Crash when undoing while mouse button pressed

Originator: NO

this is fixed in devel version

warning before trying this:
the cursor gets stuck system wide (at least in linux mint)
with the tool used when inkscape crashed,
one can only move the mouse but clicking doesn't work.

how to get it unstuck:
I have setup a hotkey for the system monitor
and am able to bring it up and kill gdb,
which also shuts down inkscape and releases the mouse.

you have been warned, on to the crash:
While drawing a rectangle and one presses ctrl + z,
inkscape crashes with the following messages:

** (inkscape:11240): WARNING **: Incomplete undo transaction:

** (inkscape:11240): WARNING **: Event: Set attribute style to "stroke-width:32;fill:#2b0000;stroke:none;fill-opacity:1" on #<Element:0x0xaf77e70>

** (inkscape:11240): WARNING **: Event: Added #<Element:0x0x926e570> to #<Element:0x0xaf77e70> after beginning

** (inkscape:11240): WARNING **: Event: Set attribute id to "rect3270" on #<Element:0x0xaf77e70>

** (inkscape:11240): WARNING **: Event: Set attribute width to "0" on #<Element:0x0xaf77e70>

** (inkscape:11240): WARNING **: Event: Set attribute height to "0" on #<Element:0x0xaf77e70>

** (inkscape:11240): WARNING **: Event: Set attribute x to "0" on #<Element:0x0xaf77e70>

** (inkscape:11240): WARNING **: Event: Set attribute y to "0" on #<Element:0x0xaf77e70>

** (inkscape:11240): WARNING **: Event: Set attribute transform to "translate(-7.3563764e-6,0)" on #<Element:0x0xaf77e70>

** (inkscape:11240): WARNING **: Event: Set attribute style to "fill:#2b0000;fill-opacity:1;stroke:none" on #<Element:0x0xaf77e70>

everything above is the same,
and most of the time it crashes with this as the last message:
*** Error in `/usr/bin/inkscape': corrupted double-linked list: 0x0b85cae0 ***

but i have seen it crash with just the following two messages at the end:

** (inkscape:11334): CRITICAL **: void SPObject::requestDisplayUpdate(unsigned int): assertion `this->document != NULL' failed

Program received signal SIGSEGV, Segmentation fault.
0x081d6b24 in ?? ()

and now while i was trying it before posting,
the last message was just:

Program received signal SIGSEGV, Segmentation fault.
0x081d6b24 in ?? ()

it happens with the shape tools, rect, circle, star, spiral,
but not with the freehand, bezier or calligraphic brush, or eraser,
probably because they don't draw anything until the mouse is released.

the spray tool gives alot of warning messages but doesn't seam to crash inkscape.

Tested with:
r12833 on linux mint 15 cinnamon 32bit

As described in latest comment, this issue has resurfaced in current trunk:
- reproduced with latest trunk r12839 on OS X 10.7.5
- not reproduced with 0.48.4 and 0.48.x r9988

Also reproduced with oldest archived trunk build on this machine: r10795.

Backtraces seem to vary a lot, attaching one produced with the rectangle tool, r12839 (GTK+/Quartz 2.24.22).

Two backtraces of the same crash, this time with the ellipse tool, r12839 (GTK+/X11, 2.24.22).

Also reproduced on Crunchbang Waldorf, Inkscape trunk revision 12840.

I think the way to fix this is to disable all accelerators while something is being dragged.

Seems like a good and logic solution.
I also already had a look and could not find a fix.

Testing with r12888

 - Undo while mouse down over chrome: No crash
 - Undo while mouse down over canvas: No crash
 o Undo impossible while mouse down over resize node.
 - Undo while mouse down over non-selected other object: No crash
 - Undo while mouse down over selected other object: No crash
 x Undo while mouse down over selected removed object: CRASH
 x Undo while mouse down over non-selected removed object: CRASH

I conclude the bug I can produce here is because the mouse is about to do something with an object that's getting removed.

Addendum: Undo a colour change while mouse down over selected object: No crash.

Fixed in r12894. items that are deleted on undo have no valid document and have been removed from the selection already. When mouse-up occurs, the code sees this item as valid but non-selected and tries to re-add it. Which the selection container happily accepts back.

I've added a check which should stop any item being selected which has been deleted.

Haven't tried this since the previous post,
tried it now with r12945,
ctlr + z while drawing a rect or a star,
crashed both times with the same messages.

On 2014-01-18 04:35 +0100, Cojnel wrote:
> tried it now with r12945,
> ctlr + z while drawing a rect or a star,
> crashed both times with the same messages.

Also reproduced with r12953 on OS X 10.7.5. Reopening.

