Bug 47745

Summary: Focus on MathML in page causes crash
Product: WebKit Reporter: Alex Milowski <alex>
Component: MathMLAssignee: Alex Milowski <alex>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: cfleizach, darin, donggwan.kim, fred.wang, sausset
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
Smallest Example of Crash
none
Another example with a second non-mathml child in the anchor none

Alex Milowski
Reported 2010-10-15 15:46:30 PDT
After waiting quite awhile for this page to render: https://eyeasme.com/Joe/MathML/MathML_browser_test right click on any MathML content piece to attempt to get the web inspector and an assertion fails: ASSERTION FAILED: !renderer()->needsLayout() (/Users/alex/workspace/WebKit/WebCore/dom/Node.cpp:793 virtual bool WebCore::Node::isFocusable() const) I assume this means the MathML is still rendering somehow. While the MathML should not take this long to render, I'm not certain that we should get a crash from the focus check.
Attachments
Smallest Example of Crash (205 bytes, application/xhtml+xml)
2010-10-15 16:51 PDT, Alex Milowski 		no flags
Details
Another example with a second non-mathml child in the anchor (241 bytes, application/xhtml+xml)
2010-10-18 13:02 PDT, Alex Milowski 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Alex Milowski
Comment 1 2010-10-15 16:51:52 PDT
Created attachment 70920 [details] Smallest Example of Crash
Alex Milowski
Comment 2 2010-10-15 16:52:52 PDT
This crash is caused by an anchor wrapping the MathML.
Alex Milowski
Comment 3 2010-10-16 14:28:09 PDT
After a bit of testing and debugging, the crash is coming from the anchor element (a) being marked for layout. When the focus event happens, the crash asserts that the element shouldn't need layout. I'm not sure why the anchor element needs layout but it is probably due to something from the child MathML element.
Alex Milowski
Comment 4 2010-10-17 11:48:45 PDT
Digging a bit further I find that the inline renderer for anchor has m_normalChildNeedsLayout set to true but none of the children are marked as needing layout.
Alex Milowski
Comment 5 2010-10-17 12:35:43 PDT
Bug 47781 may be related to this. In that case, the MathML overflows the table cell so the table cell may also have unfinished layouts.
François Sausset
Comment 6 2010-10-18 05:44:05 PDT
I just tried with r69946 and no crash occurs on the mentioned webpage or with the test case, even when using the Web Inspector.
Alex Milowski
Comment 7 2010-10-18 12:28:14 PDT
(In reply to comment #6) > I just tried with r69946 and no crash occurs on the mentioned webpage or with the test case, even when using the Web Inspector. The crash only happens in the debug build.
Darin Adler
Comment 8 2010-10-18 12:45:04 PDT
This “crash” is an assertion. Assertions are in debug builds only. Some assertions detect theoretical inconsistencies that are not always practical problems. One possibility is that there is a different approach to layout here, and we just have to teach the assertion about the special objects that will always think they need layout. Another possibility is that we can make some simple adjustment so these objects will be marked as not needing layout.
Alex Milowski
Comment 9 2010-10-18 12:52:15 PDT
(In reply to comment #8) > This “crash” is an assertion. Assertions are in debug builds only. Some assertions detect theoretical inconsistencies that are not always practical problems. > > One possibility is that there is a different approach to layout here, and we just have to teach the assertion about the special objects that will always think they need layout. > > Another possibility is that we can make some simple adjustment so these objects will be marked as not needing layout. OK. That makes sense. Somehow I thought assertions were always on. Nevertheless, what doesn't make sense is all the children are marked as not needing layout but the parent thinks that a child needs layout. That is, m_normalChildNeedsLayout is true. If you change the wrapping anchor to a block (i.e. a { display: block }) in the test, everything works as expected. There is something odd going on.
Alex Milowski
Comment 10 2010-10-18 13:02:47 PDT
Created attachment 71074 [details] Another example with a second non-mathml child in the anchor Clicking on 'bingo' also crashs in debug builds.
Alex Milowski
Comment 11 2010-10-18 13:04:37 PDT
As expected, if you remove the MathML math element, the assertion doesn't fail. Somehow MathML rendering must be notifying its parent that it needs to relayout its children yet the layout is never scheduled.
Alex Milowski
Comment 12 2013-02-12 08:13:14 PST
I don't think this crash exists anymore. I cannot reproduce it in the latest version. What's the process for closing this?
chris fleizach
Comment 13 2013-07-22 23:38:06 PDT
Moving to resolved based on Alex's comments
Note You need to log in before you can comment on or make changes to this bug.