-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support surrogates in the DOM? #6564
Comments
As long as Acid3 is the only thing that hits this, I think we should keep the panic. |
How is panic ever a useful behavior? |
It alerts us to the fact that someone relies on it, so that we have something to base our decision on. Speaking of data, we should try to add instrumentation to Gecko. |
Crashing the browser seems very user-hostile, especially when there is no indication that a site would actually be unusable if unpaired surrogates are replaced. (Maybe it would just show � instead of something that looks like .) There’s also no guarantee that it’ll alert us. Should we add some kind of telemetry to Servo? |
I agree with @SimonSapin here. Crashing is not really acceptable for non-developer users. Telemetry is probably the correct way to solve this, but I'm guessing that will be a little while in coming. How would we go about adding telemetry to gecko to estimate impact of various things we could do? |
Replace surrogates in JS strings with U+FFFD instead of panicking. Fix #6519. See #6564. r? @pcwalton <!-- Reviewable:start --> [<img src="https://reviewable.io/review_button.png" height=40 alt="Review on Reviewable"/>](https://reviewable.io/reviews/servo/servo/6595) <!-- Reviewable:end -->
I think we should not keep the panic; it's causing actual crashes that are preventing things like fuzzers from working. We should never deliberately keep a panic in; it's a terribly blunt debugging instrument. Here's a concrete compromise proposal. Replace surrogates with U+FFFD as in @SimonSapin's patch, but output a message with |
The plan for now per https://github.com/servo/servo/wiki/Meeting-2015-07-13 is to add a |
Add a `-Z replace-surrogates` command-line option. See #6564. r? @Ms2ger <!-- Reviewable:start --> [<img src="https://reviewable.io/review_button.png" height=40 alt="Review on Reviewable"/>](https://reviewable.io/reviews/servo/servo/6614) <!-- Reviewable:end -->
Add a `-Z replace-surrogates` command-line option. See #6564. r? @Ms2ger <!-- Reviewable:start --> [<img src="https://reviewable.io/review_button.png" height=40 alt="Review on Reviewable"/>](https://reviewable.io/reviews/servo/servo/6614) <!-- Reviewable:end -->
Add a `-Z replace-surrogates` command-line option. See #6564. r? @Ms2ger <!-- Reviewable:start --> [<img src="https://reviewable.io/review_button.png" height=40 alt="Review on Reviewable"/>](https://reviewable.io/reviews/servo/servo/6614) <!-- Reviewable:end -->
Add a `-Z replace-surrogates` command-line option. See #6564. r? @Ms2ger <!-- Reviewable:start --> [<img src="https://reviewable.io/review_button.png" height=40 alt="Review on Reviewable"/>](https://reviewable.io/reviews/servo/servo/6614) <!-- Reviewable:end -->
I get this error by testing acid3. thread 'ScriptTask PipelineId(0)' panicked at 'Found an unpaired surrogate in a DOM string. If you see this in real web content, please comment on #6564 Use |
@farodin91, that’s #6519. As the error message says, you can add that command line option to make Servo continue despite the error, and test 68 of Acid 3 will succeed. Many other Acid3 tests are currently failing, though, and we’re not actively trying to fix as Acid 3 is not very representative of real content. |
Fail on unrecognized debug option Refs: #7142 Ran some basic functional tests: ``` $ ./mach run -d -Z bubble-widths,disable-canvas-aa,trace-layout tests/ref/blur_ref.html $ ./mach run -d -Z help Usage: /Users/greg/servo/target/debug/servo debug option,[options,...] where options include Options: bubble-widths Bubble intrinsic widths separately like other engines. disable-text-aa Disable antialiasing of rendered text. disable-canvas-aa Disable antialiasing on the HTML canvas element. dump-flow-tree Print the flow tree after each layout. dump-display-list Print the display list after each layout. dump-display-list-json Print the display list in JSON form. dump-display-list-optimized Print optimized display list (at paint time). relayout-event Print notifications when there is a relayout. profile-tasks Instrument each task, writing the output to a file. show-compositor-borders Paint borders along layer and tile boundaries. show-fragment-borders Paint borders along fragment boundaries. show-parallel-paint Overlay tiles with colors showing which thread painted them. show-parallel-layout Mark which thread laid each flow out with colors. paint-flashing Overlay repainted areas with a random