Bug 141371

Summary: [iOS] Some MathML tests crash in RenderMathMLOperator::advanceForGlyph() or boundsForGlyph()
Product: WebKit Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: TextAssignee: Myles C. Maxfield <mmaxfield>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, commit-queue, dbarton, ddkilzer, dino, esprehn+autocc, fred.wang, glenn, kondapallykalyan, mmaxfield, mrobinson, simon.fraser, thorton, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

David Kilzer (:ddkilzer)
Reported 2015-02-08 11:52:44 PST
The following layout tests crash in RenderMathMLOperator::advanceForGlyph() with WebKit2 (but not WebKit1): mathml/opentype/horizontal.html mathml/opentype/horizontal-munderover.html mathml/opentype/large-operators.html mathml/opentype/munderover-layout-resize.html mathml/opentype/munderover-layout-resize-expected.html mathml/presentation/mo-invisible.html This layout test crashes in RenderMathMLOperator::boundsForGlyph() with WebKit2 (but not WebKit1), and looks like a dupe: mathml/opentype/vertical.html Example crash stack: Thread 0 Crashed ↩:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010dea0bd5 WebCore::RenderMathMLOperator::advanceForGlyph(WebCore::GlyphData const&) const + 21 1 com.apple.WebCore 0x000000010dea010d WebCore::RenderMathMLOperator::updateStyle() + 445 2 com.apple.WebCore 0x000000010dea255e WebCore::RenderMathMLOperator::rebuildTokenContent(WTF::String const&) + 350 3 com.apple.WebCore 0x000000010de9ef2b WebCore::RenderMathMLOperator::updateTokenContent() + 43 4 com.apple.WebCore 0x000000010de9f046 WebCore::RenderMathMLOperator::RenderMathMLOperator(WebCore::MathMLElement&, WTF::Ref<WebCore::RenderStyle>&&) + 182 5 com.apple.WebCore 0x000000010dca0ddd WebCore::MathMLTextElement::createElementRenderer(WTF::Ref<WebCore::RenderStyle>&&) + 157 6 com.apple.WebCore 0x000000010e0e301a WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1514 7 com.apple.WebCore 0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176 8 com.apple.WebCore 0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279 9 com.apple.WebCore 0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176 10 com.apple.WebCore 0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279 11 com.apple.WebCore 0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176 12 com.apple.WebCore 0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279 13 com.apple.WebCore 0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176 14 com.apple.WebCore 0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279 15 com.apple.WebCore 0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176 16 com.apple.WebCore 0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279 17 com.apple.WebCore 0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176 18 com.apple.WebCore 0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279 19 com.apple.WebCore 0x000000010e0e0bca WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 682 20 com.apple.WebCore 0x000000010e0e089e WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 334 21 com.apple.WebCore 0x000000010d436c3d WebCore::Document::recalcStyle(WebCore::Style::Change) + 269 22 com.apple.WebCore 0x000000010d443821 WebCore::Document::finishedParsing() + 369 23 com.apple.WebCore 0x000000010d696609 WebCore::HTMLDocumentParser::prepareToStopParsing() + 169 24 com.apple.WebCore 0x000000010d46d90f WebCore::DocumentWriter::end() + 63 25 com.apple.WebCore 0x000000010d453ec0 WebCore::DocumentLoader::finishedLoading(double) + 464 26 com.apple.WebCore 0x000000010d27f671 WebCore::CachedResource::checkNotify() + 353 27 com.apple.WebCore 0x000000010d27afc5 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 229 28 com.apple.WebCore 0x000000010e0efd8d WebCore::SubresourceLoader::didFinishLoading(double) + 1069 29 com.apple.WebKit 0x000000010a1e8df5 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 645 (WebResourceLoaderMessageReceiver.cpp:93) 30 com.apple.WebKit 0x000000010a016774 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 102 (memory:2608) 31 com.apple.WebKit 0x000000010a019120 IPC::Connection::dispatchOneMessage() + 114 (memory:2628) 32 JavaScriptCore 0x000000010cb1f566 WTF::RunLoop::performWork() + 454 (RunLoop.cpp:106) 33 JavaScriptCore 0x000000010cb1fe1a WTF::RunLoop::performWork(void*) + 26 (RunLoopCF.cpp:38) 34 com.apple.CoreFoundation 0x0000000105d875a1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 35 com.apple.CoreFoundation 0x0000000105d7d12d __CFRunLoopDoSources0 + 269 36 com.apple.CoreFoundation 0x0000000105d7c6fb __CFRunLoopRun + 827 37 com.apple.CoreFoundation 0x0000000105d7c13c CFRunLoopRunSpecific + 476 38 com.apple.Foundation 0x00000001050d2772 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 275 39 com.apple.Foundation 0x000000010515dd12 -[NSRunLoop(NSRunLoop) run] + 76 40 libxpc.dylib 0x0000000106c139c6 _xpc_objc_main + 380 41 libxpc.dylib 0x0000000106c15d6f xpc_main + 189 42 com.apple.WebKit.WebContent.Development 0x0000000105003280 main + 16 (XPCServiceMain.Development.mm:94) 43 libdyld.dylib 0x0000000106979a05 start + 1
Attachments
Patch (54.26 KB, patch)
2015-02-25 16:47 PST, Myles C. Maxfield 		no flags
DetailsFormatted DiffDiff
Patch (54.24 KB, patch)
2015-02-27 14:53 PST, Myles C. Maxfield 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
David Kilzer (:ddkilzer)
Comment 1 2015-02-08 11:53:08 PST
<rdar://problem/19760282>
David Kilzer (:ddkilzer)
Comment 2 2015-02-08 12:23:19 PST
Marked tests as crashing in r179803: <http://trac.webkit.org/changeset/179803>
Myles C. Maxfield
Comment 3 2015-02-25 16:47:57 PST
Created attachment 247364 [details] Patch
David Kilzer (:ddkilzer)
Comment 4 2015-02-25 17:00:18 PST
Comment on attachment 247364 [details] Patch Why doesn't this reproduce on Mac OS X? Is it because the set of fonts is different? Are we missing fonts for iOS? Why are we passing in GlyphData objects that either have no font or no glyph on iOS?
Myles C. Maxfield
Comment 5 2015-02-26 06:53:40 PST
(In reply to comment #4) > Comment on attachment 247364 [details] > Patch > > Why doesn't this reproduce on Mac OS X? Is it because the set of fonts is > different? Are we missing fonts for iOS? > > Why are we passing in GlyphData objects that either have no font or no glyph > on iOS? iOS doesn't have any fonts that have the glyphs that we are looking for. Afaict, it never did. We are passing in the null items because we directly pass these functions the result of the font lookup code, which might return null. The correct way to deal with this is to check if the looked up font is null before progressing (which is what this patch does).
David Kilzer (:ddkilzer)
Comment 6 2015-02-27 14:23:18 PST
Comment on attachment 247364 [details] Patch Thanks for the explanation! r=me (with a Windows build fix)
Myles C. Maxfield
Comment 7 2015-02-27 14:53:31 PST
Created attachment 247556 [details] Patch
WebKit Commit Bot
Comment 8 2015-02-27 16:03:13 PST
Comment on attachment 247364 [details] Patch Clearing flags on attachment: 247364 Committed r180792: <http://trac.webkit.org/changeset/180792>
WebKit Commit Bot
Comment 9 2015-02-27 16:03:19 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.