Bug 141371

Summary: [iOS] Some MathML tests crash in RenderMathMLOperator::advanceForGlyph() or boundsForGlyph()
Product: WebKit
Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: Text
Assignee: Myles C. Maxfield <mmaxfield>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, commit-queue, dbarton, ddkilzer, dino, esprehn+autocc, fred.wang, glenn, kondapallykalyan, mmaxfield, mrobinson, simon.fraser, thorton, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments (Description / Flags):
Patch / none
Patch / none

Description David Kilzer (:ddkilzer) 2015-02-08 11:52:44 PST
The following layout tests crash in RenderMathMLOperator::advanceForGlyph() with WebKit2 (but not WebKit1):

mathml/opentype/horizontal.html
mathml/opentype/horizontal-munderover.html
mathml/opentype/large-operators.html
mathml/opentype/munderover-layout-resize.html
mathml/opentype/munderover-layout-resize-expected.html
mathml/presentation/mo-invisible.html

This layout test crashes in RenderMathMLOperator::boundsForGlyph() with WebKit2 (but not WebKit1), and looks like a dupe:

mathml/opentype/vertical.html

Example crash stack:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010dea0bd5 WebCore::RenderMathMLOperator::advanceForGlyph(WebCore::GlyphData const&) const + 21
1   com.apple.WebCore             	0x000000010dea010d WebCore::RenderMathMLOperator::updateStyle() + 445
2   com.apple.WebCore             	0x000000010dea255e WebCore::RenderMathMLOperator::rebuildTokenContent(WTF::String const&) + 350
3   com.apple.WebCore             	0x000000010de9ef2b WebCore::RenderMathMLOperator::updateTokenContent() + 43
4   com.apple.WebCore             	0x000000010de9f046 WebCore::RenderMathMLOperator::RenderMathMLOperator(WebCore::MathMLElement&, WTF::Ref<WebCore::RenderStyle>&&) + 182
5   com.apple.WebCore             	0x000000010dca0ddd WebCore::MathMLTextElement::createElementRenderer(WTF::Ref<WebCore::RenderStyle>&&) + 157
6   com.apple.WebCore             	0x000000010e0e301a WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1514
7   com.apple.WebCore             	0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
8   com.apple.WebCore             	0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
9   com.apple.WebCore             	0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
10  com.apple.WebCore             	0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
11  com.apple.WebCore             	0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
12  com.apple.WebCore             	0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
13  com.apple.WebCore             	0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
14  com.apple.WebCore             	0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
15  com.apple.WebCore             	0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
16  com.apple.WebCore             	0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
17  com.apple.WebCore             	0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
18  com.apple.WebCore             	0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
19  com.apple.WebCore             	0x000000010e0e0bca WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 682
20  com.apple.WebCore             	0x000000010e0e089e WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 334
21  com.apple.WebCore             	0x000000010d436c3d WebCore::Document::recalcStyle(WebCore::Style::Change) + 269
22  com.apple.WebCore             	0x000000010d443821 WebCore::Document::finishedParsing() + 369
23  com.apple.WebCore             	0x000000010d696609 WebCore::HTMLDocumentParser::prepareToStopParsing() + 169
24  com.apple.WebCore             	0x000000010d46d90f WebCore::DocumentWriter::end() + 63
25  com.apple.WebCore             	0x000000010d453ec0 WebCore::DocumentLoader::finishedLoading(double) + 464
26  com.apple.WebCore             	0x000000010d27f671 WebCore::CachedResource::checkNotify() + 353
27  com.apple.WebCore             	0x000000010d27afc5 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 229
28  com.apple.WebCore             	0x000000010e0efd8d WebCore::SubresourceLoader::didFinishLoading(double) + 1069
29  com.apple.WebKit              	0x000000010a1e8df5 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 645 (WebResourceLoaderMessageReceiver.cpp:93)
30  com.apple.WebKit              	0x000000010a016774 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 102 (memory:2608)
31  com.apple.WebKit              	0x000000010a019120 IPC::Connection::dispatchOneMessage() + 114 (memory:2628)
32  JavaScriptCore                	0x000000010cb1f566 WTF::RunLoop::performWork() + 454 (RunLoop.cpp:106)
33  JavaScriptCore                	0x000000010cb1fe1a WTF::RunLoop::performWork(void*) + 26 (RunLoopCF.cpp:38)
34  com.apple.CoreFoundation      	0x0000000105d875a1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
35  com.apple.CoreFoundation      	0x0000000105d7d12d __CFRunLoopDoSources0 + 269
36  com.apple.CoreFoundation      	0x0000000105d7c6fb __CFRunLoopRun + 827
37  com.apple.CoreFoundation      	0x0000000105d7c13c CFRunLoopRunSpecific + 476
38  com.apple.Foundation          	0x00000001050d2772 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 275
39  com.apple.Foundation          	0x000000010515dd12 -[NSRunLoop(NSRunLoop) run] + 76
40  libxpc.dylib                  	0x0000000106c139c6 _xpc_objc_main + 380
41  libxpc.dylib                  	0x0000000106c15d6f xpc_main + 189
42  com.apple.WebKit.WebContent.Development	0x0000000105003280 main + 16 (XPCServiceMain.Development.mm:94)
43  libdyld.dylib                 	0x0000000106979a05 start + 1
Comment 1 David Kilzer (:ddkilzer) 2015-02-08 11:53:08 PST
<rdar://problem/19760282>
Comment 2 David Kilzer (:ddkilzer) 2015-02-08 12:23:19 PST
Marked tests as crashing in r179803: <http://trac.webkit.org/changeset/179803>
Comment 3 Myles C. Maxfield 2015-02-25 16:47:57 PST
Created attachment 247364 [details]
Patch
Comment 4 David Kilzer (:ddkilzer) 2015-02-25 17:00:18 PST
Comment on attachment 247364 [details]
Patch

Why doesn't this reproduce on Mac OS X?  Is it because the set of fonts is different?  Are we missing fonts for iOS?

Why are we passing in GlyphData objects that either have no font or no glyph on iOS?
Comment 5 Myles C. Maxfield 2015-02-26 06:53:40 PST
(In reply to comment #4)
> Comment on attachment 247364 [details]
> Patch
> 
> Why doesn't this reproduce on Mac OS X?  Is it because the set of fonts is
> different?  Are we missing fonts for iOS?
> 
> Why are we passing in GlyphData objects that either have no font or no glyph
> on iOS?

iOS doesn't have any fonts that have the glyphs that we are looking for. Afaict, it never did.

We are passing in the null items because we directly pass these functions the result of the font lookup code, which might return null. The correct way to deal with this is to check if the looked up font is null before progressing (which is what this patch does).
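A simplified model of the failure mode described in comment 5, added here as an illustration (not WebKit's code): the glyph lookup may return a result with no font, and the advance computation must check for that before dereferencing. Font, GlyphData, lookupGlyph, advanceForGlyph and exampleAdvance are hypothetical stand-ins for the WebCore types and functions.

```cpp
// Added illustration, not WebKit's code: a simplified model of the null-font
// lookup result described in comment 5. Font, GlyphData, lookupGlyph and
// advanceForGlyph are hypothetical stand-ins for the WebCore types/functions.
#include <cstdint>
#include <map>
#include <vector>

using Glyph = uint16_t;  // 0 is the missing-glyph id

struct Font {
    std::map<char32_t, Glyph> cmap;   // code point -> glyph id
    std::map<Glyph, float> advances;  // glyph id -> horizontal advance
};

struct GlyphData {
    Glyph glyph = 0;
    const Font* font = nullptr;  // stays null when no font maps the character
};

// First font in the list that maps the character wins. If none does (the iOS
// situation for the MathML operator glyphs), the result has font == nullptr.
GlyphData lookupGlyph(const std::vector<const Font*>& fonts, char32_t c) {
    for (const Font* f : fonts) {
        auto it = f->cmap.find(c);
        if (it != f->cmap.end())
            return GlyphData{it->second, f};
    }
    return GlyphData{};
}

// Unguarded form: dereferences data.font unconditionally, which is the shape
// of the crash in the report once the lookup above returns a null font.
float advanceForGlyphUnchecked(const GlyphData& data) {
    return data.font->advances.at(data.glyph);
}

// Guarded form, following the fix described in comment 5: a null font (or a
// missing glyph) yields zero advance instead of a null dereference.
float advanceForGlyph(const GlyphData& data) {
    if (!data.font || !data.glyph)
        return 0;
    auto it = data.font->advances.find(data.glyph);
    return it == data.font->advances.end() ? 0 : it->second;
}

// Constructed sample: one font that knows '(' but not the arrow U+2192.
float exampleAdvance(char32_t c) {
    static const Font f{{{U'(', 40}}, {{40, 7.5f}}};
    return advanceForGlyph(lookupGlyph({&f}, c));
}
```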
Comment 6 David Kilzer (:ddkilzer) 2015-02-27 14:23:18 PST
Comment on attachment 247364 [details]
Patch

Thanks for the explanation!  r=me (with a Windows build fix)
Comment 7 Myles C. Maxfield 2015-02-27 14:53:31 PST
Created attachment 247556 [details]
Patch
Comment 8 WebKit Commit Bot 2015-02-27 16:03:13 PST
Comment on attachment 247364 [details]
Patch

Clearing flags on attachment: 247364

Committed r180792: <http://trac.webkit.org/changeset/180792>
Comment 9 WebKit Commit Bot 2015-02-27 16:03:19 PST
All reviewed patches have been landed.  Closing bug.