Menu

#239 Text segfault with Modified event after delete

closed-fixed
Jeffrey Hobbs
18. [text] (26)
9
2007-12-13
2007-06-14
Anonymous
No

8.4 text widget has problems when processing <<Modified>> event caused by delete. This segfaults once the widget gets focus (sorry, I cannot test 8.5):

#!/usr/bin/wish8.4
text .t
.t insert insert x
bind .t <<Modified>> update
.t edit modified 0
pack .t

update
after 4000
.t delete 1.0 1.1

Alternatively, use just the first 6 lines, click in the left halve of the window and press Backspace to get Segmentation fault as well.

This is a minimalistic example and rather strange one, doing "update" does not make much sense. However it ilustrates likely data corruption which has other symptoms as well.

I wanted to invoke procedure after every text change and I found that after delete and <<Modified>> event, this procedure still reports text as it was BEFORE delete (while inserting chars is fine). Example:

proc modified {} {
if {![.t edit modified]} {
# invoked by itself
return
}
.t edit modified 0
puts text:[.t get 1.0 end]
}
text .t
bind .t <<Modified>> modified
pack .t

Now type "A" in text widget, delete it and type "X". Response is:

text:A <-- OK
text:A <-- WRONG! Text is empty now!
text:X <-- OK

Text widget itself looks as it should ("A" appears, disappears, "X" appears). Things also look OK when inspected outside of the event processing procedure. Just after delete, while processing <<Modified>>, data structures seem to be inconsistent, leading to slight errors or even segfaults.

Vaclav Hanzl

hanzl (at) noel dot feld dot cvut dot cz

Discussion

  • Nobody/Anonymous

    Nobody/Anonymous - 2007-06-14

    Logged In: NO

    Original report was for Debian Sarge.

    Now I verified that the first 6 lines can also bring down freewrap6.2 Wish under Windows XP.

    Vaclav Hanzl

     

  • Koen Danckaert

    Koen Danckaert - 2007-06-19

    Logged In: YES
    user_id=1388916
    Originator: NO

    Seems like the dirty-flag is incremented too early during a delete action.
    Following patch solves this issue:

    diff -bru tk8.5a6/generic/tkText.c tk8.5a6my/generic/tkText.c
    --- tk8.5a6/generic/tkText.c 2007-06-19 15:36:52.000000000 +0200
    +++ tk8.5a6my/generic/tkText.c 2007-06-19 15:37:11.000000000 +0200
    @@ -3111,11 +3111,11 @@
    get = TextGetText(textPtr, &index1, &index2, 0);
    TextPushUndoAction(textPtr, get, 0, &index1, &index2);
    }
    - UpdateDirtyFlag(sharedTextPtr);
    -
    sharedTextPtr->stateEpoch++;

    TkBTreeDeleteIndexRange(sharedTextPtr->tree, &index1, &index2);
    +
    + UpdateDirtyFlag(sharedTextPtr);
    }

    resetViewCount = 0;

     

  • Donal K. Fellows

    Donal K. Fellows - 2007-06-26
    • priority: 5 --> 9
     

  • Vaclav Hanzl

    Vaclav Hanzl - 2007-10-08

    Logged In: YES
    user_id=1818446
    Originator: NO

    I just reported another maybe related Tk bug - in tk bug tracker, #1809538

     

  • Jeffrey Hobbs

    Jeffrey Hobbs - 2007-12-13
    • status: open --> closed-fixed
     

  • Jeffrey Hobbs

    Jeffrey Hobbs - 2007-12-13

    Logged In: YES
    user_id=72656
    Originator: NO

    Segfault confirmed in 8.4, not in 8.5, but the fix to have the Modified trigger after the delete (an equiv for 8.4) fixes the segfault. This seems correct as the insert does occur before the Modified on the other side.

    Fix commited to have <<Modified>> trigger after actual delete in 8.4.17 and 8.5.0.