Bug 20950

Summary: Reproducible assertion failure running svg/custom/acid3-test-77.html multiple times under guard malloc
Product: WebKit
Reporter: Mark Rowe (bdash) <mrowe>
Component: SVG
Assignee: mitz
Status: RESOLVED FIXED
Severity: Normal
CC: hyatt, mjs, mrowe, zimmermann
Priority: P2
Keywords: InRadar, NeedsReduction
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5

Attachments:
Fix an off-by-one error (attachment 23608) - flags: eric: review+

Description Mark Rowe (bdash) 2008-09-19 17:24:49 PDT
Running svg/custom/acid3-test-77.html twice in a row under guard malloc leads to an assertion failure:

ASSERTION FAILED: !HashTranslator::equal(KeyTraits::emptyValue(), key)
(HashTable.h:443 void WTF::HashTable<Key, Value, Extractor, HashFunctions, Traits, KeyTraits>::checkKey(const T&) [with T = UChar, HashTranslator = WTF::IdentityHashTranslator<UChar, std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned int> >, Key = UChar, Value = std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> >, Extractor = WTF::PairFirstExtractor<std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> > >, HashFunctions = WTF::IntHash<unsigned int>, Traits = WTF::PairHashTraits<WTF::HashTraits<UChar>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, KeyTraits = WTF::HashTraits<UChar>])

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
#0  0x03cd098b in WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned int>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::checkKey<unsigned short, WTF::IdentityHashTranslator<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned int> > > (this=0xd6b5cfe4, key=@0xbfffe056) at HashTable.h:443
#1  0x03cd0a5c in WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned int>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::lookup<unsigned short, WTF::IdentityHashTranslator<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned int> > > (this=0xd6b5cfe4, key=@0xbfffe056) at HashTable.h:457
#2  0x03cd0b26 in WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned int>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::lookup (this=0xd6b5cfe4, key=@0xbfffe056) at HashTable.h:330
#3  0x03cd0b40 in WTF::HashMap<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode>, WTF::IntHash<unsigned int>, WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >::get (this=0xd6b5cfe4, key=@0xbfffe056) at HashMap.h:207
#4  0x03cd0bc5 in WebCore::SVGGlyphMap::get (this=0xd68f4fd4, string=@0xbfffe144, glyphs=@0xbfffe138) at SVGGlyphMap.h:84
#5  0x03ccd68c in WebCore::SVGFontElement::getGlyphIdentifiersForString (this=0xd68f4f30, string=@0xbfffe144, glyphs=@0xbfffe138) at WebCore/svg/SVGFontElement.cpp:237
#6  0x03cd5699 in WebCore::SVGTextRunWalker<WebCore::SVGTextRunWalkerMeasuredLengthData>::walk (this=0xbfffe278, run=@0xbfffe390, isVerticalText=false, language=@0xbfffe28c, from=0, to=1) at WebCore/svg/SVGFont.cpp:278
#7  0x03cd3c0d in floatWidthOfSubStringUsingSVGFont (font=0xd679cfa8, run=@0xbfffe390, extraCharsAvailable=1, from=0, to=1, charsConsumed=@0xbfffe420, glyphName=@0xbfffe41c) at WebCore/svg/SVGFont.cpp:415
#8  0x03cd3ddb in WebCore::Font::floatWidthUsingSVGFont (this=0xd679cfa8, run=@0xbfffe390, extraCharsAvailable=1, charsConsumed=@0xbfffe420, glyphName=@0xbfffe41c) at WebCore/svg/SVGFont.cpp:433
#9  0x037ee0b9 in WebCore::Font::floatWidth (this=0xd679cfa8, run=@0xbfffe390, extraCharsAvailable=1, charsConsumed=@0xbfffe420, glyphName=@0xbfffe41c) at WebCore/platform/graphics/Font.cpp:724
#10 0x03ba10fa in WebCore::SVGInlineTextBox::calculateGlyphWidth (this=0xd6b86fbc, style=0xd6794fbc, offset=2, extraCharsAvailable=1, charsConsumed=@0xbfffe420, glyphName=@0xbfffe41c) at WebCore/rendering/SVGInlineTextBox.cpp:80
#11 0x03bfc212 in WebCore::SVGInlineTextBoxQueryWalker::chunkPortionCallback (this=0xbfffe5a8, textBox=0xd6b86fbc, startOffset=0, chunkCtm=@0xd6bdec4c, start=@0xbfffe4ec, end=@0xbfffe4e8) at WebCore/svg/SVGTextContentElement.cpp:201
#12 0x03c0018b in WebCore::SVGTextChunkWalker<WebCore::SVGInlineTextBoxQueryWalker>::operator() (this=0xbfffe5e8, textBox=0xd6b86fbc, startOffset=0, chunkCtm=@0xd6bdec4c, start=@0xbfffe4ec, end=@0xbfffe4e8) at SVGCharacterLayoutInfo.h:342
#13 0x03be5e8f in WebCore::SVGRootInlineBox::walkTextChunks (this=0xd6b88f7c, walker=0xbfffe5e8, textBox=0xd6b86fbc) at WebCore/rendering/SVGRootInlineBox.cpp:1686
#14 0x03bfa999 in executeTextQuery (element=0xd2548e80, mode=WebCore::SVGInlineTextBoxQueryWalker::EndPosition, startPosition=2, length=0, referencePoint={m_x = 0, m_y = 0}) at WebCore/svg/SVGTextContentElement.cpp:360
#15 0x03bfb32f in WebCore::SVGTextContentElement::getEndPositionOfChar (this=0xd2548e80, charnum=2, ec=@0xbfffe728) at WebCore/svg/SVGTextContentElement.cpp:417
#16 0x03a16958 in WebCore::jsSVGTextContentElementPrototypeFunctionGetEndPositionOfChar (exec=0xbfffe8cc, thisValue=0x1083560, args=@0xbfffe774) at WebKitBuild/Debug/DerivedSources/WebCore/JSSVGTextContentElement.cpp:324
#17 0x004fbaa6 in JSC::Machine::cti_op_call_NotJSFunction (args=0xc74fbf90) at JavaScriptCore/VM/Machine.cpp:4423


The Mac OS X Intel Debug build bot hits this assertion failure very, very frequently.
Comment 1 Mark Rowe (bdash) 2008-09-19 17:25:28 PDT
<rdar://problem/6234059>
Comment 2 Mark Rowe (bdash) 2008-09-19 17:40:26 PDT
Assertion failure is in SVGFont-related code, which looks to have been written by Nikolas, but touched recently by Dave, Maciej and Dan.  In particular <http://trac.webkit.org/changeset/31836> touched SVGTextRunWalker::walk, which looks to be where things start going obviously wrong.
Comment 3 mitz 2008-09-19 17:42:45 PDT
I think this is a duplicate of bug 18830.
Comment 4 Mark Rowe (bdash) 2008-09-19 17:43:59 PDT
Good catch.

*** This bug has been marked as a duplicate of 18830 ***
Comment 5 mitz 2008-09-20 11:35:45 PDT
Looks like the root cause in this case is different from that of bug 18830 after all, and this one is easy to fix.
Comment 6 mitz 2008-09-20 11:55:14 PDT
Created attachment 23608 [details]
Fix an off-by-one error
Comment 7 Eric Seidel (no email) 2008-09-20 13:17:24 PDT
Comment on attachment 23608 [details]
Fix an off-by-one error

Seems this should be pulled out into a nicely named local variable, possibly with a comment explaining why it does not include the first char (or maybe that's obvious from the code).

int remainingCharsInRun = end - it;

or similar.  I would like to see a local variable used when you land, but I don't need to see the patch again.
Comment 8 mitz 2008-09-20 17:50:48 PDT
Fixed in <http://trac.webkit.org/changeset/36723>.
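The report and the review above describe the mechanism without showing it: the run walker hands the glyph map a substring whose length overstates what is left in the run by one, the extra character is read from past the end of the buffer, and the hash table rejects it because the value read equals the empty-value sentinel (0 for a UChar key), which is exactly what the `checkKey` assertion tests. The following is an added example written for this page, not WebKit's code from the changeset or the attachment; `GlyphMap`, `TextRun`, `walk` and the sample run "abc" are constructed stand-ins, and the zero padding after the run is an assumption that models whatever follows the allocation in memory. It contrasts the overstated length with the `remainingCharsInRun` variable the review asks for, and shows both failure modes: a bounds-checked run (the effect guard malloc has on a real heap buffer) fails on the overread itself, while an unchecked run lets the stray zero reach the map and trips the empty-key check.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

using UChar = uint16_t;

// Raised when a lookup uses the hash table's "empty value" sentinel as a key;
// models the checkKey assertion quoted in the report.
struct EmptyValueKey : std::runtime_error {
    EmptyValueKey() : std::runtime_error("checkKey: key equals emptyValue") {}
};

// Constructed stand-in for the glyph map keyed on UChar; not WTF::HashMap.
// As with WTF::HashTraits<UChar>, key 0 is the empty-value sentinel, so looking
// it up is a caller bug rather than a miss.
struct GlyphMap {
    std::map<UChar, std::string> glyphs;

    const std::string* get(UChar key) const {
        if (key == 0)
            throw EmptyValueKey();
        auto found = glyphs.find(key);
        return found == glyphs.end() ? nullptr : &found->second;
    }
};

// A run of `length` UChars inside a larger backing buffer. The entries after
// the run stand for whatever follows the allocation in memory; here they are
// zero (an assumption of this model). With `checked` set, an overread throws,
// which is what guard malloc does to a real heap buffer; unchecked, the stray
// values are silently returned, as in a normal build.
struct TextRun {
    std::vector<UChar> backing;
    size_t length;
    bool checked;

    std::vector<UChar> substring(size_t from, size_t count) const {
        if (from > length || count > length - from) {
            if (checked)
                throw std::out_of_range("read past end of run");
            // Keep the model itself well-defined: never leave the backing store.
            if (from > backing.size() || count > backing.size() - from)
                throw std::out_of_range("read past backing buffer");
        }
        return std::vector<UChar>(backing.begin() + from, backing.begin() + from + count);
    }
};

// Characters left in the run from position `it` up to, not including, `end`:
// the current character is counted once, `end` being one past the last.
size_t remainingCharsInRun(size_t it, size_t end) { return end - it; }

// Walk run[from, to). At each position the walker hands the glyph map the
// remaining substring and looks up every character in it. With offByOne set,
// the length is overstated by one, the class of bug the fix addresses.
// Returns the number of successful glyph lookups.
size_t walk(const GlyphMap& map, const TextRun& run, size_t from, size_t to, bool offByOne) {
    size_t hits = 0;
    for (size_t it = from; it < to; ++it) {
        size_t count = remainingCharsInRun(it, to) + (offByOne ? 1 : 0);
        for (UChar c : run.substring(it, count)) {
            if (map.get(c))
                ++hits;
        }
    }
    return hits;
}

// Sample input (constructed): the run "abc" followed by two zero UChars.
TextRun sampleRun(bool checked) { return TextRun{{'a', 'b', 'c', 0, 0}, 3, checked}; }
GlyphMap sampleMap() { return GlyphMap{{{'a', "a"}, {'b', "b"}, {'c', "c"}}}; }

// 0 = walked cleanly, 1 = overread caught by the bounds check, 2 = empty-key lookup.
int outcome(bool offByOne, bool checked) {
    try {
        walk(sampleMap(), sampleRun(checked), 0, 3, offByOne);
        return 0;
    } catch (const std::out_of_range&) {
        return 1;
    } catch (const EmptyValueKey&) {
        return 2;
    }
}

int main() {
    std::printf("correct length:          outcome %d\n", outcome(false, false));
    std::printf("off by one, unchecked:   outcome %d\n", outcome(true, false));
    std::printf("off by one, guarded:     outcome %d\n", outcome(true, true));
    return 0;
}
```

With the correct length every position resolves (six lookups for "abc": three at position 0, two at 1, one at 2). With the length off by one, the unchecked run reads the zero past the end and the map raises the empty-key error, the same shape as the assertion in the description; the guarded run fails earlier, on the overread itself. Naming the length `remainingCharsInRun` makes the off-by-one visible at the call site, which is the point of the review comment.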