Inkscape

Bug #1224486
Comment #9

Comment 9 for bug 1224486

Revision history for this message

David Mathog (mathog) wrote on 2013-09-12:

Sorry, this is long, as I could not find the exact problem, just narrow it down a bit.

1: It only happens with flowed text.
2: it only happens on the wrapped part of a continued line.
3: It only happens on a continued line when the cursor is not at the end of the string.

To demonstrate this:

1. start inkscape
2. drag out a small text box, wide enough for just a few letters and tall enough for several lines.
3. type "abc def" such that it wraps and "def" is on the second line.

When the first line is being typed the cursor moves and stays at the end (right side) of the line.
When it wraps and"def" is entered, the cursor stays at the start (left side) of the line.

If an "enter" key is pressed with the cursor in that position, the program will crash when the next regular letter is pressed.

However, if the keyboard arrow keys are used to move the cursor to the end of the line, then "enter" is nontoxic.

Inserting an "enter" anywhere but after the last character on a wrapped line is toxic.

Normal text has none of these issues.

So I think one key part of the problem is that there is a bug in the cursor positioning for wrapped lines in flowed text. The crash seems to result from that.

The program crashes in text-editing.cpp at insert_into_spstring() at the string->replace because when "\n" is inserted in one of the toxic scenarios the string's length gets out of sync with the iterator, with the iterator being one position past the end of the string. The \n character is not entered in the flowed text scenario, or only entered part way. The iter_at value passed into this function has a value as if the \n is there. However, iterate from string->begin to string->end and it comes up one short - no \n has been inserted. Conclusion, somewhere the iterator is incremented without the character actually being inserted. Seems like the line should have split. In any case, the iterator should never be past the length of the line.

In all cases where a '\n' is entered and the execution passes through the part of sp_te_insert_line() under
the conditional

} else if (SP_IS_STRING(split_obj)) {

then it will crash on the next normal letter entered. So I think the block of code from about lines 422 -440 in text-editing.cpp is broken, but I do not see how.

The following is probably a related problem:

Draw out a tall narrow text box.
Enter "abc def" such that it wraps.
Use arrow keys to move cursor to right of "f".
Press "enter"
Enter "ghi jkl" such that it wraps.
Use mouse or arrow keys to place cursor between "d" and "e".
Press "enter".

Line should split, instead a blank line is added between "def" and "ghi".
Cursor between "a" and "b" or "b" and "c" splits as it should.

So the first part of wrapped line edits properly, subsequent parts do not.

Sorry, this is long, as I could not find the exact problem, just narrow it down a bit.

1: It only happens with flowed text. 
2: it only happens on the  wrapped part of a continued line. 
3: It only happens on a continued line when the cursor is not at the end of the string.

To demonstrate this:

1.  start inkscape
2.  drag out a small text box, wide enough for just a few letters and tall enough for several lines.
3.  type "abc def" such that it wraps and "def" is on the second line.

When the first line is being typed the cursor moves and stays at the end (right side) of the line.
When it wraps  and"def" is entered, the cursor stays at the start (left side) of the line.

If an "enter" key is pressed with the cursor in that position, the program will crash when the next regular letter is pressed.

However, if the keyboard arrow keys are used to move the cursor to the end of the line, then "enter" is nontoxic.

Inserting an "enter" anywhere but after the last character on a wrapped line is toxic.

Normal text has none of these issues.

So I think one key part of the problem is that there is a bug in the cursor positioning for wrapped lines in flowed text.  The crash seems to result from that.

The program crashes in text-editing.cpp at  insert_into_spstring() at the string->replace because when "\n" is inserted in one of the toxic scenarios the string's length gets out of sync with the iterator, with the iterator being one position past the end of the string.  The \n character is not entered in the flowed text scenario, or only entered part way.   The iter_at value passed into this function has a value as if the \n is there.  However, iterate from string->begin to string->end and it comes up one short - no \n has been inserted.  Conclusion, somewhere the iterator is incremented without the character actually being inserted.  Seems like the line should have split.  In any case, the iterator should never be past the length of the line.

In all cases where a '\n' is entered and the execution passes through the part of sp_te_insert_line() under
the conditional

} else if (SP_IS_STRING(split_obj)) {

then it will crash on the next normal letter entered.   So I think the block of code from about lines 422 -440 in text-editing.cpp is broken, but I do not see how.

The following is probably a related problem:

Line should split, instead a blank line is added between "def" and "ghi".  
Cursor between "a" and "b" or "b" and "c" splits as it should.

So the first part of wrapped line edits properly, subsequent parts do not.