color. trace-layout Write layout trace to an external file for debugging. validate-display-list-geometry Display an error when display list geometry escapes overflow region. disable-share-style-cache Disable the style sharing cache. parallel-display-list-building Build display lists in parallel. replace-surrogates Replace unpaires surrogates in DOM strings with U+FFFD. See #6564 gc-profile Log GC passes and their durations. $ ./mach run -d -Z blah error: unrecognized debug option: blah Servo exited with return value 1 ``` Didn't check that setting debug flags actually did anything. Haven't written much Rust so this feels more verbose than necessary. Added `disable-canvas-aa` to debug options help. Should DebugOptions struct derive Clone like Opts does? <!-- Reviewable:start --> [<img src="https://reviewable.io/review_button.png" height=40 alt="Review on Reviewable"/>](https://reviewable.io/reviews/servo/servo/7165) <!-- Reviewable:end -->
As suggested by Servo when it crashed on real web content, reporting here: Accessing https://vector.im (and bypassing the "Your browser is not supported" message, due to Servo failing its tests for flexbox and objectfit), Servo crashes with the following text:
Note that https://vector.im gets updated over time, and accesses a chat system ( https://matrix.org ), and so the content may change. However, the code of vector.im at this time is release 0.2.0, so that at least can be reproduced. |
There are various Unicode-related bugs in the project that are getting fixed: matrix-org/matrix-react-sdk#177 The last one seems to be the culprit here, given it happens when loading the list of rooms etc. |
So far, we've gotten Vector and Acid3. Replacing with FFFD seems like an acceptable choice in both cases (Acid3 allows it, and it's as good as any other way to deal with Vector). |
Stylo bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1355101 Spec issue to change CSSOM: w3c/csswg-drafts#1217 |
w3c/csswg-drafts#1217 is resolved with w3c/csswg-drafts#1266: the spec introduces a |
…ctor-debug-options); r=ms2ger Refs: servo/servo#7142 Ran some basic functional tests: ``` $ ./mach run -d -Z bubble-widths,disable-canvas-aa,trace-layout tests/ref/blur_ref.html $ ./mach run -d -Z help Usage: /Users/greg/servo/target/debug/servo debug option,[options,...] where options include Options: bubble-widths Bubble intrinsic widths separately like other engines. disable-text-aa Disable antialiasing of rendered text. disable-canvas-aa Disable antialiasing on the HTML canvas element. dump-flow-tree Print the flow tree after each layout. dump-display-list Print the display list after each layout. dump-display-list-json Print the display list in JSON form. dump-display-list-optimized Print optimized display list (at paint time). relayout-event Print notifications when there is a relayout. profile-tasks Instrument each task, writing the output to a file. show-compositor-borders Paint borders along layer and tile boundaries. show-fragment-borders Paint borders along fragment boundaries. show-parallel-paint Overlay tiles with colors showing which thread painted them. show-parallel-layout Mark which thread laid each flow out with colors. paint-flashing Overlay repainted areas with a random color. trace-layout Write layout trace to an external file for debugging. validate-display-list-geometry Display an error when display list geometry escapes overflow region. disable-share-style-cache Disable the style sharing cache. parallel-display-list-building Build display lists in parallel. replace-surrogates Replace unpaires surrogates in DOM strings with U+FFFD. See servo/servo#6564 gc-profile Log GC passes and their durations. $ ./mach run -d -Z blah error: unrecognized debug option: blah Servo exited with return value 1 ``` Didn't check that setting debug flags actually did anything. Haven't written much Rust so this feels more verbose than necessary. Added `disable-canvas-aa` to debug options help. Should DebugOptions struct derive Clone like Opts does? Source-Repo: https://github.com/servo/servo Source-Revision: f5e97ef1b54b7f85d9c5a55712e802dd70a89f8e
Got that error after login in Slack: Found an unpaired surrogate in a DOM string. If you see this in real web content, please comment on #6564 Use URL:Servo Version:Servo 0.0.1-10779f0 Backtrace:
|
Is it any team, or a particular team? For those not in the know, Slack is a multitenant program; naturally, every "team" (read: "tenant") has a lot of configuration that they can change. If it's a particular team, then can a Servo dev join it? We're trying to answer the question of how Servo needs to handle the ill-formed UTF-16 to work. |
