Bug 197181 - Assertion fires when calling getSubStringLength() for a fragmented <text> element
Summary: Assertion fires when calling getSubStringLength() for a fragmented <text> ele...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: WebKit Nightly Build
Hardware: Unspecified (OS: Unspecified)
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2019-04-22 16:18 PDT by Said Abou-Hallawa
Modified: 2019-04-22 16:19 PDT

Attachments
test case (232 bytes, image/svg+xml)
2019-04-22 16:18 PDT, Said Abou-Hallawa
Description Said Abou-Hallawa 2019-04-22 16:18:05 PDT
Created attachment 367991
test case

Open the attached test case. The following assertion will fire:

0x00000001b2ae79b0 in ::WTFCrash() at Source/WTF/wtf/Assertions.cpp:305
0x00000001a000e75b in WTFCrashWithInfo(int, char const*, char const*, int) at WebKitBuild/Debug/usr/local/include/wtf/Assertions.h:566
0x00000001a3ba3e7d in WebCore::SVGTextQuery::mapStartEndPositionsIntoFragmentCoordinates(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&, unsigned int&, unsigned int&) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:140
0x00000001a3ba450c in WebCore::SVGTextQuery::subStringLengthCallback(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:291
0x00000001a3ba3d9c in WebCore::SVGTextQuery::executeQuery(WebCore::SVGTextQuery::Data*, bool (WebCore::SVGTextQuery::*)(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&) const) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:125
0x00000001a3ba4627 in WebCore::SVGTextQuery::subStringLength(unsigned int, unsigned int) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:305
0x00000001a3f34490 in WebCore::SVGTextContentElement::getSubStringLength(unsigned int, unsigned int) at Source/WebCore/./svg/SVGTextContentElement.cpp:75
0x00000001a12c5d00 in WebCore::jsSVGTextContentElementPrototypeFunctionGetSubStringLengthBody(JSC::ExecState*, WebCore::JSSVGTextContentElement*, JSC::ThrowScope&) at WebKitBuild/Debug/DerivedSources/WebCore/JSSVGTextContentElement.cpp:295
0x00000001a12ba6d0 in long long WebCore::IDLOperation<WebCore::JSSVGTextContentElement>::call<&(WebCore::jsSVGTextContentElementPrototypeFunctionGetSubStringLengthBody(JSC::ExecState*, WebCore::JSSVGTextContentElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) at Source/WebCore/bindings/js/JSDOMOperation.h:53
0x00000001a12ba3bc in WebCore::jsSVGTextContentElementPrototypeFunctionGetSubStringLength(JSC::ExecState*) at WebKitBuild/Debug/DerivedSources/WebCore/JSSVGTextContentElement.cpp:300
Comment 1 Said Abou-Hallawa 2019-04-22 16:19:38 PDT
<rdar://problem/50109006>