Bug 137502 - ASSERTION FAILED: underlyingStringIsValid()
Summary: ASSERTION FAILED: underlyingStringIsValid()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Darin Adler
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-07 15:32 PDT by zalan
Modified: 2014-10-08 06:25 PDT (History)
See Also:
Attachments
Test case (557 bytes, text/html)
2014-10-07 15:33 PDT, zalan, no flags
Patch (6.42 KB, patch)
2014-10-07 21:49 PDT, Darin Adler, no flags

Description zalan 2014-10-07 15:32:59 PDT
0   com.apple.JavaScriptCore      	0x0000000105da776a WTFCrash + 42
1   com.apple.WebCore             	0x00000001072ea78f WTF::StringView::characters8() const + 127 (StringView.h:260)
2   com.apple.WebCore             	0x0000000107c3c2c8 WebCore::TextRun::data8(unsigned int) const + 184 (TextRun.h:151)
3   com.apple.WebCore             	0x00000001092b3c6f WebCore::WidthIterator::advance(int, WebCore::GlyphBuffer*) + 127 (WidthIterator.cpp:345)
4   com.apple.WebCore             	0x0000000107ae19e7 WebCore::Font::getGlyphsAndAdvancesForSimpleText(WebCore::TextRun const&, int, int, WebCore::GlyphBuffer&, WebCore::Font::ForTextEmphasisOrNot) const + 231 (FontFastPath.cpp:141)
5   com.apple.WebCore             	0x0000000107ae1b91 WebCore::Font::drawSimpleText(WebCore::GraphicsContext*, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int) const + 113 (FontFastPath.cpp:164)
6   com.apple.WebCore             	0x0000000107abb971 WebCore::Font::drawText(WebCore::GraphicsContext*, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int, WebCore::Font::CustomFontNotReadyAction) const + 289 (Font.cpp:348)
7   com.apple.WebCore             	0x0000000107c33fde WebCore::GraphicsContext::drawText(WebCore::Font const&, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int) + 110 (GraphicsContext.cpp:450)
8   com.apple.WebCore             	0x0000000108e642df WebCore::SimpleLineLayout::paintFlow(WebCore::RenderBlockFlow const&, WebCore::SimpleLineLayout::Layout const&, WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 959 (SimpleLineLayoutFunctions.cpp:96)
9   com.apple.WebCore             	0x00000001089c0808 WebCore::RenderBlockFlow::paintInlineChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 136 (RenderBlockFlow.cpp:3402)
10  com.apple.WebCore             	0x000000010897ab2c WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 140 (RenderBlock.cpp:1542)
11  com.apple.WebCore             	0x000000010897b7fe WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 798 (RenderBlock.cpp:1687)
12  com.apple.WebCore             	0x000000010897a96c WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 396 (RenderBlock.cpp:1523)
13  com.apple.WebCore             	0x0000000108accf9e WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 654 (RenderLayer.cpp:4573)
14  com.apple.WebCore             	0x0000000108acab25 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool) + 741 (RenderLayer.cpp:4538)
15  com.apple.WebCore             	0x0000000108ac6db2 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2450 (RenderLayer.cpp:4161)
16  com.apple.WebCore             	0x0000000108ac641a WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 266 (RenderLayer.cpp:3851)
17  com.apple.WebCore             	0x0000000108ac5143 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2531 (RenderLayer.cpp:3833)
18  com.apple.WebCore             	0x0000000108aca813 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow>*, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 195 (RenderLayer.cpp:4250)
19  com.apple.WebCore             	0x0000000108ac6e8b WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2667 (RenderLayer.cpp:4171)
20  com.apple.WebCore             	0x0000000108ac641a WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 266 (RenderLayer.cpp:3851)
21  com.apple.WebCore             	0x0000000108ac5143 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2531 (RenderLayer.cpp:3833)
22  com.apple.WebCore             	0x0000000108aca813 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow>*, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 195 (RenderLayer.cpp:4250)
23  com.apple.WebCore             	0x0000000108ac6e8b WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2667 (RenderLayer.cpp:4171)
24  com.apple.WebCore             	0x0000000108ac641a WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 266 (RenderLayer.cpp:3851)
25  com.apple.WebCore             	0x0000000108ac5143 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2531 (RenderLayer.cpp:3833)
26  com.apple.WebCore             	0x0000000108ac46a1 WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::LayoutRect const&, WebCore::LayoutSize const&, unsigned int, WebCore::RenderObject*, unsigned int) + 177 (RenderLayer.cpp:3633)
27  com.apple.WebCore             	0x0000000107be63ff WebCore::FrameView::paintContents(WebCore::GraphicsContext*, WebCore::IntRect const&) + 959 (FrameView.cpp:3812)
28  com.apple.WebKitLegacy        	0x0000000104e42b47 -[WebFrame(WebInternal) _drawRect:contentsOnly:] + 823 (WebFrame.mm:659)
29  com.apple.WebKitLegacy        	0x0000000104e9742e -[WebHTMLView drawSingleRect:] + 782 (WebHTMLView.mm:3480)
30  com.apple.WebKitLegacy        	0x0000000104e97b24 -[WebHTMLView drawRect:] + 548 (WebHTMLView.mm:3554)
31  com.apple.AppKit              	0x00007fff84eedc39 -[NSView(NSInternal) _recursive:displayRectIgnoringOpacity:inGraphicsContext:CGContext:topView:shouldChangeFontReferenceColor:] + 1186
32  com.apple.WebKitLegacy        	0x0000000104e8b848 -[WebHTMLView(WebPrivate) _recursive:displayRectIgnoringOpacity:inGraphicsContext:CGContext:topView:shouldChangeFontReferenceColor:] + 264 (WebHTMLView.mm:1489)
33  com.apple.AppKit              	0x00007fff84eed688 __46-[NSView(NSLayerKitGlue) drawLayer:inContext:]_block_invoke + 218
34  com.apple.AppKit              	0x00007fff84eed421 -[NSView(NSLayerKitGlue) _drawViewBackingLayer:inContext:drawingHandler:] + 2407
35  com.apple.AppKit              	0x00007fff84eecaa3 -[NSView(NSLayerKitGlue) drawLayer:inContext:] + 108
36  com.apple.WebKitLegacy        	0x0000000104ea27bf -[WebHTMLView(WebInternal) drawLayer:inContext:] + 191 (WebHTMLView.mm:5963)
37  com.apple.QuartzCore          	0x00007fff8c2c3153 CABackingStoreUpdate_ + 3306
38  com.apple.QuartzCore          	0x00007fff8c2c2463 ___ZN2CA5Layer8display_Ev_block_invoke + 59
39  com.apple.QuartzCore          	0x00007fff8c2c241f x_blame_allocations + 81
40  com.apple.QuartzCore          	0x00007fff8c2c1f1c CA::Layer::display_() + 1546
41  com.apple.AppKit              	0x00007fff84eec97f _NSBackingLayerDisplay + 617
42  com.apple.AppKit              	0x00007fff84ec2736 -[_NSViewBackingLayer display] + 834
43  com.apple.QuartzCore          	0x00007fff8c2c1641 CA::Layer::display_if_needed(CA::Transaction*) + 603
Comment 1 zalan 2014-10-07 15:33:23 PDT
Created attachment 239436 [details]
Test case
Comment 2 Darin Adler 2014-10-07 21:21:36 PDT
An obvious bug:

        TextRun textRun(run.text());

The result of run.text() is a String, which is destroyed after changing TextRun to point to it. We need to put the string into a local variable. But also, run.text() should return a StringView, not a String.
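The lifetime problem described in the comment above, as an added example that is not WebKit's code: a small model of a non-owning view over a refcounted string with the same underlyingStringIsValid() check that WTF::StringView performs in debug builds. The class names OwningString, View, TextRun, SimpleRun and ViewReturningRun, the helper functions and the sample text are assumptions made for illustration; the model tracks liveness with std::weak_ptr, which is not how WebKit implements the check. It shows both halves of the fix from the comment: keeping the String in a local that outlives the TextRun, and having the run return a view into storage it owns so no temporary is created at all.

```cpp
#include <cassert>
#include <iostream>
#include <memory>
#include <string>

// Added example, not WebKit code. Models the lifetime assertion that fired in
// this bug: an owning string plus a non-owning view that can tell whether the
// string it points into is still alive.

// Owning string. The shared_ptr is the "liveness token": it dies with the
// last owner, so views holding a weak_ptr notice the destruction.
class OwningString {
public:
    explicit OwningString(const char* s) : m_impl(std::make_shared<std::string>(s)) {}
    std::shared_ptr<const std::string> impl() const { return m_impl; }
private:
    std::shared_ptr<const std::string> m_impl;
};

// Non-owning view in the spirit of WTF::StringView: a weak reference only,
// so constructing one never extends the owner's lifetime.
class View {
public:
    View(const OwningString& s) : m_impl(s.impl()) {}
    // Mirrors underlyingStringIsValid(): true while the owner is alive.
    bool underlyingStringIsValid() const { return !m_impl.expired(); }
    // Mirrors characters8(): asserts before dereferencing. In a release build
    // of the real code this would read freed memory; here we return nullptr.
    const char* characters8() const {
        assert(underlyingStringIsValid());
        auto alive = m_impl.lock();
        return alive ? alive->c_str() : nullptr;
    }
private:
    std::weak_ptr<const std::string> m_impl;
};

// Stand-in for TextRun after it was changed to hold a StringView.
class TextRun {
public:
    explicit TextRun(const View& text) : m_text(text) {}
    const View& text() const { return m_text; }
private:
    View m_text;
};

// Stand-in for a layout run whose text() returns a String by value, the
// situation from the comment: the returned object is a temporary.
struct SimpleRun {
    OwningString text() const { return OwningString("simple line layout"); }
};

// The buggy pattern: the temporary returned by run.text() is destroyed at the
// end of the full expression, leaving textRun's view dangling.
bool buggyPatternIsValid() {
    SimpleRun run;
    TextRun textRun(run.text());
    return textRun.text().underlyingStringIsValid();
}

// First half of the fix: keep the string in a local that outlives the TextRun.
bool fixedPatternIsValid() {
    SimpleRun run;
    OwningString text = run.text();
    TextRun textRun(text);
    return textRun.text().underlyingStringIsValid();
}

// Same as above, but actually reads the characters through the view.
std::string fixedPatternCharacters() {
    SimpleRun run;
    OwningString text = run.text();
    TextRun textRun(text);
    return std::string(textRun.text().characters8());
}

// Second half of the fix: a run that owns its string and hands out a View,
// so callers never receive a temporary they must keep alive themselves.
class ViewReturningRun {
public:
    ViewReturningRun() : m_text("simple line layout") {}
    View text() const { return View(m_text); }
private:
    OwningString m_text;
};

bool viewReturningPatternIsValid() {
    ViewReturningRun run;
    TextRun textRun(run.text()); // view points into run, which outlives textRun
    return textRun.text().underlyingStringIsValid();
}

int main() {
    std::cout << "temporary String:        valid=" << buggyPatternIsValid() << '\n'
              << "String kept in a local:  valid=" << fixedPatternIsValid() << '\n'
              << "run returns a view:      valid=" << viewReturningPatternIsValid() << '\n';
    return 0;
}
```

The buggy path deliberately only asks the view whether its string is alive and never calls characters8(), since in the model that call would trip the assertion exactly as WTF::StringView::characters8() did in the trace above.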
Comment 3 Darin Adler 2014-10-07 21:49:35 PDT
Created attachment 239453 [details]
Patch
Comment 4 Darin Adler 2014-10-07 21:50:45 PDT
I now understand why I didn’t hit this crash during my testing. The refactoring to use StringView in TextRun was done after my testing, and I think it introduced this bug.
Comment 5 Anders Carlsson 2014-10-08 06:20:27 PDT
Comment on attachment 239453 [details]
Patch

Very nice!
Comment 6 WebKit Commit Bot 2014-10-08 06:25:16 PDT
Comment on attachment 239453 [details]
Patch

Clearing flags on attachment: 239453

Committed r174451: <http://trac.webkit.org/changeset/174451>
Comment 7 WebKit Commit Bot 2014-10-08 06:25:21 PDT
All reviewed patches have been landed.  Closing bug.