Bug 209573 - [patch] scim-bridge crash when used with scim-chewing
[patch] scim-bridge crash when used with scim-chewing
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: scim-bridge (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jens Petersen
:
Depends On:
Blocks: 211262
  Show dependency treegraph
 
Reported: 2006-10-06 00:39 EDT by Scott Tsai
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-11-02 20:29:07 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
ignore attributes with invalid ranges by testing their unicode character offsets (9.18 KB, patch)
2006-10-06 00:39 EDT, Scott Tsai
no flags Details | Diff

  None (edit)
Description Scott Tsai 2006-10-06 00:39:52 EDT
Description of problem:
When using the scim-chewing input method,
setting GTK_IM_MODULE to "scim-bridge" will cause a crash that will not happen
when GTK_IM_MODULE is "scim" instead.

Version-Release number of selected component (if applicable):
scim-1.4.4-35.fc6
scim-bridge-0.4.5-3.fc6
scim-chewing-0.3.1-7.fc6
scim-libs-1.4.4-35.fc6

How reproducible:
always

Steps to Reproduce:
1. GTK_IM_MODULE=scim-bridge gedit
2. activate the scim-chewing input method and input the traditional Chinese
string "講你想的解法'
I realize this is difficult if you don't know the input method or Chinese.
3. when pressing Enter to commit the string typed above, gedit will crash.
(I'll attach the stack trace with debug symbols)
4. GTK_IM_MODULE=scim gedit
5. repeat step 2 and 3 above, this will not crash.

Actual results:
gedit crashing

Expected results:
no crashes.

Additional info:
I verified this also happens on scim-bridge CVS HEAD.
The crash is caused by very large begin and end positions in the preedit text
attributes that controls appearence of the preedit area (underline and
background color etc).
scim-bridge contains code that tries to validate the begin and end range but
fails for values like:
scim_bridge_client_imcontext_get_preedit_string: attr[3]: <attr type:3,
value:15790320, (begin, end):(2925572328, 2925572330)>

I've attached a patch that verifies the unicode character offsets before calling
g_utf8_offset_to_pointer thus avoiding the crash.
It's unclear to me how those attribute values got placed on the wire in the
first place.

