Bug 134632

Summary: ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSParser::detectAtToken
Product: WebKit Reporter: Martin Hodovan <mhodovan.u-szeged>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: buildbot, commit-queue, darin, esprehn+autocc, ggaren, glenn, gyuyoung.kim, macpherson, menard, msaboff, rhodovan.u-szeged, rniwa, selenagomezzrw, simon.fraser
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Proposed patch
darin: review-, darin: commit-queue-
Proposed patch
buildbot: commit-queue-
Archive of layout-test-results from webkit-ews-09 for mac-mountainlion-wk2
none
Proposed patch none

Martin Hodovan
Reported 2014-07-04 06:02:26 PDT
Test case: <style> * { @\aaa } </style> Output: ASSERTION FAILED: name[0] == '@' && length >= 2 Source/WebCore/css/CSSParser.cpp(10618) : void WebCore::CSSParser::detectAtToken(int, bool) [with CharacterType = unsigned char] Backtrace: #0 0x00007ffff58284d1 in WTFCrash () at /home/martin/Data/WebKit2/Source/WTF/wtf/Assertions.cpp:333 #1 0x00007ffff0a34fff in WebCore::CSSParser::detectAtToken<unsigned char> (this=0x7fffffffbe60, length=1, hasEscape=true) at /home/martin/Data/WebKit2/Source/WebCore/css/CSSParser.cpp:10618 #2 0x00007ffff0a2ca81 in WebCore::CSSParser::realLex<unsigned char> (this=0x7fffffffbe60, yylvalWithoutType=0x7fffffffa2d0) at /home/martin/Data/WebKit2/Source/WebCore/css/CSSParser.cpp:11211 #3 0x00007ffff19c6750 in WebCore::CSSParser::lex (this=0x7fffffffbe60, cssyylval=0x7fffffffa2d0) at /home/martin/Data/WebKit2/Source/WebCore/css/CSSParser.h:396 #4 0x00007ffff19c67a0 in WebCore::cssyylex (cssyylval=0x7fffffffa2d0, parser=0x7fffffffbe60) at /home/martin/Data/WebKit2/Source/WebCore/css/CSSParser.h:696 #5 0x00007ffff19c113a in cssyyparse (parser=0x7fffffffbe60) at /home/martin/Data/WebKit2/WebKitBuild/Debug/DerivedSources/WebCore/CSSGrammar.cpp:2816 #6 0x00007ffff09f8996 in WebCore::CSSParser::parseSheet (this=0x7fffffffbe60, sheet=0x7d2ae0, string=..., startLineNumber=8, ruleSourceDataResult=0x0, logErrors=true) at /home/martin/Data/WebKit2/Source/WebCore/css/CSSParser.cpp:440 #7 0x00007ffff0b22d23 in WebCore::StyleSheetContents::parseStringAtLine (this=0x7d2ae0, sheetText=..., startLineNumber=8, createdByParser=true) at /home/martin/Data/WebKit2/Source/WebCore/css/StyleSheetContents.cpp:326 #8 0x00007ffff0c07060 in WebCore::InlineStyleSheetOwner::createSheet (this=0x779558, element=..., text=...) at /home/martin/Data/WebKit2/Source/WebCore/dom/InlineStyleSheetOwner.cpp:147 #9 0x00007ffff0c06b18 in WebCore::InlineStyleSheetOwner::createSheetFromTextContents (this=0x779558, element=...) at /home/martin/Data/WebKit2/Source/WebCore/dom/InlineStyleSheetOwner.cpp:97 #10 0x00007ffff0c06ad5 in WebCore::InlineStyleSheetOwner::finishParsingChildren (this=0x779558, element=...) at /home/martin/Data/WebKit2/Source/WebCore/dom/InlineStyleSheetOwner.cpp:91 #11 0x00007ffff0dff7f9 in WebCore::HTMLStyleElement::finishParsingChildren (this=0x7794f0) at /home/martin/Data/WebKit2/Source/WebCore/html/HTMLStyleElement.cpp:90 #12 0x00007ffff0ea1452 in WebCore::HTMLElementStack::popCommon (this=0x624e88) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLElementStack.cpp:578 #13 0x00007ffff0e9fe76 in WebCore::HTMLElementStack::pop (this=0x624e88) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLElementStack.cpp:214 #14 0x00007ffff0ec9569 in WebCore::HTMLTreeBuilder::processEndTag (this=0x624e50, token=0x7fffffffd290) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2179 #15 0x00007ffff0ebfd60 in WebCore::HTMLTreeBuilder::processToken (this=0x624e50, token=0x7fffffffd290) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:386 #16 0x00007ffff0ebfb72 in WebCore::HTMLTreeBuilder::constructTree (this=0x624e50, token=0x7fffffffd290) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:354 #17 0x00007ffff0e996fc in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x71bf50, rawToken=...) