Message-Id: <201001170703.o0H73NYL099265@eeebox.branda.to>
Date: Sun, 17 Jan 2010 15:03:23 +0800 (CST)
From: "Thinker K.F. Li"
Sender: Thinker Li
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/142903: Inkscape hangs for an infinite loop when opening a file
Reply-To: "Thinker K.F. Li"

>Number: 142903
>Category: ports
>Synopsis: Inkscape hangs for an infinite loop when opening a file
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jan 17 07:30:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Thinker K.F. Li
>Release: FreeBSD 9.0-CURRENT i386
>Organization: branda.to
>Environment:
System: FreeBSD eeebox.branda.to 9.0-CURRENT FreeBSD 9.0-CURRENT #2: Sun Sep 13 12:59:28 CST 2009 thinker@eeebox.branda.to:/usr/src/sys/i386/compile/eeebox i386
>Description:
Inkscape hangs in an infinite loop when opening a file or a new file when Inkscape is running with empty content. It was caused by accessing invalid memory. Inkscape::DocumentSubset::Relations::_doRemove() keeps accessing a block of memory immediately after freeing it. It may be fine and hidden on other OSes, but on FreeBSD, free() would clean the content of the passed memory block and expose the issue.
>How-To-Repeat:
1. Run Inkscape without passing any argument.
2. Open an SVG file or open a new document.
3. Inkscape will no longer respond to any command (infinite loop).
>Fix:
Apply the following patch to postpone releasing until the block of memory is no longer used.

--- patch-src-document-subset.cpp begins here --- --- src/document-subset.cpp.orig 2010-01-17 13:47:18.000000000 +0800 +++ src/document-subset.cpp 2010-01-17 13:49:59.000000000 +0800 
@@ -184,9 +184,6 @@ void _doRemove(SPObject *obj) { Record &record=records[obj]; - record.release_connection.disconnect(); - record.position_changed_connection.disconnect(); - records.erase(obj); if ( record.parent == NULL ) { Record &root = records[NULL]; @@ -198,6 +195,12 @@ } } + /* Record must be ereased after removing from root, or + * content of record would be invalided. */ + record.release_connection.disconnect(); + record.position_changed_connection.disconnect(); + records.erase(obj); + removed_signal.emit(obj); sp_object_unref(obj); } --- patch-src-document-subset.cpp ends here --- >Release-Note: >Audit-Trail: >Unformatted:
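
Review bot: In the first hunk (-184,9), only records.erase(obj) invalidates the record reference; the two disconnect() calls ran before the erase and were already operating on a live Record. Moving all three lines means release_connection and position_changed_connection now stay connected while the record is being unlinked. Consider leaving the disconnect() calls at the top of _doRemove() and moving only records.erase(obj), which also reduces the change to a one-line move.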
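
Review bot: In the second hunk (+195,12), the new comment ties the ordering to "removing from root", but the actual rule is that record is a reference into records and must not be read once records.erase(obj) has run. Suggest wording the comment that way, for example "erase last: record refers to an element of records", and fixing "ereased" and "invalided". The reference still dangles after the erase; the visible lines that follow (removed_signal.emit(obj) and sp_object_unref(obj)) only use obj, so that is safe today, but a short remark in the comment would keep later edits from touching record below this point.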
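
The ordering problem described in the report's Description, reduced to a small stand-alone case. This is an added example, not part of the original report or of Inkscape's code; the Record and Relations types, the int keys and the function names are simplified, hypothetical stand-ins for the real ones.

```cpp
#include <algorithm>
#include <map>
#include <vector>

// Hypothetical, simplified stand-in for the records map in the report;
// keys are plain ints instead of SPObject pointers.
struct Record {
    int parent = 0;              // 0 plays the role of the NULL root key
    std::vector<int> children;
};

struct Relations {
    std::map<int, Record> records;

    void add(int obj, int parent) {
        records[obj].parent = parent;
        records[parent].children.push_back(obj);
    }

    // Order from before the patch: `record` refers to a map node that
    // erase() has already destroyed, so reading record.parent is
    // undefined behaviour. Shown for comparison only; never called here.
    void removeErasingFirst(int obj) {
        Record &record = records[obj];
        records.erase(obj);
        Record &parent = records[record.parent];   // use after free
        auto &c = parent.children;
        c.erase(std::remove(c.begin(), c.end(), obj), c.end());
    }

    // Order from the patch: finish every read through `record`, then erase.
    // Returns the parent key the object was unlinked from.
    int removeErasingLast(int obj) {
        Record &record = records[obj];
        int parent_key = record.parent;
        // std::map keeps existing references valid when operator[] inserts.
        auto &c = records[parent_key].children;
        c.erase(std::remove(c.begin(), c.end(), obj), c.end());
        records.erase(obj);                        // `record` dangles from here on
        return parent_key;
    }
};
```

Whether the first variant misbehaves visibly depends on what the allocator does with freed memory, which is why the same bug can stay hidden on one platform and hang on another.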