Crashing stack trace below:
#0  IA__g_utf8_offset_to_pointer (str=0xbab5d0 "", offset=6309040) at gutf8.c:302
#1  0x00002aaab33e5e87 in scim_bridge_client_imcontext_get_preedit_string
(context=<value optimized out>, str=0xe34930, 
    pango_attrs=0x2, cursor_pos=0x6044b2) at scim-bridge-client-imcontext-gtk.c:657
#2  0x000000340ff10515 in IA__gtk_im_context_get_preedit_string
(context=0xbae020, str=0x7fff2701f760, 
    attrs=0x7fff2701f758, cursor_pos=0x7fff2701f76c) at gtkimcontext.c:262
#3  0x000000340ff10515 in IA__gtk_im_context_get_preedit_string
(context=0xaa2940, str=0x7fff2701f760, 
    attrs=0x7fff2701f758, cursor_pos=0x7fff2701f76c) at gtkimcontext.c:262
#4  0x000000340ffe20ac in gtk_text_view_preedit_changed_handler
(context=0xbab5d0, text_view=0xaa6170) at gtktextview.c:6844
#5  0x000000340a20b16a in IA__g_closure_invoke (closure=0xaa8900,
return_value=0x0, n_param_values=1, 
    param_values=0x7fff2701fa10, invocation_hint=0x7fff2701f8d0) at gclosure.c:490
#6  0x000000340a21b3bd in signal_emit_unlocked_R (node=0xaa5f90, detail=0,
instance=0xaa2940, emission_return=0x0, 
    instance_and_params=0x7fff2701fa10) at gsignal.c:2438
#7  0x000000340a21c826 in IA__g_signal_emit_valist (instance=0xaa2940,
signal_id=<value optimized out>, detail=0, 
    var_args=0x7fff2701fc90) at gsignal.c:2197
#8  0x000000340a21e3d0 in IA__g_signal_emit_by_name (instance=0xaa2940,
detailed_signal=0x3410071dfd "preedit_changed")
    at gsignal.c:2265
#9  0x000000340a20b16a in IA__g_closure_invoke (closure=0xbab720,
return_value=0x0, n_param_values=1, 
    param_values=0x7fff27020020, invocation_hint=0x7fff2701fee0) at gclosure.c:490
#10 0x000000340a21b3bd in signal_emit_unlocked_R (node=0xaa5f90, detail=0,
instance=0xbae020, emission_return=0x0, 
    instance_and_params=0x7fff27020020) at gsignal.c:2438
#11 0x000000340a21c826 in IA__g_signal_emit_valist (instance=0xbae020,
signal_id=<value optimized out>, detail=0, 
    var_args=0x7fff270202a0) at gsignal.c:2197
#12 0x000000340a21e3d0 in IA__g_signal_emit_by_name (instance=0xbae020,
detailed_signal=0x2aaab33ed7cc "e ()")
    at gsignal.c:2265
#13 0x00002aaab33eb47a in scim_bridge_client_read_and_dispatch () at
scim-bridge-client.c:539
#14 0x00002aaab33ebe55 in scim_bridge_client_handle_key_event (imcontext=<value
optimized out>, key_event=0xe3b8a0, 
    consumed=0x7fff27020514) at scim-bridge-client.c:1581
#15 0x00002aaab33e65f6 in filter_key_event (imcontext=0xbae020, event=0xbf88f0,
consumed=0x7fff27020514)
    at scim-bridge-client-imcontext-gtk.c:117
#16 0x00002aaab33e672b in scim_bridge_client_imcontext_filter_key_event
(context=<value optimized out>, event=0xbf88f0)
    at scim-bridge-client-imcontext-gtk.c:580
#17 0x000000340ffe0d33 in gtk_text_view_key_press_event (widget=0xaa6170,
event=0xbf88f0) at gtktextview.c:3870
#18 0x000000341441a830 in gtk_source_view_get_show_line_numbers () from
/usr/lib64/libgtksourceview-1.0.so.0
#19 0x000000340ff3015d in _gtk_marshal_BOOLEAN__BOXED (closure=0x70feb0,
return_value=0x7fff27020980, 
    n_param_values=<value optimized out>, param_values=0x7fff27020a80,
invocation_hint=<value optimized out>, 
    marshal_data=0x341441a740) at gtkmarshalers.c:84
#20 0x000000340a20b220 in IA__g_closure_invoke (closure=0x70feb0,
return_value=0x7fff27020980, n_param_values=2, 
    param_values=0x7fff27020a80, invocation_hint=0x7fff27020940) at gclosure.c:490
#21 0x000000340a21b9dd in signal_emit_unlocked_R (node=0x70ff20, detail=0,
instance=0xaa6170, 
    emission_return=0x7fff27020ca0, instance_and_params=0x7fff27020a80) at
gsignal.c:2476
#22 0x000000340a21c5ef in IA__g_signal_emit_valist (instance=0xaa6170,
signal_id=<value optimized out>, detail=0, 
    var_args=0x7fff27020d00) at gsignal.c:2207
#23 0x000000340a21ca03 in IA__g_signal_emit (instance=0xbab5d0,
signal_id=6309040, detail=2653740) at gsignal.c:2241
#24 0x000000341002d63e in gtk_widget_event_internal (widget=0xaa6170,
event=0xbf88f0) at gtkwidget.c:3911
#25 0x0000000000448d84 in _gedit_window_move_tab_to_new_window ()
#26 0x000000340ff3015d in _gtk_marshal_BOOLEAN__BOXED (closure=0x70feb0,
return_value=0x7fff27020ff0, 
    n_param_values=<value optimized out>, param_values=0x7fff270210f0,
invocation_hint=<value optimized out>, 
---Type <return> to continue, or q <return> to quit---
    marshal_data=0x448d50) at gtkmarshalers.c:84
#27 0x000000340a20b16a in IA__g_closure_invoke (closure=0x70feb0,
return_value=0x7fff27020ff0, n_param_values=2, 
    param_values=0x7fff270210f0, invocation_hint=0x7fff27020fb0) at gclosure.c:490
#28 0x000000340a21b9dd in signal_emit_unlocked_R (node=0x70ff20, detail=0,
instance=0x71e020, 
    emission_return=0x7fff27021310, instance_and_params=0x7fff270210f0) at
gsignal.c:2476
#29 0x000000340a21c5ef in IA__g_signal_emit_valist (instance=0x71e020,
signal_id=<value optimized out>, detail=0, 
    var_args=0x7fff27021370) at gsignal.c:2207
#30 0x000000340a21ca03 in IA__g_signal_emit (instance=0xbab5d0,
signal_id=6309040, detail=2653740) at gsignal.c:2241
#31 0x000000341002d63e in gtk_widget_event_internal (widget=0x71e020,
event=0xbf88f0) at gtkwidget.c:3911
#32 0x000000340ff29915 in IA__gtk_propagate_event (widget=0x71e020,
event=0xbf88f0) at gtkmain.c:2162
#33 0x000000340ff2a861 in IA__gtk_main_do_event (event=0xbf88f0) at gtkmain.c:1422
#34 0x000000341044674c in gdk_event_dispatch (source=<value optimized out>,
callback=<value optimized out>, 
    user_data=<value optimized out>) at gdkevents-x11.c:2320
#35 0x000000340922cf44 in IA__g_main_context_dispatch (context=0x6da840) at
gmain.c:2045
#36 0x000000340922fd7d in g_main_context_iterate (context=0x6da840, block=1,
dispatch=1, self=<value optimized out>)
    at gmain.c:2677
#37 0x000000340923008a in IA__g_main_loop_run (loop=0xab3f00) at gmain.c:2881
#38 0x000000340ff2abf3 in IA__gtk_main () at gtkmain.c:1001
#39 0x0000000000424491 in main ()
Comment 1 Scott Tsai 2006-10-06 00:39:52 EDT
Created attachment 137895 [details]
ignore attributes with invalid ranges by testing their unicode character offsets
Comment 2 Jens Petersen 2006-10-06 04:36:36 EDT
Could you please test with the latest scim-bridge in rawhide?
I suspect this is already fixed in 0.4.5.
Comment 3 Scott Tsai 2006-10-06 06:35:39 EDT
This happens on scim-bridge-0.4.5-3.fc6.x86_64, the other components involved
have  "Version-Release number of selected component" like I reported above.

