Crash while switching from Outline to Normal mode

Bug #167411 reported by Knutux-users

Affects: Inkscape
Status: Fix Released
Importance: Critical
Assigned to: Richard Hughes

Bug Description

Steps to reproduce: open a complex drawing, switch to
Outline, switch back to Normal view, and it crashes.
The problem is that it can be reproduced constantly, but only
with a single document (which has external references
to bitmaps; after removing those references it no
longer reproduces).

Program received signal SIGSEGV, Segmentation fault.
font_instance::BBox (this=0x7912f98, glyph_id=87)
    at c:/mingw/bin/../lib/gcc/mingw32/3.4.2/../../../../include/c++/3.4.2/bits/stl_vector.h:462
462 operator[](size_type __n) { return *(begin() + __n); }
(gdb) bt
#0 font_instance::BBox (this=0x7912f98, glyph_id=87)
    at c:/mingw/bin/../lib/gcc/mingw32/3.4.2/../../../../include/c++/3.4.2/bits/stl_vector.h:462
#1 0x0075ee0c in raster_font::BBox (this=0x5a37ef8, glyph_id=87, area=0x22eab0) at libnrtype/RasterFont.cpp:110
#2 0x005a78dd in nr_arena_glyphs_update (item=0x61d80b0, area=0x0, gc=0x22ebb0, state=510, reset=510) at display/nr-arena-glyphs.cpp:149
#3 0x004415ac in nr_arena_item_invoke_update (item=0x61d80b0, area=0x0, gc=0x22ec40, state=510, reset=510) at display/nr-arena-item.cpp:252
#4 0x0049a73d in nr_arena_group_update (item=0x61c7000, area=0x0, gc=0x22ed70, state=510, reset=510) at display/nr-arena-group.cpp:170
#5 0x005a81c4 in nr_arena_glyphs_group_update (item=0x61c7000, area=0x0, gc=0x22ed70, state=510, reset=510) at display/nr-arena-glyphs.cpp:421
#6 0x004415ac in nr_arena_item_invoke_update (item=0x61c7000, area=0x0, gc=0x22ee00, state=510, reset=510) at display/nr-arena-item.cpp:252
#7 0x0049a73d in nr_arena_group_update (item=0x61d5c78, area=0x0, gc=0x22ee90, state=510, reset=510) at display/nr-arena-group.cpp:170
#8 0x004415ac in nr_arena_item_invoke_update (item=0x61d5c78, area=0x0, gc=0x22ef20, state=510, reset=510) at display/nr-arena-item.cpp:252
#9 0x0049a73d in nr_arena_group_update (item=0x61d5d10, area=0x0, gc=0x22efb0, state=510, reset=510) at display/nr-arena-group.cpp:170
#10 0x004415ac in nr_arena_item_invoke_update (item=0x61d5d10, area=0x0, gc=0x22f040, state=510, reset=510) at display/nr-arena-item.cpp:252
#11 0x0049a73d in nr_arena_group_update (item=0x61c4558, area=0x0, gc=0x22f0d0, state=510, reset=510) at display/nr-arena-group.cpp:170
#12 0x004415ac in nr_arena_item_invoke_update (item=0x61c4558, area=0x0, gc=0x22f160, state=510, reset=510) at display/nr-arena-item.cpp:252
#13 0x0049a73d in nr_arena_group_update (item=0x61c45f0, area=0x0, gc=0x22f1f0, state=510, reset=510) at display/nr-arena-group.cpp:170
#14 0x004415ac in nr_arena_item_invoke_update (item=0x61c45f0, area=0x0, gc=0x22f280, state=510, reset=510) at display/nr-arena-item.cpp:252
#15 0x0049a73d in nr_arena_group_update (item=0x60d27b8, area=0x0, gc=0x22f310, state=510, reset=510) at display/nr-arena-group.cpp:170
#16 0x004415ac in nr_arena_item_invoke_update (item=0x60d27b8, area=0x0, gc=0x22f3a0, state=510, reset=510) at display/nr-arena-item.cpp:252
#17 0x0049a73d in nr_arena_group_update (item=0x4ba1a18, area=0x0, gc=0x22f430, state=510, reset=510) at display/nr-arena-group.cpp:170
#18 0x004415ac in nr_arena_item_invoke_update (item=0x4ba1a18, area=0x0, gc=0x22f4c0, state=510, reset=510) at display/nr-arena-item.cpp:252
#19 0x0049a73d in nr_arena_group_update (item=0x3bd4ed8, area=0x0, gc=0x22f550, state=510, reset=510) at display/nr-arena-group.cpp:170
#20 0x004415ac in nr_arena_item_invoke_update (item=0x3bd4ed8, area=0x0, gc=0x3b04018, state=510, reset=510) at display/nr-arena-item.cpp:252
#21 0x0053bdf7 in sp_canvas_arena_update (item=0x3b03f70, affine=@0x22f690, flags=1) at display/canvas-arena.cpp:154
#22 0x004d885e in sp_canvas_item_invoke_update (item=0x3b03f70, affine=@0x22f780, flags=2) at display/sp-canvas.cpp:264
#23 0x004d8fd8 in sp_canvas_group_update (item=0x3b06678, affine=@0x22f780, flags=2) at display/sp-canvas.cpp:725
#24 0x004d885e in sp_canvas_item_invoke_update (item=0x3b06678, affine=@0x22f870, flags=1) at display/sp-canvas.cpp:264
#25 0x004d8fd8 in sp_canvas_group_update (item=0x3adddd8, affine=@0x22f870, flags=1) at display/sp-canvas.cpp:725
#26 0x004d885e in sp_canvas_item_invoke_update (item=0x3adddd8, affine=@0x22f930, flags=0) at display/sp-canvas.cpp:264
#27 0x004daed9 in do_update (canvas=0x3b02c48) at display/sp-canvas.cpp:1768
#28 0x004db04f in idle_handler (data=0x3b02c48) at display/sp-canvas.cpp:1796
#29 0x00a1aa96 in _libmsvcrt_a_iname () from d:\leisure\ink\inkscape\libglib-2.0-0.dll
#30 0x03b02c48 in ?? ()
#31 0x00000000 in ?? () from
#32 0x00000000 in ?? () from
#33 0x079dd598 in ?? ()
#34 0x08807a88 in ?? ()
#35 0x00a1aa5e in _libmsvcrt_a_iname () from d:\leisure\ink\inkscape\libglib-2.0-0.dll
#36 0x0022f9f8 in ?? ()
#37 0x00a18b87 in _libmsvcrt_a_iname () from d:\leisure\ink\inkscape\libglib-2.0-0.dll
#38 0x08807a88 in ?? ()
#39 0x004db010 in do_update () at ./libnr/nr-point.h:47
Previous frame inner to this frame (corrupt stack?)

Revision history for this message
Knutux-users (knutux-users) wrote :

First stack trace lines with optimisation disabled:

#0 0x008861a3 in __gnu_cxx::hashtable<std::pair<int const, int>, int, __gnu_cxx::hash<int>, std::_Select1st<std::pair<int const, int> >, std::equal_to<int>, std::allocator<int> >::_M_bkt_num_key (this=0x5a30004, __key=@0x22ed48, __n=0) at c:/mingw/bin/../lib/gcc/mingw32/3.4.2/../../../../include/c++/3.4.2/ext/hashtable.h:518
#1 0x00886168 in __gnu_cxx::hashtable<std::pair<int const, int>, int, __gnu_cxx::hash<int>, std::_Select1st<std::pair<int const, int> >, std::equal_to<int>, std::allocator<int> >::_M_bkt_num_key (this=0x5a30004, __key=@0x22ed48) at c:/mingw/bin/../lib/gcc/mingw32/3.4.2/../../../../include/c++/3.4.2/ext/hashtable.h:508
#2 0x0087137a in __gnu_cxx::hashtable<std::pair<int const, int>, int, __gnu_cxx::hash<int>, std::_Select1st<std::pair<int const, int> >, std::equal_to<int>, std::allocator<int> >::find (this=0x5a30004, __key=@0x22ed48) at c:/mingw/bin/../lib/gcc/mingw32/3.4.2/../../../../include/c++/3.4.2/ext/hashtable.h:447
#3 0x0086f79a in __gnu_cxx::hash_map<int, int, __gnu_cxx::hash<int>, std::equal_to<int>, std::allocator<int> >::find (this=0x5a30004, __key=@0x22ed48) at c:/mingw/bin/../lib/gcc/mingw32/3.4.2/../../../../include/c++/3.4.2/ext/hash_map:176
#4 0x0059e999 in font_instance::BBox (this=0x5a2ffe0, glyph_id=68) at libnrtype/FontInstance.cpp:616
#5 0x00750a37 in raster_font::BBox (this=0x5a45590, glyph_id=68, area=0x22eec0) at libnrtype/RasterFont.cpp:110

Failing line is
    _M_hash(__key) % __n
(__n is 0, so that gives an arithmetic exception)

Solution - do not use __gnu_cxx::hash (maybe switch to std::
map) or add a check for empty() before calling find (in all
places in the code).
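
The failure mode described in this comment, as an added example that is not Inkscape's code: a toy chained hash table keyed by glyph id whose lookup mirrors the `_M_hash(__key) % __n` bucket computation in the trace, shown beside a lookup that applies the suggested empty() guard, and beside the std::map alternative, which keeps no bucket array at all. Class and function names (GlyphBBoxTable, GlyphBBoxMap, find_unchecked, find_checked) are hypothetical; the glyph ids 87 and 68 come from the traces, the bbox indices are constructed values.

```cpp
// Added example, not Inkscape code. Demonstrates why a hash-table lookup on a
// table with zero buckets traps (hash % 0), and the two fixes the comment
// proposes: guard with empty(), or use std::map. Names are hypothetical.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <list>
#include <map>
#include <utility>
#include <vector>

class GlyphBBoxTable {
public:
    typedef std::pair<int, int> Entry;   // (glyph_id, index into a bbox array)

    // Lookup shaped like __gnu_cxx::hashtable::find: the bucket is
    // hash % bucket_count with no emptiness check. On a table that was never
    // populated, buckets_.size() is 0 and the modulo is an integer division
    // by zero (SIGFPE on x86 Linux, as in the trace). Kept here to show the
    // defect; the demo below never calls it on an empty table.
    bool find_unchecked(int glyph_id, int &out) const {
        std::size_t bkt = std::hash<int>()(glyph_id) % buckets_.size();
        return scan_bucket(bkt, glyph_id, out);
    }

    // Guarded lookup: the empty() check the comment suggests. An empty table
    // reports "not found" instead of computing hash % 0.
    bool find_checked(int glyph_id, int &out) const {
        if (buckets_.empty()) {
            return false;
        }
        std::size_t bkt = std::hash<int>()(glyph_id) % buckets_.size();
        return scan_bucket(bkt, glyph_id, out);
    }

    // Insert or overwrite; the bucket array is allocated on first use, which
    // is why a never-used table has zero buckets.
    void insert(int glyph_id, int bbox_index) {
        if (buckets_.empty()) {
            buckets_.resize(8);
        }
        std::size_t bkt = std::hash<int>()(glyph_id) % buckets_.size();
        std::list<Entry> &chain = buckets_[bkt];
        for (std::list<Entry>::iterator it = chain.begin(); it != chain.end(); ++it) {
            if (it->first == glyph_id) {
                it->second = bbox_index;
                return;
            }
        }
        chain.push_back(Entry(glyph_id, bbox_index));
    }

    std::size_t bucket_count() const { return buckets_.size(); }

private:
    bool scan_bucket(std::size_t bkt, int glyph_id, int &out) const {
        const std::list<Entry> &chain = buckets_[bkt];
        for (std::list<Entry>::const_iterator it = chain.begin(); it != chain.end(); ++it) {
            if (it->first == glyph_id) {
                out = it->second;
                return true;
            }
        }
        return false;
    }

    std::vector<std::list<Entry> > buckets_;   // starts with zero buckets
};

// The alternative the comment proposes: std::map keeps no bucket array, so an
// empty map has nothing to divide by; find() on it simply returns end().
class GlyphBBoxMap {
public:
    void insert(int glyph_id, int bbox_index) { map_[glyph_id] = bbox_index; }
    bool find(int glyph_id, int &out) const {
        std::map<int, int>::const_iterator it = map_.find(glyph_id);
        if (it == map_.end()) {
            return false;
        }
        out = it->second;
        return true;
    }
private:
    std::map<int, int> map_;
};

// Stand-alone demo; bbox indices 5 and 9 are constructed values.
int main() {
    GlyphBBoxTable table;
    int idx = -1;
    std::printf("empty table, checked find(87): %s\n",
                table.find_checked(87, idx) ? "found" : "not found");
    table.insert(87, 5);
    table.insert(68, 9);
    table.find_checked(87, idx);
    std::printf("after insert, find(87) -> bbox index %d\n", idx);
    GlyphBBoxMap m;
    std::printf("empty std::map find(87): %s\n",
                m.find(87, idx) ? "found" : "not found");
    return 0;
}
```

The guard only papers over a lookup that reaches a table in this state; whether the bucket array is legitimately empty or the font_instance itself is no longer valid (as the `this=0x5a30004` value in the unoptimised trace might suggest) is a separate question that the guard does not answer, which is why the thread also reaches for valgrind.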

Revision history for this message
Knutux-users (knutux-users) wrote :

Crash while switching from Outline to Normal mode

Revision history for this message
Knutux-users (knutux-users) wrote :

Unable to upload a file (too big), so here is a URL - http://knutux.googlepages.com/LithuaniaPhysicalMapDetailed.zip (I
can reproduce the crash constantly using this file - open,
switch mode to outline and back and it crashes)

Revision history for this message
Rwst (rwst) wrote :

Confirmed on OpenSuSE 10, so not Windows-specific. The crash
happens even at Normal->Outline. valgrind does not crash but
first gives me a bunch of these (maybe unrelated)

==28533== Conditional jump or move depends on uninitialised value(s)
==28533== at 0x83548F2: nr_rect_d_union(NRRect*, NRRect const*, NRRect const*) (nr-rect.cpp:65)
==28533== by 0x8181C1B: sp_item_invoke_bbox_full(SPItem const*, NRRect*, NR::Matrix const&, unsigned, unsigned) (sp-item.cpp:702)
==28533== by 0x816E514: sp_clippath_get_bbox(SPClipPath*, NRRect*, NR::Matrix const&, unsigned) (sp-clippath.cpp:336)
==28533== by 0x8181B95: sp_item_invoke_bbox_full(SPItem const*, NRRect*, NR::Matrix const&, unsigned, unsigned) (sp-item.cpp:696)
==28533== by 0x8181CAC: sp_item_invoke_bbox(SPItem const*, NRRect*, NR::Matrix const&, unsigned) (sp-item.cpp:665)
==28533== by 0x818255A: sp_item_update(SPObject*, SPCtx*, unsigned) (sp-item.cpp:559)
==28533== by 0x817DC59: sp_group_update(SPObject*, SPCtx*, unsigned) (sp-item-group.cpp:241)
==28533== by 0x81891B5: SPObject::updateDisplay(SPCtx*, unsigned) (sp-object.cpp:1248)
==28533== by 0x817DDD8: sp_group_update(SPObject*, SPCtx*, unsigned) (sp-item-group.cpp:260)
==28533== by 0x8196BB1: sp_root_update(SPObject*, SPCtx*, unsigned) (sp-root.cpp:545)
==28533== by 0x81891B5: SPObject::updateDisplay(SPCtx*, unsigned) (sp-object.cpp:1248)
==28533== by 0x8155E55: sp_document_ensure_up_to_date(SPDocument*) (document.cpp:704)

and then it gives me memory problems starting with

==28533== Conditional jump or move depends on uninitialised value(s)
==28533== at 0x8338DF9: Inkscape::Text::Layout::Calculator::_computeFontLineHeight(font_instance*, double, SPStyle const*, Inkscape::Text::Layout::LineHeight*, double*) (Layout-TNG-Compute.cpp:914)
==28533== by 0x8339800: Inkscape::Text::Layout::Calculator::_buildSpansForPara(Inkscape::Text::Layout::Calculator::ParagraphInfo*) const (Layout-TNG-Compute.cpp:1060)
==28533== by 0x833AFB4: Inkscape::Text::Layout::Calculator::calculate() (Layout-TNG-Compute.cpp:1357)
==28533== by 0x833B746: Inkscape::Text::Layout::calculateFlow() (Layout-TNG-Compute.cpp:1494)
==28533== by 0x81A0A9E: SPText::rebuildLayout() (sp-text.cpp:547)
==28533== by 0x81A0EEA: sp_text_update(SPObject*, SPCtx*, unsigned) (sp-text.cpp:245)
==28533== by 0x81891B5: SPObject::updateDisplay(SPCtx*, unsigned) (sp-object.cpp:1248)
==28533== by 0x817DDD8: sp_group_update(SPObject*, SPCtx*, unsigned) (sp-item-group.cpp:260)
==28533== by 0x81891B5: SPObject::updateDisplay(SPCtx*, unsigned) (sp-object.cpp:1248)
==28533== by 0x817DDD8: sp_group_update(SPObject*, SPCtx*, unsigned) (sp-item-group.cpp:260)
==28533== by 0x81891B5: SPObject::updateDisplay(SPCtx*, unsigned) (sp-object.cpp:1248)
==28533== by 0x817DDD8: sp_group_update(SPObject*, SPCtx*, unsigned) (sp-item-group.cpp:260)

and culminating in

==28533== Syscall param writev(vector[...]) points to uninitialised byte(s)
==28533== at 0x1CA7B986: do_writev (in /lib/tls/libc-2.3.5.so)
==28533== by 0x1C6AC2FD: (within /usr/X11R6/lib/libX11.so.6.2)
==28533== by 0x1C6AC60E: _X11TransWritev (in /usr/X11R6/lib/libX11.so.6.2...


Revision history for this message
Rwst (rwst) wrote :

assigning to pjrm as he changed the relevant code
(nr-arena-glyphs.cpp:144) recently.

Revision history for this message
Buliabyak-users (buliabyak-users) wrote :

Confirmed on linux, my backtrace below. This is a difficult
one. Cyreve, since it's somewhere in font code, can you have
a look?

Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 1091338912 (LWP 22269)]
0x08336903 in font_instance::BBox (this=0x410a4d90, glyph_id=87) at hash_fun.h:110
110 { size_t operator()(int __x) const { return __x; } };
(gdb) bt
#0 0x08336903 in font_instance::BBox (this=0x410a4d90, glyph_id=87) at hash_fun.h:110
#1 0x083381cc in raster_font::BBox (this=0xadafbd8, glyph_id=87, area=0xbfffe2f0) at libnrtype/RasterFont.cpp:110
#2 0x08301773 in nr_arena_glyphs_update (item=0xaba3e40, area=0x0, gc=0xa90a078, state=510, reset=510) at display/nr-arena-glyphs.cpp:149
#3 0x082f90e1 in nr_arena_item_invoke_update (item=0xaba3e40, area=0x0, gc=0xbfffe4b4, state=510, reset=510) at display/nr-arena-item.cpp:252
#4 0x082fb419 in nr_arena_group_update (item=0xaba2f00, area=0x0, gc=0xbfffe5b0, state=510, reset=510) at display/nr-arena-group.cpp:170
#5 0x08302157 in nr_arena_glyphs_group_update (item=0xaba2f00, area=0x0, gc=0xbfffe5b0, state=510, reset=510) at display/nr-arena-glyphs.cpp:421
#6 0x082f90e1 in nr_arena_item_invoke_update (item=0xaba2f00, area=0x0, gc=0xbfffe674, state=510, reset=510) at display/nr-arena-item.cpp:252
#7 0x082fb419 in nr_arena_group_update (item=0xaba0130, area=0x0, gc=0xbfffe6d0, state=510, reset=510) at display/nr-arena-group.cpp:170
#8 0x082f90e1 in nr_arena_item_invoke_update (item=0xaba0130, area=0x0, gc=0xbfffe794, state=510, reset=510) at display/nr-arena-item.cpp:252
#9 0x082fb419 in nr_arena_group_update (item=0xaba01c8, area=0x0, gc=0xbfffe7f0, state=510, reset=510) at display/nr-arena-group.cpp:170
#10 0x082f90e1 in nr_arena_item_invoke_update (item=0xaba01c8, area=0x0, gc=0xbfffe8b4, state=510, reset=510) at display/nr-arena-item.cpp:252
#11 0x082fb419 in nr_arena_group_update (item=0xab95a18, area=0x0, gc=0xbfffe910, state=510, reset=510) at display/nr-arena-group.cpp:170
#12 0x082f90e1 in nr_arena_item_invoke_update (item=0xab95a18, area=0x0, gc=0xbfffe9d4, state=510, reset=510) at display/nr-arena-item.cpp:252
#13 0x082fb419 in nr_arena_group_update (item=0xab95ab0, area=0x0, gc=0xbfffea30, state=510, reset=510) at display/nr-arena-group.cpp:170
#14 0x082f90e1 in nr_arena_item_invoke_update (item=0xab95ab0, area=0x0, gc=0xbfffeaf4, state=510, reset=510) at display/nr-arena-item.cpp:252
#15 0x082fb419 in nr_arena_group_update (item=0xa855130, area=0x0, gc=0xbfffeb50, state=510, reset=510) at display/nr-arena-group.cpp:170

Revision history for this message
Richard Hughes (cyreve) wrote :

Ralf, can you attach the entire valgrind dump? I think that
initial "Conditional jump or move depends on uninitialised"
is a separate problem, unrelated to this.

Revision history for this message
Rwst (rwst) wrote :

Done. You are right. The interesting part starts at line 288.

Revision history for this message
Richard Hughes (cyreve) wrote :

Gak. Evil bug.