Cojnel, I've checked the bug again and can't reproduce it. Can you give precise steps and see if you can identify if the crash is consistent?

~suv - Drawing a object? that's a completely different bug isn't it? This bug was to do with pressing the mouse button over existing objects. I'd like for a new report where this new issue can be tracked.

@Martin - I simply follow the steps do reproduce from the original description:

> Steps to reproduce:
>
> 1. Select e.g. the Spiral tool
> 2. Draw a spiral
> 3. While still holding down the mouse button, press Ctrl+Z

I don't see where these STR mention "This bug was to do with pressing the mouse button over existing objects". Can you clarify?

Martin Owens,

1. activate the rectangle tool
2. move the mouse over the canvas and hold down the left mousebutton
3. (do not release the mousebutton),
   move the mouse so that a rectangle is drawn
4. press ctrl + z
5. in r12945, inkscape crashes and the rectangle cursor gets stuck throughout the OS (linux mint 15 32bit),
the terminal outputs:
** (inkscape:4255): WARNING **: Incomplete undo transaction:

** (inkscape:4255): WARNING **: Event: Set attribute style to "fill:#808080;fill-opacity:1" on #<Element:0x0xaf50770>

** (inkscape:4255): WARNING **: Event: Added #<Element:0x0x91bcaf0> to #<Element:0x0xaf50770> after beginning

** (inkscape:4255): WARNING **: Event: Set attribute id to "rect3262" on #<Element:0x0xaf50770>

** (inkscape:4255): WARNING **: Event: Set attribute width to "0" on #<Element:0x0xaf50770>

** (inkscape:4255): WARNING **: Event: Set attribute height to "0" on #<Element:0x0xaf50770>

** (inkscape:4255): WARNING **: Event: Set attribute x to "0" on #<Element:0x0xaf50770>

** (inkscape:4255): WARNING **: Event: Set attribute y to "0" on #<Element:0x0xaf50770>

** (inkscape:4255): WARNING **: Event: Set attribute transform to "translate(-7.3563764e-6,0)" on #<Element:0x0xaf50770>

** (inkscape:4255): CRITICAL **: void SPObject::requestDisplayUpdate(unsigned int): assertion `this->document != NULL' failed

Program received signal SIGSEGV, Segmentation fault.
0x081e6154 in ?? ()

And in v0.48.4 r9939, inkscape does not crash,
but the terminal outputs:
** (inkscape:4316): WARNING **: Incomplete undo transaction:

** (inkscape:4316): WARNING **: Event: Set attribute style to "fill:#808080;fill-opacity:1" on #<Element:0x0xac779f0>

** (inkscape:4316): WARNING **: Event: Added #<Element:0x0x8f855f0> to #<Element:0x0xac779f0> after beginning

** (inkscape:4316): WARNING **: Event: Set attribute id to "rect2989" on #<Element:0x0xac779f0>

** (inkscape:4316): WARNING **: Event: Set attribute width to "0" on #<Element:0x0xac779f0>

** (inkscape:4316): WARNING **: Event: Set attribute height to "0" on #<Element:0x0xac779f0>

** (inkscape:4316): WARNING **: Event: Set attribute x to "0" on #<Element:0x0xac779f0>

** (inkscape:4316): WARNING **: Event: Set attribute y to "0" on #<Element:0x0xac779f0>

(inkscape:4316): GLib-GObject-WARNING **: invalid uninstantiatable type `(null)' in cast to `SPRect'

** (inkscape:4316): CRITICAL **: void sp_rect_position_set(SPRect*, gdouble, gdouble, gdouble, gdouble): assertion `SP_IS_RECT(rect)' failed

(inkscape:4316): GLib-GObject-WARNING **: invalid uninstantiatable type `(null)' in cast to `SPRect'

** (inkscape:4316): CRITICAL **: void sp_rect_position_set(SPRect*, gdouble, gdouble, gdouble, gdouble): assertion `SP_IS_RECT(rect)' failed

(inkscape:4316): GLib-GObject-WARNING **: invalid uninstantiatable type `(null)' in cast to `SPRect'

** (inkscape:4316): CRITICAL **: void sp_rect_position_set(SPRect*, gdouble, gdouble, gdouble, gdouble): assertion `SP_IS_RECT(rect)' failed

(inkscape:4316): GLib-GObject-WARNING **: invalid uninstantiatable type `(null)' in cast to `SPRect'

** (inkscape:4316): CRITICAL **: void sp_rect_position_set(SPRect*, gdouble, gdouble, gdouble, gdouble): asser...

Hey guys, I've just committed r12955 which stops undo when dragging with any tool. Please have a test.

