Bug 131366 - Crash when I type the letter "i" after the letter "f" in a paragraph with style "emphasis" and font "Linux Biolinum G"
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version (earliest affected): 6.3.5.2 release
Hardware: All All
Importance: medium critical
Assignee: Not Assigned
URL:
Whiteboard: target:7.0.0 target:6.4.5
Keywords: bibisected, bisected, regression
Duplicates: 132453 132982 133325 134533 135452 137597
Depends on:
Blocks: Font-Rendering
 
Reported: 2020-03-16 04:55 UTC by Jonathan Buhacoff
Modified: 2020-10-19 17:12 UTC (History)

See Also:
Crash report or crash signature:


Attachments
A document that reproduces the issue every time on my machine (13.84 KB, application/vnd.oasis.opendocument.text)
2020-03-16 04:56 UTC, Jonathan Buhacoff

Description Jonathan Buhacoff 2020-03-16 04:55:28 UTC
Description:
The bug is that, under some circumstances, when I type a word that starts with the letter "f" then the letter "i", LibreOffice Writer crashes when I type the letter "i". Maybe it also happens with other letter combinations but this is the only one I ran into so far. It always happens when the font is Linux Biolinum G, and doesn't happen with other fonts like Calibri.

Steps to Reproduce:
1. Set the font to Linux Biolinum G
2. Set the character style to "Emphasis"
3. Type the letter "f", then the letter "i"  

Actual Results:
Crash.

Expected Results:
Characters should be displayed without crashing. 


Reproducible: Always


User Profile Reset: Yes


OpenGL enabled: Yes

Additional Info:
Version: 6.3.5.2 (x64)
Build ID: dd0751754f11728f69b42ee2af66670068624673
CPU threads: 4; OS: Windows 10.0; UI render: default; VCL: win; 
Locale: en-US (en_US); UI-Language: en-US
Calc: threaded

NOTE: this also happened with the previous version I had installed: 

Version: 6.3.1.2 (x64)
Build ID: b79626edf0065ac373bd1df5c28bd630b4424273
CPU threads: 4; OS: Windows 10.0; UI render: default; VCL: win; 
Locale: en-US (en_US); UI-Language: en-US
Calc: threaded

The bug is also reproducible in safe mode, with and without OpenGL.
Comment 1 Jonathan Buhacoff 2020-03-16 04:56:18 UTC
Created attachment 158706 [details]
A document that reproduces the issue every time on my machine
Comment 2 Julien Nabet 2020-03-16 15:26:58 UTC
On pc Debian x86-64 with master sources updated today, I could reproduce this.
Comment 3 Julien Nabet 2020-03-16 15:31:18 UTC
I retrieved a bt and tried to put some breaks, but the problem seems to be in HarfBuzz.
#0  0x00007ffff0b05d0d in (anonymous namespace)::direct_run(bool, void* const*, unsigned char const*, int*, graphite2::Slot**&, unsigned char, graphite2::vm::Machine::status_t&, graphite2::SlotMap*)
    (get_table_mode=false, program=0x7fffd5dbd798, data=0x7fffd5dbd878 "\006", stack=0x7ffffffe3a98, __map=@0x7ffffffe38f0: 0x7ffffffe52e0, _dir=0 '\000', status=@0x7ffffffe4aa8: graphite2::vm::Machine::finished, __smap=0x7ffffffe52d0) at workdir/UnpackedTarball/graphite/src/inc/opcodes.h:473
#1  0x00007ffff0b07313 in graphite2::vm::Machine::run(void* const*, unsigned char const*, graphite2::Slot**&)
    (this=0x7ffffffe3a90, program=0x7fffd5dbd798, data=0x7fffd5dbd878 "\006", is=@0x7ffffffe38f0: 0x7ffffffe52e0) at workdir/UnpackedTarball/graphite/src/direct_machine.cpp:116
#2  0x00007ffff0b02ca4 in graphite2::vm::Machine::Code::run(graphite2::vm::Machine&, graphite2::Slot**&) const (this=0x7fffd6286568, m=..., map=@0x7ffffffe38f0: 0x7ffffffe52e0)
    at workdir/UnpackedTarball/graphite/src/Code.cpp:751
#3  0x00007ffff0afe6c3 in graphite2::Pass::testConstraint(graphite2::Rule const&, graphite2::vm::Machine&) const (this=0x6500a78, r=..., m=...) at workdir/UnpackedTarball/graphite/src/Pass.cpp:653
#4  0x00007ffff0afd5c4 in graphite2::Pass::findNDoRule(graphite2::Slot*&, graphite2::vm::Machine&, graphite2::FiniteStateMachine&) const (this=0x6500a78, slot=@0x7ffffffe3a00: 0x8bd09f0, m=..., fsm=...)
    at workdir/UnpackedTarball/graphite/src/Pass.cpp:512
#5  0x00007ffff0afd221 in graphite2::Pass::runGraphite(graphite2::vm::Machine&, graphite2::FiniteStateMachine&, bool) const (this=0x6500a78, m=..., fsm=..., reverse=false)
    at workdir/UnpackedTarball/graphite/src/Pass.cpp:420
#6  0x00007ffff0ae975e in graphite2::Silf::runGraphite(graphite2::Segment*, unsigned char, unsigned char, int) const (this=0x64f08c8, seg=0x8b567d0, firstPass=0 '\000', lastPass=1 '\001', dobidi=1)
    at workdir/UnpackedTarball/graphite/src/Silf.cpp:431
#7  0x00007ffff0ada76b in graphite2::Face::runGraphite(graphite2::Segment*, graphite2::Silf const*) const (this=0x64b3d50, seg=0x8b567d0, aSilf=0x64f08c8) at workdir/UnpackedTarball/graphite/src/Face.cpp:179
#8  0x00007ffff0c9bdb8 in graphite2::Segment::runGraphite() (this=0x8b567d0) at workdir/UnpackedTarball/graphite/src/inc/Segment.h:94
#9  0x00007ffff0c9b8e0 in (anonymous namespace)::makeAndInitialize(graphite2::Font const*, graphite2::Face const*, unsigned int, graphite2::FeatureVal const*, gr_encform, void const*, unsigned long, int)
    (font=0x0, face=0x64b3d50, script=1818326126, pFeats=0x5ed9290, enc=gr_utf32, pStart=0x8b562b0, nChars=3, dir=2) at workdir/UnpackedTarball/graphite/src/gr_segment.cpp:46
#10 0x00007ffff0c9b772 in gr_make_seg(gr_font const*, gr_face const*, gr_uint32, gr_feature_val const*, gr_encform, void const*, size_t, int)
    (font=0x0, face=0x64b3d50, script=1818326126, pFeats=0x5ed9290, enc=gr_utf32, pStart=0x8b562b0, nChars=3, dir=2) at workdir/UnpackedTarball/graphite/src/gr_segment.cpp:110
#11 0x00007ffff0c424b1 in _hb_graphite2_shape(hb_shape_plan_t*, hb_font_t*, hb_buffer_t*, hb_feature_t const*, unsigned int)
    (shape_plan=0x6564410, font=0x64b3290, buffer=0x8b57790, features=0x0, num_features=0) at hb-graphite2.cc:256
#12 0x00007ffff0c3dd57 in hb_shape_plan_execute(hb_shape_plan_t*, hb_font_t*, hb_buffer_t*, hb_feature_t const*, unsigned int)
    (shape_plan=0x6564410, font=0x64b3290, buffer=0x8b57790, features=0x0, num_features=0) at ./hb-shaper-list.hh:38
#13 0x00007ffff0c3f229 in hb_shape_full(hb_font_t*, hb_buffer_t*, hb_feature_t const*, unsigned int, char const* const*)
    (font=0x64b3290, buffer=0x8b57790, features=0x0, num_features=0, shaper_list=0x7ffffffe5e10) at hb-shape.cc:139
#14 0x00007ffff057aa8b in GenericSalLayout::LayoutText(ImplLayoutArgs&, SalLayoutGlyphs const*) (this=0x61173c0, rArgs=..., pGlyphs=0x0) at vcl/source/gdi/CommonSalLayout.cxx:471
#15 0x00007ffff018d7fd in OutputDevice::ImplLayout(rtl::OUString const&, int, int, Point const&, long, long const*, SalLayoutFlags, vcl::TextLayoutCache const*, SalLayoutGlyphs const*) const
    (this=0x5e887a0, rOrigStr="Text with the \"Emphasis\" style seems to trigger the problem. Try typing the letter \"i\" after the \"f\" here, on my machine it crashes every time: fi", nMinIndex=143, nLen=3, rLogicalPos=Point = {...}, nLogicalWidth=0, pDXArray=0x0, flags=SalLayoutFlags::GlyphItemsOnly, pLayoutCache=0x0, pGlyphs=0x0) at vcl/source/outdev/text.cxx:1319

Indeed when putting a break in vcl/source/gdi/CommonSalLayout.cxx:471, GDB doesn't stop.
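
Added example (not part of the original report, and not LibreOffice or Graphite code): a small Python triage helper that attributes each frame of a GDB backtrace like the one above to a bundled third-party library or to application code, using the `workdir/UnpackedTarball/<name>/` paths visible in the trace. The sample input is abbreviated from Comment 3, and the `bundled:`/`core:`/`unresolved` labels are assumptions made for illustration.

```python
import re

# Constructed sample: four frames abbreviated from the backtrace in Comment 3
# (addresses and source locations kept, argument lists trimmed).
SAMPLE_BT = """\
#0  0x00007ffff0b05d0d in (anonymous namespace)::direct_run(...)
    (get_table_mode=false, ...) at workdir/UnpackedTarball/graphite/src/inc/opcodes.h:473
#1  0x00007ffff0b07313 in graphite2::vm::Machine::run(...)
    (this=0x7ffffffe3a90, ...) at workdir/UnpackedTarball/graphite/src/direct_machine.cpp:116
#11 0x00007ffff0c424b1 in _hb_graphite2_shape(...)
    (shape_plan=0x6564410, ...) at hb-graphite2.cc:256
#14 0x00007ffff057aa8b in GenericSalLayout::LayoutText(...) (this=0x61173c0, ...) at vcl/source/gdi/CommonSalLayout.cxx:471
"""

FRAME_START = re.compile(r"^#(\d+)\s")
LOCATION = re.compile(r" at (\S+):(\d+)\s*$")   # trailing "at file:line"
BUNDLED = re.compile(r"(?:^|/)workdir/UnpackedTarball/([^/]+)/")

def parse_frames(bt):
    """Join wrapped lines and return (frame_no, path, line) per frame."""
    chunks = []
    for line in bt.splitlines():
        if FRAME_START.match(line):
            chunks.append(line.strip())
        elif chunks and line.strip():
            chunks[-1] += " " + line.strip()
    frames = []
    for chunk in chunks:
        loc = LOCATION.search(chunk)
        path, lineno = (loc.group(1), int(loc.group(2))) if loc else (None, None)
        frames.append((int(FRAME_START.match(chunk).group(1)), path, lineno))
    return frames

def component(path):
    """Hypothetical labels: bundled:<tarball>, core:<module>, or unresolved."""
    m = BUNDLED.search(path or "")
    if m:
        return "bundled:" + m.group(1)
    if path and "/" in path.lstrip("./"):
        return "core:" + path.lstrip("./").split("/")[0]
    return "unresolved"   # bare file name, no directory to attribute it by

def triage(bt):
    owners = [(no, component(path)) for no, path, _ in parse_frames(bt)]
    return {
        "crash_owner": owners[0][1] if owners else None,
        # first application frame: where input is handed to the library
        "boundary_frame": next((n for n, c in owners if c.startswith("core:")), None),
        "owners": owners,
    }
```
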
Comment 4 Timur 2020-03-16 15:37:33 UTC
Repro master 7.0+ both Win and Lin.
No repro 6.2. Regression in 6.3.
 41c8baa8134040fb2bcdf859113cc7d52c53e8c3 is the first bad commit
commit 41c8baa8134040fb2bcdf859113cc7d52c53e8c3
Author: Jenkins Build User <tdf@pollux.tdf>
Date:   Fri Dec 14 09:47:38 2018 +0100

    source 6b84708914f9c026776b28a300ac6d278272881f

Previous commit 5d196bab4f73206315b9fff03fa8e126b658e2f3 (HEAD, refs/bisect/good-5d196bab4f73206315b9fff03fa8e126b658e2f3)
Author: Jenkins Build User <tdf@pollux.tdf>
Date:   Fri Dec 14 08:14:37 2018 +0100

    source 744c82af55d0ef1bfae61d13e5cf32fbd83c8b6b

Single source:
https://gerrit.libreoffice.org/plugins/gitiles/core/+/6b84708914f9c026776b28a300ac6d278272881f%5E!/

commit 6b84708914f9c026776b28a300ac6d278272881f	[log]
author	Miklos Vajna <vmiklos@collabora.com>	Thu Dec 13 09:13:39 2018 +0100
committer	Miklos Vajna <vmiklos@collabora.com>	Fri Dec 14 09:08:04 2018 +0100
tree f44f856fa3b8d105c951b250860a108c413b72e5
parent 744c82af55d0ef1bfae61d13e5cf32fbd83c8b6b [diff]

graphite: update to 1.3.12

Martin Hosken thinks all patches are redundant now, so drop them.

Change-Id: I062168416a1289b7f4dd42d8ae58b7df56a37712
Reviewed-on: https://gerrit.libreoffice.org/65074
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>

CC: Miklos. Please take a look (to fix or to mark EasyHack).
Comment 5 Miklos Vajna 2020-03-16 15:49:40 UTC
Sounds like a crash in graphite itself, should this be forwarded to <https://github.com/silnrsi/graphite>, to their issue tracker?

CC Justin who may know what is the preferred way of handling such "graphite in LO" problems, I don't.
Comment 6 martin_hosken 2020-03-17 07:38:53 UTC
This is a bug in the graphite engine. A fix has been pushed to master and we hope to do a maintenance release in a week or so.
Comment 7 Julien Nabet 2020-03-17 08:01:03 UTC
So not our bug then, since it is a Graphite one.
Comment 8 martin_hosken 2020-03-17 08:16:52 UTC
You will still need to upgrade to the newer Graphite library when it comes out.
Comment 9 Jonathan Buhacoff 2020-03-17 14:56:40 UTC
Thanks everyone for the quick resolution!
Comment 10 Miklos Vajna 2020-04-28 09:10:20 UTC
*** Bug 132453 has been marked as a duplicate of this bug. ***
Comment 11 Commit Notification 2020-05-04 07:34:28 UTC
Gabor Kelemen committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/835b86437446a81541ab6923f7776a0a71c44ab9

tdf#131366 Update graphite to 1.3.14

It will be available in 7.0.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 12 Commit Notification 2020-05-07 14:55:01 UTC
Gabor Kelemen committed a patch related to this issue.
It has been pushed to "libreoffice-6-4":

https://git.libreoffice.org/core/commit/55e9293c342647ad89c3f081c5b5b677140ac847

tdf#131366 Update graphite to 1.3.14

It will be available in 6.4.5.

Comment 13 Julien Nabet 2020-05-12 16:59:09 UTC
*** Bug 132982 has been marked as a duplicate of this bug. ***
Comment 14 Julien Nabet 2020-05-23 20:17:27 UTC
*** Bug 133325 has been marked as a duplicate of this bug. ***
Comment 15 Julien Nabet 2020-07-06 10:26:17 UTC
*** Bug 134533 has been marked as a duplicate of this bug. ***
Comment 16 Julien Nabet 2020-08-05 09:39:51 UTC
*** Bug 135452 has been marked as a duplicate of this bug. ***
Comment 17 Timur 2020-10-19 13:59:00 UTC
*** Bug 137597 has been marked as a duplicate of this bug. ***
Comment 18 Jonathan Buhacoff 2020-10-19 17:12:13 UTC
The fix is working for me. Thank you!