[Webkit-unassigned] [Bug 199018] New: [GTK] fast/mediastream/RTCPeerConnection-add-removeTrack.html and fast/mediastream/RTCPeerConnection-addTransceiver.html are crashing

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 19 11:03:12 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=199018

            Bug ID: 199018
           Summary: [GTK] fast/mediastream/RTCPeerConnection-add-removeTrack.html and fast/mediastream/RTCPeerConnection-addTransceiver.html are crashing
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: aboya at igalia.com
                CC: bugs-noreply at webkitgtk.org

fast/mediastream/RTCPeerConnection-add-removeTrack.html

Crashing since r246053:r246056

It seems the string is too long:

String String::fromUTF8(const LChar* stringStart, size_t length)
{
    // Defensive guard: a length above MaxLength cannot be a real string, so WebKit
    // aborts here instead of reading that many bytes (length is 139807294951298 in frame #1).
    if (length > MaxLength)
        CRASH();
    // ... remainder of the function not quoted in the report

Thread 1 (Thread 0x7f27550be9c0 (LWP 36070)):
#0  WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:305
#1  0x00007f275ec97969 in WTF::String::fromUTF8(unsigned char const*, unsigned long) (stringStart="", length=139807294951298) at ../../Source/WTF/wtf/text/WTFString.cpp:846
#2  0x00007f276b014acb in WTF::String::fromUTF8(char const*, unsigned long) (characters=0x7fff1b898c00 "", length=139807294951298) at DerivedSources/ForwardingHeaders/wtf/text/WTFString.h:349
#3  0x00007f276ddbccdd in WebCore::fromStdString(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (value='\000' <repeats 24 times>, "\202\017'l'\177\000\000P\214\211\033\377\177\000\000\313J\001k'\177\000\000P\214\211\033\377\177\000\000\202\017'l'\177\000\000\000\214\211\033\377\177\000\000@\215\211\033\377\177\000\000\200\214\211\033\377\177\000\000\335\314\333m'\177\000\000\240\214\211\033\377\177\000\000@\215\211\033\377\177\000\000\275Ѳk'\177\000\000\275Ѳk'\177\000\000\340\214\211\033\377\177\000\000\205\310\333m'\177\000\000\240\225\022b&\177\000\000@\215\211\033\377\177\000\000\000\214\211\033\377\177\000\000\202\017'l'\177\000\000\000\000\000\000\000\000\000\000\240\063\000\354&\177\000\000\340\214\211\033\377\177\000\000"...) at ../../Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCUtils.h:57
#4  0x00007f276ddbc885 in WebCore::LibWebRTCRtpTransceiverBackend::mid() (this=0x7f26621295a0) at ../../Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpTransceiverBackend.cpp:67
#5  0x00007f276c26e4aa in WebCore::RTCRtpTransceiver::mid() const (this=0x7f26ec003360) at ../../Source/WebCore/Modules/mediastream/RTCRtpTransceiver.cpp:55
#6  0x00007f276bb2d190 in WebCore::jsRTCRtpTransceiverMidGetter (state=..., thisObject=..., throwScope=...) at DerivedSources/WebCore/JSRTCRtpTransceiver.cpp:217
#7  0x00007f276bb4c95a in WebCore::IDLAttribute<WebCore::JSRTCRtpTransceiver>::get<WebCore::jsRTCRtpTransceiverMidGetter, (WebCore::CastedThisErrorBehavior)3> (state=..., thisValue=139805210572384, attributeName=0x7f276f989bda "mid") at ../../Source/WebCore/bindings/js/JSDOMAttribute.h:69
#8  0x00007f276bb2d1eb in WebCore::jsRTCRtpTransceiverMid(JSC::ExecState*, long, JSC::PropertyName) (state=0x7fff1b8991f0, thisValue=139805210572384) at DerivedSources/WebCore/JSRTCRtpTransceiver.cpp:223
#9  0x00007f275e9350c9 in JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const (this=0x7fff1b899040, exec=0x7fff1b8991f0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.cpp:50
#10 0x00007f276b38f1c0 in JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const (this=0x7fff1b899040, exec=0x7fff1b8991f0, propertyName=...) at DerivedSources/ForwardingHeaders/JavaScriptCore/PropertySlot.h:414
#11 0x00007f276c5acb83 in JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const (this=0x7fff1b899088, exec=0x7fff1b8991f0, propertyName=..., slot=...) at DerivedSources/ForwardingHeaders/JavaScriptCore/JSCJSValueInlines.h:873
#12 0x00007f275e5de21a in JSC::LLInt::llint_slow_path_get_by_id (exec=0x7fff1b8991f0, pc=0x7f266211c33c) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:762
#13 0x00007f275e5c75ce in llint_op_get_by_id () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#14 0x0000000000000000 in ?? ()
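The argument dump in frame #3 can be decoded to see what memory the `const std::string&` actually refers to. The script below is an added triage example, not WebKit's or the reporter's code: it transcribes that dump, decodes GDB's octal rendering back into bytes, splits them into little-endian 64-bit words (assuming the x86-64 layout of the trace) and reports which words coincide with the length and the addresses printed in the other frames.

```python
"""Crash-triage helper for the frame #3 dump above (an added example, not WebKit
code). GDB rendered the bytes behind the `const std::string&` passed to
fromStdString; decode them and compare the words with the rest of the trace."""
import re
import struct

# Transcribed from frame #3 of the report (constructed input). The stray "Ѳ" is
# GDB displaying the raw bytes 0xD1 0xB2 as one UTF-8 character; re-encoding recovers them.
FRAME3_VALUE = r"""'\000' <repeats 24 times>, "\202\017'l'\177\000\000P\214\211\033\377\177\000\000\313J\001k'\177\000\000P\214\211\033\377\177\000\000\202\017'l'\177\000\000\000\214\211\033\377\177\000\000@\215\211\033\377\177\000\000\200\214\211\033\377\177\000\000\335\314\333m'\177\000\000\240\214\211\033\377\177\000\000@\215\211\033\377\177\000\000\275Ѳk'\177\000\000\275Ѳk'\177\000\000\340\214\211\033\377\177\000\000\205\310\333m'\177\000\000\240\225\022b&\177\000\000@\215\211\033\377\177\000\000\000\214\211\033\377\177\000\000\202\017'l'\177\000\000\000\000\000\000\000\000\000\000\240\063\000\354&\177\000\000\340\214\211\033\377\177\000\000"..."""

# Values printed in other frames of the same backtrace (lookup table built from the report).
KNOWN = {
    "length passed to fromUTF8 (frame #1)": 139807294951298,
    "characters arg (frame #2)": 0x7fff1b898c00,
    "pc of frame #2": 0x7f276b014acb,
    "pc of frame #3": 0x7f276ddbccdd,
    "pc of frame #4": 0x7f276ddbc885,
    "this of frame #4": 0x7f26621295a0,
}

_TOK = re.compile(r"'\\([0-7]{1,3})' <repeats (\d+) times>"  # '\ooo' <repeats N times>
                  r"|\\([0-7]{1,3})"                           # \ooo octal escape
                  r"|\"|\.\.\.|, "                              # GDB segment delimiters
                  r"|(.)", re.S)                                 # any other literal character

def gdb_value_to_bytes(text: str) -> bytes:
    """Recover the raw bytes from GDB's rendering of a char buffer."""
    out = bytearray()
    for m in _TOK.finditer(text):
        if m.group(1):
            out += bytes([int(m.group(1), 8)]) * int(m.group(2))
        elif m.group(3):
            out.append(int(m.group(3), 8))
        elif m.group(4):
            out += m.group(4).encode("utf-8")  # non-ASCII: GDB decoded raw bytes as UTF-8
    return bytes(out)

def words_le64(data: bytes) -> list:
    """Split into little-endian u64 words, the way an x86-64 stack is read."""
    n = len(data) // 8
    return list(struct.unpack("<%dQ" % n, data[:n * 8]))

def match_known(words: list) -> dict:
    """Byte offsets in the dump at which each known trace value appears."""
    return {label: [i * 8 for i, w in enumerate(words) if w == v] for label, v in KNOWN.items()}

if __name__ == "__main__":
    words = words_le64(gdb_value_to_bytes(FRAME3_VALUE))
    for i, w in enumerate(words):
        kind = "stack" if w >> 32 == 0x7fff else "mmap/lib" if w >> 40 == 0x7f else "other"
        print("+%3d  0x%016x  %s" % (i * 8, w, kind))
    for label, offsets in match_known(words).items():
        print("%-40s found at offsets %s" % (label, offsets))
```

The bogus length 139807294951298 (0x7f276c270f82) appears three times in the 200 bytes GDB printed, next to the return addresses of frames #2 to #4, the `characters` pointer of frame #2 and the `this` of frame #4, so what was read through the reference is the live stack of this call chain rather than string content, which is consistent with a dangling or uninitialized std::string and is exactly the case the MaxLength guard in fromUTF8 turns into a controlled crash.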
