Crash on undo redo after closing Undo History dialog
Steps to reproduce:
- open Inkscape
- draw a rectangle
- open Undo History dialog
- close dialog
- undo
- redo
What happened?
- crash (sometimes on undo instead of redo).
- also happened on undo when steps are a bit more complicated (i.e. larger string on undo/redo, different actions used)
Backtrace Inkscape 1.1-dev (a69188b5f2, 2020-12-10): inkscape-backtrace-undo-history.txt
ASAN output (on first undo) on Inkscape 1.1-dev (82c3dccfc7, 2020-11-18) inkscape-asan-undo-history.txt
pasted output from ASAN
=================================================================
==344121==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400023f990 at pc 0x7fe790aa3a82 bp 0x7ffc74833a20 sp 0x7ffc74833a10
READ of size 8 at 0x61400023f990 thread T0
    #0 0x7fe790aa3a81 in std::_Rb_tree<Inkscape::EventLog::CallbackTypes const, std::pair<Inkscape::EventLog::CallbackTypes const, sigc::connection>, std::_Select1st<std::pair<Inkscape::EventLog::CallbackTypes const, sigc::connection> >, std::less<Inkscape::EventLog::CallbackTypes const>, std::allocator<std::pair<Inkscape::EventLog::CallbackTypes const, sigc::connection> > >::_M_begin() /usr/include/c++/9/bits/stl_tree.h:745
    #1 0x7fe790aa3a81 in std::_Rb_tree<Inkscape::EventLog::CallbackTypes const, std::pair<Inkscape::EventLog::CallbackTypes const, sigc::connection>, std::_Select1st<std::pair<Inkscape::EventLog::CallbackTypes const, sigc::connection> >, std::less<Inkscape::EventLog::CallbackTypes const>, std::allocator<std::pair<Inkscape::EventLog::CallbackTypes const, sigc::connection> > >::lower_bound(Inkscape::EventLog::CallbackTypes const&) /usr/include/c++/9/bits/stl_tree.h:1282
    #2 0x7fe790aa3a81 in std::map<Inkscape::EventLog::CallbackTypes const, sigc::connection, std::less<Inkscape::EventLog::CallbackTypes const>, std::allocator<std::pair<Inkscape::EventLog::CallbackTypes const, sigc::connection> > >::lower_bound(Inkscape::EventLog::CallbackTypes const&) /usr/include/c++/9/bits/stl_map.h:1258
    #3 0x7fe790aa3a81 in std::map<Inkscape::EventLog::CallbackTypes const, sigc::connection, std::less<Inkscape::EventLog::CallbackTypes const>, std::allocator<std::pair<Inkscape::EventLog::CallbackTypes const, sigc::connection> > >::operator[](Inkscape::EventLog::CallbackTypes const&&) /usr/include/c++/9/bits/stl_map.h:515
    #4 0x7fe790aa3a81 in Inkscape::EventLogPrivate::selectRow(Gtk::TreePath const&) ../src/event-log.cpp:138
    #5 0x7fe790aa0af2 in Inkscape::EventLog::notifyUndoEvent(Inkscape::Event*) ../src/event-log.cpp:237
    #6 0x7fe7909786c0 in Inkscape::CompositeUndoStackObserver::UndoStackObserverRecord::issueUndo(Inkscape::Event*) ../src/composite-undo-stack-observer.h:72
    #7 0x7fe7909786c0 in Inkscape::CompositeUndoStackObserver::notifyUndoEvent(Inkscape::Event*) ../src/composite-undo-stack-observer.cpp:51
    #8 0x7fe790a2c622 in Inkscape::DocumentUndo::undo(SPDocument*) ../src/document-undo.cpp:256
    #9 0x7fe790c521ae in sp_undo(SPDesktop*, SPDocument*) ../src/selection-chemistry.cpp:1237
    #10 0x7fe790e74888 in Inkscape::EditVerb::perform(SPAction*, void*) ../src/verbs.cpp:958
    #11 0x7fe790e8c2df in sigc::pointer_functor2<SPAction*, void*, void>::operator()(SPAction* const&, void* const&) const /usr/include/sigc++-2.0/sigc++/functors/ptr_fun.h:147
    #12 0x7fe790e8c2df in sigc::adaptor_functor<sigc::pointer_functor2<SPAction*, void*, void> >::deduce_result_type<SPAction*&, void*&, void, void, void, void, void>::type sigc::adaptor_functor<sigc::pointer_functor2<SPAction*, void*, void> >::operator()<SPAction*&, void*&>(SPAction*&, void*&) const /usr/include/sigc++-2.0/sigc++/adaptors/adaptor_trait.h:108
    #13 0x7fe790e8c2df in sigc::bind_functor<-1, sigc::pointer_functor2<SPAction*, void*, void>, void*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>::deduce_result_type<SPAction*&, void, void, void, void, void, void>::type sigc::bind_functor<-1, sigc::pointer_functor2<SPAction*, void*, void>, void*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>::operator()<SPAction*&>(SPAction*&) /usr/include/sigc++-2.0/sigc++/adaptors/bind.h:1136
    #14 0x7fe790e8c2df in sigc::bind_functor<-1, sigc::bind_functor<-1, sigc::pointer_functor2<SPAction*, void*, void>, void*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>, SPAction*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>::operator()() /usr/include/sigc++-2.0/sigc++/adaptors/bind.h:1124
    #15 0x7fe790e8c2df in sigc::internal::slot_call<sigc::bind_functor<-1, sigc::bind_functor<-1, sigc::pointer_functor2<SPAction*, void*, void>, void*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>, SPAction*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>, void>::call_it(sigc::internal::slot_rep*) /usr/include/sigc++-2.0/sigc++/functors/slot.h:483
    #16 0x7fe78e9f39e8 in sigc::internal::signal_emit0<void, sigc::nil>::emit(sigc::internal::signal_impl*) /usr/include/sigc++-2.0/sigc++/signal.h:798
    #17 0x7fe78e9f39e8 in sigc::signal0<void, sigc::nil>::emit() const /usr/include/sigc++-2.0/sigc++/signal.h:2804
    #18 0x7fe78e9f39e8 in sp_action_perform(SPAction*, void*) ../src/helper/action.cpp:139
    #19 0x7fe78f5a3c3f in Inkscape::Shortcuts::invoke_verb(_GdkEventKey const*, Inkscape::UI::View::View*) ../src/ui/shortcuts.cpp:473
    #20 0x7fe790e986a2 in InkscapeWindow::on_key_press_event(_GdkEventKey*) ../src/inkscape-window.cpp:200
    #21 0x7fe78b8acfe8 in Gtk::Widget_Class::key_press_event_callback(_GtkWidget*, _GdkEventKey*) gtk/gtkmm/widget.cc:4482
    #22 0x7fe78afec5ee in _gtk_marshal_BOOLEAN__BOXEDv debian/build/deb/gtk/gtkmarshalers.c:129
    #23 0x7fe78c17ca55 in _g_closure_invoke_va ../../../gobject/gclosure.c:873
    #24 0x7fe78c19add0 in g_signal_emit_valist ../../../gobject/gsignal.c:3407
    #25 0x7fe78c19c0d2 in g_signal_emit ../../../gobject/gsignal.c:3554
    #26 0x7fe78af96c22 in gtk_widget_event_internal ../../../../gtk/gtkwidget.c:7808
    #27 0x7fe78af96c22 in gtk_widget_event_internal ../../../../gtk/gtkwidget.c:7677
    #28 0x7fe78ae521de in propagate_event ../../../../gtk/gtkmain.c:2690
    #29 0x7fe78ae543da in gtk_main_do_event ../../../../gtk/gtkmain.c:1920
    #30 0x7fe78ae543da in gtk_main_do_event ../../../../gtk/gtkmain.c:1690
    #31 0x7fe78ab3cf78 in _gdk_event_emit ../../../../gdk/gdkevents.c:73
    #32 0x7fe78ab70105 in gdk_event_source_dispatch ../../../../../gdk/x11/gdkeventsource.c:367
    #33 0x7fe78d767fbc in g_main_dispatch ../../../glib/gmain.c:3309
    #34 0x7fe78d767fbc in g_main_context_dispatch ../../../glib/gmain.c:3974
    #35 0x7fe78d76823f in g_main_context_iterate ../../../glib/gmain.c:4047
    #36 0x7fe78d7682e2 in g_main_context_iteration ../../../glib/gmain.c:4108
    #37 0x7fe78c2aafd4 in g_application_run ../../../gio/gapplication.c:2559
    #38 0x558229337b51 in main ../src/inkscape-main.cpp:229
    #39 0x7fe78d0f50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #40 0x55822933577d in _start (/home/nal/all/inkscape/asan/output/bin/inkscape+0x377d)

0x61400023f990 is located 336 bytes inside of 408-byte region [0x61400023f840,0x61400023f9d8)
freed by thread T0 here:
    #0 0x7fe79234e025 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x111025)
    #1 0x7fe79049b79d in Inkscape::UI::Dialog::UndoHistory::~UndoHistory() ../src/ui/dialog/undo-history.cpp:161
    #2 0x7fe78d748486 in g_datalist_clear ../../../glib/gdataset.c:273

previously allocated by thread T0 here:
    #0 0x7fe79234c947 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
    #1 0x7fe79049ae14 in Inkscape::UI::Dialog::UndoHistory::getInstance() ../src/ui/dialog/undo-history.cpp:89
    #2 0x7fe78fd51113 in Inkscape::UI::Dialog::DialogContainer::dialog_factory(unsigned int) ../src/ui/dialog/dialog-container.cpp:177
    #3 0x7fe78fd5b2e2 in Inkscape::UI::Dialog::DialogContainer::new_dialog(unsigned int, Inkscape::UI::Dialog::DialogNotebook*) ../src/ui/dialog/dialog-container.cpp:286
    #4 0x7fe78fd5c091 in Inkscape::UI::Dialog::DialogContainer::new_dialog(unsigned int) ../src/ui/dialog/dialog-container.cpp:260
    #5 0x7fe790e7628c in Inkscape::DialogVerb::perform(SPAction*, void*) ../src/verbs.cpp:2007
    #6 0x7fe790e8c2df in sigc::pointer_functor2<SPAction*, void*, void>::operator()(SPAction* const&, void* const&) const /usr/include/sigc++-2.0/sigc++/functors/ptr_fun.h:147
    #7 0x7fe790e8c2df in sigc::adaptor_functor<sigc::pointer_functor2<SPAction*, void*, void> >::deduce_result_type<SPAction*&, void*&, void, void, void, void, void>::type sigc::adaptor_functor<sigc::pointer_functor2<SPAction*, void*, void> >::operator()<SPAction*&, void*&>(SPAction*&, void*&) const /usr/include/sigc++-2.0/sigc++/adaptors/adaptor_trait.h:108
    #8 0x7fe790e8c2df in sigc::bind_functor<-1, sigc::pointer_functor2<SPAction*, void*, void>, void*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>::deduce_result_type<SPAction*&, void, void, void, void, void, void>::type sigc::bind_functor<-1, sigc::pointer_functor2<SPAction*, void*, void>, void*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>::operator()<SPAction*&>(SPAction*&) /usr/include/sigc++-2.0/sigc++/adaptors/bind.h:1136
    #9 0x7fe790e8c2df in sigc::bind_functor<-1, sigc::bind_functor<-1, sigc::pointer_functor2<SPAction*, void*, void>, void*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>, SPAction*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>::operator()() /usr/include/sigc++-2.0/sigc++/adaptors/bind.h:1124
    #10 0x7fe790e8c2df in sigc::internal::slot_call<sigc::bind_functor<-1, sigc::bind_functor<-1, sigc::pointer_functor2<SPAction*, void*, void>, void*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>, SPAction*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>, void>::call_it(sigc::internal::slot_rep*) /usr/include/sigc++-2.0/sigc++/functors/slot.h:483
    #11 0x7fe78e9f39e8 in sigc::internal::signal_emit0<void, sigc::nil>::emit(sigc::internal::signal_impl*) /usr/include/sigc++-2.0/sigc++/signal.h:798
    #12 0x7fe78e9f39e8 in sigc::signal0<void, sigc::nil>::emit() const /usr/include/sigc++-2.0/sigc++/signal.h:2804
    #13 0x7fe78e9f39e8 in sp_action_perform(SPAction*, void*) ../src/helper/action.cpp:139
    #14 0x7fe78f5a3c3f in Inkscape::Shortcuts::invoke_verb(_GdkEventKey const*, Inkscape::UI::View::View*) ../src/ui/shortcuts.cpp:473
    #15 0x7fe790e986a2 in InkscapeWindow::on_key_press_event(_GdkEventKey*) ../src/inkscape-window.cpp:200
    #16 0x7fe78b8acfe8 in Gtk::Widget_Class::key_press_event_callback(_GtkWidget*, _GdkEventKey*) gtk/gtkmm/widget.cc:4482

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/9/bits/stl_tree.h:745 in std::_Rb_tree<Inkscape::EventLog::CallbackTypes const, std::pair<Inkscape::EventLog::CallbackTypes const, sigc::connection>, std::_Select1st<std::pair<Inkscape::EventLog::CallbackTypes const, sigc::connection> >, std::less<Inkscape::EventLog::CallbackTypes const>, std::allocator<std::pair<Inkscape::EventLog::CallbackTypes const, sigc::connection> > >::_M_begin()
Shadow bytes around the buggy address:
  0x0c288003fee0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c288003fef0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c288003ff00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c288003ff10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c288003ff20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c288003ff30: fd fd[fd]fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c288003ff40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c288003ff50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c288003ff60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c288003ff70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c288003ff80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==344121==ABORTING
What should have happened?
- no crash
Version Info:
- Inkscape 1.1-dev (a69188b5f2, 2020-12-10) Linux Mint 20
- Inkscape 1.1-dev (a69188b5f2, 2020-12-10) Windows 10
- Introduced in GDL replacement (inkscape@c2d0ea12)
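The ASAN report above has the shape of a classic observer-lifetime bug: the object allocated in UndoHistory::getInstance() is freed in ~UndoHistory() when the dialog is closed, but the next undo still reaches it through CompositeUndoStackObserver::notifyUndoEvent(). The following is an added illustration of that pattern and of the usual fix (unregister in the destructor), written for this page and not taken from Inkscape's source or from the report. CompositeObserver, LeakyDialog, SafeDialog and the other names in it are hypothetical stand-ins for the Inkscape types named in the trace.

```cpp
// Added illustration of the "observer outlives its owner" use-after-free and
// its RAII fix. Not Inkscape code; all class names here are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

struct UndoStackObserver {
    virtual ~UndoStackObserver() = default;
    virtual void notifyUndoEvent() = 0;
};

// Stand-in for a composite undo-stack observer. It stores raw, non-owning
// pointers, so it relies entirely on registrants removing themselves.
class CompositeObserver {
public:
    void add(UndoStackObserver* o) { observers_.push_back(o); }
    void remove(UndoStackObserver* o) {
        observers_.erase(std::remove(observers_.begin(), observers_.end(), o),
                         observers_.end());
    }
    std::size_t count() const { return observers_.size(); }
    // Fans an undo event out to every registered observer; returns how many
    // were notified. A dangling entry here is exactly the ASAN read above.
    std::size_t notifyUndo() {
        for (UndoStackObserver* o : observers_) o->notifyUndoEvent();
        return observers_.size();
    }
private:
    std::vector<UndoStackObserver*> observers_;
};

// Buggy dialog: registers itself when opened but never unregisters.
class LeakyDialog : public UndoStackObserver {
public:
    explicit LeakyDialog(CompositeObserver& c) : composite_(c) { composite_.add(this); }
    // No destructor: closing the dialog leaves a dangling pointer behind.
    void notifyUndoEvent() override { ++undo_events_; }
    int undo_events_ = 0;
private:
    CompositeObserver& composite_;
};

// Fixed dialog: the registration is undone in the destructor, so the
// observer list can never refer to a destroyed dialog.
class SafeDialog : public UndoStackObserver {
public:
    explicit SafeDialog(CompositeObserver& c) : composite_(c) { composite_.add(this); }
    ~SafeDialog() override { composite_.remove(this); }
    void notifyUndoEvent() override { ++undo_events_; }
    int undo_events_ = 0;
private:
    CompositeObserver& composite_;
};

// Report sequence with the buggy dialog: open, close. Returns the number of
// registrations left behind (1 means the next undo would touch freed memory).
std::size_t dangling_after_close_buggy() {
    CompositeObserver composite;
    {
        LeakyDialog dialog(composite);   // open Undo History
    }                                    // close dialog: freed, still registered
    // Deliberately not calling composite.notifyUndo() here: under ASAN that
    // is the heap-use-after-free the report shows.
    return composite.count();
}

// Same sequence with the fixed dialog: nothing is left registered.
std::size_t dangling_after_close_fixed() {
    CompositeObserver composite;
    {
        SafeDialog dialog(composite);
    }
    return composite.count();
}

// Undo after close with the fixed dialog notifies nobody and touches nothing freed.
std::size_t undo_after_close_fixed() {
    CompositeObserver composite;
    {
        SafeDialog dialog(composite);
    }
    return composite.notifyUndo();
}

// Undo while the fixed dialog is open is still delivered to the live dialog.
int undo_while_open_fixed() {
    CompositeObserver composite;
    SafeDialog dialog(composite);
    composite.notifyUndo();
    return dialog.undo_events_;
}

int main() {
    std::printf("buggy: %zu dangling, fixed: %zu dangling, undo-after-close notified %zu, undo-while-open delivered %d\n",
                dangling_after_close_buggy(), dangling_after_close_fixed(),
                undo_after_close_fixed(), undo_while_open_fixed());
    return 0;
}
```

In libsigc++ code such as Inkscape's, the same guarantee is usually obtained by keeping the sigc::connection returned at registration and disconnecting it in the destructor, or by deriving the registrant from sigc::trackable so slots bound to it are dropped automatically when it is destroyed.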