Qt / QTBUG-72754

QTextEngine crashes when navigating over a line that contains a trailing tab character

    Details

    • Platform/s:
      Linux/X11
    • Commits:
      a8db9b8663f0bf3d66b36b5f743bd2fd47105cb6 (qt/qtbase/5.12.1)

      Description

      Because of https://codereview.qt-project.org/244594, qtextengine.cpp crashes when pressing Key_Down (or Key_Up etc.) in a QTextEdit that contains a trailing tab character.

      #2  <signal handler called>
      #3  0x00007fde299a2942 in QTextEngine::shape (this=0x16a5ad50, item=item@entry=3) at /d/qt/5/kde/qtbase/src/gui/text/qtextengine.cpp:1982
      #4  0x00007fde299b27b9 in QTextLine::xToCursor (this=this@entry=0x7fffe00fecd0, _x=<optimized out>, cpos=cpos@entry=QTextLine::CursorBetweenCharacters) at /d/qt/5/kde/qtbase/src/gui/text/qtextlayout.cpp:3047
      #5  0x00007fde299ffa05 in QTextCursorPrivate::movePosition (this=0x16f1c010, op=op@entry=QTextCursor::Down, mode=mode@entry=QTextCursor::MoveAnchor) at /d/qt/5/kde/qtbase/src/gui/text/qtextcursor.cpp:587
      #6  0x00007fde29a0245e in QTextCursor::movePosition (this=this@entry=0x16bf0ca0, op=op@entry=QTextCursor::Down, mode=mode@entry=QTextCursor::MoveAnchor, n=n@entry=1) at /d/qt/5/kde/qtbase/src/gui/text/qtextcursor.cpp:1253
      #7  0x00007fde2a2cb9eb in QWidgetTextControlPrivate::cursorMoveKeyEvent (this=this@entry=0x16bf0c20, e=e@entry=0x7fffe00ffda0) at /d/qt/5/kde/qtbase/src/widgets/widgets/qwidgettextcontrol.cpp:281
      #8  0x00007fde2a2cda9a in QWidgetTextControlPrivate::keyPressEvent (this=this@entry=0x16bf0c20, e=e@entry=0x7fffe00ffda0) at /d/qt/5/kde/qtbase/src/widgets/widgets/qwidgettextcontrol.cpp:1217
      #9  0x00007fde2a2d0a39 in QWidgetTextControl::processEvent (this=<optimized out>, e=0x7fffe00ffda0, matrix=..., contextWidget=0x16d26e00) at /d/qt/5/kde/qtbase/src/widgets/widgets/qwidgettextcontrol.cpp:1023
      #10 0x00007fde2a2c789a in QWidgetTextControl::processEvent (this=this@entry=0x16d2b260, e=e@entry=0x7fffe00ffda0, coordinateOffset=..., contextWidget=contextWidget@entry=0x16d26e00) at /d/qt/5/kde/qtbase/src/widgets/widgets/qwidgettextcontrol.cpp:983

      Testcase:

      cd qtbase/examples/widgets/richtext/textedit
      wget http://www.davidfaure.fr/2018/mytext
      ./textedit mytext
      

      and then press Key_Down 4 times.

      The new code says

      ushort *lc = logClusters(&li);
      *lc = item ? lc[-1] : 0;
      

      and lc is nullptr (I added Q_ASSERT(lc) and it hits that assert).

      Is it enough to put an if(lc) around all this, i.e. do nothing if lc is null?
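      The failure pattern described in this report, as an added example that is not Qt code and not the fix that was applied: a simplified model in which logClusters() can return a null pointer, with the write from the report wrapped in the kind of guard the reporter asks about. The Engine and Item types and the fixCluster() helper are hypothetical; the guard only prevents the invalid access, and whether skipping the write is the right layout behaviour is the question the report leaves open.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical stand-ins for the text engine's data; these are not Qt's types.
struct Item { int position; bool isObject; };

struct Engine {
    std::vector<Item> items;
    std::vector<unsigned short> clusters;  // one slot per character, may be unallocated

    // Models the condition in the report: no cluster storage for this item
    // means the caller gets a null pointer back.
    unsigned short *logClusters(const Item &it) {
        if (static_cast<std::size_t>(it.position) >= clusters.size())
            return nullptr;
        return clusters.data() + it.position;
    }

    // Guarded form of "*lc = item ? lc[-1] : 0;".
    // Returns true only if a cluster value was written.
    bool fixCluster(int item) {
        if (item < 0 || static_cast<std::size_t>(item) >= items.size())
            return false;                  // item index outside the item list
        unsigned short *lc = logClusters(items[item]);
        if (!lc)
            return false;                  // the null case hit by Q_ASSERT(lc) in the report
        // lc[-1] is only readable when lc is not the first slot of the buffer,
        // so test the pointer itself rather than the item index.
        *lc = (lc > clusters.data()) ? lc[-1] : 0;
        return true;
    }
};

int main() {
    Engine e;
    e.items = {{0, false}, {3, true}};     // constructed sample: trailing item at position 3
    std::printf("no storage: %d\n", e.fixCluster(1));   // guard skips the write
    e.clusters = {0, 1, 2, 9};
    std::printf("with storage: %d -> %d\n", e.fixCluster(1), e.clusters[3]);
    return 0;
}
```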

            People

            Assignee:
            laknoll Lars Knoll
            Reporter:
            dfaure_kdab David Faure