Bug 100464 - MathML fuzzing bugs - 2
Status: RESOLVED DUPLICATE of bug 99796
https://bugs.webkit.org/show_bug.cgi?id=100464
Abhishek Arya
Reported 2012-10-25 22:43:40 PDT
Created attachment 170817: Testcase - 2

==21356== ERROR: AddressSanitizer crashed on unknown address 0x000000000001 (pc 0x7f81358e4aac sp 0x7fff34118c00 bp 0x7fff34118cd0 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f81358e4aab in WebCore::LayoutState::isPaginated() const third_party/WebKit/Source/WebCore/rendering/LayoutState.h:78
    #1 0x7f8135af39fd in WebCore::RenderView::pushLayoutState(WebCore::RenderBox*, WebCore::FractionalLayoutSize const&, WebCore::FractionalLayoutUnit, bool, WebCore::ColumnInfo*) third_party/WebKit/Source/WebCore/rendering/RenderView.h:229
    #2 0x7f8135af33b5 in WebCore::LayoutStateMaintainer::push(WebCore::RenderBox*, WebCore::FractionalLayoutSize, WebCore::FractionalLayoutUnit, bool, WebCore::ColumnInfo*) third_party/WebKit/Source/WebCore/rendering/RenderView.h:377
    #3 0x7f8135af2df6 in LayoutStateMaintainer third_party/WebKit/Source/WebCore/rendering/RenderView.h:355
    #4 0x7f81359d254a in LayoutStateMaintainer third_party/WebKit/Source/WebCore/rendering/RenderView.h:356
    #5 0x7f813628c2ec in WebCore::RenderTable::layout() third_party/WebKit/Source/WebCore/rendering/RenderTable.cpp:353
    #6 0x7f81357d7630 in WebCore::RenderObject::layoutIfNeeded() third_party/WebKit/Source/WebCore/rendering/RenderObject.h:672
    #7 0x7f813652f06e in WebCore::RenderMathMLBlock::computeChildrenPreferredLogicalHeights() third_party/WebKit/Source/WebCore/rendering/mathml/RenderMathMLBlock.cpp:183
    #8 0x7f813654881b in WebCore::RenderMathMLRow::computePreferredLogicalWidths() third_party/WebKit/Source/WebCore/rendering/mathml/RenderMathMLRow.cpp:57
    #9 0x7f8135bcb094 in WebCore::RenderBox::maxPreferredLogicalWidth() const third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:673
    #10 0x7f81360a0889 in WebCore::RenderMarquee::computePosition(WebCore::EMarqueeDirection, bool) third_party/WebKit/Source/WebCore/rendering/RenderMarquee.cpp:119
    #11 0x7f81360a34b4 in WebCore::RenderMarquee::updateMarqueePosition() third_party/WebKit/Source/WebCore/rendering/RenderMarquee.cpp:202
    #12 0x7f8135edf9b1 in WebCore::RenderLayer::updateLayerPositionsAfterScroll(unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:553
    #13 0x7f8135ef8072 in WebCore::RenderLayer::scrollTo(int, int) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:1724
    #14 0x7f8135f04fe4 in WebCore::RenderLayer::setScrollOffset(WebCore::IntPoint const&) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:2061
    #15 0x7f8130de4d34 in WebCore::ScrollableArea::scrollPositionChanged(WebCore::IntPoint const&) third_party/WebKit/Source/WebCore/platform/ScrollableArea.cpp:147
    #16 0x7f8130de612c in WebCore::ScrollableArea::setScrollOffsetFromAnimation(WebCore::IntPoint const&) third_party/WebKit/Source/WebCore/platform/ScrollableArea.cpp:192
    #17 0x7f8130d84e73 in WebCore::ScrollAnimator::notifyPositionChanged() third_party/WebKit/Source/WebCore/platform/ScrollAnimator.cpp:149
    #18 0x7f8130d81cb0 in WebCore::ScrollAnimator::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) third_party/WebKit/Source/WebCore/platform/ScrollAnimator.cpp:79
    #19 0x7f8130de417b in WebCore::ScrollableArea::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) third_party/WebKit/Source/WebCore/platform/ScrollableArea.cpp:126
    #20 0x7f8135ef6668 in WebCore::RenderLayer::scrollToOffset(WebCore::IntSize const&, WebCore::RenderLayer::ScrollOffsetClamping) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:1697
    #21 0x7f8135c3b50b in WebCore::RenderLayer::scrollToXOffset(int, WebCore::RenderLayer::ScrollOffsetClamping) third_party/WebKit/Source/WebCore/rendering/RenderLayer.h:328
    #22 0x7f8135bbcf2d in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:232
    #23 0x7f81358f4845 in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:328
    #24 0x7f81361804ec in WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>) third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:1774
    #25 0x7f813617e6a8 in WebCore::RenderObject::setAnimatableStyle(WTF::PassRefPtr<WebCore::RenderStyle>) third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:1675
    #26 0x7f812f02f094 in WebCore::Node::setRenderStyle(WTF::PassRefPtr<WebCore::RenderStyle>) third_party/WebKit/Source/WebCore/dom/Node.cpp:1427
    #27 0x7f812edfdba9 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Element.cpp:1169
    #28 0x7f812edfec0c in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Element.cpp:1223
    #29 0x7f812edfec0c in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Element.cpp:1223
    #30 0x7f812eab4f19 in WebCore::Document::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Document.cpp:1856
    #31 0x7f812eab6870 in WebCore::Document::updateStyleIfNeeded() third_party/WebKit/Source/WebCore/dom/Document.cpp:1904
    #32 0x7f812eab6f1e in WebCore::Document::updateLayout() third_party/WebKit/Source/WebCore/dom/Document.cpp:1927
    #33 0x7f8135f34c70 in WebCore::RenderLayer::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:3511
    #34 0x7f813644c964 in WebCore::RenderView::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&) third_party/WebKit/Source/WebCore/rendering/RenderView.cpp:96
    #35 0x7f813644c62c in WebCore::RenderView::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestResult&) third_party/WebKit/Source/WebCore/rendering/RenderView.cpp:91
    #36 0x7f812eacc4af in WebCore::Document::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::FractionalLayoutPoint const&, WebCore::PlatformMouseEvent const&) third_party/WebKit/Source/WebCore/dom/Document.cpp:3073
    #37 0x7f8134ec1ecf in WebCore::EventHandler::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::PlatformMouseEvent const&) third_party/WebKit/Source/WebCore/page/EventHandler.cpp:2146
    #38 0x7f8134ec4158 in WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::HitTestResult*, bool) third_party/WebKit/Source/WebCore/page/EventHandler.cpp:1785
    #39 0x7f8134ec248a in WebCore::EventHandler::mouseMoved(WebCore::PlatformMouseEvent const&) third_party/WebKit/Source/WebCore/page/EventHandler.cpp:1707
    #40 0x7f8129c5c6ff in WebKit::PageWidgetEventHandler::handleMouseMove(WebCore::Frame&, WebKit::WebMouseEvent const&) third_party/WebKit/Source/WebKit/chromium/src/PageWidgetDelegate.cpp:197
    #41 0x7f8129c5afcf in WebKit::PageWidgetDelegate::handleInputEvent(WebCore::Page*, WebKit::PageWidgetEventHandler&, WebKit::WebInputEvent const&) third_party/WebKit/Source/WebKit/chromium/src/PageWidgetDelegate.cpp:118
    #42 0x7f812a183a36 in WebKit::WebViewImpl::handleInputEvent(WebKit::WebInputEvent const&) third_party/WebKit/Source/WebKit/chromium/src/WebViewImpl.cpp:1990
    #43 0x7f814c52922e in content::RenderWidget::OnHandleInputEvent(IPC::Message const&) content/renderer/render_widget.cc:583
    #44 0x7f814c55587e in bool IPC::Message::Dispatch<content::RenderWidget, content::RenderWidget>(IPC::Message const*, content::RenderWidget*, content::RenderWidget*, void (content::RenderWidget::*)(IPC::Message const&)) ./ipc/ipc_message.h:170
    #45 0x7f814c522a4b in content::RenderWidget::OnMessageReceived(IPC::Message const&) content/renderer/render_widget.cc:244
    #46 0x7f814c3852c3 in content::RenderViewImpl::OnMessageReceived(IPC::Message const&) content/renderer/render_view_impl.cc:1064
    #47 0x7f814b9821fa in MessageRouter::RouteMessage(IPC::Message const&) content/common/message_router.cc:47
    #48 0x7f814b981dcb in MessageRouter::OnMessageReceived(IPC::Message const&) content/common/message_router.cc:39
    #49 0x7f814acf5773 in ChildThread::OnMessageReceived(IPC::Message const&) content/common/child_thread.cc:275
    #50 0x7f8146936322 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ipc/ipc_channel_proxy.cc:261
    #51 0x7f814695d5b1 in base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>::Run(IPC::ChannelProxy::Context*, IPC::Message const&) ./base/bind_internal.h:190
    #52 0x7f814695d147 in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, void (IPC::ChannelProxy::Context* const&, IPC::Message const&)>::MakeItSo(base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, IPC::ChannelProxy::Context* const&, IPC::Message const&) ./base/bind_internal.h:898
    #53 0x7f814695cd74 in base::internal::Invoker<2, base::internal::BindState<base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, void (IPC::ChannelProxy::Context*, IPC::Message const&), void (IPC::ChannelProxy::Context*, IPC::Message)>, void (IPC::ChannelProxy::Context*, IPC::Message const&)>::Run(base::internal::BindStateBase*) ./base/bind_internal.h:1256
    #54 0x7f815a8805ac in base::Callback<void ()>::Run() const ./base/callback.h:391
    #55 0x7f815aa9c76d in MessageLoop::RunTask(base::PendingTask const&) base/message_loop.cc:470
    #56 0x7f815aa9e5da in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop.cc:482
    #57 0x7f815aa9ec95 in MessageLoop::DoWork() base/message_loop.cc:661
    #58 0x7f815aaf08eb in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_pump_default.cc:28
    #59 0x7f815aa9a999 in MessageLoop::RunInternal() base/message_loop.cc:427
    #60 0x7f815aa9a426 in MessageLoop::RunHandler() base/message_loop.cc:400
    #61 0x7f815ac662b1 in base::RunLoop::Run() base/run_loop.cc:45
    #62 0x7f815aa980aa in MessageLoop::Run() base/message_loop.cc:307
    #63 0x7f814c5ed591 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:241
    #64 0x7f8148ef5669 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:402
    #65 0x7f8148ef687d in content::RunNamedProcessTypeMain(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:456
    #66 0x7f8148efbbcb in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:741
    #67 0x7f8148ef30cd in content::ContentMain(int, char const**, content::ContentMainDelegate*) content/app/content_main.cc:35
    #68 0x7f815be03abd in ChromeMain chrome/app/chrome_main.cc:32
    #69 0x7f815be0378a in main chrome/app/chrome_exe_main_gtk.cc:31
    #70 0x7f811bd6876c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
Stats: 7M malloced (34M for red zones) by 33069 calls
Stats: 0M realloced by 99 calls
Stats: 4M freed by 15578 calls
Stats: 0M really freed by 0 calls
Stats: 44M (11286 full pages) mmaped in 88 calls
  mmaps   by size class: 10:32193; 11:765; 12:256; 13:128; 14:160; 15:48; 16:16; 17:16; 18:4; 19:2;
  mallocs by size class: 10:32056; 11:558; 12:179; 13:78; 14:129; 15:37; 16:14; 17:13; 18:3; 19:2;
  frees   by size class: 10:14830; 11:453; 12:69; 13:63; 14:114; 15:29; 16:8; 17:8; 18:2; 19:2;
  rfrees  by size class:
Stats: malloc large: 69 small slow: 1149
==21356== ABORTING
Attachments
Testcase - 2 (3.15 KB, text/xml)
2012-10-25 22:43 PDT, Abhishek Arya
no flags
Eric Seidel (no email)
Comment 1 2012-10-25 23:05:01 PDT
Ah, RenderMarquee. :)

bool pushLayoutState(RenderBox* renderer, const LayoutSize& offset, LayoutUnit pageHeight = 0, bool pageHeightChanged = false, ColumnInfo* colInfo = 0)

Assumes that there is already a LayoutState when it's called. Presumably RenderTable assumes that its parent has always created a layout state for it. I guess this is an artifact of re-using the RenderTable renderer for MathML.
Eric Seidel (no email)
Comment 2 2012-10-25 23:05:41 PDT
To be clear. RenderView::m_layoutState is null when pushLayoutState is being called. That code seems to find that unexpected.
Eric Seidel (no email)
Comment 3 2012-10-25 23:12:48 PDT
This is just systemic from our use of RenderTable in an environment it's not expecting. It's easy to add LayoutState support to RenderMathMLBlock, or to add an early return to the push function. I'm not sure which is a better approach. Simon or Mitz may have an opinion (both have worked on LayoutState, iirc.)
Dave Barton
Comment 4 2012-10-26 12:20:59 PDT
I'm guessing this is a dup of bug 99796, which I'm going to upload a patch for soon.
Dave Barton
Comment 5 2012-12-13 11:17:41 PST
This definitely looks to me like a duplicate of bug 99796, and the fix for that bug does appear to fix this one. Actually, I could never get Abhishek's test case to fail in DRT, which is why I'm not adding any tests to layout-tests. However, it did fail for me in Chrome Canary before the fix for bug 99796 landed, and it doesn't fail for me in Chrome Canary any more. So I'm marking this bug as a duplicate, and maybe Abhishek can confirm this if his fuzzer doesn't fail any more. If anyone disagrees, please re-open this bug. (I don't believe you require extra tests for duplicate bug reports.)

*** This bug has been marked as a duplicate of bug 99796 ***
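The failure mode in the report and the two fixes named in comment 3 (add LayoutState support to the MathML container, or make the push an early return when there is no enclosing state) can be shown with a small model. The following is an added illustration, not WebKit code and not from any commenter: the class names and the `pushRootLayoutState` / `pushLayoutStateUnchecked` helpers are assumptions modeled on the frames in the ASan trace, and the toy `LayoutState` keeps only the field that frame #0 reads.

```cpp
#include <cassert>

// Added illustration, not WebKit code: a toy model of the LayoutState stack
// RenderView keeps during layout, reduced to the single field the crashing
// frame reads (LayoutState::isPaginated(), LayoutState.h:78 in the report).
struct LayoutState {
    LayoutState* m_next;   // enclosing state, or nullptr for the root state
    bool m_isPaginated;
    int m_pageHeight;      // assumed here: a non-zero page height means paginated
    bool isPaginated() const { return m_isPaginated; }
};

// Toy stand-in for RenderView. m_layoutState is nullptr until an ancestor
// renderer pushes a state; block layout normally guarantees that happened
// before RenderTable::layout() runs. The MathML path in the report reaches
// the table's push while m_layoutState is still null (comment 2).
class RenderView {
public:
    ~RenderView() { while (m_layoutState) popLayoutState(); }

    // Unguarded shape, modeled on the report: the new state is derived from
    // the enclosing one. With m_layoutState == nullptr the member access is
    // a null dereference, consistent with the report's crash on the unknown
    // address 0x000000000001 (a small field offset from a null object).
    void pushLayoutStateUnchecked(int pageHeight = 0) {
        bool paginated = m_layoutState->isPaginated() || pageHeight > 0;
        m_layoutState = new LayoutState{m_layoutState, paginated, pageHeight};
        ++m_depth;
    }

    // Mitigation (a) from comment 3: early return when there is no enclosing
    // state. Returns whether a state was pushed, so the caller pops only
    // what it pushed.
    bool pushLayoutState(int pageHeight = 0) {
        if (!m_layoutState)
            return false;
        bool paginated = m_layoutState->isPaginated() || pageHeight > 0;
        m_layoutState = new LayoutState{m_layoutState, paginated, pageHeight};
        ++m_depth;
        return true;
    }

    // Mitigation (b) from comment 3: the container (here, the MathML block)
    // creates a root state before laying out children, so a table's push
    // always has a state to derive from.
    void pushRootLayoutState(int pageHeight = 0) {
        m_layoutState = new LayoutState{m_layoutState, pageHeight > 0, pageHeight};
        ++m_depth;
    }

    void popLayoutState() {
        LayoutState* top = m_layoutState;
        m_layoutState = top->m_next;
        delete top;
        --m_depth;
    }

    int depth() const { return m_depth; }

private:
    LayoutState* m_layoutState = nullptr;
    int m_depth = 0;
};

// RAII guard in the spirit of LayoutStateMaintainer (frames #3/#4): pushes on
// construction and pops on destruction, but only if the push happened.
class LayoutStateMaintainer {
public:
    explicit LayoutStateMaintainer(RenderView& view, int pageHeight = 0)
        : m_view(view), m_didPush(view.pushLayoutState(pageHeight)) {}
    ~LayoutStateMaintainer() { if (m_didPush) m_view.popLayoutState(); }
    bool didPush() const { return m_didPush; }
private:
    RenderView& m_view;
    bool m_didPush;
};

// Scenario 1, the report's path with mitigation (a): a table is laid out from
// a MathML block that never created a root state. The push is skipped,
// nothing is dereferenced, and the stack depth stays 0.
int tableLayoutWithoutRootState() {
    RenderView view;
    LayoutStateMaintainer maintainer(view);
    return maintainer.didPush() ? -1 : view.depth();   // 0
}

// Scenario 2, mitigation (b): the MathML block pushes a root state first, so
// the table's push succeeds (depth 2 during its layout) and the guard leaves
// the stack balanced (depth 1 afterwards, 0 once the block pops its own).
int tableLayoutWithRootState() {
    RenderView view;
    view.pushRootLayoutState();
    int depthDuringTableLayout;
    {
        LayoutStateMaintainer maintainer(view);
        depthDuringTableLayout = view.depth();          // 2
    }
    if (view.depth() != 1)
        return -1;
    view.popLayoutState();
    return view.depth() == 0 ? depthDuringTableLayout : -1;
}
```

Either mitigation removes the null dereference; the difference is where the invariant lives. The early return in `pushLayoutState` makes the table tolerate any container, while a root state pushed by the MathML block keeps the table's assumption intact and gives its descendants the pagination information they would get under a normal block.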