286905 – [Win, Apple] "std::span::operator[]" raises "span index out of range" error in ComplexTextController::adjustGlyphsAndAdvances for fast/text/word-break-letter-spacing-utf16-surrogates.html

RESOLVED FIXED286905

[Win, Apple] "std::span::operator[]" raises "span index out of range" error in ComplexTextController::adjustGlyphsAndAdvances for fast/text/word-break-letter-spacing-utf16-surrogates.html

https://bugs.webkit.org/show_bug.cgi?id=286905

Summary [Win, Apple] "std::span::operator[]" raises "span index out of range" error i...

Fujii Hironori

Reported 2025-02-02 21:17:44 PST

This patch changed to use Debug CRT for Windows Debug build. https://github.com/WebKit/WebKit/commit/f60c50cc4705a69df96dcd29e47d2ea4927b6d5e With this patch, Windows Debug builds crashes for fast/text/word-break-letter-spacing-utf16-surrogates.html. > Program: C:\webkit\wb\webkitbuild\debug\bin\WebCore.dll > File: C:\Program Files\Microsoft Visual Studio\2022\Professional\VC\Tools\MSVC\14.42.34433\include\span > Line: 454 > > Expression: span index out of range Callstack: WebCore!std::span<const char16_t,18446744073709551615>::operator[]+0x70 WebCore!WebCore::ComplexTextController::adjustGlyphsAndAdvances+0x8fa WebCore!WebCore::ComplexTextController::finishConstruction+0x2d WebCore!WebCore::ComplexTextController::ComplexTextController+0x206 WebCore!WebCore::FontCascade::widthForComplexText+0x6a WebCore!WebCore::FontCascade::width+0x2cd WebCore!WebCore::Layout::TextUtil::width+0x512 WebCore!WebCore::Layout::TextUtil::width+0x341 WebCore!WebCore::Layout::InlineItemsBuilder::computeContentAttributesAndInlineTextItemWidths+0x39a WebCore!WebCore::Layout::InlineItemsBuilder::build+0x146 WebCore!WebCore::Layout::InlineFormattingContext::rebuildInlineItemListIfNeeded+0x118 WebCore!WebCore::Layout::InlineFormattingContext::layout+0x70 WebCore!WebCore::LayoutIntegration::LineLayout::layout+0x2b3 WebCore!WebCore::RenderBlockFlow::layoutInlineContent+0x60f WebCore!WebCore::RenderBlockFlow::layoutInlineChildren+0x62 WebCore!WebCore::RenderBlockFlow::layoutInFlowChildren+0x1dd WebCore!WebCore::RenderBlockFlow::layoutBlock+0x4ba WebCore!WebCore::RenderBlock::layout+0x5e WebCore!WebCore::RenderBlockFlow::layoutBlockChild+0x35b WebCore!WebCore::RenderBlockFlow::layoutBlockChildren+0x399 WebCore!WebCore::RenderBlockFlow::layoutInFlowChildren+0x239 WebCore!WebCore::RenderBlockFlow::layoutBlock+0x4ba WebCore!WebCore::RenderBlock::layout+0x5e WebCore!WebCore::RenderBlockFlow::layoutBlockChild+0x35b WebCore!WebCore::RenderBlockFlow::layoutBlockChildren+0x399 WebCore!WebCore::RenderBlockFlow::layoutInFlowChildren+0x239 WebCore!WebCore::RenderBlockFlow::layoutBlock+0x4ba WebCore!WebCore::RenderBlock::layout+0x5e WebCore!WebCore::RenderBlockFlow::layoutBlockChild+0x35b WebCore!WebCore::RenderBlockFlow::layoutBlockChildren+0x399 WebCore!WebCore::RenderBlockFlow::layoutInFlowChildren+0x239 WebCore!WebCore::RenderBlockFlow::layoutBlock+0x4ba WebCore!WebCore::RenderBlock::layout+0x5e WebCore!WebCore::RenderView::layout+0x444 WebCore!WebCore::LocalFrameViewLayoutContext::performLayout+0xa95 WebCore!WebCore::LocalFrameViewLayoutContext::layout+0x18a WebCore!WebCore::Document::implicitClose+0x539 WebCore!WebCore::FrameLoader::checkCallImplicitClose+0xc8 WebCore!WebCore::FrameLoader::checkCompleted+0x20a WebCore!WebCore::FrameLoader::finishedParsing+0x11f WebCore!WebCore::Document::finishedParsing+0x3c8 WebCore!WebCore::HTMLConstructionSite::finishedParsing+0x39 WebCore!WebCore::HTMLTreeBuilder::finished+0x10f WebCore!WebCore::HTMLDocumentParser::end+0x102 WebCore!WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd+0x127 WebCore!WebCore::HTMLDocumentParser::prepareToStopParsing+0x149 WebCore!WebCore::HTMLDocumentParser::attemptToEnd+0x36 WebCore!WebCore::HTMLDocumentParser::finish+0x3e WebCore!WebCore::DocumentWriter::end+0x1bf WebCore!WebCore::DocumentLoader::finishedLoading+0x332 WebCore!WebCore::DocumentLoader::notifyFinished+0x241 WebCore!WebCore::CachedResource::checkNotify+0x90 WebCore!WebCore::CachedResource::finishLoading+0x44 WebCore!WebCore::CachedRawResource::finishLoading+0x172 WebCore!WebCore::SubresourceLoader::didFinishLoading+0x4bd WebKit2!WebKit::WebResourceLoader::didFinishResourceLoad+0x22b WebKit2!IPC::callMemberFunction<WebKit::WebResourceLoader,WebKit::WebResourceLoader,void (WebCore::NetworkLoadMetrics &&),std::tuple<WebCore::NetworkLoadMetrics> >::<lambda_1>::operator()<WebCore::NetworkLoadMetrics>+0x30 WebKit2!std::invoke<`lambda at C:\webkit\wb\Source\WebKit\Platform\IPC\HandleMessage.h:132:9',WebCore::NetworkLoadMetrics>+0x1d WebKit2!std::_Apply_impl<`lambda at C:\webkit\wb\Source\WebKit\Platform\IPC\HandleMessage.h:132:9',std::tuple<WebCore::NetworkLoadMetrics>,0>+0x2a WebKit2!std::apply<`lambda at C:\webkit\wb\Source\WebKit\Platform\IPC\HandleMessage.h:132:9',std::tuple<WebCore::NetworkLoadMetrics> >+0x22 WebKit2!IPC::callMemberFunction<WebKit::WebResourceLoader,WebKit::WebResourceLoader,void (WebCore::NetworkLoadMetrics &&),std::tuple<WebCore::NetworkLoadMetrics> >+0x4f WebKit2!IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad,IPC::Connection,WebKit::WebResourceLoader,WebKit::WebResourceLoader,void (WebCore::NetworkLoadMetrics &&)>+0xd0 WebKit2!WebKit::WebResourceLoader::didReceiveMessage+0x28a WebKit2!WebKit::NetworkProcessConnection::dispatchMessage+0xcf WebKit2!WebKit::NetworkProcessConnection::didReceiveMessage+0x3d7 WebKit2!IPC::Connection::dispatchMessage+0x189 WebKit2!IPC::Connection::dispatchMessage+0x253

