127052 – ASSERTION FAILED: m_pos <= toRenderText(m_renderer)->textLength() in WebCore::InlineIterator::fastIncrementInTextNode

Bug 127052 - ASSERTION FAILED: m_pos <= toRenderText(m_renderer)->textLength() in WebCore::InlineIterator::fastIncrementInTextNode

Summary: ASSERTION FAILED: m_pos <= toRenderText(m_renderer)->textLength() in WebCore:...

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Layout and Rendering (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:	116980
	Show dependency tree / graph

Reported:	2014-01-15 09:21 PST by Renata Hodovan
Modified:	2016-08-03 13:39 PDT (History)
CC List:	5 users (show)

See Also:

Attachments
Test case (35 bytes, text/html) 2014-01-15 09:21 PST, Renata Hodovan	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Renata Hodovan 2014-01-15 09:21:35 PST

Created attachment 221275 [details]
Test case

The failing test case (with spaces):

<p align="right">
<a>L</a>  <br>LOL


The backtrace:

ASSERTION FAILED: m_pos <= toRenderText(m_renderer)->textLength()
/home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/InlineIterator.h(320) : void WebCore::InlineIterator::fastIncrementInTextNode()
1   0x7ffff5c35e44 WTFCrash
2   0x7ffff177cd9a WebCore::InlineIterator::fastIncrementInTextNode()
3   0x7ffff177ceb8 WebCore::InlineIterator::increment(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>*)
4   0x7ffff196030c WebCore::checkMidpoints(WebCore::MidpointState<WebCore::InlineIterator>&, WebCore::InlineIterator&)
5   0x7ffff196069d WebCore::BreakingContext::handleEndOfLine()
6   0x7ffff195a3fa WebCore::LineBreaker::nextSegmentBreak(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::LineInfo&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow>&)
7   0x7ffff1959c14 WebCore::LineBreaker::nextLineBreak(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::LineInfo&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow>&)
8   0x7ffff17b0d9e WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int)
9   0x7ffff17af6c4 WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool)
10  0x7ffff17b2f4e WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
11  0x7ffff1796002 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
12  0x7ffff17952b3 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
13  0x7ffff176411f WebCore::RenderBlock::layout()
14  0x7ffff1796409 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
15  0x7ffff1795f00 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
16  0x7ffff17952d7 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
17  0x7ffff176411f WebCore::RenderBlock::layout()
18  0x7ffff1796409 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
19  0x7ffff1795f00 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
20  0x7ffff17952d7 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
21  0x7ffff176411f WebCore::RenderBlock::layout()
22  0x7ffff1796409 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
23  0x7ffff1795f00 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
24  0x7ffff17952d7 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
25  0x7ffff176411f WebCore::RenderBlock::layout()
26  0x7ffff1935afd WebCore::RenderView::layoutContent(WebCore::LayoutState const&)
27  0x7ffff1936779 WebCore::RenderView::layout()
28  0x7ffff14cc7d9 WebCore::FrameView::layout(bool)
29  0x7ffff0f148f0 WebCore::Document::implicitClose()
30  0x7ffff13a58d7 WebCore::FrameLoader::checkCallImplicitClose()
31  0x7ffff13a566b WebCore::FrameLoader::checkCompleted()

