Crash after moving a Bezier node after Knot path effect

Could you attach a sample file?

Crash not reproduced with a simple, self-intersecting path using Inkscape 0.48.1 on OS X 10.5.8.

I can confirm an erratic behavior when dragging nodes or node handles with the mouse (the button press/release/drag events don't seem to get handled properly when the cursor moves outside the highlighted node/handle knot of the path). Moving a node with the arrow keys or rotating the handle with the keyboard however works as usual.

Reproduced with Inkscape 0.48.1 as well as Inkscape 0.48+devel 10297 on OS X 10.5.8

Backtraces differ, e.g.:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
Inkscape::UI::NodeIterator<Inkscape::UI::Node>::operator++ () at node.h:228
228 _node = _node->ln_next;
(gdb) bt
#0 Inkscape::UI::NodeIterator<Inkscape::UI::Node>::operator++ () at node.h:228
#1 Inkscape::UI::NodeIterator<Inkscape::UI::Node>::advance () at node.h:388
#2 Inkscape::UI::NodeIterator<Inkscape::UI::Node>::next () at node.h:245
#3 Inkscape::UI::NodeIterator<Inkscape::UI::Node>::next () at node.h:245
#4 Inkscape::UI::CurveDragPoint::dragged (this=0x7601b90, new_pos=@0xbfffef24) at ui/tool/curve-drag-point.cpp:77
#5 0x006197c8 in Inkscape::UI::ControlPoint::_eventHandler (this=0x7601b90, event=0x6a8fd10) at ui/tool/curve-drag-point.cpp:77
#6 0x00621c5f in Inkscape::UI::CurveDragPoint::_eventHandler (this=0x7601b90, event=0x6a8fd10) at ui/tool/curve-drag-point.cpp:77
#7 0x0006fb62 in sp_event_context_snap_watchdog_callback (data=0x7324850) at ui/tool/curve-drag-point.cpp:77
#8 0x034c5b81 in g_timeout_dispatch ()
#9 0x034c371d in g_main_context_dispatch ()
#10 0x034c75ab in g_main_context_iterate ()
#11 0x034c7887 in g_main_loop_run ()
#12 0x01834fa1 in gtk_main ()
#13 0x011eb59b in Gtk::Main::run ()
#14 0x0000588c in Inkscape::UI::NodeIterator<Inkscape::UI::Node>::next () at node.h:245
#15 sp_main_gui (argc=1, argv=0xbffff2d8) at ui/tool/curve-drag-point.cpp:77
#16 0x00004486 in start ()
(gdb)

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xff000018
0x0006fb5f in sp_event_context_snap_watchdog_callback (data=0x6e2d440) at event-context.cpp:1320
1320 point->_eventHandler(dse->getEvent());
(gdb) bt
#0 0x0006fb5f in sp_event_context_snap_watchdog_callback (data=0x6e2d440) at event-context.cpp:1320
#1 0x034c5b81 in g_timeout_dispatch ()
#2 0x034c371d in g_main_context_dispatch ()
#3 0x034c75ab in g_main_context_iterate ()
#4 0x034c7887 in g_main_loop_run ()
#5 0x01834fa1 in gtk_main ()
#6 0x011eb59b in Gtk::Main::run ()
#7 0x0000588c in ~vector [inlined] () at stl_vector.h:986
#8 sp_main_gui (argc=1, argv=0xbffff2d8) at main.cpp:993
#9 0x00004486 in start ()
(gdb)

Above backtraces are from Inkscape 0.48+devel r10297 on OS X 10.5.8 (i386) with default preferences in new default document.

Reproduced with Inkscape 0.48.0 on OS X 10.5.8,
Not reproduced with Inkscape 0.47

-> regression

reproduced on Windows XP, Inkscape 0.48+devel r10069 (Mar 16 2011)

Program received signal SIGSEGV, Segmentation fault.
0x89fc7d8b in ?? ()
(gdb) bt
#0 0x89fc7d8b in ?? ()
#1 0x00438a7e in sp_event_context_snap_watchdog_callback ()
#2 0x685ebbbe in g_timeout_dispatch ()
   from C:\InkscapeBZR\inkscape\libglib-2.0-0.dll
#3 0x685eb50b in g_main_context_dispatch ()
   from C:\InkscapeBZR\inkscape\libglib-2.0-0.dll
#4 0x685ee5f5 in g_main_context_iterate ()
   from C:\InkscapeBZR\inkscape\libglib-2.0-0.dll
#5 0x685ee9e4 in g_main_loop_run ()
   from C:\InkscapeBZR\inkscape\libglib-2.0-0.dll
#6 0x014125dc in gtk_main ()
   from C:\InkscapeBZR\inkscape\libgtk-win32-2.0-0.dll
#7 0x01763c3f in Gtk::Main::run ()
   from C:\InkscapeBZR\inkscape\libgtkmm-2.4-1.dll
#8 0x0040553a in sp_main_gui ()
#9 0x004060e7 in main ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x89fc7d8b in ?? ()
(gdb) c
Continuing.