Tested successfully on Crunchbang Waldorf, Inkscape trunk revision 12955.

Inkscape no longer crashes, but the terminal outputs the following message when pressing Ctrl+Z:

CRITICAL **: static gboolean Inkscape::DocumentUndo::undo(SPDocument*): assertion `doc->priv->sensitive' failed

Tested with r12955 on linux mint 15 32bit.

While drawing a rect,
and one presses: ctrl + z,
the terminal outputs:
** (inkscape:5137): CRITICAL **: static gboolean Inkscape::DocumentUndo::undo(SPDocument*): assertion `doc->priv->sensitive' failed

one is still able to continue drawing the rect.

But it seams like the fix introduced some more serious problems.

When pressing the right mouse button to finish drawing a bezier path,
or sometimes when moving a node with the node editing tool,
inkscape crashes with these messages:
ERROR:../../src/document-undo.cpp:158:static void Inkscape::DocumentUndo::maybeDone(SPDocument*, const gchar*, unsigned int, const Glib::ustring&): assertion failed: (doc->priv->sensitive)

Program received signal SIGABRT, Aborted.
0xb7fdd424 in __kernel_vsyscall ()

And when drawing a rect,
then switching to the selection tool,
and dragging the rect to a new location,
inkscape crashes,
and the selection cursor gets stuck and i'm unable to
click on anything until the gdb process has been killed
through the system monitor,
the terminal outputs:
ERROR:../../src/xml/simple-document.cpp:30:virtual void Inkscape::XML::SimpleDocument::beginTransaction(): assertion failed: (!_in_transaction)

Program received signal SIGABRT, Aborted.
0xb7fdd424 in __kernel_vsyscall ()

Also after drawing a rect (and releasing the mouse button),
and then pressing undo (any undo method works),
the rect is still left behind in the xml editor,
and its x,y,w and h attributes say: 0
if one changes the w and h attributes to: 100
then the rect shows up in the top left corner of the page.

when drawing an ellipse (and releasing the mouse button),
and pressing undo the ellipse jumps
to the top left corner, but it doesn't
change width or height.

Latest builds (rev >= 12955) are unusable on OS X 10.7.5 too, e.g.:
- builds using the native Quartz backend of GTK+ crash on mouse button release when drawing a new shape
- builds using the X11 backend of GTK+ crash when moving the just created shape (as described by Cojnel)
I didn't continue testing since the native builds can't even create shapes anymore to allow further investigation.

Please revert revision 12955.

New crash confirmed on Crunchbang Waldorf (sorry for my incomplete test).

GDB backtrace attached.

Hmm, ok so if the solution in the last revision is problematic, then we need to either a) revert and classify this as wont fix or b) work out each of the resulting problems of having undo's sensitivity change asynchronously.

One will notice in the code a change to document-undo.cpp where I change the assert_if( ..sensitive) to return_val_if_fail( ... ), this is what causes the warning reported by jazzy above. The error Cojnel reports looks like the same assert_if in another function and I will target that first for a solution.

OK I've committed r12959. to move the remaining asserts to return_ifs. There is a transactional race condition happening still which is infrequent, but is related to the fix put in place. Basically half way through a transaction the button is released and tries to set_sensitive which fails.

But I'm not sure what should be done. Block the call, refuse to set sensitive if there's a transaction taking place. Bit of a catch 22 since most solutions have consequences.

r12959 on OS X 10.7.5 (both GTK+ backends tested), default prefs, new doc:
- Critical console warnings for all actions:
Creating and editing objects produces critical warning on the console
(for text objects, each added character produces a new critical warning)

** (inkscape:56577): CRITICAL **: static void Inkscape::DocumentUndo::maybeDone(SPDocument*, const gchar*, unsigned int, const Glib::ustring&): assertion 'doc->priv->sensitive' failed

- Undo, Undo History broken:
In a new document, Undo history seem to only record creation of objects, but not further edits (e.g. transforms)
Applying Undo (Ctrl+Z) right after creating an object doesn't delete the object (see Cojnel's accurate description)
Once an object has been further edited (e.g. moved), undo is defunct ('Ctrl+Z' does nothing)

** (inkscape:67928): CRITICAL **: static gboolean Inkscape::DocumentUndo::undo(SPDocument*): assertion 'doc->priv->sensitive' failed

- Crash with ellipses:
Moving an ellipse just created in a new document with the select tool crashes inkscape (not consistently, but probably in 50% of the tests - not sure what the trigger is)

… and probably other regressions, all (imvho) more critical to even basic usage than the issue originally reported here (Crash when attempting to undo an action before the action was completed)

Repeating my earlier proposal to fully revert r12955 (and to reset bug status to 'Confirmed').

