[Webkit-unassigned] [Bug 154863] New: WebKitTestRunner and DumpRenderTree do not handle dangling surrogate characters

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 1 10:41:33 PST 2016


https://bugs.webkit.org/show_bug.cgi?id=154863

            Bug ID: 154863
           Summary: WebKitTestRunner and DumpRenderTree do not handle
                    dangling surrogate characters
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Tools / Tests
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: msaboff at apple.com
                CC: lforschler at apple.com

Created attachment 272574
  --> https://bugs.webkit.org/attachment.cgi?id=272574&action=review
Crashing test

If you run the attached test with DumpRenderTree it doesn’t provide any test output:
Content-Type: text/plain
DumpMalloc: 53440512
ERROR: nil result from [documentElement innerText]#EOF
#EOF

If you run WebKitTestRunner with the test, it crashes:
1   0x106169ad0 WTFCrash
2   0x1061dfdcf WTF::String::fromUTF8(unsigned char const*, unsigned long)
3   0x1061e010f WTF::String::fromUTF8WithLatin1Fallback(unsigned char const*, unsigned long)
4   0x11729c394 WTF::String::fromUTF8WithLatin1Fallback(char const*, unsigned long)
5   0x11729c158 WTR::toWTFString(OpaqueWKString const*)
6   0x117298b5f WTR::toWTFString(WebKit::WKRetainPtr<OpaqueWKString const*> const&)
7   0x1172c6102 WTR::dumpFrameText(OpaqueWKBundleFrame const*, WTF::StringBuilder&)
8   0x1172c6625 WTR::InjectedBundlePage::dump()
9   0x1172c5da2 WTR::InjectedBundlePage::frameDidChangeLocation(OpaqueWKBundleFrame const*, bool)
10  0x1172c4607 WTR::InjectedBundlePage::didFinishLoadForFrame(OpaqueWKBundleFrame const*)
11  0x1172c32e8 WTR::InjectedBundlePage::didFinishLoadForFrame(OpaqueWKBundlePage const*, OpaqueWKBundleFrame const*, void const**, void const*)
12  0x1020c0906 WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage*, WebKit::WebFrame*, WTF::RefPtr<API::Object>&)
13  0x10252e89d WebKit::WebFrameLoaderClient::dispatchDidFinishLoad()
14  0x108c84c2a WebCore::FrameLoader::checkLoadCompleteForThisFrame()
15  0x108c7c6be WebCore::FrameLoader::checkLoadComplete()
16  0x108c7c1cc WebCore::FrameLoader::checkCompleted()
17  0x108c7c1f5 WebCore::FrameLoader::loadDone()
18  0x10849a609 WebCore::CachedResourceLoader::loadDone(WebCore::CachedResource*, bool)
19  0x10a418935 WebCore::SubresourceLoader::notifyDone()
20  0x10a41855a WebCore::SubresourceLoader::didFinishLoading(double)
21  0x10280f827 WebKit::WebResourceLoader::didFinishResourceLoad(double)
22  0x102814d93 void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>)
23  0x102814ce8 void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double))
24  0x102813e02 void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double))
25  0x10281357c WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&)
26  0x10222b990 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&)
27  0x101fca993 IPC::Connection::dispatchMessage(IPC::MessageDecoder&)
28  0x101fc1811 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)
29  0x101fcaf8f IPC::Connection::dispatchOneMessage()
30  0x101fdc2fd IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const
31  0x101fdc2cd void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&)
#CRASHED - com.apple.WebKit.WebContent.Development (pid 89331)
LEAK: 1 WebProcessPool
LEAK: 1 WebPageProxy

For WebKitTestRunner, we set “strict” to true when calling convertUTF16ToUTF8(), via the call to WKStringGetUTF8CString(), which will return 0.  We then pass stringLength - 1, which underflows to uint64_max, to String::fromUTF8WithLatin1Fallback().

Here is the code:

inline WTF::String toWTFString(WKStringRef string)
{
    size_t bufferSize = WKStringGetMaximumUTF8CStringSize(string);
    auto buffer = std::make_unique<char[]>(bufferSize);
    // Strict conversion: returns 0 (not a length) when the string contains a dangling surrogate.
    size_t stringLength = WKStringGetUTF8CString(string, buffer.get(), bufferSize);
    // stringLength is an unsigned size_t, so 0 - 1 wraps to uint64_max here.
    return WTF::String::fromUTF8WithLatin1Fallback(buffer.get(), stringLength - 1);
}


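The underflow described above, reproduced as an added stand-alone example (not WebKit's code and not part of the bug report). strictUTF16ToUTF8CString, maximumUTF8CStringSize, unguardedLength and guardedConvert are hypothetical stand-ins modelled on the behaviour the report attributes to WKStringGetUTF8CString in strict mode: a lone surrogate makes the conversion return 0, the unguarded caller subtracts 1 and hands SIZE_MAX to the next layer, while the guarded caller treats 0 as a failed conversion.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical stand-in for a strict UTF-16 -> UTF-8 C-string conversion
// (modelled on the strict-mode behaviour described in the report; not
// WebKit's implementation). Writes a NUL-terminated UTF-8 string into out and
// returns the number of bytes written including the terminator, or 0 when the
// input contains a dangling surrogate or out is too small.
static size_t strictUTF16ToUTF8CString(const std::u16string& in, char* out, size_t outSize)
{
    std::string utf8;
    for (size_t i = 0; i < in.size(); ++i) {
        uint32_t cp = in[i];
        if (cp >= 0xD800 && cp <= 0xDBFF) {
            // High surrogate: must be followed by a low surrogate.
            if (i + 1 >= in.size())
                return 0;
            uint32_t low = in[i + 1];
            if (low < 0xDC00 || low > 0xDFFF)
                return 0;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (low - 0xDC00);
            ++i;
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return 0; // Lone low surrogate.
        }
        if (cp < 0x80) {
            utf8.push_back(static_cast<char>(cp));
        } else if (cp < 0x800) {
            utf8.push_back(static_cast<char>(0xC0 | (cp >> 6)));
            utf8.push_back(static_cast<char>(0x80 | (cp & 0x3F)));
        } else if (cp < 0x10000) {
            utf8.push_back(static_cast<char>(0xE0 | (cp >> 12)));
            utf8.push_back(static_cast<char>(0x80 | ((cp >> 6) & 0x3F)));
            utf8.push_back(static_cast<char>(0x80 | (cp & 0x3F)));
        } else {
            utf8.push_back(static_cast<char>(0xF0 | (cp >> 18)));
            utf8.push_back(static_cast<char>(0x80 | ((cp >> 12) & 0x3F)));
            utf8.push_back(static_cast<char>(0x80 | ((cp >> 6) & 0x3F)));
            utf8.push_back(static_cast<char>(0x80 | (cp & 0x3F)));
        }
    }
    if (utf8.size() + 1 > outSize)
        return 0;
    std::memcpy(out, utf8.data(), utf8.size());
    out[utf8.size()] = '\0';
    return utf8.size() + 1;
}

// Each UTF-16 code unit expands to at most 3 UTF-8 bytes, plus the terminator.
static size_t maximumUTF8CStringSize(const std::u16string& s)
{
    return s.size() * 3 + 1;
}

// Mirrors the unguarded pattern quoted in the report: the length that would be
// handed on to the next conversion layer. For a dangling surrogate the strict
// conversion returns 0, and 0 - 1 on a size_t wraps to SIZE_MAX.
static size_t unguardedLength(const std::u16string& s)
{
    size_t bufferSize = maximumUTF8CStringSize(s);
    std::vector<char> buffer(bufferSize);
    size_t stringLength = strictUTF16ToUTF8CString(s, buffer.data(), bufferSize);
    return stringLength - 1;
}

// Guarded variant: a 0 return is a failed conversion, never a length to
// subtract from. Returns false (and leaves out empty) on failure.
static bool guardedConvert(const std::u16string& s, std::string& out)
{
    out.clear();
    size_t bufferSize = maximumUTF8CStringSize(s);
    std::vector<char> buffer(bufferSize);
    size_t stringLength = strictUTF16ToUTF8CString(s, buffer.data(), bufferSize);
    if (!stringLength)
        return false;
    out.assign(buffer.data(), stringLength - 1); // Drop the NUL terminator.
    return true;
}

int main()
{
    // Constructed inputs: a well-formed string and a lone high surrogate.
    std::u16string ok = u"abc";
    std::u16string dangling(1, char16_t(0xD800));
    std::printf("unguarded length of \"abc\": %zu\n", unguardedLength(ok));
    std::printf("unguarded length of lone surrogate: %zu (SIZE_MAX is %zu)\n",
                unguardedLength(dangling), static_cast<size_t>(SIZE_MAX));
    std::string out;
    std::printf("guarded conversion of lone surrogate succeeded: %d\n",
                guardedConvert(dangling, out) ? 1 : 0);
    return 0;
}
```

The guarded variant is one way to close the hole at the caller; the report itself leaves open where the fix should live (the caller, or the strict flag passed to convertUTF16ToUTF8()).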