flowregion trips GetDest assertion

Bug #1762681 reported by Hermann Höhne on 2018-04-10
This bug affects 9 people
Affects: Inkscape
Importance: High
Assigned to: Mc

Bug Description

Inkscape crashes due to a failed assertion caused by an SVG FlowRegion. I do not know what a FlowRegion is or if this instance is valid or not. I attached the example file.

Inkscape Version: 0.92.3 (unknown) / 0.92.3+68~ubuntu16.04.1 (from http://ppa.launchpad.net/inkscape.dev)
Operating System: Ubuntu 16.04.4 x86_64

Inkscape output:
ERROR:/build/inkscape-vgG8ts/inkscape-0.92.3+68~ubuntu16.04.1/src/sp-flowregion.cpp:360:void GetDest(SPObject*, Shape**): assertion failed: (item != NULL)

Backtrace:
#0 0x00007ffff4281428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff428302a in __GI_abort () at abort.c:89
#2 0x00007ffff6679d65 in g_assertion_message () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007ffff6679dfa in g_assertion_message_expr () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007ffff75a45fb in ?? () from /usr/bin/../lib/inkscape/libinkscape_base.so
#5 0x00007ffff75a48a3 in SPFlowregion::UpdateComputed() () from /usr/bin/../lib/inkscape/libinkscape_base.so
#6 0x00007ffff75a50cd in SPFlowregion::write(Inkscape::XML::Document*, Inkscape::XML::Node*, unsigned int) ()
   from /usr/bin/../lib/inkscape/libinkscape_base.so
#7 0x00007ffff75a99ab in SPFlowtext::write(Inkscape::XML::Document*, Inkscape::XML::Node*, unsigned int) ()
   from /usr/bin/../lib/inkscape/libinkscape_base.so
#8 0x00007ffff74dde04 in fix_update(SPObject*) () from /usr/bin/../lib/inkscape/libinkscape_base.so
#9 0x00007ffff74decd3 in sp_file_text_run_recursive(void (*)(SPObject*), SPObject*) () from /usr/bin/../lib/inkscape/libinkscape_base.so
#10 0x00007ffff74ded3b in sp_file_text_run_recursive(void (*)(SPObject*), SPObject*) () from /usr/bin/../lib/inkscape/libinkscape_base.so
#11 0x00007ffff74ded3b in sp_file_text_run_recursive(void (*)(SPObject*), SPObject*) () from /usr/bin/../lib/inkscape/libinkscape_base.so
#12 0x00007ffff74ded3b in sp_file_text_run_recursive(void (*)(SPObject*), SPObject*) () from /usr/bin/../lib/inkscape/libinkscape_base.so
#13 0x00007ffff74ded3b in sp_file_text_run_recursive(void (*)(SPObject*), SPObject*) () from /usr/bin/../lib/inkscape/libinkscape_base.so
#14 0x00007ffff74dedd5 in sp_file_convert_text_baseline_spacing(SPDocument*) () from /usr/bin/../lib/inkscape/libinkscape_base.so
#15 0x00007ffff74cc5cd in SPDocument::createDoc(Inkscape::XML::Document*, char const*, char const*, char const*, unsigned int, SPDocument*) ()
   from /usr/bin/../lib/inkscape/libinkscape_base.so
#16 0x00007ffff74cd042 in SPDocument::createNewDoc(char const*, unsigned int, bool, SPDocument*) () from /usr/bin/../lib/inkscape/libinkscape_base.so
#17 0x00007ffff6f649a8 in Inkscape::Extension::Input::open(char const*) () from /usr/bin/../lib/inkscape/libinkscape_base.so
#18 0x00007ffff6f676ec in Inkscape::Extension::open(Inkscape::Extension::Extension*, char const*) () from /usr/bin/../lib/inkscape/libinkscape_base.so
#19 0x00007ffff74d9648 in sp_file_open(Glib::ustring const&, Inkscape::Extension::Extension*, bool, bool) ()
   from /usr/bin/../lib/inkscape/libinkscape_base.so
#20 0x000055555555c3ef in sp_main_gui(int, char const**) ()
#21 0x00007ffff426c830 in __libc_start_main (main=0x55555555a1d0 <main>, argc=2, argv=0x7fffffffdf08, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffdef8) at ../csu/libc-start.c:291
#22 0x000055555555a709 in _start ()

Alvin Penner (apenner) wrote :

- confirmed on Windows 10, Inkscape 0.92.3 (2405546, 2018-03-11)
- confirmed on Windows 10, Inkscape 0.92+devel (e9e25c0, 2018-03-28)

the DOS error message is:
ERROR:../src/sp-flowregion.cpp:360:void GetDest(SPObject*, Shape**): assertion failed: (item != NULL)

Changed in inkscape:
status: New → Confirmed
Alvin Penner (apenner) wrote :

backtrace:

Program received signal SIGTRAP, Trace/breakpoint trap.
0x74252cf3 in KERNELBASE!DeleteAce () from C:\WINDOWS\SysWOW64\KernelBase.dll
(gdb) bt
#0 0x74252cf3 in KERNELBASE!DeleteAce () from C:\WINDOWS\SysWOW64\KernelBase.dll
#1 0x68828b59 in ?? () from c:\program files (x86)\inkscape\libglib-2.0-0.dll
#2 0x68819bb5 in ?? () from c:\program files (x86)\inkscape\libglib-2.0-0.dll
#3 0x68819c36 in ?? () from c:\program files (x86)\inkscape\libglib-2.0-0.dll
#4 0x0381427c in libinkscape_base!_ZN12SPFlowregionD2Ev () from c:\program files (x86)\inkscape\libinkscape_base.dll
#5 0x0381585b in libinkscape_base!_ZN12SPFlowregion5writeEPN8Inkscape3XML8DocumentEPNS1_4NodeEj ()
   from c:\program files (x86)\inkscape\libinkscape_base.dll
#6 0x0385bdc4 in libinkscape_base!_ZN8SPObject10updateReprEj () from c:\program files (x86)\inkscape\libinkscape_base.dll
#7 0x03819f72 in libinkscape_base!_ZN10SPFlowtext5writeEPN8Inkscape3XML8DocumentEPNS1_4NodeEj ()
   from c:\program files (x86)\inkscape\libinkscape_base.dll
#8 0x0066ede8 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) c
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x74252cf3 in KERNELBASE!DeleteAce () from C:\WINDOWS\SysWOW64\KernelBase.dll
(gdb) c
Continuing.
[Inferior 1 (process 1124) exited with code 03]

Adam Smith (aasmith) wrote :

https://commons.wikimedia.org/wiki/File:Meuble_h%C3%A9raldique_Enclume_marteau.svg

This file appears to trip the same bug for me. (Using version 0.92.3 on a Linux Mint machine.)

Patrick Storz (ede123) on 2018-08-13
Changed in inkscape:
importance: Undecided → High
status: Confirmed → Triaged
Igor (igory) wrote :

It looks like an error caused by parsing flowRegion with xml:space="preserve" on flowRoot.

This SVG works:
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<svg>
<flowRoot xml:space="preserve">
<flowRegion><rect height="100" width="100"/></flowRegion>
<flowPara>a</flowPara>
</flowRoot>
</svg>

This doesn't:
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<svg>
<flowRoot xml:space="preserve">
<flowRegion> <rect height="100" width="100"/></flowRegion>
<flowPara>a</flowPara>
</flowRoot>
</svg>
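
A triage check built on the two samples above, as an added example that is not part of the original bug thread or of Inkscape's code: it flags flowRegion elements that carry character data while xml:space="preserve" is in effect. The rule is a heuristic inferred from those two samples, and the names risky_flow_regions, TEMPLATE, WORKS and CRASHES are assumptions.

```python
import xml.etree.ElementTree as ET  # untrusted input: prefer defusedxml.ElementTree

XML_SPACE = "{http://www.w3.org/XML/1998/namespace}space"

# The two samples from the comment above; only the space before <rect> differs.
TEMPLATE = (b'<?xml version="1.0" encoding="utf-8" standalone="no"?>\n<svg>\n'
            b'<flowRoot xml:space="preserve">\n'
            b'<flowRegion>%s<rect height="100" width="100"/></flowRegion>\n'
            b'<flowPara>a</flowPara>\n</flowRoot>\n</svg>\n')
WORKS = TEMPLATE % b""
CRASHES = TEMPLATE % b" "


def risky_flow_regions(svg_bytes):
    """List flowRegion elements that hold character data while
    xml:space="preserve" is in effect (heuristic, not Inkscape's own logic)."""
    findings = []
    stack = [(ET.fromstring(svg_bytes), False)]
    while stack:
        elem, preserve = stack.pop()
        # xml:space is inherited; the nearest declaration wins.
        space = elem.get(XML_SPACE)
        if space is not None:
            preserve = space == "preserve"
        # Match on the local name so namespaced and bare SVG both work.
        if preserve and elem.tag.rsplit("}", 1)[-1] == "flowRegion":
            # Character data sits in .text (before the first child) and in
            # each child's .tail (after that child).
            stray = [t for t in [elem.text] + [c.tail for c in elem] if t]
            if stray:
                findings.append({"id": elem.get("id"), "text_nodes": stray})
        # Push children reversed so findings come out in document order.
        stack.extend((child, preserve) for child in reversed(list(elem)))
    return findings


if __name__ == "__main__":
    for name, data in (("works", WORKS), ("crashes", CRASHES)):
        print(name, risky_flow_regions(data))
```

Run over a directory of SVG files, a non-empty result marks the files worth opening only in a fixed Inkscape build.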

Alvin Penner (apenner) wrote :

running Windows 10, Inkscape 0.92+devel (322689f, 2018-11-03) (32 bit)

I can no longer reproduce this bug, it appears to be fixed.

Patrick Storz (ede123) wrote :

OK, great! Thanks for testing!

Changed in inkscape:
assignee: nobody → Mc (mc...)
milestone: none → 1.0
tags: added: backport-proposed
Changed in inkscape:
status: Triaged → Fix Committed
Patrick Storz (ede123) wrote :
tags: removed: backport-proposed
Changed in inkscape:
milestone: 1.0 → 0.92.4
Bryce Harrington (bryce) on 2019-01-18
Changed in inkscape:
status: Fix Committed → Fix Released