Bug 286905

Summary: [Win, Apple] "std::span::operator[]" raises "span index out of range" error in ComplexTextController::adjustGlyphsAndAdvances for fast/text/word-break-letter-spacing-utf16-surrogates.html
Product: WebKit Reporter: Fujii Hironori <fujii.hironori>
Component: New BugsAssignee: Fujii Hironori <fujii.hironori>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Fujii Hironori
Reported 2025-02-02 21:17:44 PST
This patch changed to use Debug CRT for Windows Debug build. https://github.com/WebKit/WebKit/commit/f60c50cc4705a69df96dcd29e47d2ea4927b6d5e With this patch, Windows Debug builds crashes for fast/text/word-break-letter-spacing-utf16-surrogates.html. > Program: C:\webkit\wb\webkitbuild\debug\bin\WebCore.dll > File: C:\Program Files\Microsoft Visual Studio\2022\Professional\VC\Tools\MSVC\14.42.34433\include\span > Line: 454 > > Expression: span index out of range Callstack: WebCore!std::span<const char16_t,18446744073709551615>::operator[]+0x70 WebCore!WebCore::ComplexTextController::adjustGlyphsAndAdvances+0x8fa WebCore!WebCore::ComplexTextController::finishConstruction+0x2d WebCore!WebCore::ComplexTextController::ComplexTextController+0x206 WebCore!WebCore::FontCascade::widthForComplexText+0x6a WebCore!WebCore::FontCascade::width+0x2cd WebCore!WebCore::Layout::TextUtil::width+0x512 WebCore!WebCore::Layout::TextUtil::width+0x341 WebCore!WebCore::Layout::InlineItemsBuilder::computeContentAttributesAndInlineTextItemWidths+0x39a WebCore!WebCore::Layout::InlineItemsBuilder::build+0x146 WebCore!WebCore::Layout::InlineFormattingContext::rebuildInlineItemListIfNeeded+0x118 WebCore!WebCore::Layout::InlineFormattingContext::layout+0x70 WebCore!WebCore::LayoutIntegration::LineLayout::layout+0x2b3 WebCore!WebCore::RenderBlockFlow::layoutInlineContent+0x60f WebCore!WebCore::RenderBlockFlow::layoutInlineChildren+0x62 WebCore!WebCore::RenderBlockFlow::layoutInFlowChildren+0x1dd WebCore!WebCore::RenderBlockFlow::layoutBlock+0x4ba WebCore!WebCore::RenderBlock::layout+0x5e WebCore!WebCore::RenderBlockFlow::layoutBlockChild+0x35b WebCore!WebCore::RenderBlockFlow::layoutBlockChildren+0x399 WebCore!WebCore::RenderBlockFlow::layoutInFlowChildren+0x239 WebCore!WebCore::RenderBlockFlow::layoutBlock+0x4ba WebCore!WebCore::RenderBlock::layout+0x5e WebCore!WebCore::RenderBlockFlow::layoutBlockChild+0x35b WebCore!WebCore::RenderBlockFlow::layoutBlockChildren+0x399 WebCore!WebCore::RenderBlockFlow::layoutInFlowChildren+0x239 WebCore!WebCore::RenderBlockFlow::layoutBlock+0x4ba WebCore!WebCore::RenderBlock::layout+0x5e WebCore!WebCore::RenderBlockFlow::layoutBlockChild+0x35b WebCore!WebCore::RenderBlockFlow::layoutBlockChildren+0x399 WebCore!WebCore::RenderBlockFlow::layoutInFlowChildren+0x239 WebCore!WebCore::RenderBlockFlow::layoutBlock+0x4ba WebCore!WebCore::RenderBlock::layout+0x5e WebCore!WebCore::RenderView::layout+0x444 WebCore!WebCore::LocalFrameViewLayoutContext::performLayout+0xa95 WebCore!WebCore::LocalFrameViewLayoutContext::layout+0x18a WebCore!WebCore::Document::implicitClose+0x539 WebCore!WebCore::FrameLoader::checkCallImplicitClose+0xc8 WebCore!WebCore::FrameLoader::checkCompleted+0x20a WebCore!WebCore::FrameLoader::finishedParsing+0x11f WebCore!WebCore::Document::finishedParsing+0x3c8 WebCore!WebCore::HTMLConstructionSite::finishedParsing+0x39 WebCore!WebCore::HTMLTreeBuilder::finished+0x10f WebCore!WebCore::HTMLDocumentParser::end+0x102 WebCore!WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd+0x127 WebCore!WebCore::HTMLDocumentParser::prepareToStopParsing+0x149 WebCore!WebCore::HTMLDocumentParser::attemptToEnd+0x36 WebCore!WebCore::HTMLDocumentParser::finish+0x3e WebCore!WebCore::DocumentWriter::end+0x1bf WebCore!WebCore::DocumentLoader::finishedLoading+0x332 WebCore!WebCore::DocumentLoader::notifyFinished+0x241 WebCore!WebCore::CachedResource::checkNotify+0x90 WebCore!WebCore::CachedResource::finishLoading+0x44 WebCore!WebCore::CachedRawResource::finishLoading+0x172 WebCore!WebCore::SubresourceLoader::didFinishLoading+0x4bd WebKit2!WebKit::WebResourceLoader::didFinishResourceLoad+0x22b WebKit2!IPC::callMemberFunction<WebKit::WebResourceLoader,WebKit::WebResourceLoader,void (WebCore::NetworkLoadMetrics &&),std::tuple<WebCore::NetworkLoadMetrics> >::<lambda_1>::operator()<WebCore::NetworkLoadMetrics>+0x30 WebKit2!std::invoke<`lambda at C:\webkit\wb\Source\WebKit\Platform\IPC\HandleMessage.h:132:9',WebCore::NetworkLoadMetrics>+0x1d WebKit2!std::_Apply_impl<`lambda at C:\webkit\wb\Source\WebKit\Platform\IPC\HandleMessage.h:132:9',std::tuple<WebCore::NetworkLoadMetrics>,0>+0x2a WebKit2!std::apply<`lambda at C:\webkit\wb\Source\WebKit\Platform\IPC\HandleMessage.h:132:9',std::tuple<WebCore::NetworkLoadMetrics> >+0x22 WebKit2!IPC::callMemberFunction<WebKit::WebResourceLoader,WebKit::WebResourceLoader,void (WebCore::NetworkLoadMetrics &&),std::tuple<WebCore::NetworkLoadMetrics> >+0x4f WebKit2!IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad,IPC::Connection,WebKit::WebResourceLoader,WebKit::WebResourceLoader,void (WebCore::NetworkLoadMetrics &&)>+0xd0 WebKit2!WebKit::WebResourceLoader::didReceiveMessage+0x28a WebKit2!WebKit::NetworkProcessConnection::dispatchMessage+0xcf WebKit2!WebKit::NetworkProcessConnection::didReceiveMessage+0x3d7 WebKit2!IPC::Connection::dispatchMessage+0x189 WebKit2!IPC::Connection::dispatchMessage+0x253
Attachments
Add attachment proposed patch, testcase, etc.
Fujii Hironori
Comment 1 2025-02-02 21:24:13 PST
ComplexTextController::adjustGlyphsAndAdvances has this line. > bool isLastCharacter = characterIndexInRun + 1 == m_run.length() || (U16_IS_LEAD(character) && characterIndexInRun + 2 == m_run.length() && U16_IS_TRAIL(charactersSpan[characterIndex + 1])); https://github.com/WebKit/WebKit/blob/1e0659534b435300efb8da173e0c6a79db7adf96/Source/WebCore/platform/graphics/ComplexTextController.cpp#L760 In "charactersSpan[characterIndex + 1]", charactersSpan's size was 1 and characterIndex was 0 in case of the error. 288340@main introduced std::span for this expression.
Fujii Hironori
Comment 2 2025-02-02 22:10:33 PST
Pull request: https://github.com/WebKit/WebKit/pull/39896
EWS
Comment 3 2025-02-04 10:03:44 PST
Committed 289794@main (5757471893c3): <https://commits.webkit.org/289794@main> Reviewed commits have been landed. Closing PR #39896 and removing active labels.
Radar WebKit Bug Importer
Comment 4 2025-02-04 10:04:15 PST
<rdar://problem/144170042>
Brent Fulgham
Comment 5 2025-02-26 12:30:06 PST
This code path is used in Apple builds, too, so refining the title slightly.
EWS
Comment 6 2025-02-28 07:10:57 PST
Committed 289651.197@safari-7621-branch (6e6e5ba5c2be): <https://commits.webkit.org/289651.197@safari-7621-branch> Reviewed commits have been landed. Closing PR #2686 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.