127052 2014-01-15 09:21:35 -0800 ASSERTION FAILED: m_pos <= toRenderText(m_renderer)->textLength() in WebCore::InlineIterator::fastIncrementInTextNode 2016-08-03 13:39:07 -0700 1 1 1 Unclassified WebKit Layout and Rendering 528+ (Nightly build) Unspecified Unspecified RESOLVED WORKSFORME P2 Normal --- 116980 1 rhodovan.u-szeged webkit-unassigned bfulgham gyuyoung.kim koivisto sam simon.fraser oldest_to_newest 968353 0 221275 rhodovan.u-szeged 2014-01-15 09:21:35 -0800 Created attachment 221275 Test case The failing test case (with spaces): <p align="right"> <a>L</a> <br>LOL The backtrace: ASSERTION FAILED: m_pos <= toRenderText(m_renderer)->textLength() /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/InlineIterator.h(320) : void WebCore::InlineIterator::fastIncrementInTextNode() 1 0x7ffff5c35e44 WTFCrash 2 0x7ffff177cd9a WebCore::InlineIterator::fastIncrementInTextNode() 3 0x7ffff177ceb8 WebCore::InlineIterator::increment(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>*) 4 0x7ffff196030c WebCore::checkMidpoints(WebCore::MidpointState<WebCore::InlineIterator>&, WebCore::InlineIterator&) 5 0x7ffff196069d WebCore::BreakingContext::handleEndOfLine() 6 0x7ffff195a3fa WebCore::LineBreaker::nextSegmentBreak(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::LineInfo&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow>&) 7 0x7ffff1959c14 WebCore::LineBreaker::nextLineBreak(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::LineInfo&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow>&) 8 0x7ffff17b0d9e WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) 9 0x7ffff17af6c4 WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) 10 0x7ffff17b2f4e WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 11 0x7ffff1796002 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 12 0x7ffff17952b3 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 13 0x7ffff176411f WebCore::RenderBlock::layout() 14 0x7ffff1796409 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 15 0x7ffff1795f00 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 16 0x7ffff17952d7 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 17 0x7ffff176411f WebCore::RenderBlock::layout() 18 0x7ffff1796409 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 19 0x7ffff1795f00 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 20 0x7ffff17952d7 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 21 0x7ffff176411f WebCore::RenderBlock::layout() 22 0x7ffff1796409 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 23 0x7ffff1795f00 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 24 0x7ffff17952d7 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 25 0x7ffff176411f WebCore::RenderBlock::layout() 26 0x7ffff1935afd WebCore::RenderView::layoutContent(WebCore::LayoutState const&) 27 0x7ffff1936779 WebCore::RenderView::layout() 28 0x7ffff14cc7d9 WebCore::FrameView::layout(bool) 29 0x7ffff0f148f0 WebCore::Document::implicitClose() 30 0x7ffff13a58d7 WebCore::FrameLoader::checkCallImplicitClose() 31 0x7ffff13a566b WebCore::FrameLoader::checkCompleted() Program received signal SIGSEGV, Segmentation fault. 0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 333 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 #1 0x00007ffff177cd9a in WebCore::InlineIterator::fastIncrementInTextNode (this=0x7fffffff8f00) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/InlineIterator.h:320 #2 0x00007ffff177ceb8 in WebCore::InlineIterator::increment (this=0x7fffffff8f00, resolver=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/InlineIterator.h:360 #3 0x00007ffff196030c in WebCore::checkMidpoints (lineMidpointState=..., lBreak=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/line/BreakingContextInlineHeaders.h:1078 #4 0x00007ffff196069d in WebCore::BreakingContext::handleEndOfLine (this=0x7fffffff8fd0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/line/BreakingContextInlineHeaders.h:1122 #5 0x00007ffff195a3fa in WebCore::LineBreaker::nextSegmentBreak (this=0x7fffffffa410, resolver=..., lineInfo=..., renderTextInfo=..., lastFloatFromPreviousLine=0x0, consecutiveHyphenatedLines=0, wordMeasurements=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/line/LineBreaker.cpp:175 #6 0x00007ffff1959c14 in WebCore::LineBreaker::nextLineBreak (this=0x7fffffffa410, resolver=..., lineInfo=..., renderTextInfo=..., lastFloatFromPreviousLine=0x0, consecutiveHyphenatedLines=0, wordMeasurements=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/line/LineBreaker.cpp:89 #7 0x00007ffff17b0d9e in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange (this=0x11aaa60, layoutState=..., resolver=..., cleanLineStart=..., cleanLineBidiStatus=..., consecutiveHyphenatedLines=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1318 #8 0x00007ffff17af6c4 in WebCore::RenderBlockFlow::layoutRunsAndFloats (this=0x11aaa60, layoutState=..., hasInlineChild=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1075 #9 0x00007ffff17b2f4e in WebCore::RenderBlockFlow::layoutLineBoxes (this=0x11aaa60, relayoutChildren=true, repaintLogicalTop=..., repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1671 #10 0x00007ffff1796002 in WebCore::RenderBlockFlow::layoutInlineChildren (this=0x11aaa60, relayoutChildren=true, repaintLogicalTop=..., repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:547 #11 0x00007ffff17952b3 in WebCore::RenderBlockFlow::layoutBlock (this=0x11aaa60, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:373 #12 0x00007ffff176411f in WebCore::RenderBlock::layout (this=0x11aaa60) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1314 #13 0x00007ffff1796409 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x11592b0, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:608 #14 0x00007ffff1795f00 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x11592b0, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:527 #15 0x00007ffff17952d7 in WebCore::RenderBlockFlow::layoutBlock (this=0x11592b0, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:375 #16 