GNOME Bugzilla – Bug 368972
Crash when selecting text using the keyboard
Last modified: 2006-11-08 00:08:13 UTC
Steps to reproduce:
1. Install a recent development version of Wireshark from http://www.wireshark.org/download/automated/win32/
2. Run Wireshark and select Help->About Wireshark.
3. Verify that it was compiled with GTK+ 2.8.x
4. Click the mouse in the text area of the about dialog.
5. Using the shift key and the right arrow (and NOT the mouse), start selecting text. When you reach the end of the line, Wireshark will crash.

Stack trace:
From MS VS 2005:

>	libglib-2.0-0.dll!0036cd15()
	[Frames below may be incorrect and/or missing, no symbols loaded for libglib-2.0-0.dll]
	libpango-1.0-0.dll!64291c6a()
	libgtk-win32-2.0-0.dll!6055f4f8()
	libgtk-win32-2.0-0.dll!60572f68()
	libgobject-2.0-0.dll!01c53935()
	libgtk-win32-2.0-0.dll!604d846a()
	libglib-2.0-0.dll!003418f9()
	libgobject-2.0-0.dll!01c66aa6()
	ntdll.dll!7c9105c8()
	ntdll.dll!7c91056d()
	ntdll.dll!7c9106eb()
	msvcrt.dll!77c2c3c9()
	libglib-2.0-0.dll!00365ce8()
	libgobject-2.0-0.dll!01c72f0a()
	libgobject-2.0-0.dll!01c6814a()
	libgobject-2.0-0.dll!01c72e1d()
	libgobject-2.0-0.dll!01c72e1d()
	libgtk-win32-2.0-0.dll!604939f7()
	ntdll.dll!7c9106eb()
	msvcrt.dll!77c2c3c9()
	msvcrt.dll!77c2c3ce()
	libglib-2.0-0.dll!003599ed()
	msvcrt.dll!77c2c42e()
	libgtk-win32-2.0-0.dll!60494a21()
	libgtk-win32-2.0-0.dll!60494c8d()
	libgtk-win32-2.0-0.dll!60494eba()
	libgtk-win32-2.0-0.dll!60570db2()
	libgobject-2.0-0.dll!01c53935()
	libglib-2.0-0.dll!003418f9()
	libgobject-2.0-0.dll!01c66aa6()
	libgobject-2.0-0.dll!01c57494()
	libgobject-2.0-0.dll!01c734f9()
	libgobject-2.0-0.dll!01c6797c()
	ntdll.dll!7c9106eb()
	msvcrt.dll!77c2c3c9()
	libgobject-2.0-0.dll!01c57494()
	libgdk-win32-2.0-0.dll!6b06bd4b()
	ntdll.dll!7c9105c8()
	ntdll.dll!7c910551()
	ntdll.dll!7c91056d()
	ntdll.dll!7c9106eb()
	msvcrt.dll!77c2c3c9()
	ntdll.dll!7c9106eb()
	msvcrt.dll!77c2c3c9()
	msvcrt.dll!77c2c3ce()
	libgdk-win32-2.0-0.dll!6b07a87b()
	libgdk-win32-2.0-0.dll!6b07af75()
	ntdll.dll!7c91056d()
	libgdk-win32-2.0-0.dll!6b06126f()
	libgdk-win32-2.0-0.dll!6b043000()
	libgobject-2.0-0.dll!01c67e96()
	libgtk-win32-2.0-0.dll!6066c474()
	libgtk-win32-2.0-0.dll!6067de52()
	libgtk-win32-2.0-0.dll!60682e71()
	libgtk-win32-2.0-0.dll!60570db2()
	libgobject-2.0-0.dll!01c53935()
	libgobject-2.0-0.dll!01c72d97()
	ntdll.dll!7c9106eb()
	libgobject-2.0-0.dll!01c66aa6()
	libgobject-2.0-0.dll!01c576cb()
	libgobject-2.0-0.dll!01c57494()
	libgobject-2.0-0.dll!01c734f9()
	libgobject-2.0-0.dll!01c6797c()
	ntdll.dll!7c91056d()
	ntdll.dll!7c9105c8()
	ntdll.dll!7c910551()
	libgdk-win32-2.0-0.dll!6b06f394()
	msvcrt.dll!77c2c2e3()
	libgdk-win32-2.0-0.dll!6b057fe6()
	user32.dll!77d48734()
	user32.dll!77d48bd9()
	user32.dll!77d4885a()
	user32.dll!77d4882a()
	libgdk-win32-2.0-0.dll!6b06126f()
	libgdk-win32-2.0-0.dll!6b043000()
	libgobject-2.0-0.dll!01c67e96()
	libgtk-win32-2.0-0.dll!6066c474()
	libgtk-win32-2.0-0.dll!6056e050()
	libgtk-win32-2.0-0.dll!6056f24d()
	libglib-2.0-0.dll!0034b549()
	libgdk-win32-2.0-0.dll!6b06f65e()
	libglib-2.0-0.dll!003621c2()
	libglib-2.0-0.dll!0034d9b7()
	libglib-2.0-0.dll!0034ce8d()
	libglib-2.0-0.dll!0034ee8b()
	libglib-2.0-0.dll!0034f06a()
	libglib-2.0-0.dll!0034b522()
	libgtk-win32-2.0-0.dll!6056e7be()
	msvcrt.dll!77c2c2e3()
	wireshark.exe!u3_register_pid() Line 70 + 0xa bytes	C
	wireshark.exe!main(int argc=0, char * * argv=0x01cb49e4) Line 2989	C
	wireshark.exe!WinMain(HINSTANCE__ * hInstance=0x00400000, HINSTANCE__ * hPrevInstance=0x00000000, char * lpszCmdLine=0x0015233b, int nCmdShow=1) Line 3051 + 0x17 bytes	C
	wireshark.exe!_WinMainCRTStartup() + 0x134 bytes
	kernel32.dll!7c816fd7()

Other information:
This happens in every other dialog with selectable text, as far as I can tell. It doesn't happen in the 0.99.4 release or earlier, which were compiled with GTK+ 2.6.
You should verify that the bug is reproducible with a minimal test program, or with gtk-demo.exe as included with the gtk+ development packages. GTK+ 2.8 is not maintained any longer. The maintained branch is 2.10, and the latest version as of now is 2.10.6. See ftp://ftp.gtk.org/pub/gtk/v2.10/win32/ .
The bug is reproducible in gtk-demo.exe from the GTK+ 2.8.20 and 2.10.6 distributions:
1. Double-click "Dialog and Message Boxes"
2. Click "Message Dialog"
3. Click somewhere in the "This message box..." line. Make sure the caret has been placed there
4. While holding down the shift key, press the right arrow key until the selection wraps

BTW, http://www.gimp.org/~tml/gimp/win32/ still lists GTK+ 2.8.20 as the current release, and no 2.10.x packages are listed. Is there a better place to track GTK+ Win32 releases?
I couldn't reproduce this problem. I'm using GTK+ 2.10.6 from Gaim (http://prdownloads.sourceforge.net/gaim/gtk-runtime-2.10.6-rev-a.exe?download) on Windows XP.
Eeek, I *can* reproduce it with GTK+ 2.10.6 as distributed from ftp.gtk.org, and also with my working build, built with debugging, so it should be straightforward to track down and fix.
The immediate cause for the crash is in Pango. In pango-layout.c:pango_layout_move_cursor_visually(), we see:

      else /* (vis_pos == n_vis && direction > 0) */
        {
          vis_pos = 0;
          if (paragraph_boundary)
            vis_pos--;
        }

      vis2log_map = pango_layout_line_get_vis2log_map (line, strong);

  ==> here vis_pos can be -1, boom!
      log_pos = g_utf8_pointer_to_offset (layout->text + line->start_index,
                                          layout->text + line->start_index + vis2log_map[vis_pos]);

For some reason vis_pos being -1 doesn't cause a crash on Linux, but the code still indeed indexes the vis2log_map array with -1, so the bug is cross-platform. Verified by adding a printf to show the value of vis_pos at the arrow, and it indeed is -1 also on X11.
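The negative-index path described in the comment above, as an added example: this is not Pango's code and not the attached patch (which is not shown on this page). It models only the forward-wrap branch quoted in the comment. The line_t struct, the function names, the sample line "ab" plus one 3-byte UTF-8 character, and the choice to report "cursor left the line" with -1 are all assumptions for illustration. A line with n_vis characters has cursor positions 0 .. n_vis, so its vis2log_map has n_vis + 1 meaningful entries; any other index, and in particular the -1 produced by the paragraph_boundary case, reads outside the array.

```c
#include <stddef.h>

/*
 * Constructed model of the forward-wrap branch quoted from
 * pango_layout_move_cursor_visually(). Nothing here is Pango's own code:
 * the struct, the function names and the sample line are assumptions made
 * for illustration.
 *
 * A line with n_vis characters has visual cursor positions 0 .. n_vis, and
 * vis2log_map[i] is the byte offset (from the start of the line) of visual
 * cursor position i. The only valid indices are 0 .. n_vis.
 */
typedef struct {
    const char *text;           /* bytes of the line, UTF-8 */
    int         n_vis;          /* number of characters on the line */
    int         vis2log_map[8]; /* entries 0 .. n_vis are meaningful */
} line_t;

/* What the quoted branch computes when the cursor sits at the end of the
 * line (vis_pos == n_vis) and moves right. With paragraph_boundary set it
 * yields -1, which the original then used directly as vis2log_map[vis_pos]:
 * a read of the int just before the array. */
int wrap_forward_vis_pos(int paragraph_boundary)
{
    int vis_pos = 0;
    if (paragraph_boundary)
        vis_pos--;              /* -1 */
    return vis_pos;
}

/* Hardened lookup: an index outside 0 .. n_vis is not a cursor position on
 * this line and must never be used to read vis2log_map. Returns the byte
 * offset, or -1 when the caller has to treat the move as "cursor left the
 * line" instead (byte offsets are never negative, so -1 is unambiguous). */
int lookup_byte_offset(const line_t *line, int vis_pos)
{
    if (line == NULL)
        return -1;
    if (vis_pos < 0 || vis_pos > line->n_vis)
        return -1;
    return line->vis2log_map[vis_pos];
}

/* Stand-in for what the quoted code does with g_utf8_pointer_to_offset():
 * turn a byte offset into a character offset by counting UTF-8 lead bytes
 * (every byte that is not a 10xxxxxx continuation byte). */
int utf8_byte_to_char_offset(const char *text, int byte_offset)
{
    int chars = 0;
    for (int i = 0; i < byte_offset && text[i] != '\0'; i++) {
        if (((unsigned char) text[i] & 0xC0) != 0x80)
            chars++;
    }
    return chars;
}

/* Complete move: new logical character offset, or -1 when the cursor
 * wrapped off the line. The bounds check in lookup_byte_offset() is what
 * the quoted snippet lacked. */
int move_right_from_end(const line_t *line, int paragraph_boundary)
{
    int vis_pos     = wrap_forward_vis_pos(paragraph_boundary);
    int byte_offset = lookup_byte_offset(line, vis_pos);
    if (byte_offset < 0)
        return -1;
    return utf8_byte_to_char_offset(line->text, byte_offset);
}

/* Constructed sample line: "ab" followed by the 3-byte character
 * E2 82 AC. Three characters, so n_vis == 3 and four map entries. */
static const line_t sample_line = {
    "ab\xE2\x82\xAC", 3, {0, 1, 2, 5, 0, 0, 0, 0}
};

const line_t *get_sample_line(void)
{
    return &sample_line;
}
```

With the sample line, wrapping right from the end without a paragraph boundary lands on cursor position 0 (character offset 0); with a paragraph boundary the buggy index is -1, the hardened lookup refuses it, and the caller is told the cursor left the line instead of reading the memory in front of the map.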
Created attachment 76188 [details] [review] patch Tor, can you check this patch out?
Works fine, thanks! Committed to HEAD and pango-1-14:

2006-11-08  Behdad Esfahbod  <behdad@gnome.org>

        * pango/pango-layout.c (pango_layout_move_cursor_visually):
        Don't index vis2log_map[] with a negative value.  Fixes #368972.