Bug 100465

Summary: Crash in flexbox when removing absolutely positioned children
Product: WebKit Reporter: Abhishek Arya <inferno>
Component: MathMLAssignee: Tony Chang <tony>
Status: RESOLVED FIXED    
Severity: Normal CC: dbarton, eric, fred.wang, ojan, tony, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 62048    
Attachments:
Description Flags
Testcase - 3
none
reduced testcase
none
more minimal test case
none
Ojan's test case without MathML
none
Patch none

Abhishek Arya
Reported 2012-10-25 22:45:13 PDT
Created attachment 170818 [details] Testcase - 3 ==28198== ERROR: AddressSanitizer crashed on unknown address 0x000000000034 (pc 0x7fb6494d914b sp 0x7fff6f9185e0 bp 0x7fff6f9186b0 T0) AddressSanitizer can not provide additional info. #0 0x7fb6494d914a in WebCore::RenderObject::RenderObjectBitfields::positioned() const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:1053 #1 0x7fb6494d8ff0 in WebCore::RenderObject::isOutOfFlowPositioned() const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:529 #2 0x7fb64ffae5a7 in WebCore::RenderFlexibleBox::firstLineBoxBaseline() const third_party/WebKit/Source/WebCore/rendering/RenderFlexibleBox.cpp:258 #3 0x7fb64ffaeb89 in WebCore::RenderFlexibleBox::firstLineBoxBaseline() const third_party/WebKit/Source/WebCore/rendering/RenderFlexibleBox.cpp:276 #4 0x7fb65072f061 in WebCore::RenderMathMLBlock::baselinePosition(WebCore::FontBaseline, bool, WebCore::LineDirectionMode, WebCore::LinePositionMode) const third_party/WebKit/Source/WebCore/rendering/mathml/RenderMathMLBlock.cpp:208 #5 0x7fb64fa27425 in WebCore::InlineBox::baselinePosition(WebCore::FontBaseline) const third_party/WebKit/Source/WebCore/rendering/InlineBox.cpp:164 #6 0x7fb6506f3478 in WebCore::RootInlineBox::ascentAndDescentForBox(WebCore::InlineBox*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, int&, int&, bool&, bool&) const third_party/WebKit/Source/WebCore/rendering/RootInlineBox.cpp:744 #7 0x7fb64fa3f744 in WebCore::InlineFlowBox::computeLogicalBoxHeights(WebCore::RootInlineBox*, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, bool&, bool&, bool, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::FontBaseline, WebCore::VerticalPositionCache&) third_party/WebKit/Source/WebCore/rendering/InlineFlowBox.cpp:565 #8 0x7fb6506e75cc in WebCore::RootInlineBox::alignBoxesInBlockDirection(WebCore::FractionalLayoutUnit, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) third_party/WebKit/Source/WebCore/rendering/RootInlineBox.cpp:275 #9 0x7fb64fd117ba in WebCore::RenderBlock::computeBlockDirectionPositionsForLine(WebCore::RootInlineBox*, WebCore::BidiRun*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:966 #10 0x7fb64fd1304b in WebCore::RenderBlock::createLineBoxesFromBidiRuns(WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul>&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1198 #11 0x7fb64fd1c7f1 in WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1484 #12 0x7fb64fd1482e in WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1372 #13 0x7fb64fd3afa1 in WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1714 #14 0x7fb64fb12315 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1555 #15 0x7fb64fb0debd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383 #16 0x7fb64fb42677 in WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2485 #17 0x7fb64fb1b0cf in WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2421 #18 0x7fb64fb12396 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1557 #19 0x7fb64fb0debd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383 #20 0x7fb64fb42677 in WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2485 #21 0x7fb64fb1b0cf in WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2421 #22 0x7fb64fb12396 