Bug 20950

Summary: Reproducible assertion failure running svg/custom/acid3-test-77.html multiple times under guard malloc
Product: WebKit Reporter: Mark Rowe (bdash) <mrowe>
Component: SVGAssignee: mitz
Status: RESOLVED FIXED    
Severity: Normal CC: hyatt, mjs, mrowe, zimmermann
Priority: P2 Keywords: InRadar, NeedsReduction
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
Fix an off-by-one error eric: review+

Mark Rowe (bdash)
Reported 2008-09-19 17:24:49 PDT
Running svg/custom/acid3-test-77.html twice in a row under guard malloc leads to an assertion failure: ASSERTION FAILED: !HashTranslator::equal(KeyTraits::emptyValue(), key) (HashTable.h:443 void WTF::HashTable<Key, Value, Extractor, HashFunctions, Traits, KeyTraits>::checkKey(const T&) [with T = UChar, HashTranslator = WTF::IdentityHashTranslator<UChar, std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned int> >, Key = UChar, Value = std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> >, Extractor = WTF::PairFirstExtractor<std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> > >, HashFunctions = WTF::IntHash<unsigned int>, Traits = WTF::PairHashTraits<WTF::HashTraits<UChar>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, KeyTraits = WTF::HashTraits<UChar>]) Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef #0 0x03cd098b in WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned int>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::checkKey<unsigned short, WTF::IdentityHashTranslator<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned int> > > (this=0xd6b5cfe4, key=@0xbfffe056) at HashTable.h:443 #1 0x03cd0a5c in WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned int>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::lookup<unsigned short, WTF::IdentityHashTranslator<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned int> > > (this=0xd6b5cfe4, key=@0xbfffe056) at HashTable.h:457 #2 0x03cd0b26 in WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned int>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::lookup (this=0xd6b5cfe4, key=@0xbfffe056) at HashTable.h:330 #3 0x03cd0b40 in WTF::HashMap<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode>, WTF::IntHash<unsigned int>, WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >::get (this=0xd6b5cfe4, key=@0xbfffe056) at HashMap.h:207 #4 0x03cd0bc5 in WebCore::SVGGlyphMap::get (this=0xd68f4fd4, string=@0xbfffe144, glyphs=@0xbfffe138) at SVGGlyphMap.h:84 #5 0x03ccd68c in WebCore::SVGFontElement::getGlyphIdentifiersForString (this=0xd68f4f30, string=@0xbfffe144, glyphs=@0xbfffe138) at WebCore/svg/SVGFontElement.cpp:237 #6 0x03cd5699 in WebCore::SVGTextRunWalker<WebCore::SVGTextRunWalkerMeasuredLengthData>::walk (this=0xbfffe278, run=@0xbfffe390, isVerticalText=false, language=@0xbfffe28c, from=0, to=1) at WebCore/svg/SVGFont.cpp:278 #7 0x03cd3c0d in floatWidthOfSubStringUsingSVGFont (font=0xd679cfa8, run=@0xbfffe390, extraCharsAvailable=1, from=0, to=1, charsConsumed=@0xbfffe420, glyphName=@0xbfffe41c) at WebCore/svg/SVGFont.cpp:415 #8 0x03cd3ddb in WebCore::Font::floatWidthUsingSVGFont (this=0xd679cfa8, run=@0xbfffe390, extraCharsAvailable=1, charsConsumed=@0xbfffe420, glyphName=@0xbfffe41c) at WebCore/svg/SVGFont.cpp:433 #9 0x037ee0b9 in WebCore::Font::floatWidth (this=0xd679cfa8, run=@0xbfffe390, extraCharsAvailable=1, charsConsumed=@0xbfffe420, glyphName=@0xbfffe41c) at