We have no immediate plan to support lone surrogates any time soon. Meanwhile, that Servo crashes on that on Slack means there is a bug on Slack somewhere. |
I hit this issue after following some links on Twitter. To reproduce, go to http://twitter.com/chrisledlin and scroll down a few screens worth. EDIT (2017-09-10): Also affects mp3party.net, with no user interaction |
…ctor-debug-options); r=ms2ger Refs: servo/servo#7142 Ran some basic functional tests: ``` $ ./mach run -d -Z bubble-widths,disable-canvas-aa,trace-layout tests/ref/blur_ref.html $ ./mach run -d -Z help Usage: /Users/greg/servo/target/debug/servo debug option,[options,...] where options include Options: bubble-widths Bubble intrinsic widths separately like other engines. disable-text-aa Disable antialiasing of rendered text. disable-canvas-aa Disable antialiasing on the HTML canvas element. dump-flow-tree Print the flow tree after each layout. dump-display-list Print the display list after each layout. dump-display-list-json Print the display list in JSON form. dump-display-list-optimized Print optimized display list (at paint time). relayout-event Print notifications when there is a relayout. profile-tasks Instrument each task, writing the output to a file. show-compositor-borders Paint borders along layer and tile boundaries. show-fragment-borders Paint borders along fragment boundaries. show-parallel-paint Overlay tiles with colors showing which thread painted them. show-parallel-layout Mark which thread laid each flow out with colors. paint-flashing Overlay repainted areas with a random color. trace-layout Write layout trace to an external file for debugging. validate-display-list-geometry Display an error when display list geometry escapes overflow region. disable-share-style-cache Disable the style sharing cache. parallel-display-list-building Build display lists in parallel. replace-surrogates Replace unpaires surrogates in DOM strings with U+FFFD. See servo/servo#6564 gc-profile Log GC passes and their durations. $ ./mach run -d -Z blah error: unrecognized debug option: blah Servo exited with return value 1 ``` Didn't check that setting debug flags actually did anything. Haven't written much Rust so this feels more verbose than necessary. Added `disable-canvas-aa` to debug options help. Should DebugOptions struct derive Clone like Opts does? Source-Repo: https://github.com/servo/servo Source-Revision: f5e97ef1b54b7f85d9c5a55712e802dd70a89f8e UltraBlame original commit: 303fdd818d2c935023e269881fc349dd0a25bc29
…ctor-debug-options); r=ms2ger Refs: servo/servo#7142 Ran some basic functional tests: ``` $ ./mach run -d -Z bubble-widths,disable-canvas-aa,trace-layout tests/ref/blur_ref.html $ ./mach run -d -Z help Usage: /Users/greg/servo/target/debug/servo debug option,[options,...] where options include Options: bubble-widths Bubble intrinsic widths separately like other engines. disable-text-aa Disable antialiasing of rendered text. disable-canvas-aa Disable antialiasing on the HTML canvas element. dump-flow-tree Print the flow tree after each layout. dump-display-list Print the display list after each layout. dump-display-list-json Print the display list in JSON form. dump-display-list-optimized Print optimized display list (at paint time). relayout-event Print notifications when there is a relayout. profile-tasks Instrument each task, writing the output to a file. show-compositor-borders Paint borders along layer and tile boundaries. show-fragment-borders Paint borders along fragment boundaries. show-parallel-paint Overlay tiles with colors showing which thread painted them. show-parallel-layout Mark which thread laid each flow out with colors. paint-flashing Overlay repainted areas with a random color. trace-layout Write layout trace to an external file for debugging. validate-display-list-geometry Display an error when display list geometry escapes overflow region. disable-share-style-cache Disable the style sharing cache. parallel-display-list-building Build display lists in parallel. replace-surrogates Replace unpaires surrogates in DOM strings with U+FFFD. See servo/servo#6564 gc-profile Log GC passes and their durations. $ ./mach run -d -Z blah error: unrecognized debug option: blah Servo exited with return value 1 ``` Didn't check that setting debug flags actually did anything. Haven't written much Rust so this feels more verbose than necessary. Added `disable-canvas-aa` to debug options help. Should DebugOptions struct derive Clone like Opts does? Source-Repo: https://github.com/servo/servo Source-Revision: f5e97ef1b54b7f85d9c5a55712e802dd70a89f8e UltraBlame original commit: 303fdd818d2c935023e269881fc349dd0a25bc29