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1557 #23 0x7fb64fb0debd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383 #24 0x7fb65064d64e in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) third_party/WebKit/Source/WebCore/rendering/RenderView.cpp:140 #25 0x7fb65064f5e2 in WebCore::RenderView::layout() third_party/WebKit/Source/WebCore/rendering/RenderView.cpp:197 #26 0x7fb64f1d5590 in WebCore::FrameView::layout(bool) third_party/WebKit/Source/WebCore/page/FrameView.cpp:1191 #27 0x7fb64f1bf5a8 in WebCore::FrameView::layoutTimerFired(WebCore::Timer<WebCore::FrameView>*) third_party/WebKit/Source/WebCore/page/FrameView.cpp:2129 #28 0x7fb64f25b494 in WebCore::Timer<WebCore::FrameView>::fired() third_party/WebKit/Source/WebCore/platform/Timer.h:106 #29 0x7fb64b06d5e6 in WebCore::ThreadTimers::sharedTimerFiredInternal() third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:116 #30 0x7fb64b06c8a8 in WebCore::ThreadTimers::sharedTimerFired() third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:93 #31 0x7fb65cdeb0dc in webkit_glue::WebKitPlatformSupportImpl::DoTimeout() ./webkit/glue/webkitplatformsupport_impl.h:165 #32 0x7fb65cdf357f in base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>::Run(webkit_glue::WebKitPlatformSupportImpl*) ./base/bind_internal.h:134 #33 0x7fb65cdf31ca in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void (webkit_glue::WebKitPlatformSupportImpl*)>::MakeItSo(base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, webkit_glue::WebKitPlatformSupportImpl*) ./base/bind_internal.h:870 #34 0x7fb65cdf2ed7 in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void (webkit_glue::WebKitPlatformSupportImpl*), void (base::internal::UnretainedWrapper<webkit_glue::WebKitPlatformSupportImpl>)>, void (webkit_glue::WebKitPlatformSupportImpl*)>::Run(base::internal::BindStateBase*) ./base/bind_internal.h:1172 #35 0x7fb6749c151c in base::Callback<void ()>::Run() const ./base/callback.h:391 #36 0x7fb67500e03b in base::Timer::RunScheduledTask() base/timer.cc:181 #37 0x7fb67500e9f0 in base::BaseTimerTaskInternal::Run() base/timer.cc:46 #38 0x7fb67501154f in base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>::Run(base::BaseTimerTaskInternal*) ./base/bind_internal.h:134 #39 0x7fb67501119a in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void (base::BaseTimerTaskInternal*)>::MakeItSo(base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, base::BaseTimerTaskInternal*) ./base/bind_internal.h:870 #40 0x7fb675010e93 in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void (base::BaseTimerTaskInternal*), void (base::internal::OwnedWrapper<base::BaseTimerTaskInternal>)>, void (base::BaseTimerTaskInternal*)>::Run(base::internal::BindStateBase*) ./base/bind_internal.h:1172 #41 0x7fb6749c151c in base::Callback<void ()>::Run() const ./base/callback.h:391 #42 0x7fb674bdd59d in MessageLoop::RunTask(base::PendingTask const&) base/message_loop.cc:470 #43 0x7fb674bdf40a in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop.cc:482 #44 0x7fb674bdfac5 in MessageLoop::DoWork() base/message_loop.cc:661 #45 0x7fb674c3171b in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_pump_default.cc:28 #46 0x7fb674bdb7c9 in MessageLoop::RunInternal() base/message_loop.cc:427 #47 0x7fb674bdb256 in MessageLoop::RunHandler() base/message_loop.cc:400 #48 0x7fb674da6d21 in base::RunLoop::Run() base/run_loop.cc:45 #49 0x7fb674bd8eda in MessageLoop::Run() base/message_loop.cc:307 #50 0x7fb666721691 in RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:239 #51 0x7fb6630204d9 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:402 #52 0x7fb6630216ed in content::RunNamedProcessTypeMain(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:456 #53 0x7fb663026a3b