Bug 134632 - ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSParser::detectAtToken
Summary: ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSParser::detect...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 116980
Reported: 2014-07-04 06:02 PDT by Martin Hodovan
Modified: 2014-08-05 11:14 PDT (History)
CC List: 13 users

See Also:


Attachments
Proposed patch (5.25 KB, patch)
2014-07-04 06:13 PDT, Martin Hodovan
darin: review-
darin: commit-queue-
Proposed patch (4.80 KB, patch)
2014-07-29 07:25 PDT, Martin Hodovan
buildbot: commit-queue-
Archive of layout-test-results from webkit-ews-09 for mac-mountainlion-wk2 (482.84 KB, application/zip)
2014-07-29 11:29 PDT, Build Bot
no flags
Proposed patch (4.80 KB, patch)
2014-08-05 04:08 PDT, Martin Hodovan
no flags

Description Martin Hodovan 2014-07-04 06:02:26 PDT
Test case:
<style>
    * {
        @\aaa
    }
</style>


Output:
ASSERTION FAILED: name[0] == '@' && length >= 2
Source/WebCore/css/CSSParser.cpp(10618) : void WebCore::CSSParser::detectAtToken(int, bool) [with CharacterType = unsigned char]


Backtrace:
#0  0x00007ffff58284d1 in WTFCrash () at /home/martin/Data/WebKit2/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff0a34fff in WebCore::CSSParser::detectAtToken<unsigned char> (this=0x7fffffffbe60, length=1, hasEscape=true) at /home/martin/Data/WebKit2/Source/WebCore/css/CSSParser.cpp:10618
#2  0x00007ffff0a2ca81 in WebCore::CSSParser::realLex<unsigned char> (this=0x7fffffffbe60, yylvalWithoutType=0x7fffffffa2d0) at /home/martin/Data/WebKit2/Source/WebCore/css/CSSParser.cpp:11211
#3  0x00007ffff19c6750 in WebCore::CSSParser::lex (this=0x7fffffffbe60, cssyylval=0x7fffffffa2d0) at /home/martin/Data/WebKit2/Source/WebCore/css/CSSParser.h:396
#4  0x00007ffff19c67a0 in WebCore::cssyylex (cssyylval=0x7fffffffa2d0, parser=0x7fffffffbe60) at /home/martin/Data/WebKit2/Source/WebCore/css/CSSParser.h:696
#5  0x00007ffff19c113a in cssyyparse (parser=0x7fffffffbe60) at /home/martin/Data/WebKit2/WebKitBuild/Debug/DerivedSources/WebCore/CSSGrammar.cpp:2816
#6  0x00007ffff09f8996 in WebCore::CSSParser::parseSheet (this=0x7fffffffbe60, sheet=0x7d2ae0, string=..., startLineNumber=8, ruleSourceDataResult=0x0, logErrors=true)
    at /home/martin/Data/WebKit2/Source/WebCore/css/CSSParser.cpp:440
#7  0x00007ffff0b22d23 in WebCore::StyleSheetContents::parseStringAtLine (this=0x7d2ae0, sheetText=..., startLineNumber=8, createdByParser=true)
    at /home/martin/Data/WebKit2/Source/WebCore/css/StyleSheetContents.cpp:326
#8  0x00007ffff0c07060 in WebCore::InlineStyleSheetOwner::createSheet (this=0x779558, element=..., text=...) at /home/martin/Data/WebKit2/Source/WebCore/dom/InlineStyleSheetOwner.cpp:147
#9  0x00007ffff0c06b18 in WebCore::InlineStyleSheetOwner::createSheetFromTextContents (this=0x779558, element=...) at /home/martin/Data/WebKit2/Source/WebCore/dom/InlineStyleSheetOwner.cpp:97
#10 0x00007ffff0c06ad5 in WebCore::InlineStyleSheetOwner::finishParsingChildren (this=0x779558, element=...) at /home/martin/Data/WebKit2/Source/WebCore/dom/InlineStyleSheetOwner.cpp:91
#11 0x00007ffff0dff7f9 in WebCore::HTMLStyleElement::finishParsingChildren (this=0x7794f0) at /home/martin/Data/WebKit2/Source/WebCore/html/HTMLStyleElement.cpp:90
#12 0x00007ffff0ea1452 in WebCore::HTMLElementStack::popCommon (this=0x624e88) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLElementStack.cpp:578
#13 0x00007ffff0e9fe76 in WebCore::HTMLElementStack::pop (this=0x624e88) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLElementStack.cpp:214
#14 0x00007ffff0ec9569 in WebCore::HTMLTreeBuilder::processEndTag (this=0x624e50, token=0x7fffffffd290) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2179
#15 0x00007ffff0ebfd60 in WebCore::HTMLTreeBuilder::processToken (this=0x624e50, token=0x7fffffffd290) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:386
#16 0x00007ffff0ebfb72 in WebCore::HTMLTreeBuilder::constructTree (this=0x624e50, token=0x7fffffffd290) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:354
#17 0x00007ffff0e996fc in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x71bf50, rawToken=...) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLDocumentParser.cpp:352
#18 0x00007ffff0e99383 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x71bf50, mode=WebCore::HTMLDocumentParser::AllowYield)
    at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLDocumentParser.cpp:309
#19 0x00007ffff0e98b89 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x71bf50, mode=WebCore::HTMLDocumentParser::AllowYield)
    at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLDocumentParser.cpp:189
#20 0x00007ffff0e99c43 in WebCore::HTMLDocumentParser::append (this=0x71bf50, inputSource=...) at /home/martin/Data/WebKit2/Source/WebCore/html/parser/HTMLDocumentParser.cpp:428
#21 0x00007ffff0b7c661 in WebCore::DecodedDataDocumentParser::flush (this=0x71bf50, writer=...) at /home/martin/Data/WebKit2/Source/WebCore/dom/DecodedDataDocumentParser.cpp:60
#22 0x00007ffff0fe8217 in WebCore::DocumentWriter::end (this=0x791360) at /home/martin/Data/WebKit2/Source/WebCore/loader/DocumentWriter.cpp:247
#23 0x00007ffff0fd28f9 in WebCore::DocumentLoader::finishedLoading (this=0x7912c0, finishTime=0) at /home/martin/Data/WebKit2/Source/WebCore/loader/DocumentLoader.cpp:441
#24 0x00007ffff0fd2662 in WebCore::DocumentLoader::notifyFinished (this=0x7912c0, resource=0x7ac4f0) at /home/martin/Data/WebKit2/Source/WebCore/loader/DocumentLoader.cpp:375
#25 0x00007ffff107fc42 in WebCore::CachedResource::checkNotify (this=0x7ac4f0) at /home/martin/Data/WebKit2/Source/WebCore/loader/cache/CachedResource.cpp:334
#26 0x00007ffff107fd28 in WebCore::CachedResource::finishLoading (this=0x7ac4f0) at /home/martin/Data/WebKit2/Source/WebCore/loader/cache/CachedResource.cpp:350
#27 0x00007ffff107cd26 in WebCore::CachedRawResource::finishLoading (this=0x7ac4f0, data=0x64bf20) at /home/martin/Data/WebKit2/Source/WebCore/loader/cache/CachedRawResource.cpp:98
#28 0x00007ffff1032d1e in WebCore::SubresourceLoader::didFinishLoading (this=0x7aca50, finishTime=0) at /home/martin/Data/WebKit2/Source/WebCore/loader/SubresourceLoader.cpp:310
#29 0x00007ffff102efef in WebCore::ResourceLoader::didFinishLoading (this=0x7aca50, finishTime=0) at /home/martin/Data/WebKit2/Source/WebCore/loader/ResourceLoader.cpp:517
#30 0x00007ffff193e23f in WebCore::readCallback (asyncResult=0x7b09c0, data=0x7ad0d0) at /home/martin/Data/WebKit2/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1302
#31 0x00007fffebef3aaa in async_ready_callback_wrapper (source_object=0x6851b0, res=0x7b09c0, user_data=0x7ad0d0) at ginputstream.c:519
#32 0x00007fffebf1347b in g_task_return_now (task=0x7b09c0) at gtask.c:1108
#33 0x00007fffebf13499 in complete_in_idle_cb (task=0x7b09c0) at gtask.c:1117
#34 0x00007fffeb963536 in g_main_dispatch (context=0x67f760) at gmain.c:3065
#35 g_main_context_dispatch (context=context@entry=0x67f760) at gmain.c:3641
#36 0x00007fffeccd95c0 in _ecore_glib_select__locked (ecore_timeout=<optimized out>, efds=<optimized out>, wfds=0x7fffffffd9b0, rfds=0x7fffffffd930, ecore_fds=8, ctx=<optimized out>)
    at lib/ecore/ecore_glib.c:172
#37 _ecore_glib_select (ecore_fds=8, rfds=0x7fffffffd930, wfds=0x7fffffffd9b0, efds=<optimized out>, ecore_timeout=<optimized out>) at lib/ecore/ecore_glib.c:204
#38 0x00007fffeccdc0a4 in _ecore_main_select (timeout=<optimized out>) at lib/ecore/ecore_main.c:1579
#39 0x00007fffeccdcc45 in _ecore_main_loop_iterate_internal (once_only=once_only@entry=0) at lib/ecore/ecore_main.c:2007
#40 0x00007fffeccdcd07 in ecore_main_loop_begin () at lib/ecore/ecore_main.c:1042
#41 0x00007ffff7678933 in WTF::RunLoop::run () at /home/martin/Data/WebKit2/Source/WTF/wtf/efl/RunLoopEfl.cpp:51
#42 0x00007ffff75fd5fe in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffde58)
    at /home/martin/Data/WebKit2/Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#43 0x00007ffff75fd3db in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffde58) at /home/martin/Data/WebKit2/Source/WebKit2/WebProcess/efl/WebProcessMainEfl.cpp:128
#44 0x0000000000400840 in main (argc=2, argv=0x7fffffffde58) at /home/martin/Data/WebKit2/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:32
Comment 1 Martin Hodovan 2014-07-04 06:13:16 PDT
Created attachment 234405 [details]
Proposed patch

Backported from Chromium: https://codereview.chromium.org/241053002
Comment 2 Darin Adler 2014-07-04 12:00:13 PDT
Comment on attachment 234405 [details]
Proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=234405&action=review

> Source/WebCore/css/CSSParser.cpp:11231
> +            // The standard enables unicode escapes in at-rules. In this case only the resultString will contain the
> +            // correct identifier, hence we have to use it to determine its length instead of the usual pointer arithmetic.

The bug is in parseIdentifier, which needs to bump the result pointer even in the 16-bit slow case. Not doing that will cause many other problems, so just changing this code path to quiet the assertion is wrong. The line of code that should be added to parseIdentifier is:

    result += result16 - start16;

The reason it’s important to fix the bug in parseIdentifier is that multiple call sites of parseIdentifier are affected by this, not just this one code path.

But also, the 16-bit code path in parseIdentifier doesn’t really need to switch to parsing 16-bit input. It’s only the output string that needs to be 16-bit, and the way it currently does things is unnecessarily inefficient. This code is made terribly confusing by using the name "result" for a pointer to the next character to be parsed. We should call this current, not result, and we should also investigate using a const pointer for it and eliminating code that writes into it. But that’s beyond the scope of this.
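The cursor bug described in the review above, modelled as an added C++ example (this is not WebKit's code and the names parseIdentifier, lexAtToken, Identifier, AtToken and fixCursor are constructed for illustration; the escape decoding is a simplified version of CSS hex escapes). The fast path scans 8-bit name characters in place; the first backslash hands off to a slow path that decodes escapes into UTF-16 and tracks progress on its own pointer pair. With fixCursor=false the slow path never propagates that progress back, so the caller computes the token length by pointer arithmetic and sees length 1 for `@\aaa`, which is exactly the condition the assertion in the report checks. With fixCursor=true the one-line advance from the review is applied and the length is correct for every call site that relies on the cursor.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Constructed model of the parseIdentifier / detectAtToken interaction from the bug report.
// Not WebKit's code: the structure mirrors the description in the review, nothing more.

struct Identifier {
    std::u16string text;     // decoded name; needs 16-bit storage once escapes are decoded
    bool hasEscape = false;  // set when at least one escape was decoded
};

// CSS name characters: ASCII letters/digits, '-', '_' and any non-ASCII byte (Latin-1 here).
static bool isNameChar(unsigned char c)
{
    return std::isalnum(c) || c == '-' || c == '_' || c >= 0x80;
}

static unsigned hexValue(unsigned char c)
{
    return std::isdigit(c) ? c - '0' : std::tolower(c) - 'a' + 10;
}

// Decode one escape starting at the backslash `p` points to; `p` is advanced past it.
// Hex escapes take up to six digits plus one optional whitespace terminator; any other
// character is escaped literally. Invalid code points map to U+FFFD.
static char32_t decodeEscape(const char*& p)
{
    ++p; // skip the backslash
    if (*p == '\0') return 0xFFFD; // dangling backslash: do not run off the buffer
    if (!std::isxdigit(static_cast<unsigned char>(*p)))
        return static_cast<unsigned char>(*p++); // e.g. "\:" yields ':'
    char32_t cp = 0;
    for (int digits = 0; digits < 6 && std::isxdigit(static_cast<unsigned char>(*p)); ++digits, ++p)
        cp = cp * 16 + hexValue(static_cast<unsigned char>(*p));
    if (*p == ' ' || *p == '\t' || *p == '\n') ++p; // one whitespace terminates a hex escape
    if (cp == 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) cp = 0xFFFD;
    return cp;
}

static void appendUtf16(std::u16string& out, char32_t cp)
{
    if (cp <= 0xFFFF) {
        out.push_back(static_cast<char16_t>(cp));
        return;
    }
    cp -= 0x10000; // supplementary plane: emit a surrogate pair
    out.push_back(static_cast<char16_t>(0xD800 + (cp >> 10)));
    out.push_back(static_cast<char16_t>(0xDC00 + (cp & 0x3FF)));
}

// `current` is the caller's cursor (the pointer the review says should be named "current").
// `fixCursor` selects whether the slow path propagates its progress back to the caller,
// mirroring the one-line fix "result += result16 - start16;" from the review.
static void parseIdentifier(const char*& current, Identifier& out, bool fixCursor)
{
    const char* start = current;
    while (isNameChar(static_cast<unsigned char>(*current)))
        ++current; // fast path: plain name characters, no escapes
    for (const char* p = start; p != current; ++p)
        out.text.push_back(static_cast<char16_t>(static_cast<unsigned char>(*p)));
    if (*current != '\\') return; // no escape: the fast path consumed everything

    // Slow path: works on its own pointer pair, like the 16-bit path in the bug report.
    const char* start16 = current;
    const char* current16 = current;
    for (;;) {
        if (*current16 == '\\') {
            appendUtf16(out.text, decodeEscape(current16));
            out.hasEscape = true;
        } else if (isNameChar(static_cast<unsigned char>(*current16))) {
            out.text.push_back(static_cast<char16_t>(static_cast<unsigned char>(*current16++)));
        } else {
            break;
        }
    }
    if (fixCursor) current += current16 - start16; // the missing advance from the review
}

struct AtToken {
    bool assertionHolds;  // the condition detectAtToken asserts: name[0] == '@' && length >= 2
    std::size_t length;   // token length the caller derives by pointer arithmetic
    std::u16string name;  // decoded identifier after the '@'
};

// Models the '@' branch of the lexer: step over '@', parse the identifier, then compute the
// token length as (current - start), the quantity the assertion in the report checks.
static AtToken lexAtToken(const std::string& input, bool fixCursor)
{
    const char* start = input.c_str();
    const char* current = start;
    if (*current != '@') return {false, 0, {}};
    ++current;
    Identifier ident;
    parseIdentifier(current, ident, fixCursor);
    std::size_t length = static_cast<std::size_t>(current - start);
    return {start[0] == '@' && length >= 2, length, ident.text};
}
```

Calling lexAtToken("@\\aaa", false) returns length 1 with assertionHolds false, the same state the backtrace shows (detectAtToken called with length=1, hasEscape=true); with fixCursor=true the length is 5 and the decoded name is U+0AAA. Inputs without escapes, such as "@media", are unaffected either way, which is why the defect only surfaces on escaped at-rule names and why the fix belongs in parseIdentifier rather than at the single call site that happened to assert.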
Comment 3 Martin Hodovan 2014-07-29 07:25:13 PDT
Created attachment 235687 [details]
Proposed patch

Thank you for the complete solution and sorry about the delay. I updated the patch.

(I am making a follow-up patch to rename the confusing 'result' pointer to 'current'.)
Comment 4 Build Bot 2014-07-29 11:29:47 PDT
Comment on attachment 235687 [details]
Proposed patch

Attachment 235687 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/5421317947916288

New failing tests:
media/media-fragments/TC0001.html
Comment 5 Build Bot 2014-07-29 11:29:51 PDT
Created attachment 235697 [details]
Archive of layout-test-results from webkit-ews-09 for mac-mountainlion-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-09  Port: mac-mountainlion-wk2  Platform: Mac OS X 10.8.5
Comment 6 Martin Hodovan 2014-08-05 04:08:13 PDT
Created attachment 236025 [details]
Proposed patch
Comment 7 WebKit Commit Bot 2014-08-05 11:14:50 PDT
Comment on attachment 236025 [details]
Proposed patch

Clearing flags on attachment: 236025

Committed r172036: <http://trac.webkit.org/changeset/172036>
Comment 8 WebKit Commit Bot 2014-08-05 11:14:56 PDT
All reviewed patches have been landed.  Closing bug.