Attachments
Add attachment proposed patch, testcase, etc.

Fujii Hironori

Comment 1 2025-02-02 21:24:13 PST

ComplexTextController::adjustGlyphsAndAdvances has this line. > bool isLastCharacter = characterIndexInRun + 1 == m_run.length() || (U16_IS_LEAD(character) && characterIndexInRun + 2 == m_run.length() && U16_IS_TRAIL(charactersSpan[characterIndex + 1])); https://github.com/WebKit/WebKit/blob/1e0659534b435300efb8da173e0c6a79db7adf96/Source/WebCore/platform/graphics/ComplexTextController.cpp#L760 In "charactersSpan[characterIndex + 1]", charactersSpan's size was 1 and characterIndex was 0 in case of the error. 288340@main introduced std::span for this expression.

Fujii Hironori

Comment 2 2025-02-02 22:10:33 PST

Pull request: https://github.com/WebKit/WebKit/pull/39896

EWS

Comment 3 2025-02-04 10:03:44 PST

Committed 289794@main (5757471893c3): <https://commits.webkit.org/289794@main> Reviewed commits have been landed. Closing PR #39896 and removing active labels.

Radar WebKit Bug Importer

Comment 4 2025-02-04 10:04:15 PST

<rdar://problem/144170042>

Brent Fulgham

Comment 5 2025-02-26 12:30:06 PST

This code path is used in Apple builds, too, so refining the title slightly.

EWS

Comment 6 2025-02-28 07:10:57 PST

Committed 289651.197@safari-7621-branch (6e6e5ba5c2be): <https://commits.webkit.org/289651.197@safari-7621-branch> Reviewed commits have been landed. Closing PR #2686 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component New Bugs

Assignee

Fujii Hironori

Reported

2025-02-02 21:17 PST

Modified

2025-02-28 07:10 PST History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks