Bug 237330

Summary: A text node longer than 65,535 characters following another text node is invisible in a scrolling context
Product: WebKit Reporter: Jed Fox <jed>
Component: Layout and RenderingAssignee: alan <zalan>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, changseok, esprehn+autocc, ews-watchlist, glenn, koivisto, kondapallykalyan, mmaxfield, pdr, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: Safari Technology Preview   
Hardware: Mac (Apple Silicon)   
OS: macOS 12   
Attachments:
Description Flags
HTML file with sample code that does and does not trigger the bug
none
Test reduction (just a slight iteration on the test above)
none
Patch none

Jed Fox
Reported 2022-03-01 09:38:28 PST
Created attachment 453507 [details] HTML file with sample code that does and does not trigger the bug I’ve narrowed the reproduction down to the following specific requirements: - A parent node must have `overflow: auto` (not necessarily the immediate parent of the text node) - The text node must not be the first node on its line (taking word wrapping into account) - The text node must have at least 65,536 characters (I tested with the ASCII 0, although it seems that other characters can be present) Encountered in the wild: https://github.com/facebook/jsx/pull/136#issuecomment-1055288199 Reproduced on STP Release 140 (Safari 15.4, WebKit 17614.1.1.5) and WebKit r290647 on macOS 12.2.1 (21D62)
Attachments
HTML file with sample code that does and does not trigger the bug (385.06 KB, text/html)
2022-03-01 09:38 PST, Jed Fox 		no flags
Details
Test reduction (just a slight iteration on the test above) (64.14 KB, text/html)
2022-03-01 16:01 PST, alan 		no flags
Details
Patch (131.61 KB, patch)
2022-03-03 08:34 PST, alan 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2022-03-01 15:33:51 PST
<rdar://problem/89645522>
alan
Comment 2 2022-03-01 16:01:19 PST
Created attachment 453545 [details] Test reduction (just a slight iteration on the test above)
alan
Comment 3 2022-03-01 16:02:58 PST
This is most likely caused by our 64K RenderText split.
alan
Comment 4 2022-03-01 16:10:34 PST
Yeah, it must be it. If some of the characters are wrapped inside an inline box e.g. <span>0</span> (fragmenting the text content, producing multiple renderers), the content shows up fine.
alan
Comment 5 2022-03-02 11:20:57 PST
Apparently LegacyInlineTextBox can't hold more than 65535 characters. unsigned short m_len { 0 }; arithmetic overflow causes m_len -> 0 and the rest of the layout believes it's a blank box.
alan
Comment 6 2022-03-03 08:34:05 PST
Created attachment 453745 [details] Patch
EWS
Comment 7 2022-03-03 09:57:47 PST
Committed r290782 (248026@main): <https://commits.webkit.org/248026@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 453745 [details].
Note You need to log in before you can comment on or make changes to this bug.