GNOME Bugzilla – Bug 158288
dia crashes when closing diagram
Last modified: 2005-10-08 20:18:30 UTC
Distribution: Debian 3.1
Package: dia
Severity: normal
Version: 0.94
Synopsis: dia crashes when closing diagram
Bugzilla-Product: dia
Bugzilla-Component: general
Bugzilla-Version: 0.94
BugBuddy-GnomeVersion: 2.0 (2.6.1.1)

Description:

Description of the crash:
Dia nearly always crashes when trying to close the attached diagram, especially after first zooming in and out for a while. I don't know if this is related, but when zooming some of the strings will almost always be shown in very small and dia warns that "Failed to appropriately tweak zoomed font for zoom factor 5.000000". Also sometimes (not as often but often anyway) some text or lines are shown in slightly wrong places. Changing the zoom factor usually fixes this. I thought I'd mention this as it's almost always the first weird thing to happen when using dia, before the crash.

Steps to reproduce the crash:
1. open the attached diagram
2. zoom in and out for a while
3. try to close the dialog

Expected Results:
The dialog is closed.

Additional Information:
This is so easily reproduced for me that it will be easy for me to answer requests for more information if you cannot reproduce it. See the attached valgrind log file (it's from a different run but a very similar crash). The interesting stuff starts from line 1119, but I included it all for completeness. The "Invalid write of size 4" on line 1119 happens when opening the attached diagram while everything after that (from line 1138) happens after pushing the diagram window's close button and leads directly to the crash.

I'm using dia-gnome 0.94.0-3 from Debian/unstable, recompiled with debug symbols and no optimizations.
Here's the version information of everything dia-gnome depends on:

ii dia-common 0.94.0-3 Diagram editor (common files)
ii dia-libs 0.94.0-3 Diagram editor (library files)
ii libart-2.0-2 2.3.16-6 Library of functions for 2D graphi
ii libatk1.0-0 1.6.1-5 The ATK accessibility toolkit
ii libaudiofile0 0.2.6-4 Open-source version of SGI's audio
ii libbonobo2-0 2.6.2-7 Bonobo CORBA interfaces library
ii libbonoboui2-0 2.6.1-1 The Bonobo UI library
ii libc6 2.3.2.ds1-18 GNU C Library: Shared libraries an
ii libesd0 0.2.35-2 Enlightened Sound Daemon - Shared
ii libfreetype6 2.1.7-2.2 FreeType 2 font engine, shared lib
ii libgconf2-4 2.6.4-2 GNOME configuration database syste
ii libgcrypt11 1.2.0-4 LGPL Crypto library - runtime libr
ii libglib2.0-0 2.4.7-1 The GLib library of C routines
ii libgnome-keyring0 0.2.1-3 GNOME keyring services library
ii libgnome2-0 2.6.1.2-2 The GNOME 2 library - runtime file
ii libgnomecanvas2-0 2.6.1.1-2 A powerful object-oriented display
ii libgnomeui-0 2.6.1.1cvs-1 The GNOME 2 libraries (User Interf
ii libgnomevfs2-0 2.6.2-2 The GNOME virtual file-system libr
ii libgnutls11 1.0.16-9 GNU TLS library - runtime library
ii libgpg-error0 1.0-1 library for common error values an
ii libgtk2.0-0 2.4.13-1 The GTK+ graphical user interface
ii libice6 4.3.0.dfsg.1-8 Inter-Client Exchange library
ii libjpeg62 6b-9 The Independent JPEG Group's JPEG
ii liborbit2 1:2.10.2-1.1 libraries for ORBit2 - a CORBA ORB
ii libpango1.0-0 1.4.1-4 Layout and rendering of internatio
ii libpng12-0 1.2.7-1 PNG library - runtime
ii libpopt0 1.7-5 lib for parsing cmdline parameters
ii libsm6 4.3.0.dfsg.1-8 X Window System Session Management
ii libtasn1-2 0.2.10-3 Manage ASN.1 structures (runtime)
ii libx11-6 4.3.0.dfsg.1-8 X Window System protocol client li
ii libxml2 2.6.11-5 GNOME XML library
ii xlibs 4.3.0.dfsg.1-8 X Window System client libraries m
ii zlib1g 1:1.2.2-1 compression library - runtime

Debugging Information:

Backtrace was generated from '/usr/bin/dia'
Using host libthread_db library "/usr/lib/debug/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 31475)]
0x40b28be8 in waitpid () from /usr/lib/debug/libpthread.so.0
+ Trace 51990
Thread 1 (Thread 16384 (LWP 31475))
------- Bug moved to this database by unknown@bugzilla.gnome.org 2004-11-14 13:26 -------

Unknown platform unknown. Setting to default platform "Other".
Unknown milestone "unknown" in product "dia". Setting to default milestone for this product, '---'
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, unknown@bugzilla.gnome.org. Previous reporter was sliedes@cc.hut.fi.
Setting to default status "UNCONFIRMED".
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
Created attachment 33775: The .dia file that triggers the bug
Created attachment 33776: Valgrind log for a dia crash
Appears to be a unique stack trace. Thanks for filing an excellent report Sami. Changing severity to critical and priority to high.
For the record: I'm getting a bunch of error messages when loading the diagram:
- Error loading diagram. Linked object not found in document. (x5)
- Error? trying to connect a non connectable handle. Check this out... (x38)
- Unknown types while reading diagram file thj - isa
- Error loading diagram. connection handle does not exist.
Zooming in and out for a while didn't cause any harm (tested on Linux, but maybe the while was not long enough ;-) Closing didn't crash either.
The font problem when zooming in and out seems to be fixed in HEAD, but it still crashes when closing the diagram (I don't even need to zoom to make this happen; sometimes dia only enters an infinite loop when closing, sometimes it segfaults). A quick peek suggests it might be related to some memory being freed twice. I might take a closer look at it some time next week, my schedule permitting.
Maybe you should just try out dia from cvs with:
2004-11-29 Hans Breuer <hans@breuer.org>
* app/diagram.c : fixed diagram_finalize while I was there.
HEAD still crashes, but I think I have the bug traced down. What happens is that I have a custom object with text (the one named "thj - isa" - sorry, I didn't realize the shape itself wasn't included in the .dia file), and there are multiple copies of it in the diagram. Now the memcpy() in objects/custom/custom_object.c:1328 also copies the Text *object in struct _GraphicElementText (objects/custom/shape_info.h). As a result when destroying the diagram the text object gets freed multiple times, crashing dia.
Created attachment 34310: A custom object for the ER sheet, needed to crash
Add this to the ER sheet and open er.dia. After that closing it crashes (see diagnosis in the above comment).
Looking at your shapes file I suspect the problem is the second text element. Not tested but the code appears not to handle this (there is only one editable text in _Custom
My guess was right, kind of. Please try again with current cvs:
2004-12-12 Hans Breuer <hans@breuer.org>
* objects/custom/custom_object.c : custom_destroy is called per object. It _must not_ destroy class stuff (ShapeInfo) cause it does not hold a reference to it. Fixes e.g. bug #158288, #160550, ...
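The ownership problem diagnosed and fixed in the comments above, as an added example that is not dia's code: the struct names are borrowed from the thread, but their fields, the tracking pool and every function here (`text_new`, `text_destroy`, `custom_create`, `destroy_before`, `destroy_after`, `teardown`) are hypothetical. It counts repeated releases of the shared Text instead of performing them, so it runs without corrupting the heap.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-ins for the structs named in the thread; not dia's definitions. */
typedef struct { int live; } Text;
typedef struct { int type; Text *object; } GraphicElementText;
typedef struct { GraphicElementText text_el; } ShapeInfo; /* class data, shared by all copies */
typedef struct { GraphicElementText text_el; } Custom;    /* one per object in the diagram */

/* Tracking pool: slots are never reused, so a repeated release is counted, not executed. */
static Text pool[8];
static int next_slot, double_frees;

static Text *text_new(void) {
    Text *t = next_slot < 8 ? &pool[next_slot++] : NULL;
    if (t) t->live = 1;
    return t;
}

static void text_destroy(Text *t) {
    if (!t) return;
    if (!t->live) { double_frees++; return; }  /* a real free() would corrupt the heap here */
    t->live = 0;
}

/* As diagnosed: memcpy duplicates the pointer, so every copy aliases one Text. */
static void custom_create(Custom *c, const ShapeInfo *info) {
    memcpy(&c->text_el, &info->text_el, sizeof c->text_el);
}

/* Before: each instance releases an object it only borrowed from the class. */
static void destroy_before(Custom *c) { text_destroy(c->text_el.object); }
/* After: the instance drops its alias and leaves class data to its owner. */
static void destroy_after(Custom *c) { c->text_el.object = NULL; }

/* Create n copies of one shape, tear everything down, return repeated releases seen. */
static int teardown(int n, int fixed) {
    ShapeInfo info = { { 1, text_new() } };
    Custom objs[4];
    double_frees = 0;
    for (int i = 0; i < n && i < 4; i++) custom_create(&objs[i], &info);
    for (int i = 0; i < n && i < 4; i++)
        if (fixed) destroy_after(&objs[i]); else destroy_before(&objs[i]);
    text_destroy(info.text_el.object); /* the class releases its Text exactly once */
    return double_frees;
}

int main(void) {
    printf("before: %d, after: %d\n", teardown(3, 0), teardown(3, 1));
    return 0;
}
```

With a single copy of the shape the "before" path still releases the Text twice (once by the instance, once by the class), which is why the crash did not depend on how many copies the diagram held beyond the first.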
Yes, this seems to fix the bug. Thanks.
Adjusting target to help finding 0.94 dups already fixed