Bug 197181

Summary: Assertion fires when calling getSubStringLength() for a fragmented <text> element
Product: WebKit
Reporter: Said Abou-Hallawa <sabouhallawa>
Component: SVG
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: ahmad.saleem792, webkit-bug-importer, zimmermann
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: test case (flags: none)

Description Said Abou-Hallawa 2019-04-22 16:18:05 PDT
Created attachment 367991 [details]
test case

Open the attached test case. The following assertion will fire:

0x00000001b2ae79b0 in ::WTFCrash() at Source/WTF/wtf/Assertions.cpp:305
0x00000001a000e75b in WTFCrashWithInfo(int, char const*, char const*, int) at WebKitBuild/Debug/usr/local/include/wtf/Assertions.h:566
0x00000001a3ba3e7d in WebCore::SVGTextQuery::mapStartEndPositionsIntoFragmentCoordinates(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&, unsigned int&, unsigned int&) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:140
0x00000001a3ba450c in WebCore::SVGTextQuery::subStringLengthCallback(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:291
0x00000001a3ba3d9c in WebCore::SVGTextQuery::executeQuery(WebCore::SVGTextQuery::Data*, bool (WebCore::SVGTextQuery::*)(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&) const) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:125
0x00000001a3ba4627 in WebCore::SVGTextQuery::subStringLength(unsigned int, unsigned int) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:305
0x00000001a3f34490 in WebCore::SVGTextContentElement::getSubStringLength(unsigned int, unsigned int) at Source/WebCore/./svg/SVGTextContentElement.cpp:75
0x00000001a12c5d00 in WebCore::jsSVGTextContentElementPrototypeFunctionGetSubStringLengthBody(JSC::ExecState*, WebCore::JSSVGTextContentElement*, JSC::ThrowScope&) at WebKitBuild/Debug/DerivedSources/WebCore/JSSVGTextContentElement.cpp:295
0x00000001a12ba6d0 in long long WebCore::IDLOperation<WebCore::JSSVGTextContentElement>::call<&(WebCore::jsSVGTextContentElementPrototypeFunctionGetSubStringLengthBody(JSC::ExecState*, WebCore::JSSVGTextContentElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) at Source/WebCore/bindings/js/JSDOMOperation.h:53
0x00000001a12ba3bc in WebCore::jsSVGTextContentElementPrototypeFunctionGetSubStringLength(JSC::ExecState*) at WebKitBuild/Debug/DerivedSources/WebCore/JSSVGTextContentElement.cpp:300
Comment 1 Said Abou-Hallawa 2019-04-22 16:19:38 PDT
<rdar://problem/50109006>
Comment 2 Ahmad Saleem 2023-01-20 11:03:35 PST
I get hit by this assertion while trying to load the test case in a MiniBrowser WK2 Debug build based off 259136@main and get the following:

ASSERTION FAILED: startPosition >= queryData->processedCharacters
rendering/svg/SVGTextQuery.cpp(142) : bool WebCore::SVGTextQuery::mapStartEndPositionsIntoFragmentCoordinates(WebCore::SVGTextQuery::Data *, const WebCore::SVGTextFragment &, unsigned int &, unsigned int &) const
1   0x139d6ed84 WTFCrash
2   0x280832730 WTFCrashWithInfo(int, char const*, char const*, int)
3   0x285bd1358 WebCore::SVGTextQuery::mapStartEndPositionsIntoFragmentCoordinates(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&, unsigned int&, unsigned int&) const
4   0x285bd1bd4 WebCore::SVGTextQuery::subStringLengthCallback(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&) const
5   0x285bd1238 WebCore::SVGTextQuery::executeQuery(WebCore::SVGTextQuery::Data*, bool (WebCore::SVGTextQuery::*)(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&) const) const
6   0x285bd1d08 WebCore::SVGTextQuery::subStringLength(unsigned int, unsigned int) const
7   0x2860366ac WebCore::SVGTextContentElement::getSubStringLength(unsigned int, unsigned int)
8   0x281a6ad08 WebCore::jsSVGTextContentElementPrototypeFunction_getSubStringLengthBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSSVGTextContentElement*)
9   0x281a6a9c4 long long WebCore::IDLOperation<WebCore::JSSVGTextContentElement>::call<&(WebCore::jsSVGTextContentElementPrototypeFunction_getSubStringLengthBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSSVGTextContentElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
10  0x281a69e68 WebCore::jsSVGTextContentElementPrototypeFunction_getSubStringLength(JSC::JSGlobalObject*, JSC::CallFrame*)
11  0x2a4e5403c (null)
12  0x13a496990 llint_entry
13  0x13a470eec vmEntryToJavaScript
14  0x13b4cfa5c JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
15  0x13b4ceff8 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
16  0x13b938110 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
17  0x13b938254 JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
18  0x283240254 WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
19  0x28323fd28 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
20  0x28323fb5c WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
21  0x28324050c WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)
22  0x283cbd164 WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)
23  0x283cbb2e8 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport)
24  0x2863d6984 WebCore::XMLDocumentParser::endElementNs()
25  0x2863d7e18 WebCore::endElementNsHandler(void*, unsigned char const*, unsigned char const*, unsigned char const*)
26  0x1a6f538b4 xmlParseEndTag2
27  0x1a6f4a320 xmlParseTryOrFinish
28  0x1a6f48f40 xmlParseChunk
29  0x2863d5034 WebCore::XMLDocumentParser::doWrite(WTF::String const&)
30  0x2863cb95c WebCore::XMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl> >&&)
31  0x283a67eec WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, unsigned char const*, unsigned long)
2023-01-20 19:01:00.281 MiniBrowser[67347:23990700] WebContent process crashed; reloading
ASSERTION FAILED: m_connection
/Users/ahmadsaleem/Documents/GitHub-Webkit-origin/Webkit/Source/WebKit/UIProcess/AuxiliaryProcessProxy.h(86) : IPC::Connection *WebKit::AuxiliaryProcessProxy::connection() const
1   0x135b4ed84 WTFCrash
2   0x11610fc30 WTFCrashWithInfo(int, char const*, char const*, int)
3   0x117231d48 WebKit::AuxiliaryProcessProxy::connection() const
4   0x117c5b848 WebKit::WebPageProxy::messageSenderConnection() const
5   0x117c5b3e4 WebKit::WebPageProxy::sendWheelEvent(WebKit::WebWheelEvent const&, WTF::OptionSet<WebCore::WheelEventProcessingSteps>)
6   0x117c5b298 WebKit::WebPageProxy::handleWheelEvent(WebKit::NativeWebWheelEvent const&)
7   0x11795cd7c WebKit::WebViewImpl::scrollWheel(NSEvent*)
8   0x1175a27ac -[WKWebView(WKImplementationMac) scrollWheel:]
9   0x1a259e618 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:]
10  0x1a259d124 -[NSWindow(NSEventRouting) sendEvent:]
11  0x1a259c25c -[NSApplication(NSEvent) sendEvent:]
12  0x1a27ee360 -[NSApplication _handleEvent:]
13  0x1a2463a08 -[NSApplication run]
14  0x1a243ae28 NSApplicationMain
15  0x100045edc main
16  0x19ede7e50 start
2023-01-20 19:01:00.335 com.apple.WebKit.WebContent.Development[67548:23993744] Application does not have permission to communicate with network resources. rc=1 : errno=3