Bug 1608371 - Inkscape crashes on selecting boxed text
Summary: Inkscape crashes on selecting boxed text
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: inkscape
Version: 29
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-07-25 12:13 UTC by wqfu
Modified: 2019-01-21 02:02 UTC (History)
14 users (show)

Fixed In Version: inkscape-0.92.4-1.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-21 02:02:28 UTC


Attachments (Terms of Use)
Screencast with a simple way how to reproduce this (991.06 KB, application/octet-stream)
2018-11-15 13:36 UTC, Jan "Yenya" Kasprzak
no flags Details
dumped core (5.75 KB, text/plain)
2018-11-22 14:49 UTC, Douglas
no flags Details


Links
System ID Priority Status Summary Last Updated
Launchpad 1803553 None None None 2018-11-15 13:44:25 UTC

Description wqfu 2018-07-25 12:13:25 UTC
Description of problem:
Inkscape crashes while selecting text.

Version-Release number of selected component (if applicable):
Name         : inkscape
Version      : 0.92.3
Release      : 2.fc28
Arch         : x86_64


How reproducible:
100% for me.

Steps to Reproduce:
1. Open Inkscape (new document will be opened).
2. Select "Text" tool (or simply press F8).
3. Draw a box using this text tool, you'll see a blue box.
4. Type, let say, "Abc".
5. Select "Select and transform objects" tool (F1 hotkey).
6. Select "Text" tool again.
7. Move cursor to the end of "Abc" word (right behind "c" letter)
8. Press left mouse button --> Crash! Every time.

Additional info:
No crashes on flatpak'ed Inkscape. If you move cursor between "b" and "c" letters (or even "A" and "b") - nothing bad happens - you can select text.

Comment 1 wqfu 2018-07-25 12:16:49 UTC
Can be related to https://bugzilla.redhat.com/show_bug.cgi?id=1575842

Comment 2 Edouard Lefebvre 2018-08-01 09:32:11 UTC
I can reproduce this bug with inkscape.x86_64 0.92.3-2.fc28

Comment 3 jman012345 2018-08-01 19:56:28 UTC
If I understand the original description correctly, the bug occurs when dragging the cursor left to right to select text, when the last character is selected.

I was able to reproduce this bug with inkscape.x86_64 0.92.3-2.fc28 as well. During one test, I typed an underscore as the last character, and attempting to select the entire text did not crash the program, but it also did not select the underscore. When the underscore was replaced by an alphabetical character, Inkscape crashed upon selecting the entire text.

Compiled Inkscape 0.92.3 from source (available from https://inkscape.org/en/release/0.92.3/platforms/) and the bug is not present. Simply re-compiling with all dependencies updated and updating the package in the repository should be enough to fix this bug.

Comment 4 pip 2018-08-24 15:32:15 UTC
Crash every time one tries to select the last letter using the mouse. Inkscape 0.92.3 (2405546, 2018-03-11) Fedora 28.

Comment 5 Jan "Yenya" Kasprzak 2018-11-15 13:36:13 UTC
I see this also on F29 with inkscape-0.92.3-5.fc29.x86_64.

The crash message written to the terminal is this:

/usr/include/c++/8/bits/stl_vector.h:950: std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = Inkscape::Text::Layout::Character; _Alloc = std::allocator<Inkscape::Text::Layout::Character>; std::vector<_Tp, _Alloc>::const_reference = const Inkscape::Text::Layout::Character&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed.

Emergency save activated!
Emergency save completed. Inkscape will close now.
If you can reproduce this crash, please file a bug at www.inkscape.org
with a detailed description of the steps leading to the crash, so we can fix it.
Aborted (core dumped)

It is not even necessary to try to _select_ the last character, just clicking after it makes inkscape crash

- is there an upstream bug for this?

Comment 6 Jan "Yenya" Kasprzak 2018-11-15 13:36:55 UTC
Created attachment 1506073 [details]
Screencast with a simple way how to reproduce this

Comment 7 Jan "Yenya" Kasprzak 2018-11-15 13:44:26 UTC
Reported upstream as https://bugs.launchpad.net/inkscape/+bug/1803553

Comment 8 Adam Matejko 2018-11-21 13:27:22 UTC
Fedora 29 / Inkscape 0.92.3 (2405546, 2018-03-11)

Error when selecting text:

/usr/include/c++/8/bits/stl_vector.h:950: std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = Inkscape::Text::Layout::Character; _Alloc = std::allocator<Inkscape::Text::Layout::Character>; std::vector<_Tp, _Alloc>::const_reference = const Inkscape::Text::Layout::Character&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed.

Emergency save activated!
Emergency save completed. Inkscape will close now.
If you can reproduce this crash, please file a bug at www.inkscape.org
with a detailed description of the steps leading to the crash, so we can fix it.
/usr/include/c++/8/bits/stl_vector.h:950: std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = Inkscape::Text::Layout::Character; _Alloc = std::allocator<Inkscape::Text::Layout::Character>; std::vector<_Tp, _Alloc>::const_reference = const Inkscape::Text::Layout::Character&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed.
Aborted (core dumped)

Comment 9 Douglas 2018-11-22 14:49:01 UTC
Created attachment 1507984 [details]
dumped core

Can reproduce on inkscape-0.92.3-5.fc29

Comment 10 Trevor Spiteri 2019-01-10 20:58:13 UTC
I kept hitting this as well. After some digging, I found that:

* _cursorXOnLineToIterator is setting best_char_index == _characters.size()
* and then returning iterator(this, best_char_index),
* which has an initializer saying _glyph_index(p->_characters[c].in_glyph)

That is an out-of-bounds access of p->_characters, which I believe is causing the abort.

Comment 11 Fedora Update System 2019-01-11 19:08:33 UTC
inkscape-0.92.3-9.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7f9bfd58d0

Comment 12 Fedora Update System 2019-01-12 02:31:06 UTC
inkscape-0.92.3-9.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7f9bfd58d0

Comment 13 Jan "Yenya" Kasprzak 2019-01-14 09:40:14 UTC
inkscape-0.92.3-9.fc29 does not crash anymore for me, but not only I am not able to click on the existing text object for editing after the last character, but apparently also between the second-to-last and the last character. This is an unusual off-by-two error :-)

Comment 14 Fedora Update System 2019-01-15 08:16:27 UTC
inkscape-0.92.3-10.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5de93d92bd

Comment 15 Fedora Update System 2019-01-15 16:39:12 UTC
inkscape-0.92.3-11.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-85f17f2be2

Comment 16 Fedora Update System 2019-01-16 03:31:25 UTC
inkscape-0.92.3-11.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-85f17f2be2

Comment 17 Jan "Yenya" Kasprzak 2019-01-16 10:13:37 UTC
inkscape-0.92.3-11.fc29 works for me, thanks!

Comment 18 Fedora Update System 2019-01-18 17:57:11 UTC
inkscape-0.92.4-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1dd63e1bd4

Comment 19 Fedora Update System 2019-01-19 04:28:49 UTC
inkscape-0.92.4-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-1dd63e1bd4

Comment 20 Fedora Update System 2019-01-21 02:02:28 UTC
inkscape-0.92.4-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.