RESOLVED FIXED 137502
ASSERTION FAILED: underlyingStringIsValid()
https://bugs.webkit.org/show_bug.cgi?id=137502
Summary ASSERTION FAILED: underlyingStringIsValid()
zalan
Reported 2014-10-07 15:32:59 PDT
0 com.apple.JavaScriptCore 0x0000000105da776a WTFCrash + 42
1 com.apple.WebCore 0x00000001072ea78f WTF::StringView::characters8() const + 127 (StringView.h:260)
2 com.apple.WebCore 0x0000000107c3c2c8 WebCore::TextRun::data8(unsigned int) const + 184 (TextRun.h:151)
3 com.apple.WebCore 0x00000001092b3c6f WebCore::WidthIterator::advance(int, WebCore::GlyphBuffer*) + 127 (WidthIterator.cpp:345)
4 com.apple.WebCore 0x0000000107ae19e7 WebCore::Font::getGlyphsAndAdvancesForSimpleText(WebCore::TextRun const&, int, int, WebCore::GlyphBuffer&, WebCore::Font::ForTextEmphasisOrNot) const + 231 (FontFastPath.cpp:141)
5 com.apple.WebCore 0x0000000107ae1b91 WebCore::Font::drawSimpleText(WebCore::GraphicsContext*, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int) const + 113 (FontFastPath.cpp:164)
6 com.apple.WebCore 0x0000000107abb971 WebCore::Font::drawText(WebCore::GraphicsContext*, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int, WebCore::Font::CustomFontNotReadyAction) const + 289 (Font.cpp:348)
7 com.apple.WebCore 0x0000000107c33fde WebCore::GraphicsContext::drawText(WebCore::Font const&, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int) + 110 (GraphicsContext.cpp:450)
8 com.apple.WebCore 0x0000000108e642df WebCore::SimpleLineLayout::paintFlow(WebCore::RenderBlockFlow const&, WebCore::SimpleLineLayout::Layout const&, WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 959 (SimpleLineLayoutFunctions.cpp:96)
9 com.apple.WebCore 0x00000001089c0808 WebCore::RenderBlockFlow::paintInlineChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 136 (RenderBlockFlow.cpp:3402)
10 com.apple.WebCore 0x000000010897ab2c WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 140 (RenderBlock.cpp:1542)
11 com.apple.WebCore 0x000000010897b7fe WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 798 (RenderBlock.cpp:1687)
12 com.apple.WebCore 0x000000010897a96c WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 396 (RenderBlock.cpp:1523)
13 com.apple.WebCore 0x0000000108accf9e WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 654 (RenderLayer.cpp:4573)
14 com.apple.WebCore 0x0000000108acab25 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool) + 741 (RenderLayer.cpp:4538)
15 com.apple.WebCore 0x0000000108ac6db2 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2450 (RenderLayer.cpp:4161)
16 com.apple.WebCore 0x0000000108ac641a WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 266 (RenderLayer.cpp:3851)
17 com.apple.WebCore 0x0000000108ac5143 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2531 (RenderLayer.cpp:3833)
18 com.apple.WebCore 0x0000000108aca813 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow>*, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 195 (RenderLayer.cpp:4250)
19 com.apple.WebCore 0x0000000108ac6e8b WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2667 (RenderLayer.cpp:4171)
20 com.apple.WebCore 0x0000000108ac641a WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 266 (RenderLayer.cpp:3851)
21 com.apple.WebCore 0x0000000108ac5143 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2531 (RenderLayer.cpp:3833)
22 com.apple.WebCore 0x0000000108aca813 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow>*, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 195 (RenderLayer.cpp:4250)
23 com.apple.WebCore 0x0000000108ac6e8b WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2667 (RenderLayer.cpp:4171)
24 com.apple.WebCore 0x0000000108ac641a WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 266 (RenderLayer.cpp:3851)
25 com.apple.WebCore 0x0000000108ac5143 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2531 (RenderLayer.cpp:3833)
26 com.apple.WebCore 0x0000000108ac46a1 WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::LayoutRect const&, WebCore::LayoutSize const&, unsigned int, WebCore::RenderObject*, unsigned int) + 177 (RenderLayer.cpp:3633)
27 com.apple.WebCore 0x0000000107be63ff WebCore::FrameView::paintContents(WebCore::GraphicsContext*, WebCore::IntRect const&) + 959 (FrameView.cpp:3812)
28 com.apple.WebKitLegacy 0x0000000104e42b47 -[WebFrame(WebInternal) _drawRect:contentsOnly:] + 823 (WebFrame.mm:659)
29 com.apple.WebKitLegacy 0x0000000104e9742e -[WebHTMLView drawSingleRect:] + 782 (WebHTMLView.mm:3480)
30 com.apple.WebKitLegacy 0x0000000104e97b24 -[WebHTMLView drawRect:] + 548 (WebHTMLView.mm:3554)
31 com.apple.AppKit 0x00007fff84eedc39 -[NSView(NSInternal) _recursive:displayRectIgnoringOpacity:inGraphicsContext:CGContext:topView:shouldChangeFontReferenceColor:] + 1186
32 com.apple.WebKitLegacy 0x0000000104e8b848 -[WebHTMLView(WebPrivate) _recursive:displayRectIgnoringOpacity:inGraphicsContext:CGContext:topView:shouldChangeFontReferenceColor:] + 264 (WebHTMLView.mm:1489)
33 com.apple.AppKit 0x00007fff84eed688 __46-[NSView(NSLayerKitGlue) drawLayer:inContext:]_block_invoke + 218
34 com.apple.AppKit 0x00007fff84eed421 -[NSView(NSLayerKitGlue) _drawViewBackingLayer:inContext:drawingHandler:] + 2407
35 com.apple.AppKit 0x00007fff84eecaa3 -[NSView(NSLayerKitGlue) drawLayer:inContext:] + 108
36 com.apple.WebKitLegacy 0x0000000104ea27bf -[WebHTMLView(WebInternal) drawLayer:inContext:] + 191 (WebHTMLView.mm:5963)
37 com.apple.QuartzCore 0x00007fff8c2c3153 CABackingStoreUpdate_ + 3306
38 com.apple.QuartzCore 0x00007fff8c2c2463 ___ZN2CA5Layer8display_Ev_block_invoke + 59
39 com.apple.QuartzCore 0x00007fff8c2c241f x_blame_allocations + 81
40 com.apple.QuartzCore 0x00007fff8c2c1f1c CA::Layer::display_() + 1546
41 com.apple.AppKit 0x00007fff84eec97f _NSBackingLayerDisplay + 617
42 com.apple.AppKit 0x00007fff84ec2736 -[_NSViewBackingLayer display] + 834
43 com.apple.QuartzCore 0x00007fff8c2c1641 CA::Layer::display_if_needed(CA::Transaction*) + 603
Attachments
Test case (557 bytes, text/html), 2014-10-07 15:33 PDT, zalan, no flags
Patch (6.42 KB, patch), 2014-10-07 21:49 PDT, Darin Adler, no flags
zalan
Comment 1 2014-10-07 15:33:23 PDT
Created attachment 239436 [details] Test case
Darin Adler
Comment 2 2014-10-07 21:21:36 PDT
An obvious bug: TextRun textRun(run.text()); The result of run.text() is a String, which is destroyed after changing TextRun to point to it. We need to put the string into a local variable. But also, run.text() should return a StringView, not a String.
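The lifetime bug described in Comment 2, reduced to a self-contained C++ example. This is added illustration, not WebKit's code: OwnedString, CheckedView, Run and TextRun are hypothetical stand-ins for WTF::String, WTF::StringView, the line-layout run whose text() is called, and WebCore::TextRun. The liveness token in CheckedView plays the role of the underlyingStringIsValid() check that fired in the trace above, so the dangling case is detected deterministically instead of reading freed memory. It shows the bug-prone statement beside both fixes Darin names: holding the String in a local, and returning a view into storage the owner keeps alive.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <string_view>
#include <utility>

// Toy owning string (stand-in for WTF::String). Every owner carries a liveness
// token that its views can inspect; the destructor flips the token so a stale
// view is detectable. Copies get a fresh token because they are new owners.
class OwnedString {
public:
    explicit OwnedString(std::string s)
        : data_(std::move(s)), alive_(std::make_shared<bool>(true)) {}
    OwnedString(const OwnedString& other)
        : data_(other.data_), alive_(std::make_shared<bool>(true)) {}
    OwnedString& operator=(const OwnedString&) = delete;
    ~OwnedString() { *alive_ = false; }

    std::string_view view() const { return data_; }
    std::shared_ptr<const bool> liveness() const { return alive_; }

private:
    std::string data_;
    std::shared_ptr<bool> alive_;
};

// Non-owning view (stand-in for a debug-build StringView). A production view
// holds only the pointer; this one also remembers whose storage it points into.
class CheckedView {
public:
    CheckedView(const OwnedString& owner)
        : view_(owner.view()), alive_(owner.liveness()) {}

    bool underlyingStringIsValid() const { return *alive_; }

    // Hand out characters only while the owner is provably alive.
    std::string_view characters() const {
        return underlyingStringIsValid() ? view_ : std::string_view{};
    }

private:
    std::string_view view_;
    std::shared_ptr<const bool> alive_;
};

// Hypothetical run object: text() returns a copy (the bug-prone API shape),
// textRef() returns a reference into storage the Run owns (the safe shape).
class Run {
public:
    explicit Run(std::string s) : text_(std::move(s)) {}
    OwnedString text() const { return text_; }
    const OwnedString& textRef() const { return text_; }
private:
    OwnedString text_;
};

// Hypothetical TextRun: like WebCore::TextRun after the StringView refactoring,
// it stores a view and owns nothing.
struct TextRun {
    explicit TextRun(const OwnedString& s) : view(s) {}
    CheckedView view;
};

// Constructed sample input.
Run makeSampleRun() { return Run("constructed sample text"); }

// The statement from the comment: the view binds to the temporary returned by
// run.text(), which is destroyed at the end of this full expression.
bool buggyPatternViewIsValid(const Run& run) {
    TextRun textRun(run.text());
    return textRun.view.underlyingStringIsValid(); // false: dangling
}

// Fix 1: keep the owning string in a local whose lifetime covers the TextRun.
bool fixedLocalVariableViewIsValid(const Run& run) {
    OwnedString text = run.text();
    TextRun textRun(text);
    return textRun.view.underlyingStringIsValid(); // true
}

// Fix 2: have the accessor return a reference/view into the Run's own storage.
bool fixedReferenceViewIsValid(const Run& run) {
    TextRun textRun(run.textRef());
    return textRun.view.underlyingStringIsValid(); // true
}

int main() {
    Run run = makeSampleRun();
    std::cout << "temporary: " << buggyPatternViewIsValid(run) << '\n'
              << "local:     " << fixedLocalVariableViewIsValid(run) << '\n'
              << "reference: " << fixedReferenceViewIsValid(run) << '\n';
    return 0;
}
```

In a release build the plain view would have no token and data8() would read heap memory that the destroyed String already released, which is why the assertion only catches this in debug builds. The general rule the example illustrates: a type that stores a view may only be constructed from storage whose owner outlives it, so an accessor that returns a fresh String by value is the wrong shape for callers that want to keep a view.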
Darin Adler
Comment 3 2014-10-07 21:49:35 PDT
Darin Adler
Comment 4 2014-10-07 21:50:45 PDT
I now understand why I didn’t hit this crash during my testing. The refactoring to use StringView in TextRun was done after my testing, and I think it introduced this bug.
Anders Carlsson
Comment 5 2014-10-08 06:20:27 PDT
Comment on attachment 239453 [details] Patch Very nice!
WebKit Commit Bot
Comment 6 2014-10-08 06:25:16 PDT
Comment on attachment 239453 [details] Patch Clearing flags on attachment: 239453 Committed r174451: <http://trac.webkit.org/changeset/174451>
WebKit Commit Bot
Comment 7 2014-10-08 06:25:21 PDT
All reviewed patches have been landed. Closing bug.