Summary: | Crash in flexbox when removing absolutely positioned children
---|---
Product: | WebKit
Component: | MathML
Status: | RESOLVED FIXED
Severity: | Normal
Priority: | P2
Version: | 528+ (Nightly build)
Hardware: | Unspecified
OS: | Unspecified
Reporter: | Abhishek Arya <inferno>
Assignee: | Tony Chang <tony>
CC: | dbarton, eric, fred.wang, ojan, tony, webkit.review.bot
Bug Depends on: |
Bug Blocks: | 62048
More likely to be a flexbox bug than a MathML one. It also looks like this code may have changed since this bug was found. http://trac.webkit.org/browser/trunk/Source/WebCore/rendering/RenderFlexibleBox.cpp
This managed to crash my release build from earlier today. I've not yet tried it in debug. So even though the stack doesn't seem to match the current code, this still seems to be a crasher. Here is a crash stack from my build:
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000030
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x000000010fa9dffd WebCore::RenderFlexibleBox::firstLineBoxBaseline() const + 429 (RenderObject.h:1065)
1 com.apple.WebCore 0x000000010fa9e159 WebCore::RenderFlexibleBox::firstLineBoxBaseline() const + 777 (RenderFlexibleBox.cpp:280)
2 com.apple.WebCore 0x000000010fae3b41 WebCore::RenderMathMLBlock::baselinePosition(WebCore::FontBaseline, bool, WebCore::LineDirectionMode, WebCore::LinePositionMode) const + 49 (RenderMathMLBlock.cpp:208)
3 com.apple.WebCore 0x000000010fbabc79 WebCore::RootInlineBox::ascentAndDescentForBox(WebCore::InlineBox*, WTF::HashMap<WebCore::InlineTextBox const*, std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, int&, int&, bool&, bool&) const + 169 (RootInlineBox.cpp:744)
4 com.apple.WebCore 0x000000010f597d38 WebCore::InlineFlowBox::computeLogicalBoxHeights(WebCore::RootInlineBox*, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, int&, int&, bool&, bool&, bool, WTF::HashMap<WebCore::InlineTextBox const*, std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::FontBaseline, WebCore::VerticalPositionCache&) + 680 (InlineBox.h:184)
5 com.apple.WebCore 0x000000010fbaa572 WebCore::RootInlineBox::alignBoxesInBlockDirection(WebCore::FractionalLayoutUnit, WTF::HashMap<WebCore::InlineTextBox const*, std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) + 242 (FractionalLayoutUnit.h:176)
6 com.apple.WebCore 0x000000010fa636bb WebCore::RenderBlock::computeBlockDirectionPositionsForLine(WebCore::RootInlineBox*, WebCore::BidiRun*, WTF::HashMap<WebCore::InlineTextBox const*, std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) + 75 (RefPtr.h:58)
7 com.apple.WebCore 0x000000010fa6387d WebCore::RenderBlock::createLineBoxesFromBidiRuns(WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul>&) + 237 (RenderBlockLineLayout.cpp:1200)
8 com.apple.WebCore 0x000000010fa6583b WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 3979 (RenderBlockLineLayout.cpp:1485)
9 com.apple.WebCore 0x000000010fa63e3a WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1242 (RenderBlockLineLayout.cpp:1375)
10 com.apple.WebCore 0x000000010fa6a6c1 WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1281 (Vector.h:527)
11 com.apple.WebCore 0x000000010fa44e52 WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1010 (RenderBlock.cpp:1554)
12 com.apple.WebCore 0x000000010fa44450 WebCore::RenderBlock::layout() + 64 (RenderBlock.cpp:1386)
13 com.apple.WebCore 0x000000010fa4b4d8 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 856 (RenderBlock.cpp:2484)
14 com.apple.WebCore 0x000000010fa4657a WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 586 (RenderBlock.cpp:2397)
15 com.apple.WebCore 0x000000010fa44e6c WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1036 (RenderBlock.cpp:1559)
16 com.apple.WebCore 0x000000010fa44450 WebCore::RenderBlock::layout() + 64 (RenderBlock.cpp:1386)
17 com.apple.WebCore 0x000000010fa4b4d8 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 856 (RenderBlock.cpp:2484)
18 com.apple.WebCore 0x000000010fa4657a WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 586 (RenderBlock.cpp:2397)
19 com.apple.WebCore 0x000000010fa44e6c WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1036 (RenderBlock.cpp:1559)
20 com.apple.WebCore 0x000000010fa44450 WebCore::RenderBlock::layout() + 64 (RenderBlock.cpp:1386)
21 com.apple.WebCore 0x000000010fb86245 WebCore::RenderView::layout() + 917 (OwnPtr.h:78)
22 com.apple.WebCore 0x000000010f479b95 WebCore::FrameView::layout(bool) + 1733 (FrameView.cpp:1197)
23 com.apple.WebCore 0x000000010f47f7cd WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() + 141 (HashTable.h:391)
24 com.apple.WebKit2 0x000000010e79d624 WebKit::WebPage::layoutIfNeeded() + 34 (RefPtr.h:70)
Created attachment 170954 [details]
reduced testcase
Created attachment 170964 [details]
more minimal test case
It looks like when the input gets removed from the msubsup element, we're left with an anonymous flexbox inside the msubsup element. We try to get the baseline of the msubsup, and then try to get the baseline of the anonymous flexbox and crash because it has no firstChild, but did the last time we laid it out.
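The failure mode described in the comment above (layout state cached by a container outliving the removal of its child), as an added example that is not WebKit code and not part of the original report. `Box`, `FlexContainer` and every member name are hypothetical, the child values are constructed, and `-1` is used here as the "no result" sentinel.

```cpp
// Added illustration: simplified, hypothetical model of stale layout state.
// None of these types or names are WebKit's.
#include <cstddef>
#include <cstdio>
#include <vector>

struct Box {
    bool outOfFlow;  // stands in for RenderObject::isOutOfFlowPositioned()
    int baseline;    // baseline offset this child would report
};

class FlexContainer {
public:
    void addChild(bool outOfFlow, int baseline)
    {
        Box b = { outOfFlow, baseline };
        m_children.push_back(b);
    }

    // Layout caches how many in-flow children sit on the first line.
    void layout()
    {
        m_inFlowOnFirstLine = 0;
        for (std::size_t i = 0; i < m_children.size(); ++i) {
            if (!m_children[i].outOfFlow)
                ++m_inFlowOnFirstLine;
        }
    }

    // Tree mutation. With invalidate == false the cached count survives the
    // removal: the container still "remembers" a child it no longer has.
    void removeChild(std::size_t index, bool invalidate)
    {
        m_children.erase(m_children.begin() + index);
        if (invalidate)
            m_inFlowOnFirstLine = 0;  // mitigation 1: drop cached state on removal
    }

    // Replays a baseline walk that trusts the cached count. Returns the index
    // at which an unguarded walk would dereference a null child, or -1.
    int staleWalkNullIndex() const
    {
        std::size_t seen = 0;
        for (std::size_t i = 0; seen < m_inFlowOnFirstLine; ++i) {
            const Box* child = childAt(i);
            if (!child)
                return static_cast<int>(i);  // unguarded code reads child->outOfFlow here
            if (!child->outOfFlow)
                ++seen;
        }
        return -1;
    }

    // Mitigation 2: read from the live child list, not the cached count.
    // Returns -1 when there is no in-flow child to take a baseline from.
    int firstLineBaseline() const
    {
        for (std::size_t i = 0; i < m_children.size(); ++i) {
            if (!m_children[i].outOfFlow)
                return m_children[i].baseline;
        }
        return -1;
    }

private:
    const Box* childAt(std::size_t i) const
    {
        return i < m_children.size() ? &m_children[i] : 0;
    }

    std::vector<Box> m_children;
    std::size_t m_inFlowOnFirstLine = 0;
};

// Scenario from the thread: lay out with one child, then remove it.
int nullIndexAfterRemoval(bool invalidate)
{
    FlexContainer box;
    box.addChild(false, 12);  // constructed sample child
    box.layout();
    box.removeChild(0, invalidate);
    return box.staleWalkNullIndex();
}

int main()
{
    std::printf("stale state:  null child at index %d\n", nullIndexAfterRemoval(false));
    std::printf("invalidated:  null child at index %d\n", nullIndexAfterRemoval(true));
    return 0;
}
```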
Looks like this is in fact a MathML issue. RenderMathMLSubSup::addChild creates wrappers, but doesn't remove them when the children are removed. I'll leave this in dbarton's hands.
Created attachment 171073 [details]
Ojan's test case without MathML
I like both Eric's and Ojan's analysis and reduced test cases (thanks!). However, I counter-argue and claim it's still a flexbox bug. :) Here's an attachment that seems to cause the same crash, just using <div> elements and -webkit-inline-flex like MathML (msubsup) uses them.
My flexbox code may be a few days old, but here's my stack trace:
crash log for DumpRenderTree (pid 99385):
STDOUT: <empty>
STDERR: [99385:-1603631808:383108477912945:ERROR:process_util_posix.cc(144)] Received signal 10
STDERR: 0 DumpRenderTree 0x5db65f2f base::debug::StackTrace::StackTrace() + 63
STDERR: 1 DumpRenderTree 0x5db65ecb base::debug::StackTrace::StackTrace() + 43
STDERR: 2 DumpRenderTree 0x5dc23487 base::(anonymous namespace)::StackDumpSignalHandler(int, __siginfo*, __darwin_ucontext*) + 295
STDERR: 3 libSystem.B.dylib 0x9588405b _sigtramp + 43
STDERR: 4 ??? 0xffffffff 0x0 + 4294967295
STDERR: 5 DumpRenderTree 0x6078dc12 WebCore::RenderObject::isOutOfFlowPositioned() const + 50
STDERR: 6 DumpRenderTree 0x608006e3 WebCore::RenderFlexibleBox::firstLineBoxBaseline() const + 275
STDERR: 7 DumpRenderTree 0x608008c5 WebCore::RenderFlexibleBox::firstLineBoxBaseline() const + 757
STDERR: 8 DumpRenderTree 0x6080039f WebCore::RenderFlexibleBox::baselinePosition(WebCore::FontBaseline, bool, WebCore::LineDirectionMode, WebCore::LinePositionMode) const + 79
STDERR: 9 DumpRenderTree 0x606a6f6d WebCore::InlineBox::baselinePosition(WebCore::FontBaseline) const + 173
STDERR: 10 DumpRenderTree 0x609d2de3 WebCore::RootInlineBox::ascentAndDescentForBox(WebCore::InlineBox*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, int&, int&, bool&, bool&) const + 307
STDERR: 11 DumpRenderTree 0x606abe54 WebCore::InlineFlowBox::computeLogicalBoxHeights(WebCore::RootInlineBox*, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, int&, int&, bool&, bool&, bool, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::FontBaseline, WebCore::VerticalPositionCache&) + 820
STDERR: 12 DumpRenderTree 0x609cf5b5 WebCore::RootInlineBox::alignBoxesInBlockDirection(WebCore::FractionalLayoutUnit, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) + 517
STDERR: 13 DumpRenderTree 0x60745607 WebCore::RenderBlock::computeBlockDirectionPositionsForLine(WebCore::RootInlineBox*, WebCore::BidiRun*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) + 135
STDERR: 14 DumpRenderTree 0x60745ad1 WebCore::RenderBlock::createLineBoxesFromBidiRuns(WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul>&) + 497
STDERR: 15 DumpRenderTree 0x60747f6d WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 3357
STDERR: 16 DumpRenderTree 0x6074617e WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1406
STDERR: 17 DumpRenderTree 0x6074eaa6 WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1798
STDERR: 18 DumpRenderTree 0x606d03fd WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1501
STDERR: 19 DumpRenderTree 0x606cf0f3 WebCore::RenderBlock::layout() + 163
STDERR: 20 DumpRenderTree 0x606dcc0d WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1117
STDERR: 21 DumpRenderTree 0x606d2c6b WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 1499
STDERR: 22 DumpRenderTree 0x606d0427 WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1543
STDERR: 23 DumpRenderTree 0x606cf0f3 WebCore::RenderBlock::layout() + 163
STDERR: 24 DumpRenderTree 0x606dcc0d WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1117
STDERR: 25 DumpRenderTree 0x606d2c6b WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 1499
STDERR: 26 DumpRenderTree 0x606d0427 WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1543
STDERR: 27 DumpRenderTree 0x606cf0f3 WebCore::RenderBlock::layout() + 163
STDERR: 28 DumpRenderTree 0x609a9531 WebCore::RenderView::layoutContent(WebCore::LayoutState const&) + 161
STDERR: 29 DumpRenderTree 0x609a9dd9 WebCore::RenderView::layout() + 1353
STDERR: 30 DumpRenderTree 0x604c9632 WebCore::FrameView::layout(bool) + 3778
STDERR: 31 DumpRenderTree 0x5d90f9df WebCore::Document::implicitClose() + 1071
STDERR: 32 DumpRenderTree 0x6034e522 WebCore::FrameLoader::checkCallImplicitClose() + 178
STDERR: 33 DumpRenderTree 0x6034e09e WebCore::FrameLoader::checkCompleted() + 366
STDERR: 34 DumpRenderTree 0x6034ca23 WebCore::FrameLoader::finishedParsing() + 195
STDERR: 35 DumpRenderTree 0x5d91d51b WebCore::Document::finishedParsing() + 651
STDERR: 36 DumpRenderTree 0x5f4320c9 WebCore::HTMLTreeBuilder::finished() + 185
STDERR: 37 DumpRenderTree 0x5f3f787b WebCore::HTMLDocumentParser::end() + 283
STDERR: 38 DumpRenderTree 0x5f3f6659 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 329
STDERR: 39 DumpRenderTree 0x5f3f6398 WebCore::HTMLDocumentParser::prepareToStopParsing() + 312
STDERR: 40 DumpRenderTree 0x5f3f6ff1 WebCore::HTMLDocumentParser::endIfDelayed() + 129
STDERR: 41 DumpRenderTree 0x5f3f6f3b WebCore::HTMLDocumentParser::resumeParsingAfterYield() + 91
STDERR: 42 DumpRenderTree 0x5f40c704 WebCore::HTMLParserScheduler::continueNextChunkTimerFired(WebCore::Timer<WebCore::HTMLParserScheduler>*) + 228
STDERR: 43 DumpRenderTree 0x5f40cdb7 WebCore::Timer<WebCore::HTMLParserScheduler>::fired() + 135
STDERR: 44 DumpRenderTree 0x5f51c96b WebCore::ThreadTimers::sharedTimerFiredInternal() + 347
STDERR: 45 DumpRenderTree 0x5f51c6ef WebCore::ThreadTimers::sharedTimerFired() + 47
STDERR: 46 DumpRenderTree 0x616afd59 webkit_glue::WebKitPlatformSupportImpl::DoTimeout() + 73
STDERR: 47 DumpRenderTree 0x616b0954 base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>::Run(webkit_glue::WebKitPlatformSupportImpl*) + 132
STDERR: 48 DumpRenderTree 0x616b0853 base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void ()(webkit_glue::WebKitPlatformSupportImpl*)>::MakeItSo(base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, webkit_glue::WebKitPlatformSupportImpl*) + 67
STDERR: 49 DumpRenderTree 0x616b0793 base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void ()(webkit_glue::WebKitPlatformSupportImpl*), void ()(base::internal::UnretainedWrapper<webkit_glue::WebKitPlatformSupportImpl>)>, void ()(webkit_glue::WebKitPlatformSupportImpl*)>::Run(base::internal::BindStateBase*) + 115
STDERR: 50 DumpRenderTree 0x5dbd20fb base::Callback<void ()()>::Run() const + 75
STDERR: 51 DumpRenderTree 0x5dca7a50 base::Timer::RunScheduledTask() + 368
STDERR: 52 DumpRenderTree 0x5dca7c59 base::BaseTimerTaskInternal::Run() + 89
STDERR: 53 DumpRenderTree 0x5dca8524 base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>::Run(base::BaseTimerTaskInternal*) + 132
STDERR: 54 DumpRenderTree 0x5dca8423 base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void ()(base::BaseTimerTaskInternal*)>::MakeItSo(base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, base::BaseTimerTaskInternal*) + 67
STDERR: 55 DumpRenderTree 0x5dca835e base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void ()(base::BaseTimerTaskInternal*), void ()(base::internal::OwnedWrapper<base::BaseTimerTaskInternal>)>, void ()(base::BaseTimerTaskInternal*)>::Run(base::internal::BindStateBase*) + 110
STDERR: 56 DumpRenderTree 0x5dbd20fb base::Callback<void ()()>::Run() const + 75
STDERR: 57 DumpRenderTree 0x5dbcf657 MessageLoop::RunTask(base::PendingTask const&) + 1159
STDERR: 58 DumpRenderTree 0x5dbcfb52 MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) + 98
STDERR: 59 DumpRenderTree 0x5dbcfd52 MessageLoop::DoWork() + 322
STDERR: 60 DumpRenderTree 0x5db3bccb base::MessagePumpCFRunLoopBase::RunWork() + 107
STDERR: 61 DumpRenderTree 0x5db3b482 base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 50
STDERR: ax: a069e4c0, bx: 41e201, cx: 1c, dx: f7cdcf89
STDERR: di: 41e2bc, si: 0, bp: bfff9dd8, sp: bfff9dc0, ss: 1f, flags: 10286
STDERR: ip: 607a3767, cs: 17, ds: 1f, es: 1f, fs: 0, gs: 37
Yikes. I swear I tried that! Anyways, I stand corrected. I'll take a look at this Monday.
Created attachment 174250 [details]
Patch
Comment on attachment 174250 [details]
Patch
Clearing flags on attachment: 174250
Committed r134683: <http://trac.webkit.org/changeset/134683>
All reviewed patches have been landed. Closing bug.
Created attachment 170818 [details]
Testcase - 3
==28198== ERROR: AddressSanitizer crashed on unknown address 0x000000000034 (pc 0x7fb6494d914b sp 0x7fff6f9185e0 bp 0x7fff6f9186b0 T0)
AddressSanitizer can not provide additional info.
#0 0x7fb6494d914a in WebCore::RenderObject::RenderObjectBitfields::positioned() const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:1053
#1 0x7fb6494d8ff0 in WebCore::RenderObject::isOutOfFlowPositioned() const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:529
#2 0x7fb64ffae5a7 in WebCore::RenderFlexibleBox::firstLineBoxBaseline() const third_party/WebKit/Source/WebCore/rendering/RenderFlexibleBox.cpp:258
#3 0x7fb64ffaeb89 in WebCore::RenderFlexibleBox::firstLineBoxBaseline() const third_party/WebKit/Source/WebCore/rendering/RenderFlexibleBox.cpp:276
#4 0x7fb65072f061 in WebCore::RenderMathMLBlock::baselinePosition(WebCore::FontBaseline, bool, WebCore::LineDirectionMode, WebCore::LinePositionMode) const third_party/WebKit/Source/WebCore/rendering/mathml/RenderMathMLBlock.cpp:208
#5 0x7fb64fa27425 in WebCore::InlineBox::baselinePosition(WebCore::FontBaseline) const third_party/WebKit/Source/WebCore/rendering/InlineBox.cpp:164
#6 0x7fb6506f3478 in WebCore::RootInlineBox::ascentAndDescentForBox(WebCore::InlineBox*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, int&, int&, bool&, bool&) const third_party/WebKit/Source/WebCore/rendering/RootInlineBox.cpp:744
#7 0x7fb64fa3f744 in WebCore::InlineFlowBox::computeLogicalBoxHeights(WebCore::RootInlineBox*, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, bool&, bool&, bool, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::FontBaseline, WebCore::VerticalPositionCache&) third_party/WebKit/Source/WebCore/rendering/InlineFlowBox.cpp:565
#8 0x7fb6506e75cc in WebCore::RootInlineBox::alignBoxesInBlockDirection(WebCore::FractionalLayoutUnit, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) third_party/WebKit/Source/WebCore/rendering/RootInlineBox.cpp:275
#9 0x7fb64fd117ba in WebCore::RenderBlock::computeBlockDirectionPositionsForLine(WebCore::RootInlineBox*, WebCore::BidiRun*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:966
#10 0x7fb64fd1304b in WebCore::RenderBlock::createLineBoxesFromBidiRuns(WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul>&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1198
#11 0x7fb64fd1c7f1 in WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1484
#12 0x7fb64fd1482e in WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1372
#13 0x7fb64fd3afa1 in WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1714
#14 0x7fb64fb12315 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1555
#15 0x7fb64fb0debd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383
#16 0x7fb64fb42677 in WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2485
#17 0x7fb64fb1b0cf in WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2421
#18 0x7fb64fb12396 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1557
#19 0x7fb64fb0debd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383
#20 0x7fb64fb42677 in WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2485
#21 0x7fb64fb1b0cf in WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2421
#22 0x7fb64fb12396 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1557
#23 0x7fb64fb0debd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383
#24 0x7fb65064d64e in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) third_party/WebKit/Source/WebCore/rendering/RenderView.cpp:140
#25 0x7fb65064f5e2 in WebCore::RenderView::layout() third_party/WebKit/Source/WebCore/rendering/RenderView.cpp:197
#26 0x7fb64f1d5590 in WebCore::FrameView::layout(bool) third_party/WebKit/Source/WebCore/page/FrameView.cpp:1191
#27 0x7fb64f1bf5a8 in WebCore::FrameView::layoutTimerFired(WebCore::Timer<WebCore::FrameView>*) third_party/WebKit/Source/WebCore/page/FrameView.cpp:2129
#28 0x7fb64f25b494 in WebCore::Timer<WebCore::FrameView>::fired() third_party/WebKit/Source/WebCore/platform/Timer.h:106
#29 0x7fb64b06d5e6 in WebCore::ThreadTimers::sharedTimerFiredInternal() third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:116
#30 0x7fb64b06c8a8 in WebCore::ThreadTimers::sharedTimerFired() third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:93
#31 0x7fb65cdeb0dc in webkit_glue::WebKitPlatformSupportImpl::DoTimeout() ./webkit/glue/webkitplatformsupport_impl.h:165
#32 0x7fb65cdf357f in base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>::Run(webkit_glue::WebKitPlatformSupportImpl*) ./base/bind_internal.h:134
#33 0x7fb65cdf31ca in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void (webkit_glue::WebKitPlatformSupportImpl*)>::MakeItSo(base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, webkit_glue::WebKitPlatformSupportImpl*) ./base/bind_internal.h:870
#34 0x7fb65cdf2ed7 in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void (webkit_glue::WebKitPlatformSupportImpl*), void (base::internal::UnretainedWrapper<webkit_glue::WebKitPlatformSupportImpl>)>, void (webkit_glue::WebKitPlatformSupportImpl*)>::Run(base::internal::BindStateBase*) ./base/bind_internal.h:1172
#35 0x7fb6749c151c in base::Callback<void ()>::Run() const ./base/callback.h:391
#36 0x7fb67500e03b in base::Timer::RunScheduledTask() base/timer.cc:181
#37 0x7fb67500e9f0 in base::BaseTimerTaskInternal::Run() base/timer.cc:46
#38 0x7fb67501154f in base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>::Run(base::BaseTimerTaskInternal*) ./base/bind_internal.h:134
#39 0x7fb67501119a in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void (base::BaseTimerTaskInternal*)>::MakeItSo(base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, base::BaseTimerTaskInternal*) ./base/bind_internal.h:870
#40 0x7fb675010e93 in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void (base::BaseTimerTaskInternal*), void (base::internal::OwnedWrapper<base::BaseTimerTaskInternal>)>, void (base::BaseTimerTaskInternal*)>::Run(base::internal::BindStateBase*) ./base/bind_internal.h:1172
#41 0x7fb6749c151c in base::Callback<void ()>::Run() const ./base/callback.h:391
#42 0x7fb674bdd59d in MessageLoop::RunTask(base::PendingTask const&) base/message_loop.cc:470
#43 0x7fb674bdf40a in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop.cc:482
#44 0x7fb674bdfac5 in MessageLoop::DoWork() base/message_loop.cc:661
#45 0x7fb674c3171b in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_pump_default.cc:28
#46 0x7fb674bdb7c9 in MessageLoop::RunInternal() base/message_loop.cc:427
#47 0x7fb674bdb256 in MessageLoop::RunHandler() base/message_loop.cc:400
#48 0x7fb674da6d21 in base::RunLoop::Run() base/run_loop.cc:45
#49 0x7fb674bd8eda in MessageLoop::Run() base/message_loop.cc:307
#50 0x7fb666721691 in RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:239
#51 0x7fb6630204d9 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:402
#52 0x7fb6630216ed in content::RunNamedProcessTypeMain(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:456
#53 0x7fb663026a3b in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:741
#54 0x7fb66301df3d in content::ContentMain(int, char const**, content::ContentMainDelegate*) content/app/content_main.cc:35
#55 0x7fb675f43a5d in ChromeMain chrome/app/chrome_main.cc:32
#56 0x7fb675f4372a in main chrome/app/chrome_exe_main_gtk.cc:31
#57 0x7fb635fc976c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
Stats: 6M malloced (33M for red zones) by 33079 calls
Stats: 0M realloced by 88 calls
Stats: 4M freed by 15527 calls
Stats: 0M really freed by 0 calls
Stats: 42M (10899 full pages) mmaped in 85 calls
mmaps by size class: 10:32193; 11:765; 12:256; 13:128; 14:160; 15:48; 16:16; 17:12; 18:2; 19:1;
mallocs by size class: 10:32057; 11:568; 12:183; 13:77; 14:129; 15:40; 16:12; 17:10; 18:2; 19:1;
frees by size class: 10:14772; 11:460; 12:71; 13:63; 14:114; 15:33; 16:6; 17:6; 18:1; 19:1;
rfrees by size class:
Stats: malloc large: 65 small slow: 1150
==28198== ABORTING