[Pkg-lyx-devel] Bug#548519: fixed

Sun Sep 27 23:30:28 UTC 2009

Hi

Here is the output of gdb :

Program received signal SIGSEGV, Segmentation fault.
0x08100d95 in lyx::DocIterator::inMathed (this=0x8bb90d8) at ../../src/DocIterator.h:123
123		{ return !empty() && inset().inMathed(); }
(gdb) 

(gdb) print depth()
$35 = 3
(gdb) print slices_.size()
$36 = 3
(gdb) print slices_[0].inset().inMathed()
$37 = false
(gdb) print slices_[1].inset().inMathed()
$38 = true
(gdb) print slices_[2].inset().inMathed()
Cannot access memory at address 0x20

(gdb) print empty()
$39 = false

(gdb) bt
#0  0x08100d95 in lyx::DocIterator::inMathed (this=0x8bb90d8) at ../../src/DocIterator.h:123
#1  0x08249215 in lyx::Cursor::inMacroMode (this=0x8bb90d8) at ../../src/Cursor.cpp:1549
#2  0x08249b14 in lyx::Cursor::macroModeClose (this=0x8bb90d8) at ../../src/Cursor.cpp:1446
#3  0x0822c611 in lyx::BufferView::mouseSetCursor (this=0x8bb9050, cur=..., select=false) at ../../src/BufferView.cpp:1971
#4  0x081e19f6 in lyx::Text::dispatch (this=0x8b9d65c, cur=..., cmd=...) at ../../src/Text3.cpp:1279
#5  0x083f0a26 in lyx::InsetText::doDispatch (this=0x8b9d648, cur=..., cmd=...) at ../../src/insets/InsetText.cpp:261
#6  0x0830b800 in lyx::Inset::dispatch (this=0x8b9d648, cur=..., cmd=...) at ../../src/insets/Inset.cpp:215
#7  0x0824e6c9 in lyx::Cursor::dispatch (this=0xbfffd2ec, cmd0=...) at ../../src/Cursor.cpp:316
#8  0x08230f14 in lyx::BufferView::mouseEventDispatch (this=0x8bb9050, cmd0=...) at ../../src/BufferView.cpp:1726
#9  0x084660dc in lyx::frontend::GuiWorkArea::dispatch (this=0x8bb7bc8, cmd0=..., mod=lyx::NoModifier)
    at ../../../../src/frontends/qt4/GuiWorkArea.cpp:461
#10 0x0846684e in lyx::frontend::GuiWorkArea::mousePressEvent (this=0x8bb7bc8, e=0xbfffdcac)
    at ../../../../src/frontends/qt4/GuiWorkArea.cpp:682
#11 0xb778b87e in QWidget::event(QEvent*) () from /usr/lib/libQtGui.so.4
#12 0xb7b31f53 in QFrame::event(QEvent*) () from /usr/lib/libQtGui.so.4
#13 0xb7bd0f6f in QAbstractScrollArea::viewportEvent(QEvent*) () from /usr/lib/libQtGui.so.4
#14 0xb7bd3545 in ?? () from /usr/lib/libQtGui.so.4
#15 0xb74fcbfa in QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) () from /usr/lib/libQtCore.so.4
#16 0xb77357ec in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4
#17 0xb773e2e1 in QApplication::notify(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4
#18 0x0841aa9a in lyx::frontend::GuiApplication::notify (this=0x88a66d0, receiver=0x8bb7e30, event=0xbfffdcac)
    at ../../../../src/frontends/qt4/GuiApplication.cpp:1276
#19 0xb74fd9cb in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/libQtCore.so.4
#20 0xb773d36e in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&) ()
   from /usr/lib/libQtGui.so.4
#21 0xb77abea5 in ?? () from /usr/lib/libQtGui.so.4
#22 0xb77ab386 in QApplication::x11ProcessEvent(_XEvent*) () from /usr/lib/libQtGui.so.4
#23 0xb77d5892 in ?? () from /usr/lib/libQtGui.so.4
#24 0xb6e544b8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#25 0xb6e57a13 in ?? () from /usr/lib/libglib-2.0.so.0
#26 0xb6e57b98 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#27 0xb7528858 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#28 0xb77d4fd5 in ?? () from /usr/lib/libQtGui.so.4
#29 0xb74fc01a in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#30 0xb74fc462 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
#31 0xb74fe8b9 in QCoreApplication::exec() () from /usr/lib/libQtCore.so.4
#32 0xb7735697 in QApplication::exec() () from /usr/lib/libQtGui.so.4
#33 0x0841c6be in lyx::frontend::GuiApplication::exec (this=0x88a66d0) at ../../../../src/frontends/qt4/GuiApplication.cpp:1078
#34 0x0815dd9a in lyx::LyX::exec (this=0xbffff5e4, argc=@0xbffff610, argv=0xbffff694) at ../../src/LyX.cpp:343
---Type <return> to continue, or q <return> to quit---
#35 0x08074820 in main (argc=1, argv=0xbffff694) at ../../src/main.cpp:46
(gdb) 

Finally I found how to solve the problem.
The problem was that in src/mathed/InsetMathScript.cpp in the function notifyCursorLeaves.

Here are the problematic lines :

  Cursor insetCur = old;
  int scriptSlice	= insetCur.find(this);
  LASSERT(scriptSlice != -1, /**/);
  insetCur.cutOff(scriptSlice);
  insetCur.recordUndoInset();

  // Let the script inset commit suicide. This is
  // modelled on Cursor.pullArg(), but tries not to
  // invoke notifyCursorLeaves again and does not touch
  // cur (since the top slice will be deleted
  // afterwards)
  MathData ar = cell(0);
  insetCur.pop();
  insetCur.cell().erase(insetCur.pos());
  insetCur.cell().insert(insetCur.pos(), ar);

The problem with "insetCur.pop()" is that it remove also the last item of old, but doesn't update the size of old.
It was the reason why I got with gdb :

(gdb) print slices_.size()
$36 = 3
(gdb) print slices_[2].inset().inMathed()
Cannot access memory at address 0x20

old is declared as constant, but since the last item of old is deleted, it is no more supposed to be constant,
Then I replaced insetCur by old and update the functions definitions and that's it.

If you want to reproduce the crash, open crash.lyx and remove the "a" in the subscript inside the math equation,
then click outside the math equation

Bye
Jonas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: crash.lyx
Type: application/x-lyx
Size: 1084 bytes
Desc: crash.lyx
URL: <http://lists.alioth.debian.org/pipermail/pkg-lyx-devel/attachments/20090928/01454188/attachment-0001.lyx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_crash.patch
Type: text/x-patch
Size: 2996 bytes
Desc: fix_crash.patch
URL: <http://lists.alioth.debian.org/pipermail/pkg-lyx-devel/attachments/20090928/01454188/attachment-0001.bin>