1840195 - Assertion failure: charIndex != startIndex (If the current character is in the middle of a cluster or ligature group, then charIndex must be different from startIndex), at /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:4418

Status: VERIFIED FIXED

(Core :: SVG, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230621-b94f3d418f54 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: charIndex != startIndex (If the current character is in the middle of a cluster or ligature group, then charIndex must be different from startIndex), at /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:4418

#0 0x7fb11c664666 in mozilla::SVGTextFrame::AdjustPositionsForClusters() /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:4415:7
#1 0x7fb11c666993 in mozilla::SVGTextFrame::DoGlyphPositioning() /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:4894:3
#2 0x7fb11c6498f4 in UpdateGlyphPositioning /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:4960:5
#3 0x7fb11c6498f4 in mozilla::SVGTextFrame::ReflowSVG() /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:3237:3
#4 0x7fb11c62d7b1 in mozilla::SVGDisplayContainerFrame::ReflowSVG() /builds/worker/checkouts/gecko/layout/svg/SVGContainerFrame.cpp:339:17
#5 0x7fb11c6507fa in mozilla::SVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/svg/SVGOuterSVGFrame.cpp:417:14
#6 0x7fb11c54ade1 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:869:13
#7 0x7fb11c435edf in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4773:15
#8 0x7fb11c4350a9 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4575:5
#9 0x7fb11c430ff9 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4449:9
#10 0x7fb11c42d2cd in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3433:5
#11 0x7fb11c42740a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2947:9
#12 0x7fb11c422689 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1505:3
#13 0x7fb11c433d84 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
#14 0x7fb11c42fc67 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4086:11
#15 0x7fb11c42d37f in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3430:5
#16 0x7fb11c42740a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2947:9
#17 0x7fb11c422689 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1505:3
#18 0x7fb11c448159 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:893:14
#19 0x7fb11c4475a5 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:755:7
#20 0x7fb11c448159 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:893:14
#21 0x7fb11c49403e in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:937:3
#22 0x7fb11c494e4e in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1070:3
#23 0x7fb11c499b0c in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1507:3
#24 0x7fb11c4162b7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:933:14
#25 0x7fb11c415a5f in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:385:7
#26 0x7fb11c302f57 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9616:11
#27 0x7fb11c32b61f in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9794:22
#28 0x7fb11c30ce9b in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9865:10
#29 0x7fb11c30ce9b in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4346:11
#30 0x7fb11861312e in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1464:5
#31 0x7fb11861312e in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10878:16
#32 0x7fb117a2100e in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:742:14
#33 0x7fb117a224d4 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#34 0x7fb11da933bf in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13893:23
#35 0x7fb116c57f3f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#36 0x7fb116c59460 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#37 0x7fb11861835c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11666:18
#38 0x7fb1185fe074 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8114:3
#39 0x7fb1186ad629 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#40 0x7fb1186ad629 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#41 0x7fb1186ad629 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#42 0x7fb1186ad629 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#43 0x7fb1186ad629 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#44 0x7fb1186ad629 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#45 0x7fb1186ad629 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#46 0x7fb116a1a6c7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#47 0x7fb116a12331 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:880:26
#48 0x7fb116a10cc7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:704:15
#49 0x7fb116a11125 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#50 0x7fb116a1e546 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#51 0x7fb116a1e546 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#52 0x7fb116a34c8a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#53 0x7fb116a3ba4d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#54 0x7fb1176ec2e5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#55 0x7fb117605711 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#56 0x7fb117605711 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#57 0x7fb11bf24198 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#58 0x7fb11e24c75b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#59 0x7fb1176ed1c6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#60 0x7fb117605711 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#61 0x7fb117605711 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#62 0x7fb11e24c02a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#63 0x5606c9146526 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#64 0x5606c9146526 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#65 0x7fb12c629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#66 0x7fb12c629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#67 0x5606c911d7c8 in _start (/home/user/workspace/browsers/m-c-20230623092529-fuzzing-debug/firefox-bin+0x587c8) (BuildId: 04f6d112bdce125b7eb5f3038130a7d797a40438)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230623092529-750c24176cc2.
The bug appears to have been introduced in the following build range:

Start: 82f76cc93e6c58b39a417bd1fa6e22c17e5119ca (20230420080923)
End: b1f8bcf4f681b0d125461cd32e9d916679cdb207 (20230420084504)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=82f76cc93e6c58b39a417bd1fa6e22c17e5119ca&tochange=b1f8bcf4f681b0d125461cd32e9d916679cdb207

Comment 3

[Jonathan Kew [:jfkthame]]

The SVGTextFrame code is surprised when the first (only) character in the frame is a Unicode combining character, and so gets marked as a non-cluster-start in the textrun. It looks like this should be harmless enough -- we'll try to make adjustments as though it were attached to a preceding base character, but as the "base" (start) charcter will be the same as the current one, the adjustments will just be no-ops.

Still, we should fix up the code to not trip over this edge case. Probably easiest if we just make it assume that the first character of the frame always starts a cluster, for SVG glyph positioning purposes.

Comment 4

[Jonathan Kew [:jfkthame]]

Attachment: Bug 1840195 - Don't try to treat the first character in an SVGTextFrame as a cluster extender, even if it's a combining char. r=#layout-reviewers

Comment 5

[Pulsebot]

Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f3fb80224414
Don't try to treat the first character in an SVGTextFrame as a cluster extender, even if it's a combining char. r=longsonr

Comment 6

[Serban Stanca [:SerbanS]]

https://hg.mozilla.org/mozilla-central/rev/f3fb80224414

Comment 7

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20230626162305-147bbf0910da.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.