20950 2008-09-19 17:24:49 -0700 Reproducible assertion failure running svg/custom/acid3-test-77.html multiple times under guard malloc 2008-09-20 17:50:48 -0700 1 1 1 Unclassified WebKit SVG 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED InRadar, NeedsReduction P2 Normal --- 1 mrowe mitz hyatt mjs mrowe zimmermann oldest_to_newest 91838 0 mrowe 2008-09-19 17:24:49 -0700 Running svg/custom/acid3-test-77.html twice in a row under guard malloc leads to an assertion failure: ASSERTION FAILED: !HashTranslator::equal(KeyTraits::emptyValue(), key) (HashTable.h:443 void WTF::HashTable<Key, Value, Extractor, HashFunctions, Traits, KeyTraits>::checkKey(const T&) [with T = UChar, HashTranslator = WTF::IdentityHashTranslator<UChar, std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned int> >, Key = UChar, Value = std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> >, Extractor = WTF::PairFirstExtractor<std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> > >, HashFunctions = WTF::IntHash<unsigned int>, Traits = WTF::PairHashTraits<WTF::HashTraits<UChar>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, KeyTraits = WTF::HashTraits<UChar>]) Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef #0 0x03cd098b in WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned int>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::checkKey<unsigned short, WTF::IdentityHashTranslator<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned int> > > (this=0xd6b5cfe4, key=@0xbfffe056) at HashTable.h:443 #1 0x03cd0a5c in WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned int>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::lookup<unsigned short, WTF::IdentityHashTranslator<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned int> > > (this=0xd6b5cfe4, key=@0xbfffe056) at HashTable.h:457 #2 0x03cd0b26 in WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned int>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::lookup (this=0xd6b5cfe4, key=@0xbfffe056) at HashTable.h:330 #3 0x03cd0b40 in WTF::HashMap<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode>, WTF::IntHash<unsigned int>, WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >::get (this=0xd6b5cfe4, key=@0xbfffe056) at HashMap.h:207 #4 0x03cd0bc5 in WebCore::SVGGlyphMap::get (this=0xd68f4fd4, string=@0xbfffe144, glyphs=@0xbfffe138) at SVGGlyphMap.h:84 #5 0x03ccd68c in WebCore::SVGFontElement::getGlyphIdentifiersForString (this=0xd68f4f30, string=@0xbfffe144, glyphs=@0xbfffe138) at WebCore/svg/SVGFontElement.cpp:237 #6 0x03cd5699 in WebCore::SVGTextRunWalker<WebCore::SVGTextRunWalkerMeasuredLengthData>::walk (this=0xbfffe278, run=@0xbfffe390, isVerticalText=false, language=@0xbfffe28c, from=0, to=1) at WebCore/svg/SVGFont.cpp:278 #7 0x03cd3c0d in floatWidthOfSubStringUsingSVGFont (font=0xd679cfa8, run=@0xbfffe390, extraCharsAvailable=1, from=0, to=1, charsConsumed=@0xbfffe420, glyphName=@0xbfffe41c) at