Description of problem: When using the scim-chewing input method, setting GTK_IM_MODULE to "scim-bridge" will cause a crash that will not happen when GTK_IM_MODULE is "scim" instead. Version-Release number of selected component (if applicable): scim-1.4.4-35.fc6 scim-bridge-0.4.5-3.fc6 scim-chewing-0.3.1-7.fc6 scim-libs-1.4.4-35.fc6 How reproducible: always Steps to Reproduce: 1. GTK_IM_MODULE=scim-bridge gedit 2. activate the scim-chewing input method and input the traditional Chinese string "講你想的解法' I realize this is difficult if you don't know the input method or Chinese. 3. when pressing Enter to commit the string typed above, gedit will crash. (I'll attach the stack trace with debug symbols) 4. GTK_IM_MODULE=scim gedit 5. repeat step 2 and 3 above, this will not crash. Actual results: gedit crashing Expected results: no crashes. Additional info: I verified this also happens on scim-bridge CVS HEAD. The crash is caused by very large begin and end positions in the preedit text attributes that controls appearence of the preedit area (underline and background color etc). scim-bridge contains code that tries to validate the begin and end range but fails for values like: scim_bridge_client_imcontext_get_preedit_string: attr[3]: <attr type:3, value:15790320, (begin, end):(2925572328, 2925572330)> I've attached a patch that verifies the unicode character offsets before calling g_utf8_offset_to_pointer thus avoiding the crash. It's unclear to me how those attribute values got placed on the wire in the first place. Crashing stack trace below: #0 IA__g_utf8_offset_to_pointer (str=0xbab5d0 "", offset=6309040) at gutf8.c:302 #1 0x00002aaab33e5e87 in scim_bridge_client_imcontext_get_preedit_string (context=<value optimized out>, str=0xe34930, pango_attrs=0x2, cursor_pos=0x6044b2) at scim-bridge-client-imcontext-gtk.c:657 #2 0x000000340ff10515 in IA__gtk_im_context_get_preedit_string (context=0xbae020, str=0x7fff2701f760, attrs=0x7fff2701f758, cursor_pos=0x7fff2701f76c) at gtkimcontext.c:262 #3 0x000000340ff10515 in IA__gtk_im_context_get_preedit_string (context=0xaa2940, str=0x7fff2701f760, attrs=0x7fff2701f758, cursor_pos=0x7fff2701f76c) at gtkimcontext.c:262 #4 0x000000340ffe20ac in gtk_text_view_preedit_changed_handler (context=0xbab5d0, text_view=0xaa6170) at gtktextview.c:6844 #5 0x000000340a20b16a in IA__g_closure_invoke (closure=0xaa8900, return_value=0x0, n_param_values=1, param_values=0x7fff2701fa10, invocation_hint=0x7fff2701f8d0) at gclosure.c:490 #6 0x000000340a21b3bd in signal_emit_unlocked_R (node=0xaa5f90, detail=0, instance=0xaa2940, emission_return=0x0, instance_and_params=0x7fff2701fa10) at gsignal.c:2438 #7 0x000000340a21c826 in IA__g_signal_emit_valist (instance=0xaa2940, signal_id=<value optimized out>, detail=0, var_args=0x7fff2701fc90) at gsignal.c:2197 #8 0x000000340a21e3d0 in IA__g_signal_emit_by_name (instance=0xaa2940, detailed_signal=0x3410071dfd "preedit_changed") at gsignal.c:2265 #9 0x000000340a20b16a in IA__g_closure_invoke (closure=0xbab720, return_value=0x0, n_param_values=1, param_values=0x7fff27020020, invocation_hint=0x7fff2701fee0) at gclosure.c:490 #10 0x000000340a21b3bd in signal_emit_unlocked_R (node=0xaa5f90, detail=0, instance=0xbae020, emission_return=0x0, instance_and_params=0x7fff27020020) at gsignal.c:2438 #11 0x000000340a21c826 in IA__g_signal_emit_valist (instance=0xbae020, signal_id=<value optimized out>, detail=0, var_args=0x7fff270202a0) at gsignal.c:2197 #12 0x000000340a21e3d0 in IA__g_signal_emit_by_name (instance=0xbae020, detailed_signal=0x2aaab33ed7cc "e ()") at gsignal.c:2265 #13 0x00002aaab33eb47a in scim_bridge_client_read_and_dispatch () at scim-bridge-client.c:539 #14 0x00002aaab33ebe55 in scim_bridge_client_handle_key_event (imcontext=<value optimized out>, key_event=0xe3b8a0, consumed=0x7fff27020514) at scim-bridge-client.c:1581 #15 0x00002aaab33e65f6 in filter_key_event (imcontext=0xbae020, event=0xbf88f0, consumed=0x7fff27020514) at scim-bridge-client-imcontext-gtk.c:117 #16 0x00002aaab33e672b in scim_bridge_client_imcontext_filter_key_event (context=<value optimized out>, event=0xbf88f0) at scim-bridge-client-imcontext-gtk.c:580 #17 0x000000340ffe0d33 in gtk_text_view_key_press_event (widget=0xaa6170, event=0xbf88f0) at gtktextview.c:3870 #18 0x000000341441a830 in gtk_source_view_get_show_line_numbers () from /usr/lib64/libgtksourceview-1.0.so.0 #19 0x000000340ff3015d in _gtk_marshal_BOOLEAN__BOXED (closure=0x70feb0, return_value=0x7fff27020980, n_param_values=<value optimized out>, param_values=0x7fff27020a80, invocation_hint=<value optimized out>, marshal_data=0x341441a740) at gtkmarshalers.c:84 #20 0x000000340a20b220 in IA__g_closure_invoke (closure=0x70feb0, return_value=0x7fff27020980, n_param_values=2, param_values=0x7fff27020a80, invocation_hint=0x7fff27020940) at gclosure.c:490 #21 0x000000340a21b9dd in signal_emit_unlocked_R (node=0x70ff20, detail=0, instance=0xaa6170, emission_return=0x7fff27020ca0, instance_and_params=0x7fff27020a80) at gsignal.c:2476 #22 0x000000340a21c5ef in IA__g_signal_emit_valist (instance=0xaa6170, signal_id=<value optimized out>, detail=0, var_args=0x7fff27020d00) at gsignal.c:2207 #23 0x000000340a21ca03 in IA__g_signal_emit (instance=0xbab5d0, signal_id=6309040, detail=2653740) at gsignal.c:2241 #24 0x000000341002d63e in gtk_widget_event_internal (widget=0xaa6170, event=0xbf88f0) at gtkwidget.c:3911 #25 0x0000000000448d84 in _gedit_window_move_tab_to_new_window () #26 0x000000340ff3015d in _gtk_marshal_BOOLEAN__BOXED (closure=0x70feb0, return_value=0x7fff27020ff0, n_param_values=<value optimized out>, param_values=0x7fff270210f0, invocation_hint=<value optimized out>, ---Type <return> to continue, or q <return> to quit--- marshal_data=0x448d50) at gtkmarshalers.c:84 #27 0x000000340a20b16a in IA__g_closure_invoke (closure=0x70feb0, return_value=0x7fff27020ff0, n_param_values=2, param_values=0x7fff270210f0, invocation_hint=0x7fff27020fb0) at gclosure.c:490 #28 0x000000340a21b9dd in signal_emit_unlocked_R (node=0x70ff20, detail=0, instance=0x71e020, emission_return=0x7fff27021310, instance_and_params=0x7fff270210f0) at gsignal.c:2476 #29 0x000000340a21c5ef in IA__g_signal_emit_valist (instance=0x71e020, signal_id=<value optimized out>, detail=0, var_args=0x7fff27021370) at gsignal.c:2207 #30 0x000000340a21ca03 in IA__g_signal_emit (instance=0xbab5d0, signal_id=6309040, detail=2653740) at gsignal.c:2241 #31 0x000000341002d63e in gtk_widget_event_internal (widget=0x71e020, event=0xbf88f0) at gtkwidget.c:3911 #32 0x000000340ff29915 in IA__gtk_propagate_event (widget=0x71e020, event=0xbf88f0) at gtkmain.c:2162 #33 0x000000340ff2a861 in IA__gtk_main_do_event (event=0xbf88f0) at gtkmain.c:1422 #34 0x000000341044674c in gdk_event_dispatch (source=<value optimized out>, callback=<value optimized out>, user_data=<value optimized out>) at gdkevents-x11.c:2320 #35 0x000000340922cf44 in IA__g_main_context_dispatch (context=0x6da840) at gmain.c:2045 #36 0x000000340922fd7d in g_main_context_iterate (context=0x6da840, block=1, dispatch=1, self=<value optimized out>) at gmain.c:2677 #37 0x000000340923008a in IA__g_main_loop_run (loop=0xab3f00) at gmain.c:2881 #38 0x000000340ff2abf3 in IA__gtk_main () at gtkmain.c:1001 #39 0x0000000000424491 in main ()
Created attachment 137895 [details] ignore attributes with invalid ranges by testing their unicode character offsets
Could you please test with the latest scim-bridge in rawhide? I suspect this is already fixed in 0.4.5.
