| Field | Value |
|---|---|
| Summary | Assertion fires when calling getSubStringLength() for a fragmented <text> element |
| Product | WebKit |
| Component | SVG |
| Reporter | Said Abou-Hallawa <sabouhallawa> |
| Assignee | Nobody <webkit-unassigned> |
| Status | NEW |
| Severity | Normal |
| Priority | P2 |
| CC | ahmad.saleem792, webkit-bug-importer, zimmermann |
| Keywords | InRadar |
| Version | WebKit Nightly Build |
| Hardware | Unspecified |
| OS | Unspecified |
| Attachments | test case (attachment 367991) |
I get hit by this assertion while trying to load the test case in MiniBrowser WK2 Debug build based off 259136@main and get the following:

```
ASSERTION FAILED: startPosition >= queryData->processedCharacters
rendering/svg/SVGTextQuery.cpp(142) : bool WebCore::SVGTextQuery::mapStartEndPositionsIntoFragmentCoordinates(WebCore::SVGTextQuery::Data *, const WebCore::SVGTextFragment &, unsigned int &, unsigned int &) const
1   0x139d6ed84 WTFCrash
2   0x280832730 WTFCrashWithInfo(int, char const*, char const*, int)
3   0x285bd1358 WebCore::SVGTextQuery::mapStartEndPositionsIntoFragmentCoordinates(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&, unsigned int&, unsigned int&) const
4   0x285bd1bd4 WebCore::SVGTextQuery::subStringLengthCallback(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&) const
5   0x285bd1238 WebCore::SVGTextQuery::executeQuery(WebCore::SVGTextQuery::Data*, bool (WebCore::SVGTextQuery::*)(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&) const) const
6   0x285bd1d08 WebCore::SVGTextQuery::subStringLength(unsigned int, unsigned int) const
7   0x2860366ac WebCore::SVGTextContentElement::getSubStringLength(unsigned int, unsigned int)
8   0x281a6ad08 WebCore::jsSVGTextContentElementPrototypeFunction_getSubStringLengthBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSSVGTextContentElement*)
9   0x281a6a9c4 long long WebCore::IDLOperation<WebCore::JSSVGTextContentElement>::call<&(WebCore::jsSVGTextContentElementPrototypeFunction_getSubStringLengthBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSSVGTextContentElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
10  0x281a69e68 WebCore::jsSVGTextContentElementPrototypeFunction_getSubStringLength(JSC::JSGlobalObject*, JSC::CallFrame*)
11  0x2a4e5403c (null)
12  0x13a496990 llint_entry
13  0x13a470eec vmEntryToJavaScript
14  0x13b4cfa5c JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
15  0x13b4ceff8 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
16  0x13b938110 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
17  0x13b938254 JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
18  0x283240254 WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
19  0x28323fd28 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
20  0x28323fb5c WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
21  0x28324050c WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)
22  0x283cbd164 WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)
23  0x283cbb2e8 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport)
24  0x2863d6984 WebCore::XMLDocumentParser::endElementNs()
25  0x2863d7e18 WebCore::endElementNsHandler(void*, unsigned char const*, unsigned char const*, unsigned char const*)
26  0x1a6f538b4 xmlParseEndTag2
27  0x1a6f4a320 xmlParseTryOrFinish
28  0x1a6f48f40 xmlParseChunk
29  0x2863d5034 WebCore::XMLDocumentParser::doWrite(WTF::String const&)
30  0x2863cb95c WebCore::XMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl> >&&)
31  0x283a67eec WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, unsigned char const*, unsigned long)
2023-01-20 19:01:00.281 MiniBrowser[67347:23990700] WebContent process crashed; reloading
ASSERTION FAILED: m_connection
/Users/ahmadsaleem/Documents/GitHub-Webkit-origin/Webkit/Source/WebKit/UIProcess/AuxiliaryProcessProxy.h(86) : IPC::Connection *WebKit::AuxiliaryProcessProxy::connection() const
1   0x135b4ed84 WTFCrash
2   0x11610fc30 WTFCrashWithInfo(int, char const*, char const*, int)
3   0x117231d48 WebKit::AuxiliaryProcessProxy::connection() const
4   0x117c5b848 WebKit::WebPageProxy::messageSenderConnection() const
5   0x117c5b3e4 WebKit::WebPageProxy::sendWheelEvent(WebKit::WebWheelEvent const&, WTF::OptionSet<WebCore::WheelEventProcessingSteps>)
6   0x117c5b298 WebKit::WebPageProxy::handleWheelEvent(WebKit::NativeWebWheelEvent const&)
7   0x11795cd7c WebKit::WebViewImpl::scrollWheel(NSEvent*)
8   0x1175a27ac -[WKWebView(WKImplementationMac) scrollWheel:]
9   0x1a259e618 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:]
10  0x1a259d124 -[NSWindow(NSEventRouting) sendEvent:]
11  0x1a259c25c -[NSApplication(NSEvent) sendEvent:]
12  0x1a27ee360 -[NSApplication _handleEvent:]
13  0x1a2463a08 -[NSApplication run]
14  0x1a243ae28 NSApplicationMain
15  0x100045edc main
16  0x19ede7e50 start
2023-01-20 19:01:00.335 com.apple.WebKit.WebContent.Development[67548:23993744] Application does not have permission to communicate with network resources. rc=1 : errno=3
```
Created attachment 367991 [details]
test case

Open the attached test case. The following assertion will fire:

```
0x00000001b2ae79b0 in ::WTFCrash() at Source/WTF/wtf/Assertions.cpp:305
0x00000001a000e75b in WTFCrashWithInfo(int, char const*, char const*, int) at WebKitBuild/Debug/usr/local/include/wtf/Assertions.h:566
0x00000001a3ba3e7d in WebCore::SVGTextQuery::mapStartEndPositionsIntoFragmentCoordinates(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&, unsigned int&, unsigned int&) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:140
0x00000001a3ba450c in WebCore::SVGTextQuery::subStringLengthCallback(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:291
0x00000001a3ba3d9c in WebCore::SVGTextQuery::executeQuery(WebCore::SVGTextQuery::Data*, bool (WebCore::SVGTextQuery::*)(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&) const) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:125
0x00000001a3ba4627 in WebCore::SVGTextQuery::subStringLength(unsigned int, unsigned int) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:305
0x00000001a3f34490 in WebCore::SVGTextContentElement::getSubStringLength(unsigned int, unsigned int) at Source/WebCore/./svg/SVGTextContentElement.cpp:75
0x00000001a12c5d00 in WebCore::jsSVGTextContentElementPrototypeFunctionGetSubStringLengthBody(JSC::ExecState*, WebCore::JSSVGTextContentElement*, JSC::ThrowScope&) at WebKitBuild/Debug/DerivedSources/WebCore/JSSVGTextContentElement.cpp:295
0x00000001a12ba6d0 in long long WebCore::IDLOperation<WebCore::JSSVGTextContentElement>::call<&(WebCore::jsSVGTextContentElementPrototypeFunctionGetSubStringLengthBody(JSC::ExecState*, WebCore::JSSVGTextContentElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) at Source/WebCore/bindings/js/JSDOMOperation.h:53
0x00000001a12ba3bc in WebCore::jsSVGTextContentElementPrototypeFunctionGetSubStringLength(JSC::ExecState*) at WebKitBuild/Debug/DerivedSources/WebCore/JSSVGTextContentElement.cpp:300
```
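As an added example (not WebKit's code, and not the test case attached to this bug), here is a simplified model of the query walk that the traces above pass through, from SVGTextContentElement::getSubStringLength down to the per-fragment mapping: a global (charnum, nchars) character range is mapped box by box into box-local positions, and then into each fragment of the box. The box/fragment layout, the uniform per-character advance, the sample text and the function names are assumptions made for illustration. What it shows is the invariant named in the assertion, startPosition >= processedCharacters: the mapping clamps the range to the current box before any unsigned subtraction, so a start that lies before the already-processed characters yields "no overlap" rather than a wrapped-around index, which is the hazard a debug-only assertion does not cover in release builds.

```cpp
// Added example: a simplified model of mapping a getSubStringLength(charnum, nchars)
// range onto the boxes and fragments of a fragmented <text> element.
// Not WebKit code; layout, advances and names are constructed for illustration.
#include <algorithm>
#include <iostream>
#include <optional>
#include <vector>

// One fragment of a text box: a contiguous run of characters laid out together.
struct Fragment {
    unsigned characterOffset; // offset of the run within its box
    unsigned length;          // characters in the run
    float advancePerChar;     // constructed: uniform glyph advance for the run
};

// One text box (for instance one <tspan> or one line), split into fragments.
struct TextBox {
    unsigned length;                 // characters in the box
    std::vector<Fragment> fragments; // fragments covering (parts of) the box
};

struct LocalRange { unsigned start; unsigned end; }; // [start, end) relative to the box

// Map a global [start, end) character range onto one box whose first character has
// global index `processed`. Clamping with max/min first means every subtraction
// runs on ordered operands, so the invariant start >= processed never needs asserting:
// a range that ends before this box simply reports no overlap (2u - 5u would wrap).
std::optional<LocalRange> mapRangeIntoBox(unsigned start, unsigned end, unsigned processed, unsigned boxLength)
{
    unsigned boxEnd = processed + boxLength;
    if (start >= end || end <= processed || start >= boxEnd)
        return std::nullopt; // empty range or no overlap with this box
    return LocalRange{std::max(start, processed) - processed, std::min(end, boxEnd) - processed};
}

// Sum of advances for the fragment's characters that fall inside a box-local range.
float fragmentAdvance(const Fragment& f, LocalRange r)
{
    unsigned fragEnd = f.characterOffset + f.length;
    if (r.end <= f.characterOffset || r.start >= fragEnd)
        return 0.0f; // the range does not touch this fragment
    unsigned count = std::min(r.end, fragEnd) - std::max(r.start, f.characterOffset);
    return static_cast<float>(count) * f.advancePerChar;
}

// Model of getSubStringLength(charnum, nchars); std::nullopt stands for the
// out-of-range failure (IndexSizeError at the DOM boundary) instead of a crash.
std::optional<float> subStringLength(const std::vector<TextBox>& boxes, unsigned charnum, unsigned nchars)
{
    unsigned total = 0;
    for (const TextBox& b : boxes)
        total += b.length;
    if (charnum >= total || nchars > total - charnum)
        return std::nullopt; // checked before any arithmetic on the indices
    unsigned processed = 0; // characters belonging to boxes already visited
    float length = 0.0f;
    for (const TextBox& box : boxes) {
        if (auto r = mapRangeIntoBox(charnum, charnum + nchars, processed, box.length))
            for (const Fragment& f : box.fragments)
                length += fragmentAdvance(f, *r);
        processed += box.length;
    }
    return length;
}

// Constructed fragmented <text>: "Hello" laid out as two fragments (as an x-list
// or a wrap would produce), followed by a second box "World" in a wider font.
std::vector<TextBox> sampleText()
{
    return {
        { 5, { { 0, 2, 10.0f }, { 2, 3, 10.0f } } },
        { 5, { { 0, 5, 12.0f } } },
    };
}

int main()
{
    auto text = sampleText();
    if (auto l = subStringLength(text, 3, 4))
        std::cout << "getSubStringLength(3, 4) = " << *l << '\n'; // "lo" + "Wo" = 44
    if (!subStringLength(text, 10, 1))
        std::cout << "getSubStringLength(10, 1): out of range\n";
    return 0;
}
```

The range [3, 7) in the sample crosses both the fragment boundary inside the first box and the boundary between the two boxes; for the second box `mapRangeIntoBox` sees a start (3) that is smaller than the processed count (5) and clamps it to 0 rather than subtracting. The query-level bounds check runs once, up front, so nothing inside the walk ever has to trust the caller's indices.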