WebCore/svg/SVGFont.cpp:415 #8 0x03cd3ddb in WebCore::Font::floatWidthUsingSVGFont (this=0xd679cfa8, run=@0xbfffe390, extraCharsAvailable=1, charsConsumed=@0xbfffe420, glyphName=@0xbfffe41c) at WebCore/svg/SVGFont.cpp:433 #9 0x037ee0b9 in WebCore::Font::floatWidth (this=0xd679cfa8, run=@0xbfffe390, extraCharsAvailable=1, charsConsumed=@0xbfffe420, glyphName=@0xbfffe41c) at WebCore/platform/graphics/Font.cpp:724 #10 0x03ba10fa in WebCore::SVGInlineTextBox::calculateGlyphWidth (this=0xd6b86fbc, style=0xd6794fbc, offset=2, extraCharsAvailable=1, charsConsumed=@0xbfffe420, glyphName=@0xbfffe41c) at WebCore/rendering/SVGInlineTextBox.cpp:80 #11 0x03bfc212 in WebCore::SVGInlineTextBoxQueryWalker::chunkPortionCallback (this=0xbfffe5a8, textBox=0xd6b86fbc, startOffset=0, chunkCtm=@0xd6bdec4c, start=@0xbfffe4ec, end=@0xbfffe4e8) at WebCore/svg/SVGTextContentElement.cpp:201 #12 0x03c0018b in WebCore::SVGTextChunkWalker<WebCore::SVGInlineTextBoxQueryWalker>::operator() (this=0xbfffe5e8, textBox=0xd6b86fbc, startOffset=0, chunkCtm=@0xd6bdec4c, start=@0xbfffe4ec, end=@0xbfffe4e8) at SVGCharacterLayoutInfo.h:342 #13 0x03be5e8f in WebCore::SVGRootInlineBox::walkTextChunks (this=0xd6b88f7c, walker=0xbfffe5e8, textBox=0xd6b86fbc) at WebCore/rendering/SVGRootInlineBox.cpp:1686 #14 0x03bfa999 in executeTextQuery (element=0xd2548e80, mode=WebCore::SVGInlineTextBoxQueryWalker::EndPosition, startPosition=2, length=0, referencePoint={m_x = 0, m_y = 0}) at WebCore/svg/SVGTextContentElement.cpp:360 #15 0x03bfb32f in WebCore::SVGTextContentElement::getEndPositionOfChar (this=0xd2548e80, charnum=2, ec=@0xbfffe728) at WebCore/svg/SVGTextContentElement.cpp:417 #16 0x03a16958 in WebCore::jsSVGTextContentElementPrototypeFunctionGetEndPositionOfChar (exec=0xbfffe8cc, thisValue=0x1083560, args=@0xbfffe774) at WebKitBuild/Debug/DerivedSources/WebCore/JSSVGTextContentElement.cpp:324 #17 0x004fbaa6 in JSC::Machine::cti_op_call_NotJSFunction (args=0xc74fbf90) at JavaScriptCore/VM/Machine.cpp:4423 The Mac OS X Intel Debug build bot hits this assertion failure very, very frequently. 91839 1 mrowe 2008-09-19 17:25:28 -0700 <rdar://problem/6234059> 91840 2 mrowe 2008-09-19 17:40:26 -0700 Assertion failure is in SVGFont-related code, which looks to have been written by Nikolas, but touched recently by Dave, Maciej and Dan. In particular <http://trac.webkit.org/changeset/31836> touched SVGTextRunWalker::walk, which looks to be where things start going obviously wrong. 91841 3 mitz 2008-09-19 17:42:45 -0700 I think this is a duplicate of bug 18830. 