Bug 42894

Summary: RenderLayer crashes on page with MathML
Product: WebKit Reporter: Alex Milowski <alex>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, aroben, commit-queue, eric, hyatt, kenneth, mitz, sausset, webkit.review.bot
Priority: P4    
Version: 528+ (Nightly build)   
Hardware: Mac (Intel)   
OS: OS X 10.5   
Attachments:
Description Flags
Patch to fix crash
mitz: review-
Revised patch none

Alex Milowski
Reported 2010-07-23 06:46:29 PDT
Created attachment 62423 [details] Patch to fix crash The code in RenderLayer makes some assumptions about the rendering tree that turn out to not be true. As such, it does get a render object back in certain methods and causes an exception and crash due to a zero pointer. An example page that has this issue is: http://golem.ph.utexas.edu/wiki/instiki/show/Sandbox The attached patch fixes the crash.
Attachments
Patch to fix crash (2.85 KB, patch)
2010-07-23 06:46 PDT, Alex Milowski 		mitz: review-
DetailsFormatted DiffDiff
Revised patch (23.31 KB, patch)
2010-08-03 04:17 PDT, François Sausset 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Kenneth Rohde Christiansen
Comment 1 2010-07-23 07:59:17 PDT
Comment on attachment 62423 [details] Patch to fix crash The patch seems OK, but why wasn't this needed before? I mean, maybe the code is correct assuming that we will have an actualRenderer and the bug is elsewhere. Would be nice if Hyatt could have a look.
Kenneth Rohde Christiansen
Comment 2 2010-07-23 07:59:48 PDT
Hyatt, can you have a look? Is the actualRenderer != 0 assumption wrong?
mitz
Comment 3 2010-07-23 08:01:11 PDT
Why isn't there a regression test?
Alex Milowski
Comment 4 2010-07-23 08:22:37 PDT
(In reply to comment #1) > (From update of attachment 62423 [details]) > The patch seems OK, but why wasn't this needed before? I mean, maybe the code is correct assuming that we will have an actualRenderer and the bug is elsewhere. Would be nice if Hyatt could have a look. It is unclear why this is happening except that the referenced page is much more complex than our tests. This must be coming from the combination of the styles used on the page in conjunction with the MathML rendering. The backtrace has this happening at the time that setStyle() is called the newly created RenderMathMLMath instance in the createRenderer() call on the MathMLMathElement. When the setStyle() is called, it causes a style difference to be calculated and that is when things go wrong. That code looks like: RenderObject* MathMLMathElement::createRenderer(RenderArena* arena, RenderStyle* style) { RenderMathMLMath* renderer = new (arena) RenderMathMLMath(this); renderer->setStyle(style); return renderer; }
Alex Milowski
Comment 5 2010-07-23 08:24:04 PDT
(In reply to comment #3) > Why isn't there a regression test? Good point but very hard to narrow down from that page. I'll see what I can do to create a test case.
Alex Milowski
Comment 6 2010-07-23 15:17:15 PDT
The layer is only created when someone has a CSS rule like: math { overflow: auto; } We don't have that in any of our tests but that website does. That's why we haven't seen this before. Oddly, the MathML code is the only code that calls setStyle() in createRenderer() and that is why this problem is localized to the MathML implementation.
Alex Milowski
Comment 7 2010-07-23 15:27:16 PDT
Removing the use of setStyle() in createRenderer() also fixes the crash.
François Sausset
Comment 8 2010-08-03 04:17:16 PDT
Created attachment 63320 [details] Revised patch New patch removing unnecessary calls to setStyle() plus a regression test (from Alex).
WebKit Commit Bot
Comment 9 2010-08-04 12:57:09 PDT
Comment on attachment 63320 [details] Revised patch Clearing flags on attachment: 63320 Committed r64668: <http://trac.webkit.org/changeset/64668>
WebKit Commit Bot
Comment 10 2010-08-04 12:57:14 PDT
All reviewed patches have been landed. Closing bug.
Adam Roben (:aroben)
Comment 11 2010-08-04 13:01:42 PDT
Seems like the regression test could have used dumpAsText in order to have cross-platform results. There's no need for a whole render tree dump when you just want to find out if you crashed or not.
WebKit Review Bot
Comment 12 2010-08-04 13:24:16 PDT
http://trac.webkit.org/changeset/64668 might have broken GTK Linux 64-bit Debug The following changes are on the blame list: http://trac.webkit.org/changeset/64667 http://trac.webkit.org/changeset/64668 http://trac.webkit.org/changeset/64669
Alex Milowski
Comment 13 2010-08-05 07:00:57 PDT
(In reply to comment #11) > Seems like the regression test could have used dumpAsText in order to have cross-platform results. There's no need for a whole render tree dump when you just want to find out if you crashed or not. I expect to expand the use of user styles directly on MathML 'math' element as this test case demonstrates. As such, having a pixel dump is a good thing. Otherwise, yes, I agree.
Eric Seidel (no email)
Comment 14 2010-08-05 09:16:25 PDT
(In reply to comment #13) > (In reply to comment #11) > > Seems like the regression test could have used dumpAsText in order to have cross-platform results. There's no need for a whole render tree dump when you just want to find out if you crashed or not. > > I expect to expand the use of user styles directly on MathML 'math' element as this test case demonstrates. As such, having a pixel dump is a good thing. > > Otherwise, yes, I agree. Generally each test has its own purpose. Are you suggesting you're going to modify this test later on and thus need pixel test results? I can't think of any reason for a crashing test to ever need pixel results, unless its crashing painting code. :)
Note You need to log in before you can comment on or make changes to this bug.