RESOLVED FIXED 141371
[iOS] Some MathML tests crash in RenderMathMLOperator::advanceForGlyph() or boundsForGlyph()
https://bugs.webkit.org/show_bug.cgi?id=141371
David Kilzer (:ddkilzer)
Reported 2015-02-08 11:52:44 PST
The following layout tests crash in RenderMathMLOperator::advanceForGlyph() with WebKit2 (but not WebKit1):

    mathml/opentype/horizontal.html
    mathml/opentype/horizontal-munderover.html
    mathml/opentype/large-operators.html
    mathml/opentype/munderover-layout-resize.html
    mathml/opentype/munderover-layout-resize-expected.html
    mathml/presentation/mo-invisible.html

This layout test crashes in RenderMathMLOperator::boundsForGlyph() with WebKit2 (but not WebKit1), and looks like a dupe:

    mathml/opentype/vertical.html

Example crash stack:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore   0x000000010dea0bd5 WebCore::RenderMathMLOperator::advanceForGlyph(WebCore::GlyphData const&) const + 21
1   com.apple.WebCore   0x000000010dea010d WebCore::RenderMathMLOperator::updateStyle() + 445
2   com.apple.WebCore   0x000000010dea255e WebCore::RenderMathMLOperator::rebuildTokenContent(WTF::String const&) + 350
3   com.apple.WebCore   0x000000010de9ef2b WebCore::RenderMathMLOperator::updateTokenContent() + 43
4   com.apple.WebCore   0x000000010de9f046 WebCore::RenderMathMLOperator::RenderMathMLOperator(WebCore::MathMLElement&, WTF::Ref<WebCore::RenderStyle>&&) + 182
5   com.apple.WebCore   0x000000010dca0ddd WebCore::MathMLTextElement::createElementRenderer(WTF::Ref<WebCore::RenderStyle>&&) + 157
6   com.apple.WebCore   0x000000010e0e301a WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1514
7   com.apple.WebCore   0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
8   com.apple.WebCore   0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
9   com.apple.WebCore   0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
10  com.apple.WebCore   0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
11  com.apple.WebCore   0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
12  com.apple.WebCore   0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
13  com.apple.WebCore   0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
14  com.apple.WebCore   0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
15  com.apple.WebCore   0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
16  com.apple.WebCore   0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
17  com.apple.WebCore   0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
18  com.apple.WebCore   0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
19  com.apple.WebCore   0x000000010e0e0bca WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 682
20  com.apple.WebCore   0x000000010e0e089e WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 334
21  com.apple.WebCore   0x000000010d436c3d WebCore::Document::recalcStyle(WebCore::Style::Change) + 269
22  com.apple.WebCore   0x000000010d443821 WebCore::Document::finishedParsing() + 369
23  com.apple.WebCore   0x000000010d696609 WebCore::HTMLDocumentParser::prepareToStopParsing() + 169
24  com.apple.WebCore   0x000000010d46d90f WebCore::DocumentWriter::end() + 63
25  com.apple.WebCore   0x000000010d453ec0 WebCore::DocumentLoader::finishedLoading(double) + 464
26  com.apple.WebCore   0x000000010d27f671 WebCore::CachedResource::checkNotify() + 353
27  com.apple.WebCore   0x000000010d27afc5 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 229
28  com.apple.WebCore   0x000000010e0efd8d WebCore::SubresourceLoader::didFinishLoading(double) + 1069
29  com.apple.WebKit    0x000000010a1e8df5 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 645 (WebResourceLoaderMessageReceiver.cpp:93)
30  com.apple.WebKit    0x000000010a016774 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 102 (memory:2608)
31  com.apple.WebKit    0x000000010a019120 IPC::Connection::dispatchOneMessage() + 114 (memory:2628)
32  JavaScriptCore      0x000000010cb1f566 WTF::RunLoop::performWork() + 454 (RunLoop.cpp:106)
33  JavaScriptCore      0x000000010cb1fe1a WTF::RunLoop::performWork(void*) + 26 (RunLoopCF.cpp:38)
34  com.apple.CoreFoundation 0x0000000105d875a1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
35  com.apple.CoreFoundation 0x0000000105d7d12d __CFRunLoopDoSources0 + 269
36  com.apple.CoreFoundation 0x0000000105d7c6fb __CFRunLoopRun + 827
37  com.apple.CoreFoundation 0x0000000105d7c13c CFRunLoopRunSpecific + 476
38  com.apple.Foundation 0x00000001050d2772 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 275
39  com.apple.Foundation 0x000000010515dd12 -[NSRunLoop(NSRunLoop) run] + 76
40  libxpc.dylib        0x0000000106c139c6 _xpc_objc_main + 380
41  libxpc.dylib        0x0000000106c15d6f xpc_main + 189
42  com.apple.WebKit.WebContent.Development 0x0000000105003280 main + 16 (XPCServiceMain.Development.mm:94)
43  libdyld.dylib       0x0000000106979a05 start + 1
Attachments
Patch (54.26 KB, patch)
2015-02-25 16:47 PST, Myles C. Maxfield
no flags
Patch (54.24 KB, patch)
2015-02-27 14:53 PST, Myles C. Maxfield
no flags
David Kilzer (:ddkilzer)
Comment 1 2015-02-08 11:53:08 PST
David Kilzer (:ddkilzer)
Comment 2 2015-02-08 12:23:19 PST
Marked tests as crashing in r179803: <http://trac.webkit.org/changeset/179803>
Myles C. Maxfield
Comment 3 2015-02-25 16:47:57 PST
David Kilzer (:ddkilzer)
Comment 4 2015-02-25 17:00:18 PST
Comment on attachment 247364 [details]
Patch

Why doesn't this reproduce on Mac OS X? Is it because the set of fonts is different? Are we missing fonts for iOS?

Why are we passing in GlyphData objects that either have no font or no glyph on iOS?
Myles C. Maxfield
Comment 5 2015-02-26 06:53:40 PST
(In reply to comment #4)
> Comment on attachment 247364 [details]
> Patch
>
> Why doesn't this reproduce on Mac OS X? Is it because the set of fonts is
> different? Are we missing fonts for iOS?
>
> Why are we passing in GlyphData objects that either have no font or no glyph
> on iOS?

iOS doesn't have any fonts that have the glyphs that we are looking for. AFAICT, it never did.

We are passing in the null items because we directly pass these functions the result of the font lookup code, which might return null. The correct way to deal with this is to check if the looked up font is null before progressing (which is what this patch does).
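The failure mode and the fix described in comment 5, as an added illustration that is not WebKit's code: `GlyphData`, `Font` and the character-to-glyph table below are simplified stand-ins, and the sample font covering only U+2211 is constructed for the example.

```cpp
#include <cstdint>
#include <map>
#include <optional>

// Simplified stand-ins for the WebCore types named in the bug (not the real API).
using Glyph = uint16_t;

struct Font {
    float unitsPerEm;
    std::map<Glyph, float> advances; // glyph id -> horizontal advance in font units
};

// Like WebCore's lookup, a result may carry a null font when no installed
// font covers the requested character (the iOS situation in this bug).
struct GlyphData {
    Glyph glyph = 0;
    const Font* font = nullptr;
};

// Constructed sample: a single font whose only glyph is U+2211 (N-ARY SUMMATION).
static const Font kMathFont { 1000.f, { { 0x1A, 1500.f } } };
static const std::map<char32_t, Glyph> kCmap { { 0x2211, 0x1A } };

// Font lookup that reports "no coverage" by returning a GlyphData with font == nullptr.
GlyphData lookupGlyph(char32_t character)
{
    auto it = kCmap.find(character);
    if (it == kCmap.end())
        return GlyphData {}; // no font has this glyph
    return GlyphData { it->second, &kMathFont };
}

// Crash-prone form: dereferences data.font unconditionally, which is what the
// reported stack shows when the lookup result is passed straight through.
float advanceForGlyphUnchecked(const GlyphData& data)
{
    return data.font->advances.at(data.glyph) / data.font->unitsPerEm;
}

// Guarded form: reject a missing font or glyph before touching the font,
// letting the caller fall back instead of crashing.
std::optional<float> advanceForGlyph(const GlyphData& data)
{
    if (!data.font || !data.glyph)
        return std::nullopt;
    return data.font->advances.at(data.glyph) / data.font->unitsPerEm;
}
```

Only the guarded form is safe to call on the result of `lookupGlyph` for an uncovered character; the unchecked form is kept to show the code shape behind frame 0 of the stack.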
David Kilzer (:ddkilzer)
Comment 6 2015-02-27 14:23:18 PST
Comment on attachment 247364 [details]
Patch

Thanks for the explanation! r=me (with a Windows build fix)
Myles C. Maxfield
Comment 7 2015-02-27 14:53:31 PST
WebKit Commit Bot
Comment 8 2015-02-27 16:03:13 PST
Comment on attachment 247364 [details]
Patch

Clearing flags on attachment: 247364

Committed r180792: <http://trac.webkit.org/changeset/180792>
WebKit Commit Bot
Comment 9 2015-02-27 16:03:19 PST
All reviewed patches have been landed. Closing bug.