Bug 162215 - RESOLVED DUPLICATE of bug 162166
[Debug] imported/w3c/web-platform-tests/html/the-xhtml-syntax/parsing-xhtml-documents/xhtml-mathml-dtd-entity-support.htm is crashing
https://bugs.webkit.org/show_bug.cgi?id=162215
Chris Dumez
Reported 2016-09-19 12:08:40 PDT
New imported/w3c/web-platform-tests/html/the-xhtml-syntax/parsing-xhtml-documents/xhtml-mathml-dtd-entity-support.htm layout test introduced in Bug 162166 is crashing on debug builds with the following backtrace:

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
--> __TEXT 0000000102d4a000-0000000102e0c000 [ 776K] r-x/rwx SM=COW /Volumes/VOLUME/*

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x00000001043a05d7 WTFCrash + 39
1 com.apple.WebCore 0x000000010bc7bd2c WebCore::convertUTF16EntityToUTF8(unsigned short const*, unsigned long, char*, unsigned long) + 188 (XMLDocumentParserLibxml2.cpp:1216)
2 com.apple.WebCore 0x000000010bc7bbed WebCore::getXHTMLEntity(unsigned char const*) + 157 (XMLDocumentParserLibxml2.cpp:1229)
3 com.apple.WebCore 0x000000010bc7a577 WebCore::getEntityHandler(void*, unsigned char const*) + 295 (XMLDocumentParserLibxml2.cpp:1276)
4 libxml2.2.dylib 0x00007fff891300a8 xmlParseEntityRef + 225
5 libxml2.2.dylib 0x00007fff8912f79b xmlParseReference + 194
6 libxml2.2.dylib 0x00007fff891368ef xmlParseTryOrFinish + 5405
7 libxml2.2.dylib 0x00007fff891351dd xmlParseChunk + 901
8 com.apple.WebCore 0x000000010bc77ca8 WebCore::XMLDocumentParser::doWrite(WTF::String const&) + 408 (XMLDocumentParserLibxml2.cpp:690)
9 com.apple.WebCore 0x000000010bc74988 WebCore::XMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) + 312 (XMLDocumentParser.cpp:122)
10 com.apple.WebCore 0x0000000109ac7a4c WebCore::Document::setContent(WTF::String const&) + 108 (Document.cpp:1402)
11 com.apple.WebCore 0x0000000109b9c4bd WebCore::DOMParser::parseFromString(WTF::String const&, WTF::String const&, int&) + 285 (DOMParser.cpp:40)
12 com.apple.WebCore 0x000000010a5628ae WebCore::jsDOMParserPrototypeFunctionParseFromString(JSC::ExecState*) + 1038 (JSDOMParser.cpp:187)
Chris Dumez
Comment 1 2016-09-19 12:13:52 PDT
Looks like the code that is crashing was added in Bug 107459.
Chris Dumez
Comment 2 2016-09-19 12:51:33 PDT
When I hit the assertion:
target: &?? (is null terminated? 1)
ASSERTION FAILED: target > originalTarget + 1

So target is null terminated and the function was called with the string "&??\0" it seems.
Chris Dumez
Comment 3 2016-09-19 12:55:40 PDT
(In reply to comment #2)
> When I hit the assertion:
> target: &?? (is null terminated? 1)
> ASSERTION FAILED: target > originalTarget + 1
>
> So target is null terminated and the function was called with the string
> "&??\0" it seems.

target: 0x117627af5, originalTarget + 1: 0x117627af5

So target is equal to originalTarget + 1.
Chris Dumez
Comment 4 2016-09-19 13:15:00 PDT
(In reply to comment #3)
> (In reply to comment #2)
> > When I hit the assertion:
> > target: &?? (is null terminated? 1)
> > ASSERTION FAILED: target > originalTarget + 1
> >
> > So target is null terminated and the function was called with the string
> > "&??\0" it seems.
>
> target: 0x117627af5, originalTarget + 1: 0x117627af5
>
> So target is equal to originalTarget + 1.

So the test provides \u0026 as input and we put "&\0" in the target which seems correct.
Chris Dumez
Comment 5 2016-09-19 13:24:51 PDT
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > When I hit the assertion:
> > > target: &?? (is null terminated? 1)
> > > ASSERTION FAILED: target > originalTarget + 1
> > >
> > > So target is null terminated and the function was called with the string
> > > "&??\0" it seems.
> >
> > target: 0x117627af5, originalTarget + 1: 0x117627af5
> >
> > So target is equal to originalTarget + 1.
>
> So the test provides \u0026 as input and we put "&\0" in the target which
> seems correct.

So the assertion is:
ASSERT(target > originalTarget + 1);

Which means it expects more than 1 character to be written by WTF::Unicode::convertUTF16ToUTF8() into target. However, for some input such as '\u0026', the conversion to UTF-8 is '&', which is only 1 character. Therefore, I believe this assertion is wrong.
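To illustrate the invariant discussed in comment 5, here is an added example that is not WebKit's convertUTF16EntityToUTF8 and not part of this bug report: a hypothetical stand-alone UTF-16-to-UTF-8 entity encoder, with the check as quoted placed beside the postcondition that actually holds. The function names and the surrogate-pair handling are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical stand-in for the entity-conversion step: encode one UTF-16
// sequence (1 code unit, or a surrogate pair) as UTF-8 into `out`, NUL-terminate
// it, and return the number of bytes written before the terminator.
// Returns 0 on invalid input (lone surrogate, wrong unit count, small buffer).
size_t utf16EntityToUtf8(const uint16_t* units, size_t count, char* out, size_t outSize) {
    if (count == 0 || count > 2 || outSize < 5) return 0;
    uint32_t cp = units[0];
    if (cp >= 0xD800 && cp <= 0xDBFF) {            // high surrogate: needs a low one
        if (count != 2 || units[1] < 0xDC00 || units[1] > 0xDFFF) return 0;
        cp = 0x10000 + ((cp - 0xD800) << 10) + (units[1] - 0xDC00);
    } else if (cp >= 0xDC00 && cp <= 0xDFFF) {     // lone low surrogate
        return 0;
    } else if (count != 1) {                         // BMP code point must be a single unit
        return 0;
    }
    unsigned char* start = reinterpret_cast<unsigned char*>(out);
    unsigned char* p = start;
    if (cp < 0x80) {                                 // 1 byte: e.g. U+0026 '&'
        *p++ = static_cast<unsigned char>(cp);
    } else if (cp < 0x800) {                         // 2 bytes
        *p++ = static_cast<unsigned char>(0xC0 | (cp >> 6));
        *p++ = static_cast<unsigned char>(0x80 | (cp & 0x3F));
    } else if (cp < 0x10000) {                       // 3 bytes
        *p++ = static_cast<unsigned char>(0xE0 | (cp >> 12));
        *p++ = static_cast<unsigned char>(0x80 | ((cp >> 6) & 0x3F));
        *p++ = static_cast<unsigned char>(0x80 | (cp & 0x3F));
    } else {                                         // 4 bytes (from a surrogate pair)
        *p++ = static_cast<unsigned char>(0xF0 | (cp >> 18));
        *p++ = static_cast<unsigned char>(0x80 | ((cp >> 12) & 0x3F));
        *p++ = static_cast<unsigned char>(0x80 | ((cp >> 6) & 0x3F));
        *p++ = static_cast<unsigned char>(0x80 | (cp & 0x3F));
    }
    *p = '\0';
    return static_cast<size_t>(p - start);           // `target - originalTarget` in the report
}

// The check as quoted in comment 5, `target > originalTarget + 1`, demands at
// least two bytes; it fails for any one-byte result such as '&'.
bool quotedAssertionHolds(size_t bytesWritten) { return bytesWritten > 1; }

// What a successful conversion actually guarantees: at least one byte written.
bool correctedAssertionHolds(size_t bytesWritten) { return bytesWritten > 0; }
```

For U+0026 the encoder writes exactly one byte, so the quoted check fails while the corrected one passes; any entity whose UTF-8 form is two bytes or longer satisfies both, which is why the stricter check did not fire before this test.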
Chris Dumez
Comment 6 2016-09-19 14:13:27 PDT
*** This bug has been marked as a duplicate of bug 162166 ***