in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:741 #54 0x7fb66301df3d in content::ContentMain(int, char const**, content::ContentMainDelegate*) content/app/content_main.cc:35 #55 0x7fb675f43a5d in ChromeMain chrome/app/chrome_main.cc:32 #56 0x7fb675f4372a in main chrome/app/chrome_exe_main_gtk.cc:31 #57 0x7fb635fc976c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226 Stats: 6M malloced (33M for red zones) by 33079 calls Stats: 0M realloced by 88 calls Stats: 4M freed by 15527 calls Stats: 0M really freed by 0 calls Stats: 42M (10899 full pages) mmaped in 85 calls mmaps by size class: 10:32193; 11:765; 12:256; 13:128; 14:160; 15:48; 16:16; 17:12; 18:2; 19:1; mallocs by size class: 10:32057; 11:568; 12:183; 13:77; 14:129; 15:40; 16:12; 17:10; 18:2; 19:1; frees by size class: 10:14772; 11:460; 12:71; 13:63; 14:114; 15:33; 16:6; 17:6; 18:1; 19:1; rfrees by size class: Stats: malloc large: 65 small slow: 1150 ==28198== ABORTING
Attachments
Testcase - 3 (2.50 KB, image/svg+xml)
2012-10-25 22:45 PDT, Abhishek Arya 		no flags
Details
reduced testcase (485 bytes, text/html)
2012-10-26 10:42 PDT, Ojan Vafai 		no flags
Details
more minimal test case (457 bytes, text/html)
2012-10-26 11:12 PDT, Ojan Vafai 		no flags
Details
Ojan's test case without MathML (359 bytes, text/html)
2012-10-26 22:26 PDT, Dave Barton 		no flags
Details
Patch (7.06 KB, patch)
2012-11-14 13:53 PST, Tony Chang 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Eric Seidel (no email)
Comment 1 2012-10-25 22:57:22 PDT
More likely to be a flexbox bug than a MathML one. It also looks like this code may have changed since this bug was found. http://trac.webkit.org/browser/trunk/Source/WebCore/rendering/RenderFlexibleBox.cpp
Eric Seidel (no email)
Comment 2 2012-10-25 23:15:08 PDT
This managed to crash my release build from earlier today. I've not yet tried it in debug. So even though the stack doesn't seem to match the current code, this still seems to be a crasher.
Eric Seidel (no email)
Comment 3 2012-10-25 23:17:31 PDT
Here is a crash stack from my build: Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000030 Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010fa9dffd WebCore::RenderFlexibleBox::firstLineBoxBaseline() const + 429 (RenderObject.h:1065) 1 com.apple.WebCore 0x000000010fa9e159 WebCore::RenderFlexibleBox::firstLineBoxBaseline() const + 777 (RenderFlexibleBox.cpp:280) 2 com.apple.WebCore 0x000000010fae3b41 WebCore::RenderMathMLBlock::baselinePosition(WebCore::FontBaseline, bool, WebCore::LineDirectionMode, WebCore::LinePositionMode) const + 49 (RenderMathMLBlock.cpp:208) 3 com.apple.WebCore 0x000000010fbabc79 WebCore::RootInlineBox::ascentAndDescentForBox(WebCore::InlineBox*, WTF::HashMap<WebCore::InlineTextBox const*, std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, int&, int&, bool&, bool&) const + 169 (RootInlineBox.cpp:744) 4 com.apple.WebCore 0x000000010f597d38 WebCore::InlineFlowBox::computeLogicalBoxHeights(WebCore::RootInlineBox*, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, int&, int&, bool&, bool&, bool, WTF::HashMap<WebCore::InlineTextBox const*, std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::FontBaseline, WebCore::VerticalPositionCache&) + 680 (InlineBox.h:184) 5 com.apple.WebCore 0x000000010fbaa572 WebCore::RootInlineBox::alignBoxesInBlockDirection(WebCore::FractionalLayoutUnit, WTF::HashMap<WebCore::InlineTextBox const*, std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) + 242 (FractionalLayoutUnit.h:176) 6 com.apple.WebCore 0x000000010fa636bb WebCore::RenderBlock::computeBlockDirectionPositionsForLine(WebCore::RootInlineBox*, WebCore::BidiRun*, WTF::HashMap<WebCore::InlineTextBox const*, std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::__1::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) + 