Bug 156443

Summary: Using some functions crashes Inkscape
Product: [Fedora] Fedora Reporter: Simon Lanzmich <simonlanzmich>
Component: inkscapeAssignee: Phillip Compton <compton>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: bugs.michael, denisleroy, dmalcolm, samuel.mutel, toniw
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-05-31 17:04:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 156219, 156228    
Bug Blocks:    

Description Simon Lanzmich 2005-04-30 11:41:32 UTC 
Description of problem:
Using inkscape, several functions crash the program. For example, when I
press Shift+Ctrl+F to open the Fill and Stroke dialog or select the Keyboard
shortcut help from the menu, it crashes. Some other dialogs, for example the
Text + Font dialog opens correctly. I have installed inkscape via yum from
extras-development and have a fully updated FC4-test2 system.

Version-Release number of selected component (if applicable):
0.41-1

How reproducible:
Always

Steps to Reproduce:
1. Open Inkscape
2. Press Shift+Ctrl+F
  
Actual results:
Inkscape crashes and gives the following output:

[simon@simon ~]$ inkscape
*** glibc detected *** inkscape: free(): invalid pointer:
0x0000000001cb01a0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x394c56a3de]
/lib64/libc.so.6(__libc_free+0x6e)[0x394c56a90e]
inkscape(_ZNSt10_List_baseIN4sigc9slot_baseESaIS1_EE8_M_clearEv
+0x28)[0x4ab848]
/usr/lib64/libsigc-2.0.so.0(_ZN4sigc11signal_baseD2Ev
+0x37)[0x35db203bcf]
inkscape(_ZN8Inkscape12URIReferenceD2Ev+0x26)[0x50d9a6]
inkscape(_ZN19SPClipPathReferenceD0Ev+0x10)[0x4d9bc0]
inkscape[0x4d5f73]
/usr/lib64/libgobject-2.0.so.0(g_closure_invoke+0xfb)[0x394dc0a27d]
/usr/lib64/libgobject-2.0.so.0[0x394dc17489]
/usr/lib64/libgobject-2.0.so.0(g_signal_emit_valist+0x696)[0x394dc1880c]
/usr/lib64/libgobject-2.0.so.0(g_signal_emit+0x83)[0x394dc18bb7]
inkscape(_Z24sp_object_invoke_releaseP8SPObject+0xa1)[0x4dfd51]
inkscape(_Z16sp_object_detachP8SPObjectS0_+0xeb)[0x4e09eb]
inkscape(_Z22sp_object_detach_unrefP8SPObjectS0_+0x97)[0x4e0b57]
inkscape(_ZN8Inkscape3XML10SimpleNode11removeChildEP6SPRepr
+0xdd)[0x5c29fd]
inkscape(_ZN8SPObject12deleteObjectEbb+0x110)[0x4e2580]
inkscape[0x589d40]
inkscape[0x58a52c]
inkscape(_Z31sp_stroke_style_line_widget_newv+0x79f)[0x58d88f]
inkscape(_Z27sp_object_properties_dialogv+0x351)[0x5847a1]
inkscape(_Z17sp_action_performP8SPActionPv+0x9f)[0x60fb7f]
inkscape(_Z18sp_shortcut_invokejP6SPView+0x28)[0x4c0498]
inkscape[0x6125d8]
/usr/lib64/libgtk-x11-2.0.so.0[0x31b1f03792]
/usr/lib64/libgobject-2.0.so.0(g_closure_invoke+0xfb)[0x394dc0a27d]
/usr/lib64/libgobject-2.0.so.0[0x394dc178eb]
/usr/lib64/libgobject-2.0.so.0(g_signal_emit_valist+0x3ce)[0x394dc18544]
/usr/lib64/libgobject-2.0.so.0(g_signal_emit+0x83)[0x394dc18bb7]
/usr/lib64/libgtk-x11-2.0.so.0[0x31b1fc79f8]
/usr/lib64/libgtk-x11-2.0.so.0(gtk_propagate_event+0x191)[0x31b1f021c1]
/usr/lib64/libgtk-x11-2.0.so.0(gtk_main_do_event+0x310)[0x31b1f024f4]
/usr/lib64/libgdk-x11-2.0.so.0[0x31b2240051]
/usr/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x1d5)[0x394c32499e]
/usr/lib64/libglib-2.0.so.0[0x394c327644]
/usr/lib64/libglib-2.0.so.0(g_main_loop_run+0x192)[0x394c327b30]
/usr/lib64/libgtk-x11-2.0.so.0(gtk_main+0xa1)[0x31b1f01a75]
inkscape(_Z11sp_main_guiiPPKc+0x153)[0x4a7fe3]
inkscape(main+0x19e)[0x4a826e]
/lib64/libc.so.6(__libc_start_main+0xdc)[0x394c51c49c]
inkscape(_ZN3Gtk10CellLayoutD1Ev+0x6a)[0x4a723a]
======= Memory map: ========
00400000-00804000 r-xp 00000000 08:08
135402                             /usr/bin/inkscape
00903000-00937000 rw-p 00403000 08:08
135402                             /usr/bin/inkscape
00937000-01fb4000 rw-p 00937000 00:00 0
[heap]
31b0400000-31b0408000 r-xp 00000000 08:08
136971                         /usr/X11R6/lib64/libXrender.so.1.2.2
31b0408000-31b0508000 ---p 00008000 08:08
136971                         /usr/X11R6/lib64/libXrender.so.1.2.2
31b0508000-31b0509000 rw-p 00008000 08:08
136971                         /usr/X11R6/lib64/libXrender.so.1.2.2
31b0600000-31b0603000 r-xp 00000000 08:08
137213                         /usr/X11R6/lib64/libXrandr.so.2.0
31b0603000-31b0702000 ---p 00003000 08:08
137213                         /usr/X11R6/lib64/libXrandr.so.2.0
31b0702000-31b0703000 rw-p 00002000 08:08
137213                         /usr/X11R6/lib64/libXrandr.so.2.0
31b0800000-31b0809000 r-xp 00000000 08:08
138455                         /usr/X11R6/lib64/libXcursor.so.1.0.2
31b0809000-31b0909000 ---p 00009000 08:08
138455                         /usr/X11R6/lib64/libXcursor.so.1.0.2
31b0909000-31b090a000 rw-p 00009000 08:08
138455                         /usr/X11R6/lib64/libXcursor.so.1.0.2
31b0a00000-31b0a14000 r-xp 00000000 08:08
140021                         /usr/X11R6/lib64/libXft.so.2.1.2
31b0a14000-31b0b13000 ---p 00014000 08:08
140021                         /usr/X11R6/lib64/libXft.so.2.1.2
31b0b13000-31b0b14000 rw-p 00013000 08:08
140021                         /usr/X11R6/lib64/libXft.so.2.1.2
31b0c00000-31b0c0b000 r-xp 00000000 08:08
140577                         /usr/lib64/libpangox-1.0.so.0.800.1
31b0c0b000-31b0d0b000 ---p 0000b000 08:08
140577                         /usr/lib64/libpangox-1.0.so.0.800.1
31b0d0b000-31b0d0c00
Emergency save activated!
Emergency save completed. Inkscape will close now.
If you can reproduce this crash, please file a bug at www.inkscape.org
with a detailed description of the steps leading to the crash, so we can
fix it.

