Fontforge Crash in archlinux. #200

Closed
Changes729 opened this issue Mar 1, 2020 · 3 comments
Hello,
I use FontForge to generate some bitmap fonts on Arch Linux, but it crashes when I set the Unicode value of some glyphs and confirm the dialog. Here is the call stack:

(gdb) bt
#0  0x00007ffff79c1fb6 in _GWidget_RemoveGadget () at /usr/lib/libgdraw.so.6
#1  0x00007ffff79cd94f in _ggadget_destroy () at /usr/lib/libgdraw.so.6
#2  0x00007ffff79b9f41 in  () at /usr/lib/libgdraw.so.6
#3  0x00007ffff7a00605 in  () at /usr/lib/libgdraw.so.6
#4  0x00007ffff79c2b08 in  () at /usr/lib/libgdraw.so.6
#5  0x00007ffff7a0b318 in  () at /usr/lib/libgdraw.so.6
#6  0x00007ffff7a0b499 in  () at /usr/lib/libgdraw.so.6
#7  0x00007ffff5ff4be4 in  () at /usr/lib/libglib-2.0.so.0
#8  0x00007ffff5ff53ef in g_main_context_dispatch () at /usr/lib/libglib-2.0.so.0
#9  0x00007ffff5ff72d1 in  () at /usr/lib/libglib-2.0.so.0
#10 0x00007ffff5ff7311 in g_main_context_iteration () at /usr/lib/libglib-2.0.so.0
#11 0x00007ffff7a09e0e in  () at /usr/lib/libgdraw.so.6
#12 0x00007ffff7dd9b27 in fontforge_main () at /usr/lib/libfontforgeexe.so.3
#13 0x00007ffff7a7a023 in __libc_start_main () at /usr/lib/libc.so.6
#14 0x000055555555505e in _start ()
(gdb) disassemble 
Dump of assembler code for function _GWidget_RemoveGadget:
   0x00007ffff79c1f10 <+0>:	push   %r12
   0x00007ffff79c1f12 <+2>:	push   %rbp
   0x00007ffff79c1f13 <+3>:	push   %rbx
   0x00007ffff79c1f14 <+4>:	mov    0x8(%rdi),%rbx
   0x00007ffff79c1f18 <+8>:	test   %rbx,%rbx
   0x00007ffff79c1f1b <+11>:	je     0x7ffff79c1fd0 <_GWidget_RemoveGadget+192>
   0x00007ffff79c1f21 <+17>:	mov    0x38(%rbx),%r12
   0x00007ffff79c1f25 <+21>:	mov    %rdi,%rbp
   0x00007ffff79c1f28 <+24>:	test   %r12,%r12
   0x00007ffff79c1f2b <+27>:	je     0x7ffff79c1fd8 <_GWidget_RemoveGadget+200>
   0x00007ffff79c1f31 <+33>:	testb  $0x4,0x28(%r12)
   0x00007ffff79c1f37 <+39>:	je     0x7ffff79c1fd8 <_GWidget_RemoveGadget+200>
   0x00007ffff79c1f3d <+45>:	mov    0x30(%r12),%rax
   0x00007ffff79c1f42 <+50>:	cmp    %rbp,%rax
   0x00007ffff79c1f45 <+53>:	jne    0x7ffff79c1f5c <_GWidget_RemoveGadget+76>
   0x00007ffff79c1f47 <+55>:	jmpq   0x7ffff79c1ff5 <_GWidget_RemoveGadget+229>
   0x00007ffff79c1f4c <+60>:	nopl   0x0(%rax)
   0x00007ffff79c1f50 <+64>:	mov    0x40(%rax),%rdx
   0x00007ffff79c1f54 <+68>:	cmp    %rbp,%rdx
   0x00007ffff79c1f57 <+71>:	je     0x7ffff79c1f78 <_GWidget_RemoveGadget+104>
   0x00007ffff79c1f59 <+73>:	mov    %rdx,%rax
   0x00007ffff79c1f5c <+76>:	test   %rax,%rax
   0x00007ffff79c1f5f <+79>:	jne    0x7ffff79c1f50 <_GWidget_RemoveGadget+64>
   0x00007ffff79c1f61 <+81>:	lea    0x52108(%rip),%rdi        # 0x7ffff7a14070
   0x00007ffff79c1f68 <+88>:	xor    %eax,%eax
   0x00007ffff79c1f6a <+90>:	callq  *0x6dd60(%rip)        # 0x7ffff7a2fcd0
   0x00007ffff79c1f70 <+96>:	jmp    0x7ffff79c1f80 <_GWidget_RemoveGadget+112>
   0x00007ffff79c1f72 <+98>:	nopw   0x0(%rax,%rax,1)
   0x00007ffff79c1f78 <+104>:	mov    0x40(%rbp),%rdx
   0x00007ffff79c1f7c <+108>:	mov    %rdx,0x40(%rax)
   0x00007ffff79c1f80 <+112>:	cmp    %rbp,0x40(%r12)
   0x00007ffff79c1f85 <+117>:	je     0x7ffff79c2005 <_GWidget_RemoveGadget+245>
   0x00007ffff79c1f87 <+119>:	movq   $0x0,0x40(%rbp)
   0x00007ffff79c1f8f <+127>:	movq   $0x0,0x8(%rbp)
   0x00007ffff79c1f97 <+135>:	jmp    0x7ffff79c1fa6 <_GWidget_RemoveGadget+150>
   0x00007ffff79c1f99 <+137>:	nopl   0x0(%rax)
   0x00007ffff79c1fa0 <+144>:	testb  $0x4,0x48(%rax)
   0x00007ffff79c1fa4 <+148>:	jne    0x7ffff79c1fb2 <_GWidget_RemoveGadget+162>
   0x00007ffff79c1fa6 <+150>:	mov    %rbx,%rax
   0x00007ffff79c1fa9 <+153>:	mov    0x28(%rbx),%rbx
   0x00007ffff79c1fad <+157>:	test   %rbx,%rbx
   0x00007ffff79c1fb0 <+160>:	jne    0x7ffff79c1fa0 <_GWidget_RemoveGadget+144>
   0x00007ffff79c1fb2 <+162>:	mov    0x38(%rax),%rax
=> 0x00007ffff79c1fb6 <+166>:	cmp    %rbp,0x60(%rax)
   0x00007ffff79c1fba <+170>:	je     0x7ffff79c2028 <_GWidget_RemoveGadget+280>
   0x00007ffff79c1fbc <+172>:	cmp    %rbp,0x68(%rax)
   0x00007ffff79c1fc0 <+176>:	je     0x7ffff79c2018 <_GWidget_RemoveGadget+264>
   0x00007ffff79c1fc2 <+178>:	cmp    %rbp,0x78(%rax)
   0x00007ffff79c1fc6 <+182>:	jne    0x7ffff79c1fd0 <_GWidget_RemoveGadget+192>
   0x00007ffff79c1fc8 <+184>:	movq   $0x0,0x78(%rax)
   0x00007ffff79c1fd0 <+192>:	pop    %rbx
   0x00007ffff79c1fd1 <+193>:	pop    %rbp
   0x00007ffff79c1fd2 <+194>:	pop    %r12
   0x00007ffff79c1fd4 <+196>:	retq   
   0x00007ffff79c1fd5 <+197>:	nopl   (%rax)
   0x00007ffff79c1fd8 <+200>:	xor    %eax,%eax
   0x00007ffff79c1fda <+202>:	lea    0x52047(%rip),%rdi        # 0x7ffff7a14028
   0x00007ffff79c1fe1 <+209>:	callq  *0x6dce9(%rip)        # 0x7ffff7a2fcd0
   0x00007ffff79c1fe7 <+215>:	mov    0x30(%r12),%rax
   0x00007ffff79c1fec <+220>:	cmp    %rbp,%rax
(gdb) info registers 
rax            0x0                 0
rbx            0x555555643db0      93824993213872
rcx            0x2                 2
rdx            0x55555594a3c0      93824996385728
rsi            0x0                 0
rdi            0x55555594a480      93824996385920
rbp            0x55555594a480      0x55555594a480
rsp            0x7fffffffce90      0x7fffffffce90
r8             0x555555559014      93824992251924
r9             0x7                 7
r10            0x2a                42
r11            0x20                32
r12            0x555555926d50      93824996240720
r13            0x55555594a210      93824996385296
r14            0x555555926d50      93824996240720
r15            0x1                 1
rip            0x7ffff79c1fb6      0x7ffff79c1fb6 <_GWidget_RemoveGadget+166>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

I think the crash is a NULL-pointer dereference: at the faulting instruction (`cmp %rbp,0x60(%rax)` at `_GWidget_RemoveGadget+166`) `rax` is 0, which corresponds to `td` being NULL on the line marked `=>` below — i.e. `gw->widget_data` of the top-level window reached by walking `gw->parent` was NULL:

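/*
 * Unlink gadget g from the gadget list of the window it is attached to and
 * clear any references the window hierarchy still holds to it: the
 * container's grab gadget, and the default / cancel / focus gadget of the
 * enclosing top-level window.
 *
 * g must be non-NULL. If g->base is NULL the gadget is not attached to any
 * window and there is nothing to do.
 *
 * Defensive change, based on the backtrace in this report: the faulting
 * instruction was the `td->gdef == g` compare with rax == 0, i.e. td was
 * NULL (the top-level window had no widget_data). That case, and the
 * gd == NULL case the code already reports as an internal error, now return
 * instead of dereferencing a NULL pointer. Whether GDrawIError() aborts is
 * not visible here; the disassembly shows the old code continuing after the
 * call, so an explicit return is needed either way.
 */
void _GWidget_RemoveGadget(GGadget *g) {
    struct gwidgetcontainerdata *gd;
    GTopLevelD *td;
    GWindow gw = g->base;
    GGadget *next;

    if ( gw==NULL )
	return;			/* not attached to any window */

    gd = (struct gwidgetcontainerdata *) (gw->widget_data);
    if ( gd==NULL || !gd->iscontainer ) {
	GDrawIError( "Attempt to remove a gadget to something which is not a container");
	return;			/* previously fell through and dereferenced gd */
    }

    /* Unlink g from the gadget list, which is chained through ->prev. */
    if ( gd->gadgets==g )
	gd->gadgets = g->prev;
    else {
	for ( next = gd->gadgets; next!=NULL && next->prev!=g; next = next->prev );
	if ( next==NULL )
	    GDrawIError( "Attempt to remove a gadget which is not in the gadget list" );
	else
	    next->prev = g->prev;
    }
    if ( gd->grabgadget == g ) gd->grabgadget = NULL;
    g->prev = NULL;
    g->base = NULL;

    /* Walk up to the enclosing top-level window and drop its references to g. */
    while ( gw->parent!=NULL && !gw->is_toplevel ) gw = gw->parent;
    td = (GTopLevelD *) (gw->widget_data);
    if ( td==NULL )
	return;			/* crash site in this report: td was NULL here */
    if ( td->gdef == g ) td->gdef = NULL;
    if ( td->gcancel == g ) td->gcancel = NULL;
    if ( td->gfocus == g ) td->gfocus = NULL;
}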

I use i3-gaps as my window manager, could the error have something to do with this?

Best wishes.


skef commented Mar 1, 2020

Does this crash reproduce reliably? And if so could you list the specific steps to reproduce it and, if relevant, attach any needed files? (You can attach test files by placing them in a zip archive and then adding it by clicking in the "Attach files" region below the comment field.)

@Changes729
Author

Does this crash reproduce reliably? And if so could you list the specific steps to reproduce it and, if relevant, attach any needed files? (You can attach test files by placing them in a zip archive and then adding it by clicking in the "Attach files" region below the comment field.)

The crash appears when I press Alt+O to save the current glyph info.
crash when enter alt + o

If I set a Unicode value and then press Alt+O to save, the crash occurs; if I change nothing and press Alt+O to close the dialog, it does not.

@probonopd
Contributor

I think this issue should be moved to https://github.com/fontforge/fontforge/issues?
