WebKit Bugzilla
Bug 100466: MathML fuzzing bugs - 4
Status: RESOLVED DUPLICATE of bug 87297
https://bugs.webkit.org/show_bug.cgi?id=100466
Abhishek Arya, reported 2012-10-25 22:50:03 PDT
Created attachment 170821 [details]: Testcase - 4

=================================================================
==7926== ERROR: AddressSanitizer crashed on unknown address 0x0000000000d8 (pc 0x7f0ed7faae2b sp 0x7f0eb2930220 bp 0x7f0eb29302f0 T16)
AddressSanitizer can not provide additional info.
    #0 0x7f0ed7faae2a in WebCore::FractionalLayoutUnit::rawValue() const third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h:176
    #1 0x7f0ed7faac6a in FractionalLayoutUnit third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h:101
    #2 0x7f0ed7faaabf in FractionalLayoutUnit third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h:101
    #3 0x7f0ee40c3b23 in WebCore::RenderLayer::staticInlinePosition() const third_party/WebKit/Source/WebCore/rendering/RenderLayer.h:586
    #4 0x7f0ee4080dfb in WebCore::computeInlineStaticDistance(WebCore::Length&, WebCore::Length&, WebCore::RenderBox const*, WebCore::RenderBoxModelObject const*, WebCore::FractionalLayoutUnit, WebCore::RenderRegion*) third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:2519
    #5 0x7f0ee405c26b in WebCore::RenderBox::computePositionedLogicalWidth(WebCore::RenderBox::LogicalExtentComputedValues&, WebCore::RenderRegion*, WebCore::FractionalLayoutUnit) const third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:2635
    #6 0x7f0ee405747e in WebCore::RenderBox::computeLogicalWidthInRegion(WebCore::RenderBox::LogicalExtentComputedValues&, WebCore::RenderRegion*, WebCore::FractionalLayoutUnit) const third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:1652
    #7 0x7f0ee4055e28 in WebCore::RenderBox::updateLogicalWidth() third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:1634
    #8 0x7f0ee421dd85 in WebCore::RenderFlexibleBox::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderFlexibleBox.cpp:303
    #9 0x7f0ee3d7d87d in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383
    #10 0x7f0ee49a49b7 in WebCore::RenderMathMLRoot::layout() third_party/WebKit/Source/WebCore/rendering/mathml/RenderMathMLRoot.cpp:149
    #11 0x7f0ee3c47430 in WebCore::RenderObject::layoutIfNeeded() third_party/WebKit/Source/WebCore/rendering/RenderObject.h:671
    #12 0x7f0ee498e03e in WebCore::RenderMathMLBlock::computeChildrenPreferredLogicalHeights() third_party/WebKit/Source/WebCore/rendering/mathml/RenderMathMLBlock.cpp:183
    #13 0x7f0ee49a77cb in WebCore::RenderMathMLRow::computePreferredLogicalWidths() third_party/WebKit/Source/WebCore/rendering/mathml/RenderMathMLRow.cpp:57
    #14 0x7f0ee49a8633 in WebCore::RenderMathMLRow::layout() third_party/WebKit/Source/WebCore/rendering/mathml/RenderMathMLRow.cpp:92
    #15 0x7f0ee3c47430 in WebCore::RenderObject::layoutIfNeeded() third_party/WebKit/Source/WebCore/rendering/RenderObject.h:671
    #16 0x7f0ee3faa25c in WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1700
    #17 0x7f0ee3d81cc5 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1555
    #18 0x7f0ee3d7d87d in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383
    #19 0x7f0ee4b4ca90 in WebCore::RenderSVGForeignObject::layout() third_party/WebKit/Source/WebCore/rendering/svg/RenderSVGForeignObject.cpp:156
    #20 0x7f0ee4cedb58 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderObject*, bool) third_party/WebKit/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:243
    #21 0x7f0ee4b51dff in WebCore::RenderSVGHiddenContainer::layout() third_party/WebKit/Source/WebCore/rendering/svg/RenderSVGHiddenContainer.cpp:38
    #22 0x7f0ee4ba78df in WebCore::RenderSVGResourceContainer::layout() third_party/WebKit/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp:61
    #23 0x7f0ee4cedb58 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderObject*, bool) third_party/WebKit/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:243
    #24 0x7f0ee4c5c4d1 in WebCore::RenderSVGRoot::layout() third_party/WebKit/Source/WebCore/rendering/svg/RenderSVGRoot.cpp:238
    #25 0x7f0ee3c47430 in WebCore::RenderObject::layoutIfNeeded() third_party/WebKit/Source/WebCore/rendering/RenderObject.h:671
    #26 0x7f0ee3faa25c in WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1700
    #27 0x7f0ee3d81cc5 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1555
    #28 0x7f0ee3d7d87d in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383
    #29 0x7f0ee3db1fb7 in WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2485
    #30 0x7f0ee3d8aa7f in WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2421
    #31 0x7f0ee3d81d46 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1557
    #32 0x7f0ee3d7d87d in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383
    #33 0x7f0ee3db1fb7 in WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2485
    #34 0x7f0ee3d8aa7f in WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2421
    #35 0x7f0ee3d81d46 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1557
    #36 0x7f0ee3d7d87d in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383
    #37 0x7f0ee48adc9e in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) third_party/WebKit/Source/WebCore/rendering/RenderView.cpp:140
    #38 0x7f0ee48afc32 in WebCore::RenderView::layout() third_party/WebKit/Source/WebCore/rendering/RenderView.cpp:197
    #39 0x7f0ee344c8f0 in WebCore::FrameView::layout(bool) third_party/WebKit/Source/WebCore/page/FrameView.cpp:1191
    #40 0x7f0edcffd444 in WebCore::Document::implicitClose() third_party/WebKit/Source/WebCore/dom/Document.cpp:2542
    #41 0x7f0ee2e9588a in WebCore::FrameLoader::checkCallImplicitClose() third_party/WebKit/Source/WebCore/loader/FrameLoader.cpp:811
    #42 0x7f0ee2e946f2 in WebCore::FrameLoader::checkCompleted() third_party/WebKit/Source/WebCore/loader/FrameLoader.cpp:754
    #43 0x7f0ee2e9014f in WebCore::FrameLoader::finishedParsing() third_party/WebKit/Source/WebCore/loader/FrameLoader.cpp:687
    #44 0x7f0edd02fe1a in WebCore::Document::finishedParsing() third_party/WebKit/Source/WebCore/dom/Document.cpp:4530
    #45 0x7f0edef90f8f in WebCore::HTMLTreeBuilder::finished() third_party/WebKit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2701
    #46 0x7f0edeea7e3e in WebCore::HTMLDocumentParser::end() third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:372
    #47 0x7f0edeea4e5d in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:381
    #48 0x7f0edeea46ff in WebCore::HTMLDocumentParser::prepareToStopParsing() third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:149
    #49 0x7f0edeea8039 in WebCore::HTMLDocumentParser::attemptToEnd() third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:393
    #50 0x7f0edeea817d in WebCore::HTMLDocumentParser::finish() third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:420
    #51 0x7f0ee2e203e4 in WebCore::DocumentWriter::end() third_party/WebKit/Source/WebCore/loader/DocumentWriter.cpp:244
    #52 0x7f0ee2d8abe8 in WebCore::DocumentLoader::finishedLoading() third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:299
    #53 0x7f0ee2f3be65 in WebCore::MainResourceLoader::didFinishLoading(double) third_party/WebKit/Source/WebCore/loader/MainResourceLoader.cpp:525
    #54 0x7f0ee2fcef6d in WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) third_party/WebKit/Source/WebCore/loader/ResourceLoader.cpp:442
    #55 0x7f0edfe13fd1 in WebCore::ResourceHandleInternal::didFinishLoading(WebKit::WebURLLoader*, double) third_party/WebKit/Source/WebCore/platform/network/chromium/ResourceHandle.cpp:156
    #56 0x7f0ef116b8db in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(int, bool, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&) webkit/glue/weburlloader_impl.cc:672
    #57 0x7f0ef9e77f48 in content::ResourceDispatcher::OnRequestComplete(int, int, bool, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&) content/common/resource_dispatcher.cc:464
    #58 0x7f0ef9e85053 in void DispatchToMethod<content::ResourceDispatcher, void (content::ResourceDispatcher::*)(int, int, bool, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&), int, int, bool, std::basic_string<char, std::char_traits<char>, std::allocator<char> >, base::TimeTicks>(content::ResourceDispatcher*, void (content::ResourceDispatcher::*)(int, int, bool, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&), Tuple5<int, int, bool, std::basic_string<char, std::char_traits<char>, std::allocator<char> >, base::TimeTicks> const&) ./base/tuple.h:571
    #59 0x7f0ef9e821bd in bool ResourceMsg_RequestComplete::Dispatch<content::ResourceDispatcher, content::ResourceDispatcher, void (content::ResourceDispatcher::*)(int, int, bool, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&)>(IPC::Message const*, content::ResourceDispatcher*, content::ResourceDispatcher*, void (content::ResourceDispatcher::*)(int, int, bool, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&)) ./content/common/resource_messages.h:245
    #60 0x7f0ef9e6eb74 in content::ResourceDispatcher::DispatchMessage(IPC::Message const&) content/common/resource_dispatcher.cc:557
    #61 0x7f0ef9e6bcf9 in content::ResourceDispatcher::OnMessageReceived(IPC::Message const&) content/common/resource_dispatcher.cc:271
    #62 0x7f0ef90f8ebb in ChildThread::OnMessageReceived(IPC::Message const&) content/common/child_thread.cc:242
    #63 0x7f0ef6c04e72 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ipc/ipc_channel_proxy.cc:261
    #64 0x7f0ef6c2c141 in base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>::Run(IPC::ChannelProxy::Context*, IPC::Message const&) ./base/bind_internal.h:190
    #65 0x7f0ef6c2bcd7 in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, void (IPC::ChannelProxy::Context* const&, IPC::Message const&)>::MakeItSo(base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, IPC::ChannelProxy::Context* const&, IPC::Message const&) ./base/bind_internal.h:898
    #66 0x7f0ef6c2b904 in base::internal::Invoker<2, base::internal::BindState<base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, void (IPC::ChannelProxy::Context*, IPC::Message const&), void (IPC::ChannelProxy::Context*, IPC::Message)>, void (IPC::ChannelProxy::Context*, IPC::Message const&)>::Run(base::internal::BindStateBase*) ./base/bind_internal.h:1256
    #67 0x7f0f08b0254c in base::Callback<void ()>::Run() const ./base/callback.h:391
    #68 0x7f0f08d1fcad in MessageLoop::RunTask(base::PendingTask const&) base/message_loop.cc:470
    #69 0x7f0f08d21b1a in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop.cc:482
    #70 0x7f0f08d221d5 in MessageLoop::DoWork() base/message_loop.cc:661
    #71 0x7f0f08d7397b in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_pump_default.cc:28
    #72 0x7f0f08d1ded9 in MessageLoop::RunInternal() base/message_loop.cc:427
    #73 0x7f0f08d1d966 in MessageLoop::RunHandler() base/message_loop.cc:400
    #74 0x7f0f08ee8fe1 in base::RunLoop::Run() base/run_loop.cc:45
    #75 0x7f0f08d1b5ea in MessageLoop::Run() base/message_loop.cc:307
    #76 0x7f0f0912b60c in base::Thread::Run(MessageLoop*) base/threading/thread.cc:133
    #77 0x7f0f0912bd77 in base::Thread::ThreadMain() base/threading/thread.cc:169
    #78 0x7f0f090c303e in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:65
    #79 0x7f0f178d68ca in __asan::AsanThread::ThreadStart()
Thread T16 created by T0 here:
    #0 0x7f0f178cff24 in __interceptor_pthread_create
    #1 0x7f0f090c1e0c in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, unsigned long*, base::ThreadPriority) base/threading/platform_thread_posix.cc:127
    #2 0x7f0f090c15e7 in base::PlatformThread::Create(unsigned long, base::PlatformThread::Delegate*, unsigned long*) base/threading/platform_thread_posix.cc:247
    #3 0x7f0f0912a749 in base::Thread::StartWithOptions(base::Thread::Options const&) base/threading/thread.cc:74
    #4 0x7f0ef87ec082 in content::RenderProcessHostImpl::Init() content/browser/renderer_host/render_process_host_impl.cc:496
    #5 0x7f0ef8896efc in content::RenderViewHostImpl::CreateRenderView(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, int, int, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) content/browser/renderer_host/render_view_host_impl.cc:238
    #6 0x7f0ef8eaebdc in WebContentsImpl::CreateRenderViewForRenderManager(content::RenderViewHost*, int) content/browser/web_contents/web_contents_impl.cc:3314
    #7 0x7f0ef8eaf114 in non-virtual thunk to WebContentsImpl::CreateRenderViewForRenderManager(content::RenderViewHost*, int) content/browser/web_contents/web_contents_impl.cc:3333
    #8 0x7f0ef8e213fb in RenderViewHostManager::InitRenderView(content::RenderViewHost*, int) content/browser/web_contents/render_view_host_manager.cc:675
    #9 0x7f0ef8e1d746 in RenderViewHostManager::Navigate(content::NavigationEntryImpl const&) content/browser/web_contents/render_view_host_manager.cc:129
    #10 0x7f0ef8e84a4a in WebContentsImpl::NavigateToEntry(content::NavigationEntryImpl const&, content::NavigationController::ReloadType) content/browser/web_contents/web_contents_impl.cc:1598
    #11 0x7f0ef8e843ef in WebContentsImpl::NavigateToPendingEntry(content::NavigationController::ReloadType) content/browser/web_contents/web_contents_impl.cc:1579
    #12 0x7f0ef8dc8941 in NavigationControllerImpl::NavigateToPendingEntry(content::NavigationController::ReloadType) content/browser/web_contents/navigation_controller_impl.cc:1495
    #13 0x7f0ef8dcac67 in NavigationControllerImpl::LoadEntry(content::NavigationEntryImpl*) content/browser/web_contents/navigation_controller_impl.cc:414
    #14 0x7f0ef8dd3ca6 in NavigationControllerImpl::LoadURLWithParams(content::NavigationController::LoadURLParams const&) content/browser/web_contents/navigation_controller_impl.cc:700
    #15 0x7f0f13679d08 in (anonymous namespace)::LoadURLInContents(content::WebContents*, GURL const&, chrome::NavigateParams*) chrome/browser/ui/browser_navigator.cc:238
    #16 0x7f0f136740aa in chrome::Navigate(chrome::NavigateParams*) chrome/browser/ui/browser_navigator.cc:501
    #17 0x7f0f13cd057b in StartupBrowserCreatorImpl::OpenTabsInBrowser(Browser*, bool, std::vector<StartupTab, std::allocator<StartupTab> > const&) chrome/browser/ui/startup/startup_browser_creator_impl.cc:862
    #18 0x7f0f13cca02c in StartupBrowserCreatorImpl::ProcessSpecifiedURLs(std::vector<GURL, std::allocator<GURL> > const&) chrome/browser/ui/startup/startup_browser_creator_impl.cc:757
    #19 0x7f0f13cc8e04 in StartupBrowserCreatorImpl::ProcessStartupURLs(std::vector<GURL, std::allocator<GURL> > const&) chrome/browser/ui/startup/startup_browser_creator_impl.cc:698
    #20 0x7f0f13cc3571 in StartupBrowserCreatorImpl::ProcessLaunchURLs(bool, std::vector<GURL, std::allocator<GURL> > const&) chrome/browser/ui/startup/startup_browser_creator_impl.cc:585
    #21 0x7f0f13cbd1d9 in StartupBrowserCreatorImpl::Launch(Profile*, std::vector<GURL, std::allocator<GURL> > const&, bool) chrome/browser/ui/startup/startup_browser_creator_impl.cc:388
    #22 0x7f0f13c9e149 in StartupBrowserCreator::LaunchBrowser(CommandLine const&, Profile*, FilePath const&, chrome::startup::IsProcessStartup, chrome::startup::IsFirstRun, int*) chrome/browser/ui/startup/startup_browser_creator.cc:201
    #23 0x7f0f13ca43d3 in StartupBrowserCreator::ProcessCmdLineImpl(CommandLine const&, FilePath const&, bool, Profile*, std::vector<Profile*, std::allocator<Profile*> > const&, int*, StartupBrowserCreator*) chrome/browser/ui/startup/startup_browser_creator.cc:481
    #24 0x7f0f0ccc1b4a in StartupBrowserCreator::Start(CommandLine const&, FilePath const&, Profile*, std::vector<Profile*, std::allocator<Profile*> > const&, int*) ./chrome/browser/ui/startup/startup_browser_creator.h:46
    #25 0x7f0f0ccb53b8 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl() chrome/browser/chrome_browser_main.cc:1401
    #26 0x7f0f0ccb117e in ChromeBrowserMainParts::PreMainMessageLoopRun() chrome/browser/chrome_browser_main.cc:902
    #27 0x7f0ef747666e in content::BrowserMainLoop::CreateThreads() content/browser/browser_main_loop.cc:449
    #28 0x7f0ef7490651 in (anonymous namespace)::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) content/browser/browser_main_runner.cc:109
    #29 0x7f0ef74716c9 in BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:17
    #30 0x7f0ef73229db in content::RunNamedProcessTypeMain(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:448
    #31 0x7f0ef7327ebb in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:741
    #32 0x7f0ef731f3bd in content::ContentMain(int, char const**, content::ContentMainDelegate*) content/app/content_main.cc:35
    #33 0x7f0f0a07af9d in ChromeMain chrome/app/chrome_main.cc:32
    #34 0x7f0f0a07ac6a in main chrome/app/chrome_exe_main_gtk.cc:31
    #35 0x7f0eca45176c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
Stats: 64M malloced (309M for red zones) by 338171 calls
Stats: 1M realloced by 5921 calls
Stats: 54M freed by 262144 calls
Stats: 2M really freed by 24993 calls
Stats: 376M (96271 full pages) mmaped in 94 calls
  mmaps   by size class: 10:311220; 11:6141; 12:3072; 13:1024; 14:512; 15:128; 16:256; 17:32; 18:16; 19:8;
  mallocs by size class: 10:330760; 11:3780; 12:2312; 13:566; 14:374; 15:130; 16:210; 17:23; 18:14; 19:2;
  frees   by size class: 10:256038; 11:3197; 12:1882; 13:423; 14:330; 15:72; 16:178; 17:13; 18:9; 19:2;
  rfrees  by size class: 10:24677; 11:173; 12:100; 13:24; 14:1; 15:14; 16:4;
Stats: malloc large: 39 small slow: 2984
==7926== ABORTING
Attachments
Testcase - 4 (126 bytes, text/html), 2012-10-25 22:50 PDT, Abhishek Arya, no flags
no mathml or flexbox (69 bytes, text/html), 2012-10-26 10:39 PDT, Tony Chang, no flags
Eric Seidel (no email)
Comment 1
2012-10-25 23:02:24 PDT
Trying to access a null layer? I assume that m_staticInlinePosition is at offset 0xd8 from the start of the RenderLayer object:
http://trac.webkit.org/browser/trunk/Source/WebCore/rendering/RenderLayer.h#L586
This code clearly assumes that child has a layer. :)
http://trac.webkit.org/browser/trunk/Source/WebCore/rendering/RenderBox.cpp#L2526
Maybe the RenderMathMLRoot doesn't have a layer even though it's positioned?
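A small triage helper, added here and not part of this bug or of WebKit, that mechanises the reasoning in comment 1: it parses an ASan report's header and crash-thread frames, flags a fault address below the first page as a NULL dereference of a member at that offset (0xd8 here), and returns the caller of the accessor that faulted. The input is a constructed abridgement of the report above (its header, frames #0 to #4 and the last frame); `PAGE_SIZE`, `parse_asan_report`, `classify` and `caller_of` are this example's own names.

```python
import re

# Constructed sample input: the header, frames #0-#4 and the last frame of the
# AddressSanitizer report attached to this bug, abridged for the example.
SAMPLE_REPORT = """\
==7926== ERROR: AddressSanitizer crashed on unknown address 0x0000000000d8 (pc 0x7f0ed7faae2b sp 0x7f0eb2930220 bp 0x7f0eb29302f0 T16)
AddressSanitizer can not provide additional info.
    #0 0x7f0ed7faae2a in WebCore::FractionalLayoutUnit::rawValue() const third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h:176
    #1 0x7f0ed7faac6a in FractionalLayoutUnit third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h:101
    #2 0x7f0ed7faaabf in FractionalLayoutUnit third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h:101
    #3 0x7f0ee40c3b23 in WebCore::RenderLayer::staticInlinePosition() const third_party/WebKit/Source/WebCore/rendering/RenderLayer.h:586
    #4 0x7f0ee4080dfb in WebCore::computeInlineStaticDistance(WebCore::Length&, WebCore::Length&, WebCore::RenderBox const*, WebCore::RenderBoxModelObject const*, WebCore::FractionalLayoutUnit, WebCore::RenderRegion*) third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:2519
    #79 0x7f0f178d68ca in __asan::AsanThread::ThreadStart()
Thread T16 created by T0 here:
    #0 0x7f0f178cff24 in __interceptor_pthread_create
==7926== ABORTING
"""

HEADER_RE = re.compile(
    r"ERROR: AddressSanitizer (?P<kind>[\w-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)")
# Function names contain spaces (parameter lists, trailing "const"), so the
# file:line suffix is anchored at end of line and the name absorbs the rest.
FRAME_RE = re.compile(
    r"#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?)(?: (?P<file>\S+):(?P<line>\d+))?$")
PAGE_SIZE = 0x1000  # assumption: the zero page is unmapped, so faults below it have a NULL base


def parse_asan_report(text):
    """Return the fault kind, fault address and the crashing thread's frames."""
    report = {"kind": None, "address": None, "frames": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.search(line)
        if m and report["address"] is None:
            report["kind"] = m.group("kind")
            report["address"] = int(m.group("addr"), 16)
            continue
        if line.startswith("Thread T"):  # thread-creation stack is not the crash stack
            break
        m = FRAME_RE.match(line)
        if m:
            report["frames"].append({"n": int(m.group("n")), "func": m.group("func"),
                                     "file": m.group("file"),
                                     "line": int(m.group("line")) if m.group("line") else None})
    return report


def classify(report):
    """Bug class a triager would assign from the faulting address alone."""
    addr = report["address"]
    if addr is None:
        return "unknown"
    if addr < PAGE_SIZE:
        # A member read through a NULL object pointer faults at the member's offset.
        return "null-deref (member at offset 0x%x)" % addr
    return "%s at 0x%x" % (report["kind"], addr)


def caller_of(report, func_substring):
    """The frame that called the first frame whose function name matches."""
    frames = report["frames"]
    for i, frame in enumerate(frames[:-1]):
        if func_substring in frame["func"]:
            return frames[i + 1]
    return None
```

On the sample, `caller_of(report, "RenderLayer::staticInlinePosition")` returns frame #4 at RenderBox.cpp:2519, the code that assumed the child has a layer.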
Eric Seidel (no email)
Comment 2
2012-10-25 23:19:54 PDT
What!? This is MathML inside SVG?? Specifically inside an SVGHiddenContainer (which isn't rendered?) Of course it doesn't have a layer! This may be just another flex-box issue unearthed by MathML.
Tony Chang
Comment 3
2012-10-26 10:39:32 PDT
Created attachment 170953 [details]: no mathml or flexbox
This doesn't seem to be specific to mathml or flexbox. Here's a repro with a position:fixed div.
Tony Chang
Comment 4
2012-10-26 11:33:17 PDT
*** This bug has been marked as a duplicate of bug 87297 ***
Dave Barton
Comment 5
2012-10-26 11:57:14 PDT
Thanks very much Eric & Tony! I know little about layers or svg yet.