75 (RefPtr.h:58) 7 com.apple.WebCore 0x000000010fa6387d WebCore::RenderBlock::createLineBoxesFromBidiRuns(WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul>&) + 237 (RenderBlockLineLayout.cpp:1200) 8 com.apple.WebCore 0x000000010fa6583b WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 3979 (RenderBlockLineLayout.cpp:1485) 9 com.apple.WebCore 0x000000010fa63e3a WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1242 (RenderBlockLineLayout.cpp:1375) 10 com.apple.WebCore 0x000000010fa6a6c1 WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1281 (Vector.h:527) 11 com.apple.WebCore 0x000000010fa44e52 WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1010 (RenderBlock.cpp:1554) 12 com.apple.WebCore 0x000000010fa44450 WebCore::RenderBlock::layout() + 64 (RenderBlock.cpp:1386) 13 com.apple.WebCore 0x000000010fa4b4d8 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 856 (RenderBlock.cpp:2484) 14 com.apple.WebCore 0x000000010fa4657a WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 586 (RenderBlock.cpp:2397) 15 com.apple.WebCore 0x000000010fa44e6c WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1036 (RenderBlock.cpp:1559) 16 com.apple.WebCore 0x000000010fa44450 WebCore::RenderBlock::layout() + 64 (RenderBlock.cpp:1386) 17 com.apple.WebCore 0x000000010fa4b4d8 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 856 (RenderBlock.cpp:2484) 18 com.apple.WebCore 0x000000010fa4657a WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 586 (RenderBlock.cpp:2397) 19 com.apple.WebCore 0x000000010fa44e6c WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1036 (RenderBlock.cpp:1559) 20 com.apple.WebCore 0x000000010fa44450 WebCore::RenderBlock::layout() + 64 (RenderBlock.cpp:1386) 21 com.apple.WebCore 0x000000010fb86245 WebCore::RenderView::layout() + 917 (OwnPtr.h:78) 22 com.apple.WebCore 0x000000010f479b95 WebCore::FrameView::layout(bool) + 1733 (FrameView.cpp:1197) 23 com.apple.WebCore 0x000000010f47f7cd WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() + 141 (HashTable.h:391) 24 com.apple.WebKit2 0x000000010e79d624 WebKit::WebPage::layoutIfNeeded() + 34 (RefPtr.h:70)
Ojan Vafai
Comment 4 2012-10-26 10:42:23 PDT
Created attachment 170954 [details] reduced testcase
Ojan Vafai
Comment 5 2012-10-26 11:12:01 PDT
Created attachment 170964 [details] more minimal test case It looks like when the input gets removed from the msubsup element, we're left with an anonymous flexbox inside the msubsup element. We try to get the baseline of the msubsup, and then try to get the baseline of the anonymous flexbox and crash because it has no firstChild, but did the last time we laid it out.
Ojan Vafai
Comment 6 2012-10-26 11:17:39 PDT
Looks like this is in fact a MathML issue. RenderMathMLSubSup::addChild creates wrappers, but doesn't remove them when the children are removed. I'll leave this in dbarton's hands.
Eric Seidel (no email)
Comment 7 2012-10-26 11:48:05 PDT
This may be fixed by bug 98791.
Dave Barton
Comment 8 2012-10-26 22:26:35 PDT
Created attachment 171073 [details] Ojan's test case without MathML I like both Eric's and Ojan's analysis and reduced test cases (thanks!). However, I counter-argue and claim it's still a flexbox bug. :) Here's an attachment that seems to cause the same crash, just using <div> elements and -webkit-inline-flex like MathML (msubsup) uses them. My flexbox code may be a few days old, but here's my stack trace: crash log for DumpRenderTree (pid 99385): STDOUT: <empty> STDERR: [99385:-1603631808:383108477912945:ERROR:process_util_posix.cc(144)] Received signal 10 STDERR: 0 DumpRenderTree 0x5db65f2f base::debug::StackTrace::StackTrace() + 63 STDERR: 1 DumpRenderTree 0x5db65ecb base::debug::StackTrace::StackTrace() + 43 STDERR: 2 DumpRenderTree 0x5dc23487 base::(anonymous namespace)::StackDumpSignalHandler(int, __siginfo*, __darwin_ucontext*) + 295 STDERR: 3 libSystem.B.dylib 0x9588405b _sigtramp + 43 STDERR: 4 ??? 