This happens on scim-bridge-0.4.5-3.fc6.x86_64, the other components involved have "Version-Release number of selected component" like I reported above. Is there a more recent build that have not been pushed out to public mirrors?
Sorry, Scott, I was paying attention to product version field. :) It would help if you could write down the key input sequence for the chinese string if it is not too much trouble for non-Chinese speakers to reproduce this more easily.
1. add "/IMEngine/Chewing/KeyboardType = KB_HSU" to ~/.scim/config 2. the key sequence will then be: "jekfnefcekfdgsjeeffyf"
Thank you for the nice backtrace. It must be fixed on the CVS latest. Please try it and tell me if there's still a problem. :)
Ryo, thanks :) From the cvs logs I see that this checkin indeed fixed the bug: revision 1.60 date: 2006/10/06 16:47:22; author: ryo-dairiki; state: Exp; lines: +40 -15 - Get rid of the unwanted underline attributes defautly applied on the preedit string In client-gtk/scim-bridge-client-imcontext-gtk.c, scim_bridge_client_imcontext_get_preedit_string, do you consider these attributes with illegal {begin,end}_pos a bug somewhere in the scim system ? I sure hope this fix can make it into FC6 final, having to wait for an update until you can type without fearing every program crashing is just no fun.
> do you consider these attributes with illegal {begin,end}_pos a bug somewhere in the scim system ? I haven't confirm that, but I think it's a bug of scim-chewing. > do you consider these attributes with illegal {begin,end}_pos a bug somewhere in the scim system ? I hope so too.
Yes, this appears to be fixed in cvs. Thank you, Dairiki-san. :)
Should be fixed in next devel build.
I'm guessing this didn't make it into fc6 final and would become one of the early updates ?
(In reply to comment #13) > I'm guessing this didn't make it into fc6 final and would become one of the > early updates ? That's right, Scott. So I'm leaving this in assigned until FC6 is out and we have an fc6 OS version in bugzilla.
Jens: I can certainly understand this bug not being flagged as release critical and that fc6 is in deep freeze. Nevertheless I'll write a long message and try to convince you that this bug will be very painfull to Taiwanese users. scim-chewing implements a phonetic input method for traditional Chinese with a builtin dictionary and heuristics for phrase choosing. This is the primary method of text input used in Taiwan with over 99% marketshare. Users behind corporate firewalls and those without internet connectivity mostly install from CDROM media and never perform yum updates. This is the case for my last three jobs with two consumer electronics companies and one mainboard manufacturer. The user experience with this bug in effect: * Joe types text into application * The application window disappears along with the document he was just working on Imagine diagnosing this problem without the knowledge of "ulimit -c unlimited" and not knowing about the magic of separate debuginfo packages. The number of bugs filed in bugzilla will underestimate the number of users effected because producing coherent bug reports in English is just not the forte of most Taiwanese users. This is unlikely to change. I imagine you would have the same problem if the main Korean input method had a crasher bug. Due to the reasons stated above, implemening automated testing for the input methods known to have large marketshares is highly desirable. The rapid change of input method subsystems from the XIM servers to IIIMF to scim to the introduction of scim-bridge likely caused more instability and discouraged the implementation of automated tests. I really wish I had caught this bug earlier for fc6 but the anaconda bugs prevented me from installing a test release until test3. Perhaps someone could add this to: http://fedoraproject.org/wiki/Bugs/FC6Common
Thanks, Scott. Yup I hear what you're saying and agree with you, but unfortunately this fix can't make final FC6 so it will have to be an update. I also regret that this didn't get fixed in time for fc6.
scim-bridge-0.4.7-1.fc6 has been pushed for fc6, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.