eeschema segfault on undo

Bug #1434988 reported by Chris Pavlina
Affects: KiCad | Status: Fix Released | Importance: Critical | Assigned to: Unassigned

Bug Description

(bzr-5528)

hmm... anybody feel like doing some pointer tracing? I started getting into it but then realized I was getting too deep into things to have time to do this right now...

Just got a segfault in eeschema on undo. Poking around in the core dump, it looks like there was an invalid pointer in an ITEM_PICKER::m_pickedItem.

Here's the last *valid* line:

/home/cmp/git/kicad/eeschema/schematic_undo_redo.cpp:297
item->Move( ... );

The next line, bizarrely, is dialog_about::~dialog_about !

The reason for this is clear, going to the last valid frame and inspecting "item":

(gdb) p item
$16 = (SCH_ITEM *) 0x1c1acc0
(gdb) p *item
$17 = {<EDA_ITEM> = {<KIGFX::VIEW_ITEM> = {_vptr.VIEW_ITEM = 0x7f02537f0310 <vtable for dialog_about+16>, m_view = 0x0, m_flags = 1, m_requiredUpdate = 255, m_groups = 0x0, m_groupsSize = 0,
      m_layers = std::bitset}, m_StructType = SCH_LINE_T, m_Status = 0, Pnext = 0x1c1ad90, Pback = 0x1c1ac00, m_List = 0x7f02537f6700 <s_oldWires>, m_Parent = 0x0, m_TimeStamp = 1427099594,
    m_forceVisible = false, m_Flags = 0, m_Image = 0x0}, m_Layer = LAYER_FIRST, m_connections = std::vector of length 0, capacity 0, m_storedPos = {x = 0, y = 0}}

-----

<vtable for dialog_about+16>
So, either the data has been corrupted, or the pointer was invalid. Likely, it's going to take someone looking through every ITEM_PICKER::ITEM_PICKER() to see if there's ever a chance to stuff anything invalid in there.

-----

I won't delete the core dump, so let me know if there's any more information I can drag out of it.

-----

Full backtrace:
#0 0x00007f0262c1fe94 in free () from /usr/lib/libc.so.6
#1 0x00007f025315548b in wxString::ConvertedBuffer<char>::~ConvertedBuffer (this=0x1c1b1b8, __in_chrg=<optimized out>) at /usr/include/wx-3.0/wx/string.h:3490
#2 0x00007f025315336d in wxString::~wxString (this=0x1c1b1b0, __in_chrg=<optimized out>) at /usr/include/wx-3.0/wx/string.h:393
#3 0x00007f02533dfa13 in AboutAppInfo::~AboutAppInfo (this=0x1c1b0d0, __in_chrg=<optimized out>) at /home/cmp/git/kicad/common/./dialog_about/aboutinfo.h:46
#4 0x00007f02533e071d in dialog_about::~dialog_about (this=0x1c1acc0, __in_chrg=<optimized out>) at /home/cmp/git/kicad/common/dialog_about/dialog_about.cpp:58
#5 0x00007f02532d1da6 in SCH_EDIT_FRAME::PutDataInPreviousState (this=0x1cbba90, aList=0x1eb7570, aRedoCommand=false) at /home/cmp/git/kicad/eeschema/schematic_undo_redo.cpp:297
#6 0x00007f02532d2156 in SCH_EDIT_FRAME::GetSchematicFromUndoList (this=0x1cbba90, event=...) at /home/cmp/git/kicad/eeschema/schematic_undo_redo.cpp:350
#7 0x00007f0264266b5e in wxAppConsoleBase::CallEventHandler(wxEvtHandler*, wxEventFunctor&, wxEvent&) const () from /usr/lib/libwx_baseu-3.0.so.0
#8 0x00007f0264403508 in wxEvtHandler::ProcessEventIfMatchesId(wxEventTableEntryBase const&, wxEvtHandler*, wxEvent&) () from /usr/lib/libwx_baseu-3.0.so.0
#9 0x00007f026440360b in wxEventHashTable::HandleEvent(wxEvent&, wxEvtHandler*) () from /usr/lib/libwx_baseu-3.0.so.0
#10 0x00007f02644039b8 in wxEvtHandler::TryHereOnly(wxEvent&) () from /usr/lib/libwx_baseu-3.0.so.0
#11 0x00007f025332d4ef in EDA_BASE_FRAME::ProcessEvent (this=0x1cbba90, aEvent=...) at /home/cmp/git/kicad/common/basicframe.cpp:164
#12 0x00007f02644037c3 in wxEvtHandler::DoTryChain(wxEvent&) () from /usr/lib/libwx_baseu-3.0.so.0
#13 0x00007f0264403aa5 in wxEvtHandler::ProcessEvent(wxEvent&) () from /usr/lib/libwx_baseu-3.0.so.0
#14 0x00007f0253230f26 in SCH_EDIT_FRAME::OnHotKey (this=0x1cbba90, aDC=0x7fff54897b10, aHotKey=1073741914, aPosition=..., aItem=0x0) at /home/cmp/git/kicad/eeschema/hotkeys.cpp:453
#15 0x00007f0253190c46 in SCH_EDIT_FRAME::GeneralControl (this=0x1cbba90, aDC=0x7fff54897b10, aPosition=..., aHotKey=1073741914) at /home/cmp/git/kicad/eeschema/controle.cpp:244
#16 0x00007f0253398b54 in EDA_DRAW_PANEL::OnKeyEvent (this=0x124ee30, event=...) at /home/cmp/git/kicad/common/draw_panel.cpp:1407
#17 0x00007f0264266b5e in wxAppConsoleBase::CallEventHandler(wxEvtHandler*, wxEventFunctor&, wxEvent&) const () from /usr/lib/libwx_baseu-3.0.so.0
#18 0x00007f0264403508 in wxEvtHandler::ProcessEventIfMatchesId(wxEventTableEntryBase const&, wxEvtHandler*, wxEvent&) () from /usr/lib/libwx_baseu-3.0.so.0
#19 0x00007f026440360b in wxEventHashTable::HandleEvent(wxEvent&, wxEvtHandler*) () from /usr/lib/libwx_baseu-3.0.so.0
#20 0x00007f02644039b8 in wxEvtHandler::TryHereOnly(wxEvent&) () from /usr/lib/libwx_baseu-3.0.so.0
#21 0x00007f0264403a43 in wxEvtHandler::ProcessEventLocally(wxEvent&) () from /usr/lib/libwx_baseu-3.0.so.0
#22 0x00007f0264403aa5 in wxEvtHandler::ProcessEvent(wxEvent&) () from /usr/lib/libwx_baseu-3.0.so.0
#23 0x00007f0264e315cb in wxScrollHelperEvtHandler::ProcessEvent(wxEvent&) () from /usr/lib/libwx_gtk2u_core-3.0.so.0
#24 0x00007f0264403817 in wxEvtHandler::SafelyProcessEvent(wxEvent&) () from /usr/lib/libwx_baseu-3.0.so.0
#25 0x00007f0264bcde3a in ?? () from /usr/lib/libwx_gtk2u_core-3.0.so.0
#26 0x00007f026269490f in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#27 0x00007f026206c175 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#28 0x00007f026207da5c in ?? () from /usr/lib/libgobject-2.0.so.0
#29 0x00007f0262086205 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#30 0x00007f026208695f in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#31 0x00007f02627abb9c in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#32 0x00007f02627bf6ab in gtk_window_propagate_key_event () from /usr/lib/libgtk-x11-2.0.so.0
#33 0x00007f0264bbb3b8 in ?? () from /usr/lib/libwx_gtk2u_core-3.0.so.0
#34 0x00007f026269490f in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#35 0x00007f026206c175 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#36 0x00007f026207da5c in ?? () from /usr/lib/libgobject-2.0.so.0
#37 0x00007f0262086205 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#38 0x00007f026208695f in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#39 0x00007f02627abb9c in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#40 0x00007f026269312f in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#41 0x00007f02626934eb in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#42 0x00007f02623082cc in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#43 0x00007f026134771d in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#44 0x00007f0261347a08 in ?? () from /usr/lib/libglib-2.0.so.0
#45 0x00007f0261347d32 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#46 0x00007f0262692467 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#47 0x00007f0264b9d1d5 in wxGUIEventLoop::DoRun() () from /usr/lib/libwx_gtk2u_core-3.0.so.0
#48 0x00007f02642acd50 in wxEventLoopBase::Run() () from /usr/lib/libwx_baseu-3.0.so.0
#49 0x00007f0264268f06 in wxAppConsoleBase::MainLoop() () from /usr/lib/libwx_baseu-3.0.so.0
#50 0x000000000043ee7c in APP_KICAD::OnRun (this=0xe75bf0) at /home/cmp/git/kicad/kicad/kicad.cpp:274
#51 0x00007f026430481d in wxEntry(int&, wchar_t**) () from /usr/lib/libwx_baseu-3.0.so.0
#52 0x000000000043d226 in main (argc=1, argv=0x7fff54899028) at /home/cmp/git/kicad/kicad/kicad.cpp:306
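
Added illustration (not KiCad code, and not from the reporter): a minimal model of the picker-list pattern described above, in which an undo entry can outlive the item it points to. The names Item, ItemPicker, UndoList and Scenario are hypothetical stand-ins, the scenario is constructed to mirror the report, and the undo walk skips a dead entry instead of dereferencing it.

```cpp
#include <memory>
#include <vector>
// Stand-in for SCH_ITEM: polymorphic, so its first word is the vtable pointer
// that the report found overwritten.
struct Item {
    int pos = 0;
    virtual ~Item() = default;
    virtual void Move(int dx) { pos += dx; }
};
// Hypothetical picker. With a raw Item* this is the report's failure mode: once
// the Item is freed and its memory reused, Move() jumps through whatever vtable
// now sits there. A weak_ptr lets the undo code see that the item is gone.
struct ItemPicker {
    std::weak_ptr<Item> picked;
    int delta;                   // movement this entry undoes
};
struct UndoResult {
    int restored = 0;            // entries whose item was still alive
    int stale = 0;               // entries skipped because the item was freed
};
struct UndoList {
    std::vector<ItemPicker> list;
    void Push(const std::shared_ptr<Item>& item, int delta) {
        list.push_back(ItemPicker{item, delta});
    }
    // Newest-first walk, as an undo does, refusing to touch dead entries.
    UndoResult Undo() {
        UndoResult r;
        for (auto it = list.rbegin(); it != list.rend(); ++it) {
            std::shared_ptr<Item> item = it->picked.lock();
            if (!item) { ++r.stale; continue; }   // would have been a use-after-free
            item->Move(-it->delta);
            ++r.restored;
        }
        list.clear();
        return r;
    }
};
// Constructed scenario mirroring the report: two items are moved and recorded,
// one is destroyed without its entry being removed, then undo runs.
struct Scenario { UndoResult undo; int wirePos; };
Scenario RunScenario() {
    auto wire = std::make_shared<Item>();
    auto label = std::make_shared<Item>();
    UndoList undo;
    wire->Move(5);  undo.Push(wire, 5);
    label->Move(7); undo.Push(label, 7);
    label.reset();               // freed, but its picker entry remains
    return Scenario{undo.Undo(), wire->pos};   // braced init: Undo() runs first
}
```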

Tags: eeschema undo
Chris Pavlina (pavlina-chris) wrote :

For what it's worth, it just happened to me again on the same schematic, which is just demos/pic_programmer. Still not able to properly reproduce it, but as I've never seen this before and now one schematic has done it twice, maybe that one's more prone to it for some reason. Might be a starting point.

Nick Østergaard (nickoe) wrote :

Marking segfaulting bugs as critical.

Changed in kicad:
importance: Undecided → Critical
Chris Pavlina (pavlina-chris) wrote :

Happened again today in 5588. Same behavior, though it jumped to a different arbitrary place. Something's stuffing a pointer wrong...

           PID: 27304 (kicad)
           UID: 1000 (cmp)
           GID: 1000 (cmp)
        Signal: 11 (SEGV)
     Timestamp: Thu 2015-04-09 19:12:34 EDT (46min ago)
  Command Line: /opt/kicad/bin/kicad
    Executable: /opt/kicad/bin/kicad
 Control Group: /user.slice/user-1000.slice/session-c1.scope
          Unit: session-c1.scope
         Slice: user-1000.slice
       Session: c1
     Owner UID: 1000 (cmp)
       Boot ID: 71a69430ff9c4f90a002d4406a8baef0
    Machine ID: f11eafa91b284132aa328da2c8850845
      Hostname: cmp-desktop
      Coredump: /var/lib/systemd/coredump/core.kicad.1000.71a69430ff9c4f90a002d4406a8baef0.27304.1428621154000000.lz4
       Message: Process 27304 (kicad) of user 1000 dumped core.

GNU gdb (GDB) 7.9
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /opt/kicad/bin/kicad...done.
[New LWP 27304]
[New LWP 27318]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `/opt/kicad/bin/kicad'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000000000000 in ?? ()
(gdb) bt
#0 0x0000000000000000 in ?? ()
#1 0x00007fb8f9a9a280 in SCH_EDIT_FRAME::PutDataInPreviousState (this=0x1905c10, aList=0x1860150, aRedoCommand=false)
    at /home/cmp/git/kicad/eeschema/schematic_undo_redo.cpp:297
#2 0x00007fb8f9a9a630 in SCH_EDIT_FRAME::GetSchematicFromUndoList (this=0x1905c10, event=...)
    at /home/cmp/git/kicad/eeschema/schematic_undo_redo.cpp:350
#3 0x00007fb90660db5e in wxAppConsoleBase::CallEventHandler(wxEvtHandler*, wxEventFunctor&, wxEvent&) const ()
   from /usr/lib/libwx_baseu-3.0.so.0
#4 0x00007fb9067aa508 in wxEvtHandler::ProcessEventIfMatchesId(wxEventTableEntryBase const&, wxEvtHandler*, wxEvent&) ()
   from /usr/lib/libwx_baseu-3.0.so.0
#5 0x00007fb9067aa60b in wxEventHashTable::HandleEvent(wxEvent&, wxEvtHandler*) () from /usr/lib/libwx_baseu-3.0.so.0
#6 0x00007fb9067aa9b8 in wxEvtHandler::TryHereOnly(wxEvent&) () from /usr/lib/libwx_baseu-3.0.so.0
#7 0x00007fb8f9af585d in EDA_BASE_FRAME::ProcessEvent (this=0x1905c10, aEvent=...)
    at /home/cmp/git/kicad/common/basicframe.cpp:164
#8 0x00007fb9067aa7c3 in wxEvtHandler::DoTryChain(wxEvent&) () from /usr/lib/libwx_baseu-3.0.so.0
#9 0x00007fb9067aaaa5 in wxE...


jean-pierre charras (jp-charras) wrote :

rev 5591 should fix it.

Changed in kicad:
status: New → Fix Committed
Jon Neal (reportingsjr)
Changed in kicad:
status: Fix Committed → Fix Released