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLDocumentParser.cpp:352 #18 0x00007ffff0e99383 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x71bf50, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLDocumentParser.cpp:309 #19 0x00007ffff0e98b89 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x71bf50, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLDocumentParser.cpp:189 #20 0x00007ffff0e99c43 in WebCore::HTMLDocumentParser::append (this=0x71bf50, inputSource=...) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLDocumentParser.cpp:428 #21 0x00007ffff0b7c661 in WebCore::DecodedDataDocumentParser::flush (this=0x71bf50, writer=...) at /home/martin/Data/WebKit2/Source/WebCore/dom/DecodedDataDocumentParser.cpp:60 #22 0x00007ffff0fe8217 in WebCore::DocumentWriter::end (this=0x791360) at /home/martin/Data/WebKit2/Source/WebCore/loader/DocumentWriter.cpp:247 #23 0x00007ffff0fd28f9 in WebCore::DocumentLoader::finishedLoading (this=0x7912c0, finishTime=0) at /home/martin/Data/WebKit2/Source/WebCore/loader/DocumentLoader.cpp:441 #24 0x00007ffff0fd2662 in WebCore::DocumentLoader::notifyFinished (this=0x7912c0, resource=0x7ac4f0) at /home/martin/Data/WebKit2/Source/WebCore/loader/DocumentLoader.cpp:375 #25 0x00007ffff107fc42 in WebCore::CachedResource::checkNotify (this=0x7ac4f0) at /home/martin/Data/WebKit2/Source/WebCore/loader/cache/CachedResource.cpp:334 #26 0x00007ffff107fd28 in WebCore::CachedResource::finishLoading (this=0x7ac4f0) at /home/martin/Data/WebKit2/Source/WebCore/loader/cache/CachedResource.cpp:350 #27 0x00007ffff107cd26 in WebCore::CachedRawResource::finishLoading (this=0x7ac4f0, data=0x64bf20) at /home/martin/Data/WebKit2/Source/WebCore/loader/cache/CachedRawResource.cpp:98 #28 0x00007ffff1032d1e in WebCore::SubresourceLoader::didFinishLoading (this=0x7aca50, finishTime=0) at /home/martin/Data/WebKit2/Source/WebCore/loader/SubresourceLoader.cpp:310 #29 0x00007ffff102efef in WebCore::ResourceLoader::didFinishLoading (this=0x7aca50, finishTime=0) at /home/martin/Data/WebKit2/Source/WebCore/loader/ResourceLoader.cpp:517 #30 0x00007ffff193e23f in WebCore::readCallback (asyncResult=0x7b09c0, data=0x7ad0d0) at /home/martin/Data/WebKit2/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1302 #31 0x00007fffebef3aaa in async_ready_callback_wrapper (source_object=0x6851b0, res=0x7b09c0, user_data=0x7ad0d0) at ginputstream.c:519 #32 0x00007fffebf1347b in g_task_return_now (task=0x7b09c0) at gtask.c:1108 #33 0x00007fffebf13499 in complete_in_idle_cb (task=0x7b09c0) at gtask.c:1117 #34 0x00007fffeb963536 in g_main_dispatch (context=0x67f760) at gmain.c:3065 #35 g_main_context_dispatch (context=context@entry=0x67f760) at gmain.c:3641 #36 0x00007fffeccd95c0 in _ecore_glib_select__locked (ecore_timeout=<optimized out>, efds=<optimized out>, wfds=0x7fffffffd9b0, rfds=0x7fffffffd930, ecore_fds=8, ctx=<optimized out>) at lib/ecore/ecore_glib.c:172 #37 _ecore_glib_select (ecore_fds=8, rfds=0x7fffffffd930, wfds=0x7fffffffd9b0, efds=<optimized out>, ecore_timeout=<optimized out>) at lib/ecore/ecore_glib.c:204 #38 0x00007fffeccdc0a4 in _ecore_main_select (timeout=<optimized out>) at lib/ecore/ecore_main.c:1579 #39 0x00007fffeccdcc45 in _ecore_main_loop_iterate_internal (once_only=once_only@entry=0) at lib/ecore/ecore_main.c:2007 #40 0x00007fffeccdcd07 in ecore_main_loop_begin () at lib/ecore/ecore_main.c:1042 #41 0x00007ffff7678933 in WTF::RunLoop::run () at /home/martin/Data/WebKit2/Source/WTF/wtf/efl/RunLoopEfl.cpp:51 #42 0x00007ffff75fd5fe in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffde58) at /home/martin/Data/WebKit2/Source/WebKit2/Shared/unix/ChildProcessMain.h:61 #43 0x00007ffff75fd3db in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffde58) at /home/martin/Data/WebKit2/Source/WebKit2/WebProcess/efl/WebProcessMainEfl.cpp:128 #44 0x0000000000400840 in main (argc=2, argv=0x7fffffffde58) at /home/martin/Data/WebKit2/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:32
