b in SPItem::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x1774510, document=document@entry=0x17bbea0, repr=repr@entry=0x17b9c10) at sp-item.cpp:409
#5 0x0000000000593829 in SPLPEItem::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x1774510, document=document@entry=0x17bbea0, repr=repr@entry=0x17b9c10) at sp-lpe-item.cpp:80
#6 0x0000000000583689 in SPGroup::build(SPDocument*, Inkscape::XML::Node*) (this=this@entry=0x1774510, document=document@entry=0x17bbea0, repr=repr@entry=0x17b9c10) at sp-item-group.cpp:71
#7 0x00000000005b943c in SPRoot::build(SPDocument*, Inkscape::XML::Node*) (this=0x1774510, document=0x17bbea0, repr=0x17b9c10) at sp-root.cpp:73
#8 0x00000000005a95ca in SPObject::invoke_build(SPDocument*, Inkscape::XML::Node*, unsigned int) (this=0x1774510, document=0x17bbea0, repr=0x17b9c10, cloned=<optimized out>) at sp-object.cpp:758
#9 0x00000000004af7a1 in SPDocument::createDoc(Inkscape::XML::Document*, char const*, char const*, char const*, unsigned int, SPDocument*) (rdoc=rdoc@entry=0x17a9a60, uri=uri@entry=0x14ea220 "inkscape/sp_filter_primitive_name_previous_out/crash.svg", base=base@entry=0x1771270 "inkscape/sp_filter_primitive_name_previous_out/", name=name@entry=0x176cbe0 "crash.svg", keepalive=keepalive@entry=1, parent=parent@entry=0x0) at document.cpp:383
#10 0x00000000004b0bee in SPDocument::createNewDoc(char const*, unsigned int, bool, SPDocument*) (uri=0x14ea220 "inkscape/sp_filter_primitive_name_previous_out/crash.svg", keepalive=1, make_new=<optimized out>, parent=0x0) at document.cpp:558
#11 0x0000000000676d21 in Inkscape::Extension::Input::open(char const*) (this=0x14ea4b0, uri=uri@entry=0x14ea220 "inkscape/sp_filter_primitive_name_previous_out/crash.svg") at extension/input.cpp:153
#12 0x0000000000674886 in Inkscape::Extension::open(Inkscape::Extension::Extension*, char const*) (key=key@entry=0x0, filename=filename@entry=0x14ea220 "inkscape/sp_filter_primitive_name_previous_out/crash.svg") at extension/system.cpp:117
Python Exception <class 'TypeError'> iter() returned non-iterator of type '_iterator':
#13 0x0000000000472377 in sp_process_file_list(GSList*) (fl=0x14cb3b0) at main.cpp:1107
#14 0x00000000004738dd in sp_main_console(int, char const**) (argc=3, argv=0x7fffffffd908) at main.cpp:1341
#15 0x00007fffefe49a40 in __libc_start_main (main=
    0x459690 <main(int, char**)>, argc=3, argv=0x7fffffffd908, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd8f8) at libc-start.c:289
#16 0x0000000000470569 in _start ()

su_v (suv-lp) wrote :

On OS X 10.7.5, crash
- not reproduced with Inkscape 0.48.5 r10040,
- reproduced with 0.91 r13725 and 0.91+devel r14245

Console messages with Inkscape 0.48.5:
(inkscape:27645): GLib-GObject-WARNING **: invalid cast from 'SPRoot' to 'SPFilter'

(inkscape:27645): GLib-GObject-WARNING **: invalid cast from 'SPRoot' to 'SPFilter'

tags: added: crash filters-svg
Changed in inkscape:
importance: Undecided → Medium
status: New → Confirmed
jazzynico (jazzynico) wrote :

Reproduced on Windows XP (32bit) with Inkscape trunk rev. 14274 and 13031.
Doesn't crash but unusable with rev. 12485 and 12282 (the UI doesn't refresh, the menus and dialogs are empty...).
Works as expected with 0.48.5.

Changed in inkscape:
status: Confirmed → Triaged
jazzynico (jazzynico) wrote :

feComposite and feDisplacementMap also crash in sp_filter_primitive_name_previous_out.

Console error (also affects feBlend):
ERROR:src/sp-namedview.cpp:1053:SPNamedView* sp_document_namedview(SPDocument*, const gchar*): assertion failed: (nv != NULL)

Note that the other filter primitives also crash when used the same way, but not in the same part of the code.
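
A simplified model of the parent check this report points to, added here as an example and not taken from Inkscape's source. Frame #0 faults while reading parent->children and 0.48.5 logged an invalid cast from 'SPRoot' to 'SPFilter', so the sketch assumes the primitive's parent is downcast to a filter; the types Object, Root, Filter, Primitive and the function previous_out_index are hypothetical.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Simplified stand-ins for the object tree; these are NOT Inkscape's classes.
struct Object {
    Object *parent = nullptr;
    std::vector<std::unique_ptr<Object>> children;
    virtual ~Object() = default;
    Object *add(std::unique_ptr<Object> c) {
        c->parent = this;
        children.push_back(std::move(c));
        return children.back().get();
    }
};
struct Root : Object {};       // models <svg>
struct Filter : Object {};     // models <filter>
struct Primitive : Object {};  // models <feBlend>, <feComposite>, ...

// Returns the index of the primitive that precedes `prim` inside its parent
// filter, or -1 when there is none. Assumption: the crashing code reaches the
// sibling list through a parent cast to a filter. Here the cast result is
// checked, so a primitive placed directly under <svg> (the test case in this
// report) is rejected before parent->children is ever read.
int previous_out_index(const Primitive *prim) {
    auto *filter = dynamic_cast<Filter *>(prim->parent);
    if (!filter) return -1;    // parent is missing or is not a <filter>
    int idx = -1;
    for (const auto &child : filter->children) {
        if (child.get() == prim) return idx;
        ++idx;
    }
    return -1;
}

int main() {
    // Constructed input mirroring the report: <svg><feBlend/></svg>
    Root root;
    auto *orphan = static_cast<Primitive *>(root.add(std::make_unique<Primitive>()));
    std::printf("feBlend under <svg>: %d\n", previous_out_index(orphan));

    // Well-formed case: two primitives inside a <filter>
    Filter filter;
    filter.add(std::make_unique<Primitive>());
    auto *second = static_cast<Primitive *>(filter.add(std::make_unique<Primitive>()));
    std::printf("second primitive in <filter>: %d\n", previous_out_index(second));
    return 0;
}
```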