Program exited with code 030000000005.
(gdb) q

Hello,

I'm experiencing this crash on Debian (inkscape -V says "Inkscape 0.48.1 r9760 (Jun 1 2011)"; Debian version 0.48.1-2.1).

I'm also seeing another problem with the Knot path effect, where part or all of a Knot-applied path is not shown when the path nodes and the control handles are moved slightly compared to another path where the knot effect works properly. Should I report that separately? It often happens that moving a node on one of these paths causes Inkscape to crash, so I suspect it's related.

If I press "Undo" after moving a node with the Knot effect applied to it, sometimes I get these errors written to stderr (attached). If I keep moving nodes, the display error continues to happen, and sometimes Inkscape will crash.

Is there any way I can help debug this? I'm comfortable with C++ and building software on Linux, and I may try to build a debug version and poke around, but I don't know anything about the Inkscape codebase.

Hi all,

I have been a user of inkscape 0.48 running on Windows XP for the past 2 years. Recently I had to install it on a Mac and this exact bug keeps crashing inkscape. Here is what I am using

MAC OS X 10.7.2
Inkscape 0.48.2

I also tried older versions of inkscape (e.g., 0.48.0, 0.47) but they all give me the same problem. I finally decided to test it on another windows machine I have (Vista) with all the above versions and nothing seems to work.

Has there been any fixes for this bug?

thanks in advance!

Still reproduced with Inkscape 0.48.2, 0.48.3.1, 0.48.x r9901 and 0.48+devel r11533 on OS X 10.7.4 (64 bit builds, default preferences). Backtraces are essentially the same as already pasted in earlier comments.

Backrace from Inkscape 0.48+devel r11533 (64bit debug build with '-g -O0'):

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x000002dc00000030
0x00000001000e2c25 in sp_event_context_snap_watchdog_callback (data=0x10b37c450) at event-context.cpp:1320
1320 point->_eventHandler(ec, dse->getEvent());
(gdb) bt
#0 0x00000001000e2c25 in sp_event_context_snap_watchdog_callback (data=0x10b37c450) at event-context.cpp:1320
#1 0x0000000105b977c2 in g_timeout_dispatch (source=0x10b2bfd40, callback=0, user_data=0xfffffffffffff97c) at gmain.c:3882
#2 0x0000000105b97078 in g_main_dispatch [inlined] () at /Volumes/cyan/mp-test/with-a-long-long-long-directory-name/var/macports/build/_Volumes_cyan_mp-test_src_ports_devel_glib2/glib2/work/glib-2.32.3/glib/gmain.c:2539
#3 0x0000000105b97078 in g_main_context_dispatch (context=0x7fff5fbff2c0) at gmain.c:3075
#4 0x0000000105b98c4e in g_main_context_iterate () at signal.h:118
#5 0x0000000105b9a09f in g_main_loop_run (loop=0x10b2e81f0) at gmain.c:3340
#6 0x0000000103ca5881 in gtk_main ()
#7 0x00000001000096c9 in sp_main_gui (argc=1, argv=0x7fff5fbff6d8) at main.cpp:985
#8 0x000000010000a33e in main (argc=1, argv=0x7fff5fbff6d8) at main.cpp:716
#9 0x0000000100003894 in start ()
(gdb)

On 09/07/2012 19:45, darlan girao wrote:
> Do you know of any fixes for bug #781893 in inkscape?

No - the bug is still present in the current release branch as well as in the development branch, and no one has been working on a fix. A possibly workaround for node-editing such 'knotted' paths: hide the path effect (click on the 'Eye' symbol in the path effect editor) before switching to the node tool. The path effect won't live-update based on the edits, but can be toggled on again after the node-edits are done.

Attaching sample file used to reproduce the crash for backtrace in previous comment.

Steps to reproduce:
1) launch Inkscape, open file
2) select the path, open Path effect editor and apply 'Knot LPE'
3) switch to the node tool, and drag the lower left node with the mouse

-> crash

From the backtrace I tought that the crash was due to a NULL assignment in src/ui/tool/node.h on the lines:
    _node = _node->ln_next;
and
   _node = _node->ln_prev;

Making it more error save by replacing it with:
   _node = (_node?_node->ln_next:NULL);
and
   _node = (_node?_node->ln_prev:NULL);

does not help. An interesting point however is that when adding a g_message comment just in front of these two lines, shows that the node iterator is called an awfull lot of times even when not in the node tool. So something weird is going on, probably in event-context.cpp. If it is not part of the bug, it should be considered as a resource hog to be treated separately.

PS: the node iterator is called every time the mouse pointer is moved, even if not on or over a path (and that eventually should be changed).

previous comment should read:
PS: the node iterator is called every time the mouse pointer is moved when the node tool is active and an object is selected. It is called even if not on or over a path (and that eventually should be changed).