0xffffffff 0x0 + 4294967295 STDERR: 5 DumpRenderTree 0x6078dc12 WebCore::RenderObject::isOutOfFlowPositioned() const + 50 STDERR: 6 DumpRenderTree 0x608006e3 WebCore::RenderFlexibleBox::firstLineBoxBaseline() const + 275 STDERR: 7 DumpRenderTree 0x608008c5 WebCore::RenderFlexibleBox::firstLineBoxBaseline() const + 757 STDERR: 8 DumpRenderTree 0x6080039f WebCore::RenderFlexibleBox::baselinePosition(WebCore::FontBaseline, bool, WebCore::LineDirectionMode, WebCore::LinePositionMode) const + 79 STDERR: 9 DumpRenderTree 0x606a6f6d WebCore::InlineBox::baselinePosition(WebCore::FontBaseline) const + 173 STDERR: 10 DumpRenderTree 0x609d2de3 WebCore::RootInlineBox::ascentAndDescentForBox(WebCore::InlineBox*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, int&, int&, bool&, bool&) const + 307 STDERR: 11 DumpRenderTree 0x606abe54 WebCore::InlineFlowBox::computeLogicalBoxHeights(WebCore::RootInlineBox*, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, int&, int&, bool&, bool&, bool, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::FontBaseline, WebCore::VerticalPositionCache&) + 820 STDERR: 12 DumpRenderTree 0x609cf5b5 WebCore::RootInlineBox::alignBoxesInBlockDirection(WebCore::FractionalLayoutUnit, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) + 517 STDERR: 13 DumpRenderTree 0x60745607 WebCore::RenderBlock::computeBlockDirectionPositionsForLine(WebCore::RootInlineBox*, WebCore::BidiRun*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) + 135 STDERR: 14 DumpRenderTree 0x60745ad1 WebCore::RenderBlock::createLineBoxesFromBidiRuns(WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul>&) + 497 STDERR: 15 DumpRenderTree 0x60747f6d WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 3357 STDERR: 16 DumpRenderTree 0x6074617e WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1406 STDERR: 17 DumpRenderTree 0x6074eaa6 WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1798 STDERR: 18 DumpRenderTree 0x606d03fd WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1501 STDERR: 19 DumpRenderTree 0x606cf0f3 WebCore::RenderBlock::layout() + 163 STDERR: 20 DumpRenderTree 0x606dcc0d WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1117 STDERR: 21 DumpRenderTree 0x606d2c6b WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 1499 STDERR: 22 DumpRenderTree 0x606d0427 WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1543 STDERR: 23 DumpRenderTree 0x606cf0f3 WebCore::RenderBlock::layout() + 163 STDERR: 24 DumpRenderTree 0x606dcc0d WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1117 STDERR: 25 DumpRenderTree 0x606d2c6b WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 1499 STDERR: 26 DumpRenderTree 0x606d0427 WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1543 STDERR: 27 DumpRenderTree 0x606cf0f3 WebCore::RenderBlock::layout() + 163 STDERR: 28 DumpRenderTree 0x609a9531 WebCore::RenderView::layoutContent(WebCore::LayoutState const&) + 161 STDERR: 29 DumpRenderTree 0x609a9dd9 WebCore::RenderView::layout() + 1353 STDERR: 30 DumpRenderTree 0x604c9632 WebCore::FrameView::layout(bool) + 3778 STDERR: 31 DumpRenderTree 0x5d90f9df WebCore::Document::implicitClose() + 1071 STDERR: 32 DumpRenderTree 0x6034e522 WebCore::FrameLoader::checkCallImplicitClose() + 178 STDERR: 33 DumpRenderTree 0x6034e09e WebCore::FrameLoader::checkCompleted() + 366 STDERR: 34 DumpRenderTree 0x6034ca23 WebCore::FrameLoader::finishedParsing() + 195 STDERR: 35 DumpRenderTree 0x5d91d51b WebCore::Document::finishedParsing() + 651 STDERR: 36 DumpRenderTree 0x5f4320c9 WebCore::HTMLTreeBuilder::finished() + 185 STDERR: 37 DumpRenderTree 0x5f3f787b