Expected results:
The Fill and Stroke dialog should open.

Additional info:
Comment 1 Michael Schwendt 2005-04-30 13:10:34 UTC 
Just for the record, i386 is affected, too. Could be improper usage of libsigc++20.

(gdb) bt
#0  0x0089c7e2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x00e212dc in raise () from /lib/libc.so.6
#2  0x00e22a28 in abort () from /lib/libc.so.6
#3  0x00e5608a in __libc_message () from /lib/libc.so.6
#4  0x00e5bf94 in _int_free () from /lib/libc.so.6
#5  0x00e5c4cf in free () from /lib/libc.so.6
#6  0x0096b7a9 in operator delete () from /usr/lib/libstdc++.so.6
#7  0x080ddf69 in std::_List_base<sigc::slot_base, std::allocator<sigc::slot_bas
e> >::_M_clear (this=0xa18de48)
    at /usr/lib/gcc/i386-redhat-linux/3.4.2/../../../../include/c++/3.4.2/ext/ne
w_allocator.h:86
#8  0x00de6449 in ~signal_base (this=0xa18de30)
    at /usr/lib/gcc/i386-redhat-linux/4.0.0/../../../../include/c++/4.0.0/bits/s
tl_list.h:332
#9  0x0813d8d8 in ~URIReference (this=0xa18de18) at uri-references.h:94
#10 0x0810b0e8 in ~SPClipPathReference (this=0xa18de18) at sp-item.cpp:310
#11 0x081076b6 in sp_item_release (object=0x9eebff4) at sp-item.cpp:310
#12 0x00331817 in g_cclosure_marshal_VOID__VOID ()
   from /usr/lib/libgobject-2.0.so.0
#13 0x00325d9b in g_cclosure_new_swap () from /usr/lib/libgobject-2.0.so.0
#14 0x00326285 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#15 0x00334c96 in g_signal_stop_emission () from /usr/lib/libgobject-2.0.so.0
#16 0x00335ee0 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
---Type <return> to continue, or q <return> to quit---
Comment 2 Denis Leroy 2005-05-01 04:07:23 UTC 
I was able to reproduce the problem. I think this is a binary incompatibility
between the currently available inkscape RPM and the libstdc++ library from
gcc4. It needs to be rebuilt, however i was UNABLE to recompile the inkscape
SRPM: it fails from something that looks like a gcc4 incompatibility related to
bug 156219 (the current gtkmm24s don't build either).

Now for the good news. Inkscape builds and works just fine with the recently
updated libsigc++20-2.0.11, gtkmm24-2.6.2 and glibmm24-2.6.1. All of inkscape
features and dialog boxes work.

I will add the appropriate rebuild requests to the FC4 status page.
Comment 3 Michael Schwendt 2005-05-01 09:25:32 UTC 
Thanks for looking into it! For destructor related crashes, that sounds like a
theory indeed. Actually, Inkscape was one of the packages, which failed to
rebuild after the automated release version bump, which I later filed as bug 156228.
Comment 4 Jef Spaleta 2005-05-15 13:55:05 UTC 
*** Bug 157778 has been marked as a duplicate of this bug. ***
Comment 5 Michael Schwendt 2005-05-31 17:04:26 UTC 
inkscape-0.41-7, which should appear in Fedora Extras Development soon, should
fix this.