0x00007ffff176411f in WebCore::RenderBlock::layout (this=0x11592b0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1314 #17 0x00007ffff1796409 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x1158d50, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:608 #18 0x00007ffff1795f00 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x1158d50, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:527 #19 0x00007ffff17952d7 in WebCore::RenderBlockFlow::layoutBlock (this=0x1158d50, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:375 #20 0x00007ffff176411f in WebCore::RenderBlock::layout (this=0x1158d50) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1314 #21 0x00007ffff1796409 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x7f2060, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:608 #22 0x00007ffff1795f00 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x7f2060, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:527 #23 0x00007ffff17952d7 in WebCore::RenderBlockFlow::layoutBlock (this=0x7f2060, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:375 #24 0x00007ffff176411f in WebCore::RenderBlock::layout (this=0x7f2060) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1314 #25 0x00007ffff1935afd in WebCore::RenderView::layoutContent (this=0x7f2060, state=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:158 #26 0x00007ffff1936779 in WebCore::RenderView::layout (this=0x7f2060) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:342 #27 0x00007ffff14cc7d9 in WebCore::FrameView::layout (this=0x6f8450, allowSubtree=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1322 #28 0x00007ffff0f148f0 in WebCore::Document::implicitClose (this=0x11c6690) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2457 #29 0x00007ffff13a58d7 in WebCore::FrameLoader::checkCallImplicitClose (this=0x723198) ---Type <return> to continue, or q <return> to quit--- at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:899 #30 0x00007ffff13a566b in WebCore::FrameLoader::checkCompleted (this=0x723198) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:842 #31 0x00007ffff13a53c6 in WebCore::FrameLoader::finishedParsing (this=0x723198) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:763 #32 0x00007ffff0f1bd7b in WebCore::Document::finishedParsing (this=0x11c6690) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4449 #33 0x00007ffff121452f in WebCore::HTMLConstructionSite::finishedParsing (this=0x725208) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:337 #34 0x00007ffff124d882 in WebCore::HTMLTreeBuilder::finished (this=0x7251f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:3046 #35 0x00007ffff121b836 in WebCore::HTMLDocumentParser::end (this=0x109eda0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:749 #36 0x00007ffff121b921 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x109eda0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:760 #37 0x00007ffff121a569 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x109eda0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:203 #38 0x00007ffff121b966 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x109eda0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:772 #39 0x00007ffff121ba1f in WebCore::HTMLDocumentParser::finish (this=0x109eda0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:821 #40 0x00007ffff1398122 in WebCore::DocumentWriter::end (this=0x1136640) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:252 #41 0x00007ffff138383e in WebCore::DocumentLoader::finishedLoading (this=0x11365a0, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:441 #42 0x00007ffff13835ac in WebCore::DocumentLoader::notifyFinished (this=0x11365a0, resource=0x114d500) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:375 #43 0x00007ffff142849c in WebCore::CachedResource::checkNotify (this=0x114d500) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:336 #44 0x00007ffff142857e in WebCore::CachedResource::finishLoading (this=0x114d500) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:352 #45 0x00007ffff1425092 in WebCore::CachedRawResource::finishLoading (this=0x114d500, data=0x807960) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94 #46 0x00007ffff13e0f31 in WebCore::SubresourceLoader::didFinishLoading (this=0x114da60, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:309 #47 0x00007ffff13dd241 in WebCore::ResourceLoader::didFinishLoading (this=0x114da60, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:517 #48 0x00007ffff215e414 in WebCore::readCallback (asyncResult=0x11519c0, data=0x73f4e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1336 #49 0x00007fffe80e8bc9 in async_ready_callback_wrapper (source_object=0x877c00, res=0x11519c0, user_data=0x73f4e0) at ginputstream.c:530 #50 0x00007fffe810accb in g_task_return_now (task=0x11519c0) at gtask.c:1105 #51 complete_in_idle_cb (task=<optimized out>) at gtask.c:1114 #52 0x00007fffed805473 in g_main_dispatch (context=0x1151040) at gmain.c:3054 #53 g_main_context_dispatch (context=0x1151040) at gmain.c:3630 #54 0x00007ffff758aaee in _ecore_glib_select__locked (ecore_timeout=0x1151040, efds=<optimized out>, wfds=<optimized out>, rfds=<optimized out>, ecore_fds=1, ctx=<optimized out>) at ecore_glib.c:171 #55 _ecore_glib_select (ecore_fds=1, rfds=<optimized out>, wfds=<optimized out>, efds=<optimized out>, ecore_timeout=0x1151040) at ecore_glib.c:205 #56 0x00007ffff7584cb9 in _ecore_main_select (timeout=<optimized out>) at ecore_main.c:1466 #57 0x00007ffff7585789 in _ecore_main_loop_iterate_internal (once_only=0) at ecore_main.c:1860 #58 0x00007ffff7585b47 in ecore_main_loop_begin () at ecore_main.c:956 #59 0x0000000000406d21 in main (argc=2, argv=0x7fffffffdd48) at /home/reni/Data/REPOS/webkit_sec/Tools/EWebLauncher/main.c:1032 1217130 1 bfulgham 2016-08-03 13:39:07 -0700 This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case. 221275 2014-01-15 09:21:35 -0800 2014-01-15 09:21:35 -0800 Test case lastCrash.html text/html 35 rhodovan.u-szeged PHAgYWxpZ249InJpZ2h0Ij4KPGE+TDwvYT4gIDxicj5MT0w=