WebCore::HTMLDocumentParser::end() + 283 STDERR: 38 DumpRenderTree 0x5f3f6659 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 329 STDERR: 39 DumpRenderTree 0x5f3f6398 WebCore::HTMLDocumentParser::prepareToStopParsing() + 312 STDERR: 40 DumpRenderTree 0x5f3f6ff1 WebCore::HTMLDocumentParser::endIfDelayed() + 129 STDERR: 41 DumpRenderTree 0x5f3f6f3b WebCore::HTMLDocumentParser::resumeParsingAfterYield() + 91 STDERR: 42 DumpRenderTree 0x5f40c704 WebCore::HTMLParserScheduler::continueNextChunkTimerFired(WebCore::Timer<WebCore::HTMLParserScheduler>*) + 228 STDERR: 43 DumpRenderTree 0x5f40cdb7 WebCore::Timer<WebCore::HTMLParserScheduler>::fired() + 135 STDERR: 44 DumpRenderTree 0x5f51c96b WebCore::ThreadTimers::sharedTimerFiredInternal() + 347 STDERR: 45 DumpRenderTree 0x5f51c6ef WebCore::ThreadTimers::sharedTimerFired() + 47 STDERR: 46 DumpRenderTree 0x616afd59 webkit_glue::WebKitPlatformSupportImpl::DoTimeout() + 73 STDERR: 47 DumpRenderTree 0x616b0954 base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>::Run(webkit_glue::WebKitPlatformSupportImpl*) + 132 STDERR: 48 DumpRenderTree 0x616b0853 base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void ()(webkit_glue::WebKitPlatformSupportImpl*)>::MakeItSo(base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, webkit_glue::WebKitPlatformSupportImpl*) + 67 STDERR: 49 DumpRenderTree 0x616b0793 base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void ()(webkit_glue::WebKitPlatformSupportImpl*), void ()(base::internal::UnretainedWrapper<webkit_glue::WebKitPlatformSupportImpl>)>, void ()(webkit_glue::WebKitPlatformSupportImpl*)>::Run(base::internal::BindStateBase*) + 115 STDERR: 50 DumpRenderTree 0x5dbd20fb base::Callback<void ()()>::Run() const + 75 STDERR: 51 DumpRenderTree 0x5dca7a50 base::Timer::RunScheduledTask() + 368 STDERR: 52 DumpRenderTree 0x5dca7c59 base::BaseTimerTaskInternal::Run() + 89 STDERR: 53 DumpRenderTree 0x5dca8524 base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>::Run(base::BaseTimerTaskInternal*) + 132 STDERR: 54 DumpRenderTree 0x5dca8423 base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void ()(base::BaseTimerTaskInternal*)>::MakeItSo(base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, base::BaseTimerTaskInternal*) + 67 STDERR: 55 DumpRenderTree 0x5dca835e base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void ()(base::BaseTimerTaskInternal*), void ()(base::internal::OwnedWrapper<base::BaseTimerTaskInternal>)>, void ()(base::BaseTimerTaskInternal*)>::Run(base::internal::BindStateBase*) + 110 STDERR: 56 DumpRenderTree 0x5dbd20fb base::Callback<void ()()>::Run() const + 75 STDERR: 57 DumpRenderTree 0x5dbcf657 MessageLoop::RunTask(base::PendingTask const&) + 1159 STDERR: 58 DumpRenderTree 0x5dbcfb52 MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) + 98 STDERR: 59 DumpRenderTree 0x5dbcfd52 MessageLoop::DoWork() + 322 STDERR: 60 DumpRenderTree 0x5db3bccb base::MessagePumpCFRunLoopBase::RunWork() + 107 STDERR: 61 DumpRenderTree 0x5db3b482 base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 50 STDERR: ax: a069e4c0, bx: 41e201, cx: 1c, dx: f7cdcf89 STDERR: di: 41e2bc, si: 0, bp: bfff9dd8, sp: bfff9dc0, ss: 1f, flags: 10286 STDERR: ip: 607a3767, cs: 17, ds: 1f, es: 1f, fs: 0, gs: 37
Ojan Vafai
Comment 9 2012-10-27 08:50:27 PDT
Yikes. I swear I tried that! Anyways, I stand corrected. I'll take a look at this Monday.
Tony Chang
Comment 10 2012-11-14 13:53:33 PST
Created attachment 174250 [details] Patch
WebKit Review Bot
Comment 11 2012-11-14 15:36:37 PST
Comment on attachment 174250 [details] Patch Clearing flags on attachment: 174250 Committed r134683: <http://trac.webkit.org/changeset/134683>
WebKit Review Bot
Comment 12 2012-11-14 15:36:42 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.