Bug 232053

Summary: Negative length returned by TextUtil::midWordBreak with surrogate pair
Product: WebKit Reporter: Gabriel Nava Marino <gnavamarino>
Component: TextAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, mmaxfield, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch none

Gabriel Nava Marino
Reported 2021-10-20 15:44:32 PDT
In the case where the surrogate pair overlaps with the start position, the computed right location could end up being one less than the startPosition yielding a -1 length value for the returned TextUtil::MidWordBreak.
Attachments
Patch (7.19 KB, patch)
2021-10-20 15:52 PDT, Gabriel Nava Marino 		no flags
DetailsFormatted DiffDiff
Patch (8.07 KB, patch)
2021-10-27 12:12 PDT, Gabriel Nava Marino 		no flags
DetailsFormatted DiffDiff
Patch (8.20 KB, patch)
2021-10-28 10:50 PDT, Gabriel Nava Marino 		no flags
DetailsFormatted DiffDiff
Patch (8.19 KB, patch)
2021-10-28 11:15 PDT, Gabriel Nava Marino 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Gabriel Nava Marino
Comment 1 2021-10-20 15:52:47 PDT
Created attachment 441951 [details] Patch
Myles C. Maxfield
Comment 2 2021-10-20 20:41:18 PDT
Comment on attachment 441951 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=441951&action=review > Source/WebCore/layout/formattingContexts/inline/text/TextUtil.cpp:181 > + return { startPosition, std::max<unsigned>(right, startPosition) - startPosition, leftSideWidth }; Do you have any more detail about the circumstances leading to this being negative? I'm not sure this is the right fix.
Gabriel Nava Marino
Comment 3 2021-10-20 20:54:39 PDT
Comment on attachment 441951 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=441951&action=review >> Source/WebCore/layout/formattingContexts/inline/text/TextUtil.cpp:181 >> + return { startPosition, std::max<unsigned>(right, startPosition) - startPosition, leftSideWidth }; > > Do you have any more detail about the circumstances leading to this being negative? I'm not sure this is the right fix. Per this comment in the line above, "right" is computed to point to the start of the surrogate pair. > // When the substring does not fit, the right side is supposed to be the start of the surrogate pair if applicable. If our text is 'a\ud800\udc00a' then "right" gets value 1 per the logic in U16_SET_CP_START since this is where the surrogate starts. Since startPosition is 2, we end up computing a length = right - startPosition = 1 - 2 = -1.
Myles C. Maxfield
Comment 4 2021-10-26 21:57:36 PDT
It looks like this is stale now after https://trac.webkit.org/changeset/284780/webkit
Myles C. Maxfield
Comment 5 2021-10-26 22:08:24 PDT
In fact, this bug seems fixed now on ToT. I ran the 3 tests in this patch and logged the values of right and startPosition, and right is always >= startPosition.
Gabriel Nava Marino
Comment 6 2021-10-27 09:30:16 PDT
(In reply to Myles C. Maxfield from comment #5) > In fact, this bug seems fixed now on ToT. I ran the 3 tests in this patch > and logged the values of right and startPosition, and right is always >= > startPosition. Thank you for the clarification! I will then use this bug to submit the new test cases only.
Gabriel Nava Marino
Comment 7 2021-10-27 11:09:55 PDT
(In reply to Myles C. Maxfield from comment #5) > In fact, this bug seems fixed now on ToT. I ran the 3 tests in this patch > and logged the values of right and startPosition, and right is always >= > startPosition. Looks like this test is still crashing: fast/text/word-break-letter-spacing-utf16-surrogates.html It is hitting the new RELEASE_ASSERT in TextUtil::breakWord added in the above patch. RELEASE_ASSERT(right >= startPosition); I will investigate.
Gabriel Nava Marino
Comment 8 2021-10-27 12:12:14 PDT
Created attachment 442621 [details] Patch
Radar WebKit Bug Importer
Comment 9 2021-10-27 15:45:19 PDT
<rdar://problem/84731205>
alan
Comment 10 2021-10-28 09:58:07 PDT
Comment on attachment 442621 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=442621&action=review > Source/WebCore/layout/formattingContexts/inline/text/TextUtil.cpp:178 > + if (right < startPosition) > + right = surrogatePairAwareIndex(middle); Shouldn't we just simply bail out at this point? We know that our middle point (which becomes the right) falls before the start position. We surely not going to find a non-empty fitting content anymore in here.
Gabriel Nava Marino
Comment 11 2021-10-28 10:50:15 PDT
Created attachment 442720 [details] Patch
Gabriel Nava Marino
Comment 12 2021-10-28 10:52:01 PDT
(In reply to zalan from comment #10) > Comment on attachment 442621 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=442621&action=review > > > Source/WebCore/layout/formattingContexts/inline/text/TextUtil.cpp:178 > > + if (right < startPosition) > > + right = surrogatePairAwareIndex(middle); > > Shouldn't we just simply bail out at this point? We know that our middle > point (which becomes the right) falls before the start position. We surely > not going to find a non-empty fitting content anymore in here. Yes, I have incorporated this suggestion in the latest patch.
alan
Comment 13 2021-10-28 10:57:48 PDT
Comment on attachment 442720 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=442720&action=review > Source/WebCore/layout/formattingContexts/inline/text/TextUtil.cpp:178 > + return { 0, 0 }; nitpick: it's really not important but you could write it as return { };
Gabriel Nava Marino
Comment 14 2021-10-28 11:15:26 PDT
Created attachment 442723 [details] Patch
Gabriel Nava Marino
Comment 15 2021-10-28 11:15:55 PDT
(In reply to zalan from comment #13) > Comment on attachment 442720 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=442720&action=review > > > Source/WebCore/layout/formattingContexts/inline/text/TextUtil.cpp:178 > > + return { 0, 0 }; > > nitpick: it's really not important but you could write it as return { }; Thank you for the suggestion. Let's use { };.
EWS
Comment 16 2021-10-28 19:53:54 PDT
Committed r285016 (243660@main): <https://commits.webkit.org/243660@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 442723 [details].
Note You need to log in before you can comment on or make changes to this bug.