inkscape crashed with SIGSEGV in Inkscape::Extension::Implementation::Script::effect()

Bug #944077 reported by Matthew Paul Thomas on 2012-03-01
This bug affects 54 people
Affects            | Importance | Assigned to
Inkscape           | High       | jazzynico
inkscape (Ubuntu)  | Medium     | Unassigned

Bug Description

Crashed while using the "Color Markers to Match Path" extension.

ProblemType: Crash
DistroRelease: Ubuntu 12.04
Package: inkscape 0.48.3-0ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-17.27-generic 3.2.6
Uname: Linux 3.2.0-17-generic i686
NonfreeKernelModules: wl
ApportVersion: 1.93-0ubuntu2
Architecture: i386
Date: Thu Mar 1 15:21:10 2012
ExecutablePath: /usr/bin/inkscape
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
ProcCmdline: inkscape
SegvAnalysis:
 Segfault happened at: 0x83f1040 <_ZN8Inkscape9Extension14Implementation6Script6effectEPNS0_6EffectEPNS_2UI4View4ViewEPNS1_27ImplementationDocumentCacheE+960>: mov 0x120(%eax),%eax
 PC (0x083f1040) ok
 source "0x120(%eax)" (0x00000120) not located in a known VMA region (needed readable region)!
 destination "%eax" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: inkscape
StacktraceTop:
 Inkscape::Extension::Implementation::Script::effect(Inkscape::Extension::Effect*, Inkscape::UI::View::View*, Inkscape::Extension::Implementation::ImplementationDocumentCache*) ()
 Inkscape::Extension::ExecutionEnv::run() ()
 Inkscape::Extension::Effect::effect(Inkscape::UI::View::View*) ()
 Inkscape::Extension::Effect::prefs(Inkscape::UI::View::View*) ()
 sp_action_perform(SPAction*, void*) ()
Title: inkscape crashed with SIGSEGV in Inkscape::Extension::Implementation::Script::effect()
UpgradeStatus: Upgraded to precise on 2012-02-27 (2 days ago)
UserGroups: adm admin cdrom dialout dip fax floppy fuse lpadmin plugdev sambashare tape video

Matthew Paul Thomas (mpt) wrote :

StacktraceTop:
 Inkscape::Extension::Implementation::Script::effect (this=0x8fc62b0, module=0x90c7cc0, doc=0x90e7d20, docCache=0x0) at extension/implementation/script.cpp:734
 Inkscape::Extension::ExecutionEnv::run (this=0xbff7a6f0) at extension/execution-env.cpp:210
 Inkscape::Extension::Effect::effect (this=0x8fca070, doc=0x90e7d20) at extension/effect.cpp:275
 Inkscape::Extension::Effect::prefs (this=0x8fca070, doc=0x90e7d20) at extension/effect.cpp:240
 sp_action_perform (action=0x90f8578, data=0x0) at helper/action.cpp:181

Changed in inkscape (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in inkscape (Ubuntu):
status: New → Confirmed
visibility: private → public
tags: added: crash
Changed in inkscape:
importance: Undecided → High
Alvin Penner (apenner) wrote :

not reproduced on Windows XP, Inkscape rev 11060.
could you provide details of the settings, colors, etc?

Doug McMahon (mc3man) wrote :

Not sure what Windows XP has to do with this, Inkscape works fine in 11.10 also
As far as 12.04 not so & the recent upgrade shows no improvement.
As far as repo'ing the crash, open any svg & try to apply any of the color extensions

Johan Engelen (johanengelen) wrote :

was fixed in rev10611 by Jazz. (comical syntax though, so I'll change that a bit now ;)

Changed in inkscape:
assignee: nobody → JazzyNico (jazzynico)
milestone: none → 0.49
status: New → Fix Committed
jazzynico (jazzynico) on 2012-04-05
tags: added: backport-proposed
Changed in inkscape (Ubuntu):
status: Confirmed → Triaged
Kris (kris-degussem) wrote :

Backported for inkscape 0.48.4 in revision 9893.

Changed in inkscape:
milestone: 0.49 → 0.48.4
tags: removed: backport-proposed
su_v (suv-lp) on 2012-05-05
tags: added: extensions-plugins
Doug McMahon (mc3man) on 2012-06-20
tags: added: quantal
su_v (suv-lp) wrote :

Could the fix for this bug be reviewed?

AFAICT the crash occurs when running extensions in documents which use an arbitrary ID for the node <namedview> (other than what is used in default templates) -> e.g. when opening PDF files, Plain SVG files, or other SVG documents which originally didn't have this custom node at all (Inkscape in such cases assigns a new ID based on its normal scheme: name of the xml node + a random number).

Apparently the regression was introduced by the patch for
  Bug #789122 “changing current layer through an extension”
  <https://bugs.launchpad.net/inkscape/+bug/789122>
  <http://bazaar.launchpad.net/~inkscape.dev/inkscape/trunk/revision/10608>
which AFAIU retrieves the node <namedview> by the ID it has in default templates ("base"). Is there some hidden rule for 'Inkscape SVG' that a <namedview> is not a real <namedview> node unless it has the ID "base"? AFAICT other parts of Inkscape handle such <namedview> nodes just fine (i.e. are able to load the settings independent of the ID).

The current fix for this bug (bug #944077) simply ignores <namedview> nodes which have a different ID (probably breaking the patch for bug #789122 for all documents which are not based on the default document).

Isn't there a different way to retrieve the node <namedview> other than by an (arbitrary) ID "base"?

        SPObject *obj = mydoc->getObjectById("base");

        // Getting the named view from the document generated by the extension
        SPNamedView *nv = (SPNamedView *) obj;

        //Check if it has a default layer set up
        if ( nv != NULL){
            if( nv->default_layer_id != 0 ) {
                SPDocument *document = desktop->doc();
                //If so, get that layer
                layer = document->getObjectById(g_quark_to_string(nv->default_layer_id));
            }
        }

su_v (suv-lp) wrote :

Workaround in Inkscape 0.48.3.1 for affected files to avoid a crash when running an extension:
rename the id of <namedview> to "base".

Steps:
1) open affected file
2) open 'Edit > XML Editor…'
3) select the node <sodipodi:namedview …> in the list on the left
4) select the attribute 'id' in the upper right list
5) at the bottom right, the string of the id is shown in the edit field
   (probably something like "namedview12345" - numbers will vary)
6) overwrite the id string with "base", click on 'Set', close XML Editor
7) try again to run the extension
-> it should now work without triggering the crash.
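
The workaround above, scripted, as an added example that is not part of the original comments or of Inkscape's code: it finds <sodipodi:namedview> by element name instead of by id (the kind of lookup asked about earlier in the thread) and renames its id to "base", refusing when another element already uses that id. The function names and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
SODIPODI_NS = "http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
INKSCAPE_NS = "http://www.inkscape.org/namespaces/inkscape"
NAMEDVIEW_TAG = "{%s}namedview" % SODIPODI_NS

# Constructed sample: a document whose <namedview> got a generated id.
SAMPLE = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" '
    'xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape">'
    '<sodipodi:namedview id="namedview12345" inkscape:current-layer="layer1"/>'
    '<g id="layer1" inkscape:groupmode="layer"/></svg>'
)

# Keep the usual prefixes when the document is written back out.
for prefix, uri in (("", SVG_NS), ("sodipodi", SODIPODI_NS), ("inkscape", INKSCAPE_NS)):
    ET.register_namespace(prefix, uri)


def find_namedview(root):
    """Locate <sodipodi:namedview> by qualified element name, whatever its id."""
    return root.find(".//" + NAMEDVIEW_TAG)


def apply_workaround(svg_text):
    """Return (svg_text, status); the text is only changed on a rename."""
    # For files from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(svg_text)
    nv = find_namedview(root)
    if nv is None:
        return svg_text, "no-namedview"
    old_id = nv.get("id")
    if old_id == "base":
        return svg_text, "already-base"
    # ids must stay unique: do not steal "base" from another element.
    if any(el.get("id") == "base" for el in root.iter() if el is not nv):
        return svg_text, "id-conflict"
    nv.set("id", "base")
    return ET.tostring(root, encoding="unicode"), "renamed:%s" % old_id


if __name__ == "__main__":
    print(apply_workaround(SAMPLE)[1])
```
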

jazzynico (jazzynico) wrote :

Attaching the new patch here.

Changed in inkscape:
status: Fix Committed → In Progress
jazzynico (jazzynico) wrote :

The attachment "789122-v2.diff" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
tags: added: patch-forwarded-upstream
removed: patch
jazzynico (jazzynico) wrote :

Patch committed in the trunk, revision 11576.
Please test!

jazzynico (jazzynico) on 2012-08-06
Changed in inkscape:
milestone: 0.48.4 → 0.49
status: In Progress → Fix Committed
tags: added: backport-proposed
ScislaC (scislac) wrote :

Backported to 0.48.x branch, r9906.

Changed in inkscape:
milestone: 0.49 → 0.48.4
su_v (suv-lp) on 2012-08-14
tags: removed: backport-proposed
Doug McMahon (mc3man) wrote :

Is any of this going to make it into Debian/Ubuntu in the near future ??

ScislaC (scislac) wrote :

Doug: The patch has been backported for 0.48.4... if you have the backports repo proposed for your distro, it should hopefully be available soon after the actual release of 0.48.4. I will try to pull strings to ensure it will be available in Ubuntu 12.10 at the least once we cut the tarball (no guarantees though).

Ted Gould (ted) on 2012-12-17
Changed in inkscape:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package inkscape - 0.48.4-0ubuntu1

---------------
inkscape (0.48.4-0ubuntu1) raring; urgency=low

  * New upstream release (LP: #1091308). Fixes several Ubuntu bugs:
    - Inkscape crashed with SIGSEGV in getObject() (LP: #941317)
    - Inkscape crashed with SIGSEGV in
      Inkscape::Extension::Implementation::Script::effect() (LP: #944077)
    - Inkscape crashed with SIGSEGV in
      Inkscape::Extension::Output::get_extension() (LP: #973174)
    - Overlay scrollbars causing input boxes to be small (LP: #946631)
  * Drop 03_track_libpoppler25_abi_changes.patch: applied upstream
  * Drop 04_track_libpoppler25_abi_changes_colorspace.patch: applied upstream
 -- Alexander Valavanis <email address hidden> Wed, 19 Dec 2012 13:45:59 +0000

Changed in inkscape (Ubuntu):
status: Triaged → Fix Released