This bug is difficult, please be kindly to your resident bug fixer; :-)

I've reverted the two recent changes regarding setting the sensitivity of undo while dragging in a tool.

I've implemented a new stratagem regarding the bug and local tests prove very positive. But because of previous knock on effects, I'm keeping the bug at Confirmed until ~suv specifically is happy with the fix.

r12960 on linux mint 15 32bit.

Pressing ctrl + z while drawing an object,
doesn't output anything to the terminal or
cause a crash anymore.

but undo and redo stops working after clicking once on
the canvas or on an object with the node editing tool.

Draw a rect (or any object (shape, path, text)),
activate the node editing tool,
click once on the canvas or on the rect,
undo and redo stops working for any
action performed in this state.

To see that redo doesn't work,
choose a previous entry in the
edit > undo history... dialog,
and press redo.

To get undo/redo working again,
switch to another tool,
pan the canvas (middle mouse button drag)
or with the node editing tool active,
double click on the canvas or on a drawn object.
.

There also are some warning/critical messages
when pressing undo/redo after drawing a 3d box.

draw a 3d box on the canvas,
press undo,
the terminal outputs:
(inkscape:3370): GLib-GObject-WARNING **: instance of invalid non-instantiatable type `(null)'
(inkscape:3370): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

now press redo,
the terminal outputs:
(inkscape:3370): Gtk-CRITICAL **: gtk_tree_store_move: assertion `VALID_ITER (iter, tree_store)' failed

in the xml editor, select the 3d box group,
the terminal outputs 6 of the messages above
im guessing it's one for every each of the
6 paths in the 3d box group,

with the 3d box group selected in the xml editor,
press undo,
the terminal outputs:
** (inkscape:3370): WARNING **: Incomplete undo transaction:
** (inkscape:3370): WARNING **: Event: Moved #<Element:0x0xbff3e70> after beginning in #<Element:0x0xbfee2f0>
** (inkscape:3370): WARNING **: Event: Moved #<Element:0x0xbff3c70> after beginning in #<Element:0x0xbfee2f0>
** (inkscape:3370): WARNING **: Event: Moved #<Element:0x0xbff3ff0> after beginning in #<Element:0x0xbfee2f0>
** (inkscape:3370): WARNING **: Event: Moved #<Element:0x0xbff3970> after beginning in #<Element:0x0xbfee2f0>
** (inkscape:3370): WARNING **: Event: Moved #<Element:0x0xbfee170> after beginning in #<Element:0x0xbfee2f0>
** (inkscape:3370): WARNING **: Event: Moved #<Element:0x0xbff3af0> after beginning in #<Element:0x0xbfee2f0>
(inkscape:3370): Gtk-CRITICAL **: gtk_tree_store_move: assertion `VALID_ITER (iter, tree_store)' failed

but the undo action didn't revert to
a state before the 3d box was drawn,
when undo is pressed again,
the 3d box goes away and
the terminal outputs:
(inkscape:3862): Gtk-CRITICAL **: gtk_tree_store_move: assertion `VALID_ITER (iter, tree_store)' failed
(inkscape:3862): GLib-GObject-WARNING **: instance of invalid non-instantiatable type `(null)'
(inkscape:3862): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

> There also are some warning/critical messages
> when pressing undo/redo after drawing a 3d box.

AFAICT the 3dbox issues are not related to the changes for this bug (also reproducible with r12954).

> but undo and redo stops working after clicking once on
> the canvas or on an object with the node editing tool.

Confirmed with r12960 on OS X 10.7.5

Not reproduced with
- rev 12885 (last locally archived build before the first commit for this bug: r12894)
- rev 12954 (last locally archived build before the recent series of changes for this bug, rev >= 12955).

OK I've moved the blocking code from tool-base to sp-canvas. This allows the node tool to correctly work. I should note here that the only tool to NOT call tool-base root_handler for events is the node-tool when releasing a mouse button when the mouse is outside of an object. This is because there's no item to run an event on. But this might make weird things happen IMO.

But that doesn't effect us here any more. Please test, I think this commit is a keeper.

Tested with r12969
on linux mint 15 32bit.

Undo and redo stops working after
right clicking and choosing delete.

Open edit > undo history...
and draw a couple of objects.

In the undo history, click on an undo state
after [unchanged] so that both undo and redo
can be tested at the same time.

Right click on the canvas and choose delete
it happens with or without and object selected.

Now both undo and redo have stopped working,

To get it working again,
click on the canvas once with any tool.

Addition to the previous comment, #31

Choosing any of the right click menu entries,
causes undo and redo to stop working.

Good catch Cojnel, I've fixed it in r12974