<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - WebKitTestRunner and DumpRenderTree do not handle dangling surrogate characters"

   href="https://bugs.webkit.org/show_bug.cgi?id=154863">154863</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>WebKitTestRunner and DumpRenderTree do not handle dangling surrogate characters

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Nightly Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>Tools / Tests

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>msaboff&#64;apple.com

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>lforschler&#64;apple.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Created <span class=""><a href="attachment.cgi?id=272574" name="attach_272574" title="Crashing test">attachment 272574</a> <a href="attachment.cgi?id=272574&amp;action=edit" title="Crashing test">[details]</a></span>

Crashing test

If your run the attached test with DumpRenderTree it doesn’t provide any test output:

Content-Type: text/plain

DumpMalloc: 53440512

ERROR: nil result from [documentElement innerText]#EOF

#EOF

If you run WebKitTestRunner with the test, it crashes:

1   0x106169ad0 WTFCrash

2   0x1061dfdcf WTF::String::fromUTF8(unsigned char const*, unsigned long)

3   0x1061e010f WTF::String::fromUTF8WithLatin1Fallback(unsigned char const*, unsigned long)

4   0x11729c394 WTF::String::fromUTF8WithLatin1Fallback(char const*, unsigned long)

5   0x11729c158 WTR::toWTFString(OpaqueWKString const*)

6   0x117298b5f WTR::toWTFString(WebKit::WKRetainPtr&lt;OpaqueWKString const*&gt; const&amp;)

7   0x1172c6102 WTR::dumpFrameText(OpaqueWKBundleFrame const*, WTF::StringBuilder&amp;)

8   0x1172c6625 WTR::InjectedBundlePage::dump()

9   0x1172c5da2 WTR::InjectedBundlePage::frameDidChangeLocation(OpaqueWKBundleFrame const*, bool)

10  0x1172c4607 WTR::InjectedBundlePage::didFinishLoadForFrame(OpaqueWKBundleFrame const*)

11  0x1172c32e8 WTR::InjectedBundlePage::didFinishLoadForFrame(OpaqueWKBundlePage const*, OpaqueWKBundleFrame const*, void const**, void const*)

12  0x1020c0906 WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage*, WebKit::WebFrame*, WTF::RefPtr&lt;API::Object&gt;&amp;)

13  0x10252e89d WebKit::WebFrameLoaderClient::dispatchDidFinishLoad()

14  0x108c84c2a WebCore::FrameLoader::checkLoadCompleteForThisFrame()

15  0x108c7c6be WebCore::FrameLoader::checkLoadComplete()

16  0x108c7c1cc WebCore::FrameLoader::checkCompleted()

17  0x108c7c1f5 WebCore::FrameLoader::loadDone()

18  0x10849a609 WebCore::CachedResourceLoader::loadDone(WebCore::CachedResource*, bool)

19  0x10a418935 WebCore::SubresourceLoader::notifyDone()

20  0x10a41855a WebCore::SubresourceLoader::didFinishLoading(double)

21  0x10280f827 WebKit::WebResourceLoader::didFinishResourceLoad(double)

22  0x102814d93 void IPC::callMemberFunctionImpl&lt;WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple&lt;double&gt;, 0ul&gt;(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple&lt;double&gt;&amp;&amp;, std::index_sequence&lt;0ul&gt;)

23  0x102814ce8 void IPC::callMemberFunction&lt;WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple&lt;double&gt;, std::make_index_sequence&lt;1ul&gt; &gt;(std::__1::tuple&lt;double&gt;&amp;&amp;, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double))

24  0x102813e02 void IPC::handleMessage&lt;Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)&gt;(IPC::MessageDecoder&amp;, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double))

25  0x10281357c WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&amp;, IPC::MessageDecoder&amp;)

26  0x10222b990 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&amp;, IPC::MessageDecoder&amp;)

27  0x101fca993 IPC::Connection::dispatchMessage(IPC::MessageDecoder&amp;)

28  0x101fc1811 IPC::Connection::dispatchMessage(std::__1::unique_ptr&lt;IPC::MessageDecoder, std::__1::default_delete&lt;IPC::MessageDecoder&gt; &gt;)

29  0x101fcaf8f IPC::Connection::dispatchOneMessage()

30  0x101fdc2fd IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr&lt;IPC::MessageDecoder, std::__1::default_delete&lt;IPC::MessageDecoder&gt; &gt;)::$_10::operator()() const

31  0x101fdc2cd void std::__1::__invoke_void_return_wrapper&lt;void&gt;::__call&lt;IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr&lt;IPC::MessageDecoder, std::__1::default_delete&lt;IPC::MessageDecoder&gt; &gt;)::$_10&amp;&gt;(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr&lt;IPC::MessageDecoder, std::__1::default_delete&lt;IPC::MessageDecoder&gt; &gt;)::$_10&amp;&amp;&amp;)

#CRASHED - com.apple.WebKit.WebContent.Development (pid 89331)

LEAK: 1 WebProcessPool

LEAK: 1 WebPageProxy

For WebKitTestRunner, we set “strict” to true when calling convertUTF16ToUTF8(), via the call to WKStringGetUTF8CString(), which will return 0.  We pass that stringLength - 1 which underflows to uint64_max to String::fromUTF8WithLatin1Fallback().

Here is the code:

inline WTF::String toWTFString(WKStringRef string)

{

    size_t bufferSize = WKStringGetMaximumUTF8CStringSize(string);

    auto buffer = std::make_unique&lt;char[]&gt;(bufferSize);

    size_t stringLength = WKStringGetUTF8CString(string, buffer.get(), bufferSize);

    return WTF::String::fromUTF8WithLatin1Fallback(buffer.get(), stringLength - 1);

}

</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>