Attachments
Proposed patch (5.25 KB, patch)
2014-07-04 06:13 PDT, Martin Hodovan 		darin: review-
darin: commit-queue-
DetailsFormatted DiffDiff
Proposed patch (4.80 KB, patch)
2014-07-29 07:25 PDT, Martin Hodovan 		buildbot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from webkit-ews-09 for mac-mountainlion-wk2 (482.84 KB, application/zip)
2014-07-29 11:29 PDT, Build Bot 		no flags
Details
Proposed patch (4.80 KB, patch)
2014-08-05 04:08 PDT, Martin Hodovan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Martin Hodovan
Comment 1 2014-07-04 06:13:16 PDT
Created attachment 234405 [details] Proposed patch Backported from Chromium: https://codereview.chromium.org/241053002
Darin Adler
Comment 2 2014-07-04 12:00:13 PDT
Comment on attachment 234405 [details] Proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=234405&action=review > Source/WebCore/css/CSSParser.cpp:11231 > + // The standard enables unicode escapes in at-rules. In this case only the resultString will contain the > + // correct identifier, hence we have to use it to determine its length instead of the usual pointer arithmetic. The bug is in parseIdentifier, which needs to bump the result pointer even in the 16-bit slow case. Not doing that will cause many other problems, so just changing this code path to quiet the assertion is wrong. The line of code that should be added to parseIdentifer is: result += result16 - start16; The reason it’s important to fix the bug in parseIdentifier is that multiple call sites of parseIdentifier are affected by this, not just this one code path. But also, the 16-bit code path in parseIdentifier doesn’t really need to switch to parsing 16-bit input. It’s only the output string that needs to be 16-bit, and the way it currently does things is unnecessarily inefficient. This code is made terribly confusing by using the name "result" for a pointer to the next character to be parsed. We should call this current, not result, and we should also investigate using a const pointer for it and eliminating code that writes into it. But that’s beyond the scope of this.
Martin Hodovan
Comment 3 2014-07-29 07:25:13 PDT
Created attachment 235687 [details] Proposed patch Thank you for the complete solution and sorry about the delay. I updated the patch. (I am making a follow-up patch to rename the confusing 'result' pointer to 'current'.)
Build Bot
Comment 4 2014-07-29 11:29:47 PDT
Comment on attachment 235687 [details] Proposed patch Attachment 235687 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.appspot.com/results/5421317947916288 New failing tests: media/media-fragments/TC0001.html
Build Bot
Comment 5 2014-07-29 11:29:51 PDT
Created attachment 235697 [details] Archive of layout-test-results from webkit-ews-09 for mac-mountainlion-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: webkit-ews-09 Port: mac-mountainlion-wk2 Platform: Mac OS X 10.8.5
Martin Hodovan
Comment 6 2014-08-05 04:08:13 PDT
Created attachment 236025 [details] Proposed patch
WebKit Commit Bot
Comment 7 2014-08-05 11:14:50 PDT
Comment on attachment 236025 [details] Proposed patch Clearing flags on attachment: 236025 Committed r172036: <http://trac.webkit.org/changeset/172036>
WebKit Commit Bot
Comment 8 2014-08-05 11:14:56 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.