Bug 139484

Summary: Qt application crash after a series of input on indic shaper
Product: Fedora
Component: qt
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Keywords: i18n
Reporter: Lawrence Lim <llim>
Assignee: Than Ngo <than>
QA Contact: Ben Levenson <benl>
CC: eng-i18n-bugs, tools-bugs, wtogami
Doc Type: Bug Fix
Last Closed: 2005-02-12 17:23:49 UTC
Bug Blocks: 125997, 126002

Description Lawrence Lim 2004-11-16 09:39:46 UTC
Description of problem:
When running a Qt application (kedit) in the Indic locale using httx, the
application crashes after a series of input.

[snip]
receiving IMEnd with 1 chars
sending IMStart with 0 chars to 0x8d90a80
sending IMEnd with 1 chars to 0x8d90a80, text=à¥
receiving IMEnd with 1 chars
sending IMStart with 0 chars to 0x8d90a80
sending IMEnd with 1 chars to 0x8d90a80, text=à¥
receiving IMEnd with 1 chars
*** glibc detected *** double free or corruption: 0x08e25110 ***
Alarm clock

Version-Release number of selected component (if applicable):
im-sdk-12.1-7
qt-3.3.3-8

How reproducible:
Always

Steps to Reproduce:
1. in the g-t, killall httx
2. in the g-t, LANG=hi_IN.UTF-8 httx
3. in another g-t, LANG=hi_IN.UTF-8 kedit
4. ctrl-space to activate LE
5. enter a series of input very rapidly

Actual results:
Application crash

Expected results:
Application should not crash

Additional info:

Comment 1 Leon Ho 2004-11-17 08:00:30 UTC
Looks like it is about the Indic shaper in Qt. I can reproduce it by
cut-and-pasting an Indic character.

Moving to qt component.

Here is the backtrace:
#0  0x00b0b7bc in free () from /usr/lib/libkdecore.so.4
#1  0x05ea9227 in QTextEngine::reallocate (this=0xfee17e70, totalGlyphs=32)
    at kernel/qtextengine.cpp:913
#2  0x05d96e1d in QOpenType::appendTo (this=0x8f56450, engine=0xfee17e70,
    si=0x8f99f30, doLogClusters=false) at qtextengine_p.h:351
#3  0x05ea47c2 in indic_shape (script=14, string=@0xfee17e74, from=0, len=10,
    engine=0xfee17e70, si=0x8f99f30) at qscriptengine_x11.cpp:1652
#4  0x05ea9007 in QTextEngine::shape (this=0xfee17e70, item=14)
    at qtextengine_unix.cpp:90
#5  0x05eaa86b in QTextEngine::width (this=0xfee17e70, from=3, len=1)
    at kernel/qtextengine.cpp:1011
#6  0x05d70a6c in QFontMetrics::charWidth (this=0x8f53d00, str=@0xcc000880,
    pos=3) at kernel/qfont_x11.cpp:711
#7  0x05e61ae2 in QTextFormat::width (this=0x8f53cf0, str=@0xfee17f70, pos=3)
    at kernel/qrichtext.cpp:3611
#8  0x05e62336 in QTextString::width (this=0x8f53e40, idx=3)
    at qrichtext_p.h:2095
#9  0x05e82a09 in QTextFormatterBreakWords::format (this=0x8f54a60,
    doc=0x8f534b8, parag=0x8f545c8, start=-1) at kernel/qrichtext.cpp:5751
#10 0x05e78841 in QTextParagraph::format (this=0x8f545c8, start=-1,
    doMove=true) at qrichtext_p.h:1189
#11 0x05e7e285 in QTextCursor::insert (this=0x8f54b48, str=@0xcc000880,
    checkNewLine=24, formatting=0x0) at kernel/qrichtext.cpp:588
#12 0x05f7d648 in QTextEdit::insert (this=0x8f51ce8, text=@0xcc000880,
    insertionFlags=3422554240) at widgets/qtextedit.cpp:3089
#13 0x05f7dd7f in QTextEdit::insert (this=0xcc000880, text=@0xcc000880,
    removeSelected=128) at widgets/qtextedit.cpp:3030
#14 0x05f7aa0f in QTextEdit::pasteSubType (this=0x8f51ce8,
    subtype=@0xfee18540, m=0x8f45f68) at widgets/qtextedit.cpp:5142
#15 0x05f7af43 in QTextEdit::pasteSubType (this=0x8f51ce8, subtype=@0xcc000880)
    at widgets/qtextedit.cpp:5031
#16 0x05f764cf in QTextEdit::paste (this=0x8f51ce8)
    at widgets/qtextedit.cpp:3360
#17 0x0641fe86 in KEdit::keyPressEvent () from /usr/lib/libkdeui.so.4
#18 0x05e532cf in QWidget::event (this=0x8f51ce8, e=0xfee18bb0)
    at kernel/qwidget.cpp:4742
#19 0x05f6ce7d in QTextEdit::event (this=0x8f51ce8, e=0xfee18bb0)
    at widgets/qtextedit.cpp:1219
#20 0x05dbe849 in QApplication::internalNotify (this=0xcc000880,
    receiver=0x8f51ce8, e=0xfee18bb0) at kernel/qapplication.cpp:2635
#21 0x05dbee5c in QApplication::notify (this=0xfee190b0, receiver=0x8f51ce8,
    e=0xfee18bb0) at kernel/qapplication.cpp:2392
#22 0x009eb4e8 in KApplication::notify () from /usr/lib/libkdecore.so.4
#23 0x05d54ce2 in QETWidget::translateKeyEvent (this=0x8f51ce8, event=0x56,
    grab=6) at qapplication.h:518
#24 0x05d5c2c2 in QApplication::x11ProcessEvent (this=0xfee190b0,
    event=0xfee18f50) at kernel/qapplication_x11.cpp:3480
#25 0x05d6e686 in QEventLoop::processEvents (this=0x8ec6510, flags=4)
    at kernel/qeventloop_x11.cpp:192
#26 0x05dd3e75 in QEventLoop::enterLoop (this=0x8ec6510)
    at kernel/qeventloop.cpp:198
#27 0x05dd3dce in QEventLoop::exec (this=0x8ec6510)
    at kernel/qeventloop.cpp:145
#28 0x05dbda4b in QApplication::exec (this=0xfee190b0)
    at kernel/qapplication.cpp:2758
#29 0x0076462c in kdemain () from /usr/lib/libkdeinit_kedit.so
#30 0x080485f2 in ?? ()
#31 0x00000001 in ?? ()
#32 0xfee19284 in ?? ()
#33 0x080496d8 in ?? ()
#34 0x00513ff4 in ?? () from /lib/tls/libc.so.6
#35 0x00000000 in ?? ()


Comment 2 Leon Ho 2004-11-17 08:13:59 UTC
valgrind --tool=memcheck:

==11857== Use of uninitialised value of size 4
==11857==    at 0xB0B7BC: free (in /usr/lib/libkdecore.so.4.2.0)
==11857==    by 0x5EA9226: QTextEngine::reallocate(int) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.3)
==11857==    by 0x5D96E1C: QOpenType::appendTo(QTextEngine*, QScriptItem*, bool) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.3)
==11857==    by 0x5EA47C1: (within /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.3)
==11857==
==11857== Invalid read of size 4
==11857==    at 0xB0B7BC: free (in /usr/lib/libkdecore.so.4.2.0)
==11857==    by 0x5EA9226: QTextEngine::reallocate(int) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.3)
==11857==    by 0x5D96E1C: QOpenType::appendTo(QTextEngine*, QScriptItem*, bool) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.3)
==11857==    by 0x5EA47C1: (within /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.3)
==11857==  Address 0x3B8D1364 is not stack'd, malloc'd or (recently) free'd
==11857==
==11857== ERROR SUMMARY: 126 errors from 3 contexts (suppressed: 70 from 1)
==11857== malloc/free: in use at exit: 456810 bytes in 16346 blocks.
==11857== malloc/free: 132688 allocs, 116342 frees, 3014744 bytes allocated.
==11857== For a detailed leak analysis,  rerun with: --leak-check=yes
==11857== For counts of detected errors, rerun with: -v

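The valgrind report above says free(), reached from QTextEngine::reallocate via QOpenType::appendTo, was handed an uninitialised 4-byte value and then read from an address that was never allocated. The bug does not say why Qt's engine got there, so the following is an added illustration of that bug class and not Qt's code: a hypothetical growable glyph buffer (the struct, function names and the two-glyph sample cluster are all invented for this example) whose unsafe variant reallocates through a pointer nobody initialised, beside a hardened variant that zeroes the run, overflow-checks the byte count, grows geometrically so rapid repeated pastes do not hammer the allocator, and nulls the pointer on free so a second free cannot corrupt the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable glyph buffer, not Qt's QTextEngine: used to show the
 * bug class behind valgrind's "Use of uninitialised value ... at free ... by
 * QTextEngine::reallocate" signature, and a grow routine that cannot produce it. */
typedef struct {
    uint32_t *glyphs;   /* heap buffer, or NULL when empty */
    size_t num_glyphs;  /* slots in use */
    size_t capacity;    /* slots allocated */
} glyph_run;

/* Anti-pattern (for contrast only, never called here): the run is created with
 * malloc and its fields are never initialised, so the first grow hands whatever
 * bytes happen to sit in `glyphs` to realloc(), which frees that garbage pointer. */
static int grow_unsafe(size_t total_glyphs) {
    glyph_run *r = malloc(sizeof *r);            /* r->glyphs is uninitialised */
    if (!r) return -1;
    uint32_t *p = realloc(r->glyphs, total_glyphs * sizeof *p);  /* garbage in, crash out */
    if (!p) { free(r); return -1; }
    r->glyphs = p;
    r->capacity = total_glyphs;
    free(r->glyphs);
    free(r);
    return 0;
}

/* Hardened path: every run starts zeroed, sizes are overflow-checked, realloc is
 * only ever given NULL or a pointer this code allocated, and free() nulls the
 * pointer so an accidental second free is a no-op instead of heap corruption. */
static void run_init(glyph_run *r) { memset(r, 0, sizeof *r); }

static int run_reserve(glyph_run *r, size_t total_glyphs) {
    if (total_glyphs <= r->capacity) return 0;
    if (total_glyphs > SIZE_MAX / sizeof(uint32_t)) return -1;  /* byte count would overflow */
    size_t new_cap = r->capacity ? r->capacity : 16;
    while (new_cap < total_glyphs) {             /* grow geometrically */
        if (new_cap > SIZE_MAX / 2) { new_cap = total_glyphs; break; }
        new_cap *= 2;
    }
    uint32_t *p = realloc(r->glyphs, new_cap * sizeof *p);
    if (!p) return -1;                           /* old buffer is still valid */
    r->glyphs = p;
    r->capacity = new_cap;
    return 0;
}

static int run_append(glyph_run *r, const uint32_t *src, size_t n) {
    if (n > SIZE_MAX - r->num_glyphs) return -1;
    if (run_reserve(r, r->num_glyphs + n) != 0) return -1;
    memcpy(r->glyphs + r->num_glyphs, src, n * sizeof *src);
    r->num_glyphs += n;
    return 0;
}

static void run_free(glyph_run *r) {
    free(r->glyphs);
    r->glyphs = NULL;
    r->num_glyphs = r->capacity = 0;
}

/* Models the reporter's repro: paste the same short cluster over and over.
 * Returns the glyph count after `repeats` pastes, or 0 on allocation failure. */
static size_t simulate_rapid_paste(size_t repeats) {
    static const uint32_t cluster[] = { 0x0915, 0x094D }; /* constructed sample: KA + virama */
    glyph_run r;
    run_init(&r);
    for (size_t i = 0; i < repeats; i++) {
        if (run_append(&r, cluster, 2) != 0) { run_free(&r); return 0; }
    }
    size_t n = r.num_glyphs;
    run_free(&r);
    run_free(&r);   /* deliberate second free: harmless because the pointer was nulled */
    return n;
}

/* Returns 1 if an absurd request is refused without touching the buffer. */
static int reserve_rejects_overflow(void) {
    glyph_run r;
    run_init(&r);
    int rc = run_reserve(&r, SIZE_MAX);
    int ok = (rc == -1 && r.glyphs == NULL && r.capacity == 0);
    run_free(&r);
    return ok;
}

int main(void) {
    (void)grow_unsafe;  /* referenced only so the compiler does not warn; never run */
    printf("glyphs after 1000 pastes: %zu\n", simulate_rapid_paste(1000));
    printf("overflow guard ok: %d\n", reserve_rejects_overflow());
    return 0;
}
```

Calling grow_unsafe() under valgrind --tool=memcheck, as in the comment above, is what produces the "Use of uninitialised value ... at free" and "Invalid read" pair, because realloc() on a garbage pointer first reads that pointer's chunk header and then tries to free it; the hardened path never lets realloc() or free() see anything but NULL or a pointer this code allocated, which is the invariant a shaper's glyph-buffer growth routine needs to hold under rapid repeated input.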

Comment 3 Than Ngo 2004-11-17 15:49:26 UTC
It's strange, I still cannot reproduce it with your instructions on a
machine with FC3+updates! Could you please give exact instructions
to reproduce this problem. Thanks


Comment 4 Leon Ho 2004-11-19 06:44:04 UTC
Here are the exact steps to reproduce:
- install ttfonts-hi
- run LANG=hi_IN.UTF-8 kedit
- copy "à¥" by ctrl-c here
- keep and hold ctrl-v in kedit


Comment 5 Than Ngo 2005-02-12 17:23:49 UTC
It seems to be fixed in qt-3.3.4-4. I cannot reproduce this crash with
this version.