Description of problem: Inkscape crashes while selecting text. Version-Release number of selected component (if applicable): Name : inkscape Version : 0.92.3 Release : 2.fc28 Arch : x86_64 How reproducible: 100% for me. Steps to Reproduce: 1. Open Inkscape (new document will be opened). 2. Select "Text" tool (or simply press F8). 3. Draw a box using this text tool, you'll see a blue box. 4. Type, let say, "Abc". 5. Select "Select and transform objects" tool (F1 hotkey). 6. Select "Text" tool again. 7. Move cursor to the end of "Abc" word (right behind "c" letter) 8. Press left mouse button --> Crash! Every time. Additional info: No crashes on flatpak'ed Inkscape. If you move cursor between "b" and "c" letters (or even "A" and "b") - nothing bad happens - you can select text.
Can be related to https://bugzilla.redhat.com/show_bug.cgi?id=1575842
I can reproduce this bug with inkscape.x86_64 0.92.3-2.fc28
If I understand the original description correctly, the bug occurs when dragging the cursor left to right to select text, when the last character is selected. I was able to reproduce this bug with inkscape.x86_64 0.92.3-2.fc28 as well. During one test, I typed an underscore as the last character, and attempting to select the entire text did not crash the program, but it also did not select the underscore. When the underscore was replaced by an alphabetical character, Inkscape crashed upon selecting the entire text. Compiled Inkscape 0.92.3 from source (available from https://inkscape.org/en/release/0.92.3/platforms/) and the bug is not present. Simply re-compiling with all dependencies updated and updating the package in the repository should be enough to fix this bug.
Crash every time one tries to select the last letter using the mouse. Inkscape 0.92.3 (2405546, 2018-03-11) Fedora 28.
I see this also on F29 with inkscape-0.92.3-5.fc29.x86_64. The crash message written to the terminal is this: /usr/include/c++/8/bits/stl_vector.h:950: std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = Inkscape::Text::Layout::Character; _Alloc = std::allocator<Inkscape::Text::Layout::Character>; std::vector<_Tp, _Alloc>::const_reference = const Inkscape::Text::Layout::Character&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed. Emergency save activated! Emergency save completed. Inkscape will close now. If you can reproduce this crash, please file a bug at www.inkscape.org with a detailed description of the steps leading to the crash, so we can fix it. Aborted (core dumped) It is not even necessary to try to _select_ the last character, just clicking after it makes inkscape crash - is there an upstream bug for this?
Created attachment 1506073 [details] Screencast with a simple way how to reproduce this
Reported upstream as https://bugs.launchpad.net/inkscape/+bug/1803553
Fedora 29 / Inkscape 0.92.3 (2405546, 2018-03-11) Error when selecting text: /usr/include/c++/8/bits/stl_vector.h:950: std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = Inkscape::Text::Layout::Character; _Alloc = std::allocator<Inkscape::Text::Layout::Character>; std::vector<_Tp, _Alloc>::const_reference = const Inkscape::Text::Layout::Character&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed. Emergency save activated! Emergency save completed. Inkscape will close now. If you can reproduce this crash, please file a bug at www.inkscape.org with a detailed description of the steps leading to the crash, so we can fix it. /usr/include/c++/8/bits/stl_vector.h:950: std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = Inkscape::Text::Layout::Character; _Alloc = std::allocator<Inkscape::Text::Layout::Character>; std::vector<_Tp, _Alloc>::const_reference = const Inkscape::Text::Layout::Character&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed. Aborted (core dumped)
Created attachment 1507984 [details] dumped core Can reproduce on inkscape-0.92.3-5.fc29
I kept hitting this as well. After some digging, I found that: * _cursorXOnLineToIterator is setting best_char_index == _characters.size() * and then returning iterator(this, best_char_index), * which has an initializer saying _glyph_index(p->_characters[c].in_glyph) That is an out-of-bounds access of p->_characters, which I believe is causing the abort.
inkscape-0.92.3-9.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7f9bfd58d0
inkscape-0.92.3-9.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7f9bfd58d0
inkscape-0.92.3-9.fc29 does not crash anymore for me, but not only I am not able to click on the existing text object for editing after the last character, but apparently also between the second-to-last and the last character. This is an unusual off-by-two error :-)
inkscape-0.92.3-10.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5de93d92bd
inkscape-0.92.3-11.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-85f17f2be2
inkscape-0.92.3-11.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-85f17f2be2
inkscape-0.92.3-11.fc29 works for me, thanks!
inkscape-0.92.4-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1dd63e1bd4
inkscape-0.92.4-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-1dd63e1bd4
inkscape-0.92.4-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.