Bug 165540 - Writer kashida position array corrupted during editing
Summary: Writer kashida position array corrupted during editing
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version (earliest affected): unspecified
Hardware: All All
Importance: medium normal
Assignee: Jonathan Clark
Whiteboard: target:25.8.0
Blocks: Kashida-Justification, Tatweel
Reported: 2025-03-02 20:09 UTC by Jonathan Clark
Modified: 2025-03-05 05:29 UTC (History)

Description Jonathan Clark 2025-03-02 20:09:23 UTC
Description:
For kashida justification, Writer stores per-paragraph lists of valid kashida insertion positions as string indices inside SwScriptInfo instances. Sometimes, while editing justified paragraphs, this data can be corrupted.

An early symptom of this problem is the following warning message:

> warn:sw.core:28915:28915:sw/source/core/text/porlay.cxx:1573: Kashida array contains wrong data

After this data is corrupted, it's possible that LibreOffice will crash due to an out-of-bounds vector access inside SwScriptInfo::KashidaJustify.

For more details, see bug 164140 comment 15:

(In reply to Hossein from comment #15)
> Created attachment 199549
> crash log + back trace
> 
> @Jonathan:
> Thanks for providing this fix. It improves the situation a lot, and I no
> longer see text going out of margin in a single page.
> 
> On the other hand:
> 
> 1. LibreOffice crashes for me by typing a lot of text. The attachment is the
> log and the stack trace which I get.
> 
> 2. The same issue happens in a paragraph, long enough to span across pages.
> Please see the next attachment, that I will attach shortly.
> 
> 3. It might be related that, if you create a big paragraph with a very long
> word (for example type a few hundreds of "a" together) LibreOffice tends to
> hang for a second or so, after typing each character, which is undesirable.
> This should be also visible in the next attachment.
> 
> I have tested with the latest LO 25.8 dev master from today:
> 
> Version: 25.8.0.0.alpha0+ (X86_64) / LibreOffice Community
> Build ID: dec9f7d5b2d72e83f4feb81bc8845bca506bbe20
> CPU threads: 12; OS: Linux 6.2; UI render: default; VCL: gtk3
> Locale: en-US (en_US.UTF-8); UI: en-US
> Calc: CL threaded


Steps to Reproduce:
1. Open attachment 199549
2. Type some text at the start of an Arabic script line on page 2
3. Note that Writer prints the "kashida array contains wrong data" warning message

Actual Results:
Writer prints a "kashida array contains wrong data" warning message. Writer may also crash.

Expected Results:
Writer should not corrupt this kashida position information. Writer should not print this warning message, nor should it crash during editing.


Reproducible: Always


User Profile Reset: No

Additional Info:
Version: 25.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: dec9f7d5b2d72e83f4feb81bc8845bca506bbe20
CPU threads: 12; OS: Linux 6.2; UI render: default; VCL: gtk3
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: CL threaded

Comment 1 Hossein 2025-03-03 12:11:16 UTC
Reproducible with the latest LO 25.8 dev master:

Version: 25.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 9d3fba976012b65e740c024e753f034600ce2852
CPU threads: 12; OS: Linux 6.2; UI render: default; VCL: gtk3
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: CL threaded

Comment 2 Commit Notification 2025-03-05 05:08:50 UTC
Jonathan Clark committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/ef31a26abc5ff4851be5360fd8ecd325132c5592

tdf#165540 sw: Fix kashida insertion position data corruption

It will be available in 25.8.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.

Comment 3 Jonathan Clark 2025-03-05 05:29:39 UTC
The above change significantly revises and simplifies the Writer kashida justification algorithm. As a result, bugs of this category should no longer be possible in kashida justification.

This is probably not exhaustive, but these are the issues I've noticed fixed by this change:

- Fixes the kashida insertion position corruption error, described in this bug.
- The fix from bug 164140 is superseded, as the corrupted data structures no longer exist.
- Fixes the overhanging text regression from bug 164140 comment 16, caused by the previous fix overlooking that the previous implementation performed kashida justification in a loop while looking for insertion opportunities, while also referencing incrementally-built versions of those corrupted data structures.
- Fixes an issue where editing a line may cause kashida to be inserted in positions on other lines which should be rejected by the font.
- Fixes an issue where editing a line may cause kashida to be inserted in positions on other lines which do not have room for them.
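
The failure class described in this bug (cached string indices that no longer match the edited text and are then used to index a vector), shown as an added C++ example that is not LibreOffice code. `PositionCache`, `cacheIsValid`, `eraseText` and `distributeExtra` are hypothetical names, and the erase scenario is an assumed way for indices to go stale, not the root cause identified in the commit.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for a per-paragraph cache of insertion positions
// stored as string indices. Not LibreOffice's SwScriptInfo.
struct PositionCache {
    std::vector<std::size_t> positions;
};

// The cache is usable only if every index lies inside the text and the
// list is strictly increasing.
bool cacheIsValid(const PositionCache& cache, const std::string& text) {
    for (std::size_t i = 0; i < cache.positions.size(); ++i) {
        if (cache.positions[i] >= text.size()) return false;
        if (i > 0 && cache.positions[i] <= cache.positions[i - 1]) return false;
    }
    return true;
}

// Erase text and keep the cache in step with it: positions inside the
// erased range are dropped, later positions are shifted left.
void eraseText(std::string& text, PositionCache& cache,
               std::size_t at, std::size_t count) {
    at = std::min(at, text.size());
    count = std::min(count, text.size() - at);
    text.erase(at, count);
    std::vector<std::size_t> kept;
    for (std::size_t p : cache.positions) {
        if (p < at) kept.push_back(p);
        else if (p >= at + count) kept.push_back(p - count);
    }
    cache.positions = kept;
}

// Hand out `extra` width units, one per cached position in turn. Returns
// false and leaves `widths` untouched when the cache does not match the
// text, instead of indexing the vector with a stale position.
bool distributeExtra(const PositionCache& cache, const std::string& text,
                     int extra, std::vector<int>& widths) {
    if (widths.size() != text.size() || !cacheIsValid(cache, text)) return false;
    if (cache.positions.empty()) return extra == 0;
    for (int i = 0; i < extra; ++i)
        widths[cache.positions[i % cache.positions.size()]] += 1;
    return true;
}
```

Validation turns a stale cache into a refused operation; recomputing positions from the current text on each use removes the cache that could go stale in the first place.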