Hi ~suv,

Here is the report I got by reproducing your steps:

 Process: inkscape-bin [17430]
Path: /Applications/Inkscape copy.app/Contents/Resources/bin/inkscape-bin
Identifier: inkscape-bin
Version: ??? (???)
Code Type: X86 (Native)
Parent Process: Inkscape [17428]

Date/Time: 2012-07-09 16:07:59.439 -0300
OS Version: Mac OS X 10.7.2 (11C74)
Report Version: 9

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000019

VM Regions Near 0x19:
--> __PAGEZERO 0000000000000000-0000000000001000 [ 4K] ---/--- SM=NUL /Applications/Inkscape copy.app/Contents/Resources/bin/inkscape-bin
    __TEXT 0000000000001000-00000000009c9000 [ 9.8M] r-x/rwx SM=COW /Applications/Inkscape copy.app/Contents/Resources/bin/inkscape-bin

Application Specific Information:
objc[17430]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 inkscape-bin 0x0006d2f5 sp_event_context_snap_watchdog_callback(void*) + 517
1 libglib-2.0.0.dylib 0x020e0921 g_timeout_dispatch + 33
2 libglib-2.0.0.dylib 0x020de4bd g_main_context_dispatch + 573
3 libglib-2.0.0.dylib 0x020e234b g_main_context_iterate + 1179
4 libglib-2.0.0.dylib 0x020e2627 g_main_loop_run + 439
5 libgtk-x11-2.0.0.dylib 0x01514f91 gtk_main + 177
6 libgtkmm-2.4.1.dylib 0x00f1859b Gtk::Main::run() + 27
7 inkscape-bin 0x000051aa sp_main_gui(int, char const**) + 1146
8 inkscape-bin 0x001fc712 Inkscape::NSApplication::Application::run() + 178
9 inkscape-bin 0x00003b51 main + 353
10 inkscape-bin 0x00003366 start + 54

Thread 1:: Dispatch queue: com.apple.libdispatch-manager
0 libsystem_kernel.dylib 0x9374990a kevent + 10
1 libdispatch.dylib 0x93a8bc58 _dispatch_mgr_invoke + 969
2 libdispatch.dylib 0x93a8a6a7 _dispatch_mgr_thread + 53

Thread 2:
0 libsystem_kernel.dylib 0x9374883e __psynch_cvwait + 10
1 libsystem_c.dylib 0x9232ce21 _pthread_cond_wait + 827
2 libsystem_c.dylib 0x922dd3e0 pthread_cond_timedwait$UNIX2003 + 70
3 libgthread-2.0.0.dylib 0x020ab5eb g_cond_timed_wait_posix_impl + 107
4 libglib-2.0.0.dylib 0x020b2f21 g_async_queue_pop_intern_unlocked + 225
5 libglib-2.0.0.dylib 0x020b31a4 g_async_queue_timed_pop + 52
6 libglib-2.0.0.dylib 0x0210a520 g_thread_pool_thread_proxy + 272
7 libglib-2.0.0.dylib 0x02108608 g_thread_create_proxy + 152
8 libsystem_c.dylib 0x92328ed9 _pthread_start + 335
9 libsystem_c.dylib 0x9232c6de thread_start + 34

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x079e3660 ebx: 0x0006d101 ecx: 0x00000001 edx: 0x05c9c558
  edi: 0x055d9dc8 esi: 0x047a3b50 ebp: 0xbffff188 esp: 0xbffff130
   ss: 0x00000023 efl: 0x00210212 eip: 0x0006d2f5 cs: 0x0000001b
   ds: 0x00000023 es: 0x00000023 fs: 0x00000000 gs: 0x0000000f...

Comitted a workaround for the crash in revision 11547. It also adds some code to make the functionality more robust.

However, the issue is not solved yet. At some time a control point is created (maybe the/an invalid one) with the example file in comment 9. Depending on the workflow even more control points seem to be added. Afterwards while evaluating the snapping callback an invalid control point is encountered. One still has to prevent the creation of the invalid control point (invalid coordinates (nan) and desktop pointer (0xff)).
So Inkscape will still not respond well. If Inkscape shows weird behaviour (not continuing dragging), one has to click once on the canvas.

> Comitted a workaround for the crash in revision 11547.

I still get crashes with r11547 when trying to node-edit the self-intersecting path while the knot LPE is active (backtrace attached). The crash doesn't occur right away, but while trying to restore "normal" mouse behavior after having dragged the same lower left node as mentioned before.

Thanks for the backtrace.
This hard to crack bug is on my to do list (for the medium long term), but if bug state is not changed yet when reading, I will not have done anything.

Still crashes with r12688, and also sends warning messages to the console when moving the node:

** (inkscape.exe:756): WARNING **: encountered non finite point when evaluating snapping callback

Please try again after rev. 13428, and see if it fixed the bug for you too. Thanks.

Behavior is a bit buggy with the switcher not showing up when going from no crossings to one crossing. But the LPE is usable again. The switcher getting lost in some cases is a very minor bug I think.

Tested again on Crunchbang Waldorf.
Crashes with Inkscape 0.48.3.1.
Fixed with revision 13430 (no crash, no console message).

Thanks Johan!