[Webkit-unassigned] [Bug 197181] New: Assertion fires when calling getSubStringLength() for a fragmented <text> element

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 22 16:18:05 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=197181

            Bug ID: 197181
           Summary: Assertion fires when calling getSubStringLength() for
                    a fragmented <text> element
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com
                CC: zimmermann at kde.org

Created attachment 367991

  --> https://bugs.webkit.org/attachment.cgi?id=367991&action=review

test case

Open the attached test case. The following assertion will fire:

0x00000001b2ae79b0 in ::WTFCrash() at Source/WTF/wtf/Assertions.cpp:305
0x00000001a000e75b in WTFCrashWithInfo(int, char const*, char const*, int) at WebKitBuild/Debug/usr/local/include/wtf/Assertions.h:566
0x00000001a3ba3e7d in WebCore::SVGTextQuery::mapStartEndPositionsIntoFragmentCoordinates(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&, unsigned int&, unsigned int&) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:140
0x00000001a3ba450c in WebCore::SVGTextQuery::subStringLengthCallback(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:291
0x00000001a3ba3d9c in WebCore::SVGTextQuery::executeQuery(WebCore::SVGTextQuery::Data*, bool (WebCore::SVGTextQuery::*)(WebCore::SVGTextQuery::Data*, WebCore::SVGTextFragment const&) const) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:125
0x00000001a3ba4627 in WebCore::SVGTextQuery::subStringLength(unsigned int, unsigned int) const at Source/WebCore/rendering/svg/SVGTextQuery.cpp:305
0x00000001a3f34490 in WebCore::SVGTextContentElement::getSubStringLength(unsigned int, unsigned int) at Source/WebCore/./svg/SVGTextContentElement.cpp:75
0x00000001a12c5d00 in WebCore::jsSVGTextContentElementPrototypeFunctionGetSubStringLengthBody(JSC::ExecState*, WebCore::JSSVGTextContentElement*, JSC::ThrowScope&) at WebKitBuild/Debug/DerivedSources/WebCore/JSSVGTextContentElement.cpp:295
0x00000001a12ba6d0 in long long WebCore::IDLOperation<WebCore::JSSVGTextContentElement>::call<&(WebCore::jsSVGTextContentElementPrototypeFunctionGetSubStringLengthBody(JSC::ExecState*, WebCore::JSSVGTextContentElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) at Source/WebCore/bindings/js/JSDOMOperation.h:53
0x00000001a12ba3bc in WebCore::jsSVGTextContentElementPrototypeFunctionGetSubStringLength(JSC::ExecState*) at WebKitBuild/Debug/DerivedSources/WebCore/JSSVGTextContentElement.cpp:300