Is there a more recent build that have not been pushed out to public mirrors?
Comment 5 Jens Petersen 2006-10-06 07:16:11 EDT
Sorry, Scott, I was paying attention to product version field. :)

It would help if you could write down the key input sequence for the
chinese string if it is not too much trouble for non-Chinese speakers
to reproduce this more easily.
Comment 6 Scott Tsai 2006-10-06 07:37:09 EDT
1. add "/IMEngine/Chewing/KeyboardType = KB_HSU" to ~/.scim/config
2. the key sequence will then be:
"jekfnefcekfdgsjeeffyf"
Comment 7 Ryo Dairiki 2006-10-09 09:16:19 EDT
Thank you for the nice backtrace.
It must be fixed on the CVS latest.
Please try it and tell me if there's still a problem. :)
Comment 8 Scott Tsai 2006-10-09 09:47:08 EDT
Ryo, thanks :)
From the cvs logs I see that this checkin indeed fixed the bug:
  revision 1.60
  date: 2006/10/06 16:47:22;  author: ryo-dairiki;  state: Exp;  lines: +40 -15
  - Get rid of the unwanted underline attributes defautly applied on the preedit
string

In client-gtk/scim-bridge-client-imcontext-gtk.c,
scim_bridge_client_imcontext_get_preedit_string, do you consider these
attributes with illegal {begin,end}_pos a bug somewhere in the scim system ?

I sure hope this fix can make it into FC6 final, having to wait for an update
until you can type without fearing every program crashing is just no fun.
Comment 9 Ryo Dairiki 2006-10-09 10:11:59 EDT
> do you consider these attributes with illegal {begin,end}_pos a bug somewhere
in the scim system ?

I haven't confirm that, but I think it's a bug of scim-chewing.


> do you consider these
attributes with illegal {begin,end}_pos a bug somewhere in the scim system ?

I hope so too.
Comment 10 Jens Petersen 2006-10-18 03:13:17 EDT
Yes, this appears to be fixed in cvs.
Thank you, Dairiki-san. :)
Comment 12 Jens Petersen 2006-10-18 21:51:57 EDT
Should be fixed in next devel build.
Comment 13 Scott Tsai 2006-10-18 22:57:42 EDT
I'm guessing this didn't make it into fc6 final and would become one of the
early updates ?
Comment 14 Jens Petersen 2006-10-19 00:09:25 EDT
(In reply to comment #13)
> I'm guessing this didn't make it into fc6 final and would become one of the
> early updates ?

That's right, Scott.

So I'm leaving this in assigned until FC6 is out and we have an fc6 OS version
in bugzilla.
Comment 15 Scott Tsai 2006-10-19 13:43:14 EDT
Jens:
I can certainly understand this bug not being flagged as release critical and
that fc6 is in deep freeze. Nevertheless I'll write a long message and try to
convince you that this bug will be very painfull to Taiwanese users.

scim-chewing implements a phonetic input method for traditional Chinese with a
builtin dictionary and heuristics for phrase choosing. This is the primary
method of text input used in Taiwan with over 99% marketshare.

Users behind corporate firewalls and those without internet connectivity mostly
install from CDROM media and never perform yum updates.
This is the case for my last three jobs with two consumer electronics companies
and one mainboard manufacturer.

The user experience with this bug in effect:
* Joe types text into application
* The application window disappears along with the document he was just working on
Imagine diagnosing this problem without the knowledge of "ulimit -c unlimited"
and not knowing about the magic of separate debuginfo packages. 

The number of bugs filed in bugzilla will underestimate the number of users
effected because producing coherent bug reports in English is just not the forte
of most Taiwanese users. This is unlikely to change.
I imagine you would have the same problem if the main Korean input method had a
crasher bug.

Due to the reasons stated above, implemening automated testing for the input
methods known to have large marketshares is highly desirable.
The rapid change of input method subsystems from the XIM servers to IIIMF to
scim to the introduction of scim-bridge likely caused more instability and
discouraged the implementation of automated tests.

I really wish I had caught this bug earlier for fc6 but the anaconda bugs
prevented me from installing a test release until test3.

Perhaps someone could add this to:
http://fedoraproject.org/wiki/Bugs/FC6Common
Comment 16 Jens Petersen 2006-10-23 02:36:42 EDT
Thanks, Scott.  Yup I hear what you're saying and agree with you,
but unfortunately this fix can't make final FC6 so it will have to be
an update.  I also regret that this didn't get fixed in time for fc6.
Comment 17 Fedora Update System 2006-10-24 16:18:23 EDT
scim-bridge-0.4.7-1.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 18 Fedora Update System 2006-11-02 16:45:03 EST
scim-bridge-0.4.7-1.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.