Bug 162215
| Summary: | [Debug] imported/w3c/web-platform-tests/html/the-xhtml-syntax/parsing-xhtml-documents/xhtml-mathml-dtd-entity-support.htm is crashing | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Chris Dumez <cdumez> |
| Component: | DOM | Assignee: | Chris Dumez <cdumez> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Normal | CC: | cdumez |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=107459 | | |
Chris Dumez
New imported/w3c/web-platform-tests/html/the-xhtml-syntax/parsing-xhtml-documents/xhtml-mathml-dtd-entity-support.htm layout test introduced in Bug 162166 is crashing on debug builds with the following backtrace:
```
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
-->
    __TEXT                 0000000102d4a000-0000000102e0c000 [  776K] r-x/rwx SM=COW  /Volumes/VOLUME/*

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore   0x00000001043a05d7 WTFCrash + 39
1   com.apple.WebCore          0x000000010bc7bd2c WebCore::convertUTF16EntityToUTF8(unsigned short const*, unsigned long, char*, unsigned long) + 188 (XMLDocumentParserLibxml2.cpp:1216)
2   com.apple.WebCore          0x000000010bc7bbed WebCore::getXHTMLEntity(unsigned char const*) + 157 (XMLDocumentParserLibxml2.cpp:1229)
3   com.apple.WebCore          0x000000010bc7a577 WebCore::getEntityHandler(void*, unsigned char const*) + 295 (XMLDocumentParserLibxml2.cpp:1276)
4   libxml2.2.dylib            0x00007fff891300a8 xmlParseEntityRef + 225
5   libxml2.2.dylib            0x00007fff8912f79b xmlParseReference + 194
6   libxml2.2.dylib            0x00007fff891368ef xmlParseTryOrFinish + 5405
7   libxml2.2.dylib            0x00007fff891351dd xmlParseChunk + 901
8   com.apple.WebCore          0x000000010bc77ca8 WebCore::XMLDocumentParser::doWrite(WTF::String const&) + 408 (XMLDocumentParserLibxml2.cpp:690)
9   com.apple.WebCore          0x000000010bc74988 WebCore::XMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) + 312 (XMLDocumentParser.cpp:122)
10  com.apple.WebCore          0x0000000109ac7a4c WebCore::Document::setContent(WTF::String const&) + 108 (Document.cpp:1402)
11  com.apple.WebCore          0x0000000109b9c4bd WebCore::DOMParser::parseFromString(WTF::String const&, WTF::String const&, int&) + 285 (DOMParser.cpp:40)
12  com.apple.WebCore          0x000000010a5628ae WebCore::jsDOMParserPrototypeFunctionParseFromString(JSC::ExecState*) + 1038 (JSDOMParser.cpp:187)
```
Chris Dumez
Looks like the code that is crashing was added in Bug 107459.
Chris Dumez
When I hit the assertion:
target: &?? (is null terminated? 1)
ASSERTION FAILED: target > originalTarget + 1
So target is null terminated and the function was called with the string "&??\0" it seems.
Chris Dumez
(In reply to comment #2)
> When I hit the assertion:
> target: &?? (is null terminated? 1)
> ASSERTION FAILED: target > originalTarget + 1
>
> So target is null terminated and the function was called with the string
> "&??\0" it seems.
target: 0x117627af5, originalTarget + 1: 0x117627af5
So target is equal to originalTarget + 1.
Chris Dumez
(In reply to comment #3)
> (In reply to comment #2)
> > When I hit the assertion:
> > target: &?? (is null terminated? 1)
> > ASSERTION FAILED: target > originalTarget + 1
> >
> > So target is null terminated and the function was called with the string
> > "&??\0" it seems.
>
> target: 0x117627af5, originalTarget + 1: 0x117627af5
>
> So target is equal to originalTarget + 1.
So the test provides \u0026 as input and we put "&\0" in the target which seems correct.
Chris Dumez
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > When I hit the assertion:
> > > target: &?? (is null terminated? 1)
> > > ASSERTION FAILED: target > originalTarget + 1
> > >
> > > So target is null terminated and the function was called with the string
> > > "&??\0" it seems.
> >
> > target: 0x117627af5, originalTarget + 1: 0x117627af5
> >
> > So target is equal to originalTarget + 1.
>
> So the test provides \u0026 as input and we put "&\0" in the target which
> seems correct.
So the assertion is:
ASSERT(target > originalTarget + 1);
Which means it expects more than 1 character to be written by WTF::Unicode::convertUTF16ToUTF8() into target. However, for some input such as '\u0026', the conversion to UTF-8 is '&', which is only 1 character. Therefore, I believe this assertion is wrong.
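To make the reasoning in the comment above concrete, here is an added example (not WebKit's code and not the fix that landed in bug 162166). It re-implements a bounds-checked UTF-16-entity-to-UTF-8 conversion under the same name as the frame in the backtrace, and expresses the two checks as predicates on the number of bytes written: with `target` advanced past the written bytes, `target - originalTarget` is the byte count, so `ASSERT(target > originalTarget + 1)` demands more than one byte, while the weakest condition the conversion can actually guarantee for a non-empty entity is that at least one byte was written. Treating `target > originalTarget` as the corrected form is this example's assumption, not something the bug states. The sample entity values (U+0026 from `&amp;`, U+00A0 from `&nbsp;`, U+1D400 as a MathML-style supplementary-plane character, and a truncated surrogate pair) are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Added illustration, not WebKit's convertUTF16EntityToUTF8(): expand a UTF-16
// entity value into NUL-terminated UTF-8 in `target`, never writing past
// `targetSize`. Returns the number of bytes written before the NUL, or 0 when
// the input is malformed UTF-16 (lone surrogate) or the buffer is too small to
// hold the result plus its NUL terminator.
size_t convertUTF16EntityToUTF8(const uint16_t* utf16, size_t numberOfCodeUnits,
                                char* target, size_t targetSize)
{
    if (targetSize == 0)
        return 0;
    char* out = target;
    char* end = target + targetSize;
    for (size_t i = 0; i < numberOfCodeUnits;) {
        uint32_t cp = utf16[i++];
        if (cp >= 0xD800 && cp <= 0xDBFF) {                  // high surrogate: a low one must follow
            if (i >= numberOfCodeUnits)
                return 0;
            uint32_t low = utf16[i++];
            if (low < 0xDC00 || low > 0xDFFF)
                return 0;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (low - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return 0;                                         // lone low surrogate
        }
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (static_cast<size_t>(end - out) < need + 1)        // +1 reserves room for the NUL
            return 0;
        switch (need) {
        case 1: *out++ = static_cast<char>(cp); break;
        case 2: *out++ = static_cast<char>(0xC0 | (cp >> 6));
                *out++ = static_cast<char>(0x80 | (cp & 0x3F)); break;
        case 3: *out++ = static_cast<char>(0xE0 | (cp >> 12));
                *out++ = static_cast<char>(0x80 | ((cp >> 6) & 0x3F));
                *out++ = static_cast<char>(0x80 | (cp & 0x3F)); break;
        default: *out++ = static_cast<char>(0xF0 | (cp >> 18));
                 *out++ = static_cast<char>(0x80 | ((cp >> 12) & 0x3F));
                 *out++ = static_cast<char>(0x80 | ((cp >> 6) & 0x3F));
                 *out++ = static_cast<char>(0x80 | (cp & 0x3F)); break;
        }
    }
    *out = '\0';
    return static_cast<size_t>(out - target);
}

// The assertion as filed, ASSERT(target > originalTarget + 1), with
// target - originalTarget == bytes written: it requires more than one byte.
bool assertionAsFiled(size_t bytesWritten) { return bytesWritten > 1; }

// Assumed corrected form, ASSERT(target > originalTarget): at least one byte.
bool assertionCorrected(size_t bytesWritten) { return bytesWritten > 0; }

// Encode one code point as UTF-16 (surrogate pair above U+FFFF; a surrogate
// value passed directly stays a lone unit, so it is rejected), expand it into a
// buffer of `bufSize` bytes and return the UTF-8 text, or "" if rejected.
std::string expandCodePoint(uint32_t cp, size_t bufSize)
{
    uint16_t units[2];
    size_t n = 0;
    if (cp >= 0x10000) {
        units[n++] = static_cast<uint16_t>(0xD800 + ((cp - 0x10000) >> 10));
        units[n++] = static_cast<uint16_t>(0xDC00 + ((cp - 0x10000) & 0x3FF));
    } else {
        units[n++] = static_cast<uint16_t>(cp);
    }
    std::string buf(bufSize, '\0');
    size_t written = convertUTF16EntityToUTF8(units, n, &buf[0], bufSize);
    buf.resize(written);
    return buf;
}

int main()
{
    // Constructed sample entity values for the example.
    const uint32_t samples[] = { 0x0026, 0x00A0, 0x1D400, 0xD835 };
    for (uint32_t cp : samples) {
        std::string utf8 = expandCodePoint(cp, 8);
        std::printf("U+%04X -> %zu byte(s): as-filed assertion %s, corrected assertion %s\n",
                    cp, utf8.size(),
                    assertionAsFiled(utf8.size()) ? "holds" : "FAILS",
                    assertionCorrected(utf8.size()) ? "holds" : "FAILS");
    }
    return 0;
}
```

For U+0026 the conversion writes exactly one byte, so the as-filed predicate is false (the debug-build crash in the backtrace) while the corrected one is true; two-, three- and four-byte results satisfy both. The size check before each write is what keeps a short `target` buffer from becoming an overflow rather than an assertion.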
Chris Dumez
*** This bug has been marked as a duplicate of bug 162166 ***