…ctor-debug-options); r=ms2ger Refs: servo/servo#7142 Ran some basic functional tests: ``` $ ./mach run -d -Z bubble-widths,disable-canvas-aa,trace-layout tests/ref/blur_ref.html $ ./mach run -d -Z help Usage: /Users/greg/servo/target/debug/servo debug option,[options,...] where options include Options: bubble-widths Bubble intrinsic widths separately like other engines. disable-text-aa Disable antialiasing of rendered text. disable-canvas-aa Disable antialiasing on the HTML canvas element. dump-flow-tree Print the flow tree after each layout. dump-display-list Print the display list after each layout. dump-display-list-json Print the display list in JSON form. dump-display-list-optimized Print optimized display list (at paint time). relayout-event Print notifications when there is a relayout. profile-tasks Instrument each task, writing the output to a file. show-compositor-borders Paint borders along layer and tile boundaries. show-fragment-borders Paint borders along fragment boundaries. show-parallel-paint Overlay tiles with colors showing which thread painted them. show-parallel-layout Mark which thread laid each flow out with colors. paint-flashing Overlay repainted areas with a random color. trace-layout Write layout trace to an external file for debugging. validate-display-list-geometry Display an error when display list geometry escapes overflow region. disable-share-style-cache Disable the style sharing cache. parallel-display-list-building Build display lists in parallel. replace-surrogates Replace unpaires surrogates in DOM strings with U+FFFD. See servo/servo#6564 gc-profile Log GC passes and their durations. $ ./mach run -d -Z blah error: unrecognized debug option: blah Servo exited with return value 1 ``` Didn't check that setting debug flags actually did anything. Haven't written much Rust so this feels more verbose than necessary. Added `disable-canvas-aa` to debug options help. Should DebugOptions struct derive Clone like Opts does? Source-Repo: https://github.com/servo/servo Source-Revision: f5e97ef1b54b7f85d9c5a55712e802dd70a89f8e UltraBlame original commit: 303fdd818d2c935023e269881fc349dd0a25bc29
https://discoverthreejs.com/ produces
|
Do we have a way to make that panic message print a JavaScript stack trace? |
If we add some code that replicates https://searchfox.org/mozilla-central/source/js/xpconnect/src/XPCDebug.cpp#37-60, yes. |
JavaScript strings are potentially ill-formed UTF-16 (arbitrary
Vec<u16>
) and can contain unpaired surrogates. Rust’sString
type is well-formed UTF-8 and can not contain any surrogate. Surrogates are never emitted when decoding bytes from the network, but they can sneak in throughdocument.write
, theElement.innerHtml
setter, or other DOM APIs.https://simonsapin.github.io/wtf-8/#motivation has some background and definitions.
This has been discussed before, but let’s try to centralize discussion here.
The status quo as of this writing is that
DOMString
in Servo isString
, andjsstring_to_str
panics and crashes the browser when encountering surrogates. This happens in Acid 3: #6519.To align with the current spec and other implementations, we can make
DOMString
potentially ill-formed UTF-16 or WTF-8 (https://github.com/SimonSapin/rust-wtf8). This is a bunch of work in (at least) string-cache, html5ever, and Servo. (html5ever already uses Tendril which supports multiple encodings including UTF-8 and WTF-8, but html5ever is still hard-coded toStrTendril = Tendril<UTF8>
.)Another option is to willfully violate the spec and replace unpaired surrogates with U+FFFD when converting to UTF-8: #6541. (
String::from_utf16_lossy
in the Rust standard library does this.) Acid 3 tests for this and considers it an acceptable behavior in its # 68 test. @Ms2ger commented in #6541 that "This is definitely the wrong fix." but I’m not so sure. I think we should do this until we have evidence of real content that relies on surrogates being preserved.For what it’s worth, WebKit/Blink preserve unpaired surrogates in the DOM, but fail to render text in a given
TextNode
after the first unpaired surrogate.The text was updated successfully, but these errors were encountered: