Closed
Bug 1429191
Opened 8 years ago
Closed 8 years ago
InvalidArrayIndex_CRASH in [@ SVGTextFrame::GetExtentOfChar], with SVG <text> and createShadowRoot() (and dom.webcomponents.enabled=true)
Categories
(Core :: SVG, defect, P3)
Core
SVG
Tracking
Status: RESOLVED WORKSFORME
 | Tracking | Status
---|---|---
firefox59 | --- | affected
People
(Reporter: truber, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase)
Attachments
(1 file: 171 bytes, text/html)
The attached testcase causes a crash in m-c rev 20180109-6f5fac320fcb.
==6110==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000056c9e8 bp 0x7fffb3fc49d0 sp 0x7fffb3fc4860 T0)
==6110==The signal is caused by a WRITE memory access.
==6110==Hint: address points to the zero page.
#0 0x56c9e7 in MOZ_CrashPrintf /builds/worker/workspace/build/src/mfbt/Assertions.cpp:63:3
#1 0x7f32cf5ed4ab in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/workspace/build/src/xpcom/ds/nsTArray.cpp:26:3
#2 0x7f32d794d9cd in ElementAt /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1016:7
#3 0x7f32d794d9cd in operator[] /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1054
#4 0x7f32d794d9cd in SVGTextFrame::GetExtentOfChar(nsIContent*, unsigned int, mozilla::dom::SVGIRect**) /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:4438
#5 0x7f32d5f99645 in mozilla::dom::SVGTextContentElement::GetExtentOfChar(unsigned int, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/svg/SVGTextContentElement.cpp:196:19
#6 0x7f32d38f6781 in mozilla::dom::SVGTextContentElementBinding::getExtentOfChar(JSContext*, JS::Handle<JSObject*>, mozilla::dom::SVGTextContentElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/SVGTextContentElementBinding.cpp:276:60
#7 0x7f32d49bca27 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3042:13
#8 0x7f32db4e1934 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#9 0x7f32db4e1934 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
Comment 1•8 years ago
Comment 2•8 years ago
You need to set dom.webcomponents.enabled to true in order to trigger the crash (or else the "createShadowRoot" call just triggers a JS error).
Summary: InvalidArrayIndex_CRASH in [@ SVGTextFrame::GetExtentOfChar] → InvalidArrayIndex_CRASH in [@ SVGTextFrame::GetExtentOfChar], with SVG <text> and createShadowRoot()
Comment 3•8 years ago
Before the crash, I see 3 copies of this assertion:
###!!! ASSERTION: expected a TextNodeCorrespondenceProperty on nsTextFrame used for SVG text: 'Not Reached', file layout/svg/SVGTextFrame.cpp, line 1339
...which incidentally we also hit in bug 903785 (but without a crash in that case).
See Also: → 903785
Comment 4•8 years ago
We crash when indexing into mPositions in SVGTextFrame::GetExtentOfChar:
> // The horizontal extent is the origin of the glyph plus the advance
> // in the direction of the glyph's rotation.
> gfxMatrix m;
> m.PreTranslate(mPositions[startIndex].mPosition);
https://searchfox.org/mozilla-central/rev/cf149b7b63ff97023e28723167725e38cf5df757/layout/svg/SVGTextFrame.cpp#4438
Here, mPositions.Length() is 0. (startIndex is also 0, but the array is empty so it doesn't even have that first entry.)
Skimming around, it looks like there are some dedicated functions to initialize & update mPositions, and I'm guessing that code isn't getting called. heycam, this hasn't really been touched since Bug 655877 - you'd probably be the best person to take a look? (or jwatt, who reviewed that code)
Flags: needinfo?(cam)
Priority: -- → P3
Summary: InvalidArrayIndex_CRASH in [@ SVGTextFrame::GetExtentOfChar], with SVG <text> and createShadowRoot() → InvalidArrayIndex_CRASH in [@ SVGTextFrame::GetExtentOfChar], with SVG <text> and createShadowRoot() (and dom.webcomponents.enabled=true)
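The failure mode described in comment 4, as an added illustration that is not Firefox code: a bounds-checked array modelled on nsTArray turns the out-of-range read of an empty mPositions into a deterministic failure (nsTArray calls InvalidArrayIndex_CRASH, which aborts the process; the hypothetical CheckedArray below throws instead so the test can observe it), and a guarded GetExtentOfChar-like function rejects the index before dereferencing so the caller gets an error rather than a crash. The types Position, Rect, CheckedArray, ExtentUnchecked and ExtentGuarded are assumptions for this example.

```cpp
// Added example, not Firefox code. Models the nsTArray bounds check that
// produced the InvalidArrayIndex_CRASH above and the guard that avoids it.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

struct Position { double x; double y; double advance; };
struct Rect { double x; double y; double width; };

// Hypothetical stand-in for nsTArray<Position>: operator[] validates the index.
// nsTArray aborts via InvalidArrayIndex_CRASH(index, length); we throw so the
// failure is observable in a test instead of killing the process.
class CheckedArray {
 public:
  void Append(Position p) { mItems.push_back(p); }
  size_t Length() const { return mItems.size(); }
  const Position& operator[](size_t index) const {
    if (index >= mItems.size()) {
      throw std::out_of_range("InvalidArrayIndex: " + std::to_string(index) +
                              " >= length " + std::to_string(mItems.size()));
    }
    return mItems[index];
  }
 private:
  std::vector<Position> mItems;
};

// Mirrors the crashing path: indexes positions directly with startIndex.
// With an empty array (the bug's situation) this trips the bounds check.
Rect ExtentUnchecked(const CheckedArray& positions, size_t startIndex) {
  const Position& p = positions[startIndex];
  return Rect{p.x, p.y, p.advance};
}

// Guarded variant: check startIndex against Length() first. Returns false
// where the DOM API would report an index error, so no crash is reachable.
bool ExtentGuarded(const CheckedArray& positions, size_t startIndex,
                   Rect* out) {
  if (startIndex >= positions.Length()) {
    return false;
  }
  const Position& p = positions[startIndex];
  *out = Rect{p.x, p.y, p.advance};
  return true;
}
```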
Comment 5•8 years ago
I haven't looked at this yet but I am not surprised at all that shadow trees could cause problems like this.
Comment 6•8 years ago
Per the current spec, shadow trees cannot be attached to non-HTML elements, and Element::AttachShadow does implement that restriction. So there's no longer a way to cause this problem for SVG <text>.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(cam)
Resolution: --- → WORKSFORME