| Summary: | Crashes in RenderMathMLRoot::layout() and RenderMathMLRoot::paint() | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Beth Dakin <bdakin> | ||||||||||||
| Component: | MathML | Assignee: | Nobody <webkit-unassigned> | ||||||||||||
| Status: | RESOLVED FIXED | ||||||||||||||
| Severity: | Normal | CC: | bdakin, dbates | ||||||||||||
| Priority: | P2 | Keywords: | HasReduction, InRadar | ||||||||||||
| Version: | 528+ (Nightly build) | ||||||||||||||
| Hardware: | PC | ||||||||||||||
| OS: | OS X 10.5 | ||||||||||||||
| Attachments: |
|
||||||||||||||
|
Description
Beth Dakin
2010-08-27 16:30:53 PDT
Created attachment 65783 [details]
Test Case 1
Created attachment 65784 [details]
Test Case 2
Created attachment 65785 [details]
Patch
The attached test cases need to be reduced into layout tests before this patch can be committed, but I am attaching it now anyway.
Comment on attachment 65785 [details]
Patch
Please land with test.
Comment on attachment 65785 [details]
Patch
Please land with test.
Yay! Thanks Sam :-) I will hold off on landing for now until I reduce the test. Created attachment 65881 [details] Reduced Test Case 1 I was able to reduce the first test case <https://bugs.webkit.org/attachment.cgi?id=65783> to: <math> <mroot><mi></mi></mroot> </math> Without the patch, both this and <https://bugs.webkit.org/attachment.cgi?id=65783> crash at: int indexShift = indexBox->offsetWidth() + topStartShift; because indexBox is null. Created attachment 65882 [details] Reduced Test Case 2 I was able to reduce the second test case <https://bugs.webkit.org/attachment.cgi?id=65784> to: <math> <mroot></mroot> </math> Without the patch, both this and <https://bugs.webkit.org/attachment.cgi?id=65784> crash at: int maxHeight = toRenderBoxModelObject(lastChild())->offsetHeight(); because lastChild() returns a null pointer. Thanks Dan!! (And Darin!) I will be landing shortly. Fixed with http://trac.webkit.org/changeset/66403 |