WebCore/platform/graphics/Font.cpp:724 #10 0x03ba10fa in WebCore::SVGInlineTextBox::calculateGlyphWidth (this=0xd6b86fbc, style=0xd6794fbc, offset=2, extraCharsAvailable=1, charsConsumed=@0xbfffe420, glyphName=@0xbfffe41c) at WebCore/rendering/SVGInlineTextBox.cpp:80 #11 0x03bfc212 in WebCore::SVGInlineTextBoxQueryWalker::chunkPortionCallback (this=0xbfffe5a8, textBox=0xd6b86fbc, startOffset=0, chunkCtm=@0xd6bdec4c, start=@0xbfffe4ec, end=@0xbfffe4e8) at WebCore/svg/SVGTextContentElement.cpp:201 #12 0x03c0018b in WebCore::SVGTextChunkWalker<WebCore::SVGInlineTextBoxQueryWalker>::operator() (this=0xbfffe5e8, textBox=0xd6b86fbc, startOffset=0, chunkCtm=@0xd6bdec4c, start=@0xbfffe4ec, end=@0xbfffe4e8) at SVGCharacterLayoutInfo.h:342 #13 0x03be5e8f in WebCore::SVGRootInlineBox::walkTextChunks (this=0xd6b88f7c, walker=0xbfffe5e8, textBox=0xd6b86fbc) at WebCore/rendering/SVGRootInlineBox.cpp:1686 #14 0x03bfa999 in executeTextQuery (element=0xd2548e80, mode=WebCore::SVGInlineTextBoxQueryWalker::EndPosition, startPosition=2, length=0, referencePoint={m_x = 0, m_y = 0}) at WebCore/svg/SVGTextContentElement.cpp:360 #15 0x03bfb32f in WebCore::SVGTextContentElement::getEndPositionOfChar (this=0xd2548e80, charnum=2, ec=@0xbfffe728) at WebCore/svg/SVGTextContentElement.cpp:417 #16 0x03a16958 in WebCore::jsSVGTextContentElementPrototypeFunctionGetEndPositionOfChar (exec=0xbfffe8cc, thisValue=0x1083560, args=@0xbfffe774) at WebKitBuild/Debug/DerivedSources/WebCore/JSSVGTextContentElement.cpp:324 #17 0x004fbaa6 in JSC::Machine::cti_op_call_NotJSFunction (args=0xc74fbf90) at JavaScriptCore/VM/Machine.cpp:4423 The Mac OS X Intel Debug build bot hits this assertion failure very, very frequently.
Attachments
Fix an off-by-one error (1.75 KB, patch)
2008-09-20 11:55 PDT, mitz 		eric: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Rowe (bdash)
Comment 1 2008-09-19 17:25:28 PDT
<rdar://problem/6234059>
Mark Rowe (bdash)
Comment 2 2008-09-19 17:40:26 PDT
Assertion failure is in SVGFont-related code, which looks to have been written by Nikolas, but touched recently by Dave, Maciej and Dan. In particular <http://trac.webkit.org/changeset/31836> touched SVGTextRunWalker::walk, which looks to be where things start going obviously wrong.
mitz
Comment 3 2008-09-19 17:42:45 PDT
I think this is a duplicate of bug 18830.
Mark Rowe (bdash)
Comment 4 2008-09-19 17:43:59 PDT
Good catch. *** This bug has been marked as a duplicate of 18830 ***
mitz
Comment 5 2008-09-20 11:35:45 PDT
Looks like the root cause in this case is different from that of bug 18830 after all, and this one is easy to fix.
mitz
Comment 6 2008-09-20 11:55:14 PDT
Created attachment 23608 [details] Fix an off-by-one error
Eric Seidel (no email)
Comment 7 2008-09-20 13:17:24 PDT
Comment on attachment 23608 [details] Fix an off-by-one error Seems this should be pulled out into a nicely named local variable, possibly with a comment explaining why it does not include the first char (or maybe that's obvious from the code). int remainingCharsInRun = end - it; or similar. I would like to see a local variable used when you land, but I don't need to see the patch again.
mitz
Comment 8 2008-09-20 17:50:48 PDT
Fixed in <http://trac.webkit.org/changeset/36723>.
Note You need to log in before you can comment on or make changes to this bug.