91842 4 mrowe 2008-09-19 17:43:59 -0700 Good catch. *** This bug has been marked as a duplicate of 18830 *** 91912 5 mitz 2008-09-20 11:35:45 -0700 Looks like the root cause in this case is different from that of bug 18830 after all, and this one is easy to fix. 91915 6 23608 mitz 2008-09-20 11:55:14 -0700 Created attachment 23608 Fix an off-by-one error 91919 7 23608 eric 2008-09-20 13:17:24 -0700 Comment on attachment 23608 Fix an off-by-one error Seems this should be pulled out into a nicely named local variable, possibly with a comment explaining why it does not include the first char (or maybe that's obvious from the code). int remainingCharsInRun = end - it; or similar. I would like to see a local variable used when you land, but I don't need to see the patch again. 91954 8 mitz 2008-09-20 17:50:48 -0700 Fixed in <http://trac.webkit.org/changeset/36723>. 23608 2008-09-20 11:55:14 -0700 2008-09-20 13:17:24 -0700 Fix an off-by-one error 20950_r1.diff text/plain 1796 mitz SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiAzNjcxMSkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTQgQEAKKzIwMDgtMDktMjAgIERhbiBCZXJuc3RlaW4gIDxtaXR6QGFwcGxlLmNv bT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAtIGZp eCBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjA5NTAKKyAgICAgICAg ICBSZXByb2R1Y2libGUgYXNzZXJ0aW9uIGZhaWx1cmUgcnVubmluZyBzdmcvY3VzdG9tL2FjaWQz LXRlc3QtNzcuaHRtbCBtdWx0aXBsZSB0aW1lcyB1bmRlciBndWFyZCBtYWxsb2MKKworICAgICAg ICAqIHN2Zy9TVkdUZXh0Q29udGVudEVsZW1lbnQuY3BwOgorICAgICAgICAoV2ViQ29yZTo6U1ZH SW5saW5lVGV4dEJveFF1ZXJ5V2Fsa2VyOjpjaHVua1BvcnRpb25DYWxsYmFjayk6IENoYW5nZWQg dG8KKyAgICAgICAgbm90IGluY2x1ZGUgdGhlIGZpcnN0IGNoYXJhY3RlciBpbiB0aGUgZXh0cmFD aGFyc0F2YWlsYWJsZSBjb3VudC4KKwogMjAwOC0wOS0yMCAgSG9sZ2VyIEhhbnMgUGV0ZXIgRnJl eXRoZXIgIDx6ZWNrZUBzZWxmaXNoLm9yZz4KIAogICAgICAgICBCdWlsZCBmaXguCkluZGV4OiBX ZWJDb3JlL3N2Zy9TVkdUZXh0Q29udGVudEVsZW1lbnQuY3BwCj09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNv cmUvc3ZnL1NWR1RleHRDb250ZW50RWxlbWVudC5jcHAJKHJldmlzaW9uIDM2Njk3KQorKysgV2Vi Q29yZS9zdmcvU1ZHVGV4dENvbnRlbnRFbGVtZW50LmNwcAkod29ya2luZyBjb3B5KQpAQCAtMTk2 LDkgKzE5Niw5IEBAIHN0cnVjdCBTVkdJbmxpbmVUZXh0Qm94UXVlcnlXYWxrZXIgewogICAgICAg ICAgICAgICAgICAgICBpbnQgY2hhcnNDb25zdW1lZDsKICAgICAgICAgICAgICAgICAgICAgU3Ry aW5nIGdseXBoTmFtZTsKICAgICAgICAgICAgICAgICAgICAgaWYgKGlzVmVydGljYWxUZXh0KQot ICAgICAgICAgICAgICAgICAgICAgICAgbV9xdWVyeVBvaW50UmVzdWx0Lm1vdmUoaXQtPngsIGl0 LT55ICsgdGV4dEJveC0+Y2FsY3VsYXRlR2x5cGhIZWlnaHQoc3R5bGUsIG5ld09mZnNldCwgZW5k IC0gaXQpKTsKKyAgICAgICAgICAgICAgICAgICAgICAgIG1fcXVlcnlQb2ludFJlc3VsdC5tb3Zl KGl0LT54LCBpdC0+eSArIHRleHRCb3gtPmNhbGN1bGF0ZUdseXBoSGVpZ2h0KHN0eWxlLCBuZXdP ZmZzZXQsIGVuZCAtIGl0IC0gMSkpOwogICAgICAgICAgICAgICAgICAgICBlbHNlCi0gICAgICAg ICAgICAgICAgICAgICAgICBtX3F1ZXJ5UG9pbnRSZXN1bHQubW92ZShpdC0+eCArIHRleHRCb3gt PmNhbGN1bGF0ZUdseXBoV2lkdGgoc3R5bGUsIG5ld09mZnNldCwgZW5kIC0gaXQsIGNoYXJzQ29u c3VtZWQsIGdseXBoTmFtZSksIGl0LT55KTsKKyAgICAgICAgICAgICAgICAgICAgICAgIG1fcXVl cnlQb2ludFJlc3VsdC5tb3ZlKGl0LT54ICsgdGV4dEJveC0+Y2FsY3VsYXRlR2x5cGhXaWR0aChz dHlsZSwgbmV3T2Zmc2V0LCBlbmQgLSBpdCAtIDEsIGNoYXJzQ29uc3VtZWQsIGdseXBoTmFtZSks IGl0LT55KTsKIAogICAgICAgICAgICAgICAgICAgICBtX3N0b3BQcm9jZXNzaW5nID0gdHJ1ZTsK ICAgICAgICAgICAgICAgICAgICAgcmV0dXJuOwo=