Win64 Inkscape crashes at startup due to g_utf8_collate handling a null pointer

Bug #1677853 reported by Allen Kuo
Affects: Inkscape
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

The issue can be reproduced on the "0.91" and "0.92.1" Windows 64 versions.
To trace the issue, I used gdb with the inkscape.dbg symbol file.

Here is the backtrace:
Starting program: C:\temp\inkscape\inkscape\inkscape.exe
[New Thread 25560.0x437c]
[New Thread 25560.0x8634]
[New Thread 25560.0xef4]
[New Thread 25560.0x8974]
[New Thread 25560.0x8efc]
[New Thread 25560.0x3120]
[New Thread 25560.0x2230]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffe6681c7a3 in strcmp () from C:\WINDOWS\System32\msvcrt.dll
(gdb) bt
#0 0x00007ffe6681c7a3 in strcmp () from C:\WINDOWS\System32\msvcrt.dll
#1 0x000000006863802a in g_utf8_collate () from C:\temp\inkscape\inkscape\libglib-2.0-0.dll
#2 0x0000000000708c31 in ?? ()
#3 0x0000000000ed663f in ?? ()
#4 0x000000000070b2bd in ?? ()
#5 0x000000000072517f in ?? ()
#6 0x00000000007259ca in ?? ()
#7 0x0000000000d27c64 in ?? ()
#8 0x0000000000d32600 in ?? ()
#9 0x0000000000d2d7d1 in ?? ()
#10 0x0000000000bfab35 in ?? ()
#11 0x0000000000cb0861 in ?? ()
#12 0x0000000000cb0a0a in ?? ()
#13 0x00000000006382d2 in ?? ()
#14 0x0000000000638977 in ?? ()
#15 0x000000000082cfe0 in ?? ()
#16 0x0000000000ee9bbe in ?? ()
#17 0x00000000004013b5 in ?? ()
#18 0x00000000004014c8 in ?? ()
#19 0x00007ffe66ba8364 in KERNEL32!BaseThreadInitThunk () from C:\WINDOWS\System32\kernel32.dll
#20 0x00007ffe688370d1 in ntdll!RtlUserThreadStart () from C:\WINDOWS\SYSTEM32\ntdll.dll
#21 0x0000000000000000 in ?? ()

inkscape-0.92.1\src\ui\dialog\swatches.cpp
static bool
compare_swatch_names(SwatchPage const *a, SwatchPage const *b) {

    return g_utf8_collate(a->_name.c_str(), b->_name.c_str()) < 0;
}

I can only find the swatches sort using this function call.
I guess invalid strings are put into the std::list and generate the issue.

I set a breakpoint at "0x000000006863802a (g_utf8_collate)" and ran Inkscape again.
After the breakpoint hit, I set PC to the next instruction to bypass the function.
Inkscape ran perfectly.

To clarify the issue, I tried installing Inkscape on an "English" version of Win10 64-bit.
The issue could not be reproduced.

My default system is a "Traditional Chinese" Taiwan-region Win10 64-bit system.
Is it possible that a UTF-8 string conversion (codepage or something else) leads to the issue?

GIMP seems to run well on my system. It might not be a GTK+ problem.

PS:
I used Visual Studio 2017 Community to trace the problem.
The exception report is:

Exception thrown at 0x00007FFE6681C7A3 (msvcrt.dll) in inkscape.exe: 0xC0000005: Access violation reading location 0x0000000000000000. occurred

Patrick Storz (ede123) wrote :

Could you please post steps on how to actually produce the crash, i.e. how to actually create swatches with illegal characters? Inkscape does not even allow me to create swatches with problematic names...

TylerDurden (8thrule) wrote :

Maybe related:
https://bugs.launchpad.net/inkscape/+bug/1508928
"Program crashed after adding new Chinese fonts"

Allen Kuo (kwyshell) wrote :

Since I haven't built the full code in my environment, I tried to debug the code in x86-64 ASM.

1. The crash is due to MSVCRT strcmp.
2. g_utf8_collate calls strcmp
(https://sourcecodebrowser.com/glib2.0/2.16.6/gunicollate_8c.html#a6d1e8cf779f8ecd81d0a1463065426ed)

g_utf8_collate(a->_name.c_str(), b->_name.c_str())
asm:
000000006E2B8ED4 add rdx,8
000000006E2B8ED8 add rcx,8
000000006E2B8EDC call 000000006E43FAA0
a->_name.c_str() = rcx + 8 = 0060efc8
b->_name.c_str() = rdx + 8 = 1093e1c8

memory dump:
00000000-0060efc8:
[Invalid Address]
00000000-1093e1c8:
e9 95 bf e4 bb bf e5 ae 8b e4 bd 93 ==> UTF8 string in Chinese

It looks like Inkscape can handle Asian UTF-8 strings correctly.
The problem is that a->_name.c_str() points to an invalid address. This address leads g_convert to generate a null string in g_utf8_collate.

TylerDurden (8thrule):
I think your suggestion might be correct. After dumping the related memory, I see lots of "font" names.
Some of them are Asian (CJK) UTF-8 strings.

The issue should be something related to font / font name / font style parsing & sorting.
Maybe some font name leads to the problem.

Patrick Storz (ede123) wrote :

All right, I assumed (in error) you already knew this issue was related to swatches (which I'm starting to doubt now).

I can throw palettes with names containing arbitrary Unicode characters at Inkscape and it works just fine, so the conflicting call of "g_utf8_collate()" might actually be in glib or gtk+ code and not in Inkscape code at all.

It's unfortunately not visible in the stack trace where the function is called from, and I'm afraid we cannot efficiently debug this without a more complete trace...

@Allen: Which version of gdb are you using? Could you try with Inkscape 0.92.1 and the gdb contained in the package available from [1]? I usually get useful stack traces (even without symbols file).

[1] https://sourceforge.net/projects/mingw-w64/files/Toolchains%20targetting%20Win64/Personal%20Builds/mingw-builds/5.3.0/threads-win32/seh/

P.S. Related to fonts there's also bug #1495386 where I recently wrote down some findings in comment #5.

Allen Kuo (kwyshell) wrote :

@Eduard: Thanks for your great advice.
Here is the BT:

Thread 1 received signal SIGSEGV, Segmentation fault.
0x00007ffe6681c7a0 in strcmp () from C:\WINDOWS\System32\msvcrt.dll
(gdb) bt
#0 0x00007ffe6681c7a0 in strcmp () from C:\WINDOWS\System32\msvcrt.dll
#1 0x0000000068654fd9 in g_utf8_collate (str1=<optimized out>, str2=<optimized out>) at gunicollate.c:149
#2 0x000000006e2b8ee1 in ustringPairSort(std::pair<_PangoFontFamily*, Glib::ustring> const&, std::pair<_PangoFontFamily*, Glib::ustring> const&) () from C:\Program Files\Inkscape\libinkscape_base.dll
#3 0x000000006e2bbb40 in font_factory::GetUIFamilies(std::vector<_PangoFontFamily*, std::allocator<_PangoFontFamily*> >&) ()
   from C:\Program Files\Inkscape\libinkscape_base.dll
#4 0x000000006e2beeb9 in Inkscape::FontLister::FontLister() () from C:\Program Files\Inkscape\libinkscape_base.dll
#5 0x000000006e2bf5d5 in Inkscape::FontLister::get_instance() () from C:\Program Files\Inkscape\libinkscape_base.dll
#6 0x000000006e099204 in sp_text_toolbox_prep(SPDesktop*, _GtkActionGroup*, _GObject*) ()
   from C:\Program Files\Inkscape\libinkscape_base.dll
#7 0x000000006e0f9d5d in setup_aux_toolbox(_GtkWidget*, SPDesktop*) () from C:\Program Files\Inkscape\libinkscape_base.dll
#8 0x000000006e0f6255 in Inkscape::UI::ToolboxFactory::setToolboxDesktop(_GtkWidget*, SPDesktop*) ()
   from C:\Program Files\Inkscape\libinkscape_base.dll
#9 0x000000006dde4517 in Inkscape::UI::UXManagerImpl::connectToDesktop(std::vector<_GtkWidget*, std::allocator<_GtkWidget*> > const&, SPDesktop*) () from C:\Program Files\Inkscape\libinkscape_base.dll
#10 0x000000006e0a661a in SPDesktopWidget::createInstance(SPNamedView*) () from C:\Program Files\Inkscape\libinkscape_base.dll
#11 0x000000006e0a672a in sp_desktop_widget_new(SPNamedView*) () from C:\Program Files\Inkscape\libinkscape_base.dll
#12 0x000000006e14d272 in sp_file_new(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
   from C:\Program Files\Inkscape\libinkscape_base.dll
#13 0x000000006e14d655 in sp_file_new_default() () from C:\Program Files\Inkscape\libinkscape_base.dll
#14 0x0000000000406272 in sp_main_gui(int, char const**) ()
#15 0x000000000040e05f in main ()
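As an added example that is not Inkscape's or glib's own code, here is a comparator in the shape of ustringPairSort / compare_swatch_names that refuses to hand a NULL or malformed name to the collation routine, so one bad font or swatch entry cannot take the whole sort (and startup) down. FontEntry, is_valid_utf8, ustring_pair_sort_safe and the byte-wise strcmp stand-in for g_utf8_collate() are hypothetical; the CJK bytes in the constructed sample are taken from the memory dump quoted above.

```cpp
#include <algorithm>
#include <cstring>
#include <string>
#include <vector>
// Hypothetical stand-in for std::pair<PangoFontFamily*, Glib::ustring>: name is the
// raw C string the real comparator hands to g_utf8_collate(); it may be NULL or not UTF-8.
struct FontEntry { const void *family; const char *name; };

// Structural UTF-8 check (lead + continuation bytes, stops at NUL); refuses input g_convert() would reject.
bool is_valid_utf8(const char *s) {
    if (s == nullptr) return false;
    const unsigned char *p = reinterpret_cast<const unsigned char *>(s);
    while (*p) {
        int extra;
        if (*p < 0x80) extra = 0;
        else if ((*p & 0xE0) == 0xC0) extra = 1;
        else if ((*p & 0xF0) == 0xE0) extra = 2;
        else if ((*p & 0xF8) == 0xF0) extra = 3;
        else return false;                         // stray continuation or > 0xF7
        for (++p; extra > 0; --extra, ++p)
            if ((*p & 0xC0) != 0x80) return false; // also catches an early NUL
    }
    return true;
}

// Comparator that never forwards an unusable string: NULL or malformed names sort
// after all valid names and compare equal to each other, so the sort cannot crash.
bool ustring_pair_sort_safe(const FontEntry &a, const FontEntry &b) {
    bool va = is_valid_utf8(a.name), vb = is_valid_utf8(b.name);
    if (va != vb) return va;
    if (!va) return false;
    // Byte-wise strcmp stands in for g_utf8_collate() so this runs without glib.
    return std::strcmp(a.name, b.name) < 0;
}

// Sorts the entries and returns the names in order, "<invalid>" for unusable ones.
std::vector<std::string> sorted_family_names(std::vector<FontEntry> entries) {
    std::sort(entries.begin(), entries.end(), ustring_pair_sort_safe);
    std::vector<std::string> out;
    for (const FontEntry &e : entries)
        out.push_back(is_valid_utf8(e.name) ? std::string(e.name) : "<invalid>");
    return out;
}

// Constructed sample: two ASCII names, a CJK name from the first bytes of the
// report's memory dump, that same name cut mid-sequence, and a NULL pointer.
std::vector<FontEntry> sample_entries() {
    return {{nullptr, "Sans"}, {nullptr, nullptr}, {nullptr, "\xe9\x95\xbf\xe4\xbb\xbf"},
            {nullptr, "\xe9\x95\xbf\xe4"}, {nullptr, "Arial"}};
}
```

With the original comparator, the NULL entry alone would reach strcmp() and reproduce the access violation at address 0 seen in both traces; here it simply lands at the end of the list.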
