Closed Bug 1429191 Opened 2 years ago Closed 2 years ago

InvalidArrayIndex_CRASH in [@ SVGTextFrame::GetExtentOfChar], with SVG <text> and createShadowRoot() (and dom.webcomponents.enabled=true)

Categories

(Core :: SVG, defect, P3, critical)

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox59 --- affected

People

(Reporter: truber, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

The attached testcase causes a crash in m-c rev 20180109-6f5fac320fcb.

==6110==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000056c9e8 bp 0x7fffb3fc49d0 sp 0x7fffb3fc4860 T0)
==6110==The signal is caused by a WRITE memory access.
==6110==Hint: address points to the zero page.
    #0 0x56c9e7 in MOZ_CrashPrintf /builds/worker/workspace/build/src/mfbt/Assertions.cpp:63:3
    #1 0x7f32cf5ed4ab in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/workspace/build/src/xpcom/ds/nsTArray.cpp:26:3
    #2 0x7f32d794d9cd in ElementAt /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1016:7
    #3 0x7f32d794d9cd in operator[] /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1054
    #4 0x7f32d794d9cd in SVGTextFrame::GetExtentOfChar(nsIContent*, unsigned int, mozilla::dom::SVGIRect**) /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:4438
    #5 0x7f32d5f99645 in mozilla::dom::SVGTextContentElement::GetExtentOfChar(unsigned int, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/svg/SVGTextContentElement.cpp:196:19
    #6 0x7f32d38f6781 in mozilla::dom::SVGTextContentElementBinding::getExtentOfChar(JSContext*, JS::Handle<JSObject*>, mozilla::dom::SVGTextContentElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/SVGTextContentElementBinding.cpp:276:60
    #7 0x7f32d49bca27 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3042:13
    #8 0x7f32db4e1934 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #9 0x7f32db4e1934 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
Attached file testcase.html
You need to set dom.webcomponents.enabled to true in order to trigger the crash (or else the "createShadowRoot" call just triggers a JS error).
Summary: InvalidArrayIndex_CRASH in [@ SVGTextFrame::GetExtentOfChar] → InvalidArrayIndex_CRASH in [@ SVGTextFrame::GetExtentOfChar], with SVG <text> and createShadowRoot()
Before the crash, I see 3 copies of this assertion:
###!!! ASSERTION: expected a TextNodeCorrespondenceProperty on nsTextFrame used for SVG text: 'Not Reached', file layout/svg/SVGTextFrame.cpp, line 1339
...which incidentally we also hit in bug 903785 (but without a crash in that case).
See Also: → 903785
We crash when indexing into mPositions in SVGTextFrame::GetExtentOfChar:
>  // The horizontal extent is the origin of the glyph plus the advance
>  // in the direction of the glyph's rotation.
>  gfxMatrix m;
>  m.PreTranslate(mPositions[startIndex].mPosition);
https://searchfox.org/mozilla-central/rev/cf149b7b63ff97023e28723167725e38cf5df757/layout/svg/SVGTextFrame.cpp#4438

Here, mPositions.Length() is 0. (startIndex is also 0, but the array is empty so it doesn't even have that first entry.)

Skimming around, it looks like there are some dedicated functions to initialize & update mPositions, and I'm guessing that code isn't getting called. heycam, this hasn't really been touched since Bug 655877 - you'd probably be the best person to take a look? (or jwatt, who reviewed that code)
Flags: needinfo?(cam)
Priority: -- → P3
Summary: InvalidArrayIndex_CRASH in [@ SVGTextFrame::GetExtentOfChar], with SVG <text> and createShadowRoot() → InvalidArrayIndex_CRASH in [@ SVGTextFrame::GetExtentOfChar], with SVG <text> and createShadowRoot() (and dom.webcomponents.enabled=true)
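As an added illustration (not Mozilla's code and not the resolution of this bug), the stand-alone C++ sketch below models the pattern from the comment above: a layout helper that reads a cached glyph position by character index, first in the unchecked form that walks off the end of an empty positions array, then with the state check that turns "positions never initialized" and "index past the end" into reported statuses instead of an out-of-bounds access. The types and functions (`CharPosition`, `Extent`, `Status`, `GetExtentOfCharUnchecked`, `GetExtentOfCharSafe`) and the sample position data are hypothetical, constructed for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical stand-ins for the SVG text layout state: one cached entry
// per addressable character, in the role SVGTextFrame::mPositions plays.
struct Point { double x; double y; };

struct CharPosition {
  Point mPosition;   // glyph origin
  double mAdvance;   // horizontal advance of the glyph
  double mAngle;     // rotation in radians (kept for shape, unused here)
};

struct Extent { double x, y, width, height; };

enum class Status { Ok, PositionsNotInitialized, IndexOutOfRange };

// The unchecked pattern described in the report: with an empty positions
// array and startIndex == 0 this indexes past the end. std::vector's
// operator[] has undefined behaviour there, just as an unchecked array
// access would; a checked container (nsTArray in debug builds) aborts.
Extent GetExtentOfCharUnchecked(const std::vector<CharPosition>& positions,
                                std::size_t startIndex, double fontHeight) {
  const CharPosition& p = positions[startIndex];   // no bounds or state check
  return Extent{p.mPosition.x, p.mPosition.y - fontHeight, p.mAdvance, fontHeight};
}

// Guarded variant: validate the cached state before indexing and report a
// distinct status for "never initialized" versus "index past the end", so a
// caller can surface an error rather than dereference a missing entry.
Status GetExtentOfCharSafe(const std::vector<CharPosition>& positions,
                           std::size_t startIndex, double fontHeight,
                           Extent* out) {
  if (positions.empty()) return Status::PositionsNotInitialized;
  if (startIndex >= positions.size()) return Status::IndexOutOfRange;
  const CharPosition& p = positions[startIndex];
  *out = Extent{p.mPosition.x, p.mPosition.y - fontHeight, p.mAdvance, fontHeight};
  return Status::Ok;
}

int main() {
  // Constructed sample data: the crash state (empty) and a two-glyph line.
  std::vector<CharPosition> empty;
  std::vector<CharPosition> filled = {{{10.0, 20.0}, 7.5, 0.0},
                                      {{17.5, 20.0}, 6.0, 0.0}};
  Extent e{};
  Status s = GetExtentOfCharSafe(empty, 0, 12.0, &e);
  std::printf("empty, index 0 -> status %d\n", static_cast<int>(s));
  s = GetExtentOfCharSafe(filled, 1, 12.0, &e);
  std::printf("filled, index 1 -> status %d, x=%g width=%g\n",
              static_cast<int>(s), e.x, e.width);
  s = GetExtentOfCharSafe(filled, 2, 12.0, &e);
  std::printf("filled, index 2 -> status %d\n", static_cast<int>(s));
  return 0;
}
```

The point of the two-status split is diagnostic: in the report the index (0) is in range for any non-empty array, so a plain range check alone would still be satisfied by a stale or never-built cache only by accident; checking the cache state separately makes the "update code never ran" case visible on its own.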
I haven't looked at this yet but I am not surprised at all that shadow trees could cause problems like this.
Per the current spec, shadow trees cannot be attached to non-HTML elements, and Element::AttachShadow does implement that restriction.  So there's no longer a way to cause this problem for SVG <text>.
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(cam)
Resolution: --- → WORKSFORME