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff177cd9a in WebCore::InlineIterator::fastIncrementInTextNode (this=0x7fffffff8f00)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/InlineIterator.h:320
#2  0x00007ffff177ceb8 in WebCore::InlineIterator::increment (this=0x7fffffff8f00, resolver=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/InlineIterator.h:360
#3  0x00007ffff196030c in WebCore::checkMidpoints (lineMidpointState=..., lBreak=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/line/BreakingContextInlineHeaders.h:1078
#4  0x00007ffff196069d in WebCore::BreakingContext::handleEndOfLine (this=0x7fffffff8fd0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/line/BreakingContextInlineHeaders.h:1122
#5  0x00007ffff195a3fa in WebCore::LineBreaker::nextSegmentBreak (this=0x7fffffffa410, resolver=..., lineInfo=..., renderTextInfo=..., 
    lastFloatFromPreviousLine=0x0, consecutiveHyphenatedLines=0, wordMeasurements=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/line/LineBreaker.cpp:175
#6  0x00007ffff1959c14 in WebCore::LineBreaker::nextLineBreak (this=0x7fffffffa410, resolver=..., lineInfo=..., renderTextInfo=..., 
    lastFloatFromPreviousLine=0x0, consecutiveHyphenatedLines=0, wordMeasurements=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/line/LineBreaker.cpp:89
#7  0x00007ffff17b0d9e in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange (this=0x11aaa60, layoutState=..., resolver=..., cleanLineStart=..., 
    cleanLineBidiStatus=..., consecutiveHyphenatedLines=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1318
#8  0x00007ffff17af6c4 in WebCore::RenderBlockFlow::layoutRunsAndFloats (this=0x11aaa60, layoutState=..., hasInlineChild=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1075
#9  0x00007ffff17b2f4e in WebCore::RenderBlockFlow::layoutLineBoxes (this=0x11aaa60, relayoutChildren=true, repaintLogicalTop=..., repaintLogicalBottom=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1671
#10 0x00007ffff1796002 in WebCore::RenderBlockFlow::layoutInlineChildren (this=0x11aaa60, relayoutChildren=true, repaintLogicalTop=..., 
    repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:547
#11 0x00007ffff17952b3 in WebCore::RenderBlockFlow::layoutBlock (this=0x11aaa60, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:373
#12 0x00007ffff176411f in WebCore::RenderBlock::layout (this=0x11aaa60) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1314
#13 0x00007ffff1796409 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x11592b0, child=..., marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:608
#14 0x00007ffff1795f00 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x11592b0, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:527
#15 0x00007ffff17952d7 in WebCore::RenderBlockFlow::layoutBlock (this=0x11592b0, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:375
#16 0x00007ffff176411f in WebCore::RenderBlock::layout (this=0x11592b0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1314
#17 0x00007ffff1796409 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x1158d50, child=..., marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:608
#18 0x00007ffff1795f00 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x1158d50, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:527
#19 0x00007ffff17952d7 in WebCore::RenderBlockFlow::layoutBlock (this=0x1158d50, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:375
#20 0x00007ffff176411f in WebCore::RenderBlock::layout (this=0x1158d50) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1314
#21 0x00007ffff1796409 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x7f2060, child=..., marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:608
#22 0x00007ffff1795f00 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x7f2060, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:527
#23 0x00007ffff17952d7 in WebCore::RenderBlockFlow::layoutBlock (this=0x7f2060, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:375
#24 0x00007ffff176411f in WebCore::RenderBlock::layout (this=0x7f2060) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1314
#25 0x00007ffff1935afd in WebCore::RenderView::layoutContent (this=0x7f2060, state=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:158
#26 0x00007ffff1936779 in WebCore::RenderView::layout (this=0x7f2060) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:342
#27 0x00007ffff14cc7d9 in WebCore::FrameView::layout (this=0x6f8450, allowSubtree=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1322
#28 0x00007ffff0f148f0 in WebCore::Document::implicitClose (this=0x11c6690) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2457
#29 0x00007ffff13a58d7 in WebCore::FrameLoader::checkCallImplicitClose (this=0x723198)
---Type <return> to continue, or q <return> to quit---
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:899
#30 0x00007ffff13a566b in WebCore::FrameLoader::checkCompleted (this=0x723198) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:842
#31 0x00007ffff13a53c6 in WebCore::FrameLoader::finishedParsing (this=0x723198) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:763
#32 0x00007ffff0f1bd7b in WebCore::Document::finishedParsing (this=0x11c6690) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4449
#33 0x00007ffff121452f in WebCore::HTMLConstructionSite::finishedParsing (this=0x725208)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:337
#34 0x00007ffff124d882 in WebCore::HTMLTreeBuilder::finished (this=0x7251f0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:3046
#35 0x00007ffff121b836 in WebCore::HTMLDocumentParser::end (this=0x109eda0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:749
#36 0x00007ffff121b921 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x109eda0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:760
#37 0x00007ffff121a569 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x109eda0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:203
#38 0x00007ffff121b966 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x109eda0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:772
#39 0x00007ffff121ba1f in WebCore::HTMLDocumentParser::finish (this=0x109eda0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:821
#40 0x00007ffff1398122 in WebCore::DocumentWriter::end (this=0x1136640) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:252
#41 0x00007ffff138383e in WebCore::DocumentLoader::finishedLoading (this=0x11365a0, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:441
#42 0x00007ffff13835ac in WebCore::DocumentLoader::notifyFinished (this=0x11365a0, resource=0x114d500)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:375
#43 0x00007ffff142849c in WebCore::CachedResource::checkNotify (this=0x114d500)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:336
#44 0x00007ffff142857e in WebCore::CachedResource::finishLoading (this=0x114d500)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:352
#45 0x00007ffff1425092 in WebCore::CachedRawResource::finishLoading (this=0x114d500, data=0x807960)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#46 0x00007ffff13e0f31 in WebCore::SubresourceLoader::didFinishLoading (this=0x114da60, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:309
#47 0x00007ffff13dd241 in WebCore::ResourceLoader::didFinishLoading (this=0x114da60, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:517
#48 0x00007ffff215e414 in WebCore::readCallback (asyncResult=0x11519c0, data=0x73f4e0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1336
#49 0x00007fffe80e8bc9 in async_ready_callback_wrapper (source_object=0x877c00, res=0x11519c0, user_data=0x73f4e0) at ginputstream.c:530
#50 0x00007fffe810accb in g_task_return_now (task=0x11519c0) at gtask.c:1105
#51 complete_in_idle_cb (task=<optimized out>) at gtask.c:1114
#52 0x00007fffed805473 in g_main_dispatch (context=0x1151040) at gmain.c:3054
#53 g_main_context_dispatch (context=0x1151040) at gmain.c:3630
#54 0x00007ffff758aaee in _ecore_glib_select__locked (ecore_timeout=0x1151040, efds=<optimized out>, wfds=<optimized out>, rfds=<optimized out>, ecore_fds=1, 
    ctx=<optimized out>) at ecore_glib.c:171
#55 _ecore_glib_select (ecore_fds=1, rfds=<optimized out>, wfds=<optimized out>, efds=<optimized out>, ecore_timeout=0x1151040) at ecore_glib.c:205
#56 0x00007ffff7584cb9 in _ecore_main_select (timeout=<optimized out>) at ecore_main.c:1466
#57 0x00007ffff7585789 in _ecore_main_loop_iterate_internal (once_only=0) at ecore_main.c:1860
#58 0x00007ffff7585b47 in ecore_main_loop_begin () at ecore_main.c:956
#59 0x0000000000406d21 in main (argc=2, argv=0x7fffffffdd48) at /home/reni/Data/REPOS/webkit_sec/Tools/EWebLauncher/main.c:1032

Comment 1 Brent Fulgham 2016-08-03 13:39:07 PDT

This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case.