WebKit Bugzilla
RESOLVED FIXED
150253
WTFCrash loading Mozilla layout test mozilla/layout/mathml/crashtests/443089-1.xhtml
https://bugs.webkit.org/show_bug.cgi?id=150253
Jon Honeycutt
Reported 2015-10-16 13:49:25 PDT
Created attachment 263322
crashing test

WTFCrash loading Mozilla layout test mozilla/layout/mathml/crashtests/443089-1.xhtml.

Stack trace:

Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGABRT)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
--> __TEXT 0000000106eae000-0000000106f48000 [ 616K] r-x/rwx SM=COW /Users/USER/*

Application Specific Information:
CRASHING TEST: mozilla/layout/mathml/crashtests/443089-1.xhtml
================================================================
==34156==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010805a870 bp 0x7fff58d4e4c0 sp 0x7fff58d4e4b0 T0)
    #0 0x10805a86f in WTFCrash Assertions.cpp:321
    #1 0x10e4b919c in WTF::VectorBufferBase<WebCore::RenderTableSection::RowStruct>::allocateBuffer(unsigned long) Vector.h:266
    #2 0x10e4b90c3 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul, WTF::CrashOnOverflow, 16ul>::reserveCapacity(unsigned long) Vector.h:1094
    #3 0x10e4b66c4 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul, WTF::CrashOnOverflow, 16ul>::grow(unsigned long) Vector.h:1035
    #4 0x10e4aad72 in WebCore::RenderTableSection::ensureRows(unsigned int) RenderTableSection.cpp:188
    #5 0x10e4ab1c6 in WebCore::RenderTableSection::addCell(WebCore::RenderTableCell*, WebCore::RenderTableRow*) RenderTableSection.cpp:220
    #6 0x10e4a967b in WebCore::RenderTableRow::addChild(WebCore::RenderObject*, WebCore::RenderObject*) RenderTableRow.cpp:150
    #7 0x10e245f92 in WebCore::RenderElement::addChild(WebCore::RenderObject*, WebCore::RenderObject*) RenderElement.cpp:517
    #8 0x10e142e7e in WebCore::RenderBlock::addChildIgnoringContinuation(WebCore::RenderObject*, WebCore::RenderObject*) RenderBlock.cpp:492
    #9 0x10e8a51b4 in WebCore::Style::createRendererIfNeeded(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) StyleResolveTree.cpp:220
    #10 0x10e8a4076 in WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) StyleResolveTree.cpp:517
    #11 0x10e8a57e0 in WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&) StyleResolveTree.cpp:356
    #12 0x10e8a4187 in WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) StyleResolveTree.cpp:534
    #13 0x10e8a57e0 in WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::RenderTreePosition&) StyleResolveTree.cpp:356
    #14 0x10e8a4187 in WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) StyleResolveTree.cpp:534
    #15 0x10e8a30c0 in WebCore::Style::resolveLocal(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WebCore::Style::Change) StyleResolveTree.cpp:685
    #16 0x10e8a1c97 in WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WebCore::Style::Change) StyleResolveTree.cpp:911
    #17 0x10e8a1a5b in WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) StyleResolveTree.cpp:971
    #18 0x10cc6dc97 in WebCore::Document::recalcStyle(WebCore::Style::Change) Document.cpp:1841
    #19 0x10cc688d9 in WebCore::Document::styleResolverChanged(WebCore::StyleResolverUpdateFlag) Document.cpp:3624
    #20 0x10ece0b1e in WebCore::XMLDocumentParser::end() XMLDocumentParser.cpp:195
    #21 0x10cd1295c in WebCore::DocumentWriter::end() DocumentWriter.cpp:247
    #22 0x10ccdab67 in WebCore::DocumentLoader::finishedLoading(double) DocumentLoader.cpp:437
    #23 0x10c839ca7 in WebCore::CachedResource::checkNotify() CachedResource.cpp:297
    #24 0x10c834ff9 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) CachedRawResource.cpp:103
    #25 0x10e8c2588 in WebCore::SubresourceLoader::didFinishLoading(double) SubresourceLoader.cpp:372
    #26 0x7fff8c4a3850 in __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e850)
    #27 0x7fff8c4a3765 in -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e765)
    #28 0x7fff8c4a366a in -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e66a)
    #29 0x7fff8c4a8491 in ___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x33491)
    #30 0x7fff8c63c976 in ___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x1c7976)
    #31 0x7fff9a99c3c2 in _dispatch_client_callout (/usr/lib/system/libdispatch.dylib+0x23c2)
    #32 0x7fff9a9aa0bd in _dispatch_block_invoke (/usr/lib/system/libdispatch.dylib+0x100bd)
    #33 0x7fff8c4a3527 in RunloopBlockContext::_invoke_block(void const*, void*) (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e527)
    #34 0x7fff96f5ce63 in CFArrayApplyFunction (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x4ce63)
    #35 0x7fff8c4a3420 in RunloopBlockContext::perform() (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e420)
    #36 0x7fff8c4a32c1 in MultiplexerSource::perform() (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e2c1)
    #37 0x7fff8c4a30e3 in MultiplexerSource::_perform(void*) (/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork+0x2e0e3)
    #38 0x7fff96fba8b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0)
    #39 0x7fff96f9a0ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab)
    #40 0x7fff96f995ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce)
    #41 0x7fff96f98fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7)
    #42 0x106ed098d in runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) DumpRenderTree.mm:2030
    #43 0x106ecff39 in runTestingServerLoop() DumpRenderTree.mm:1180
    #44 0x106ecf267 in dumpRenderTree(int, char const**) DumpRenderTree.mm:1288
    #45 0x106ed12b1 in DumpRenderTreeMain(int, char const**) DumpRenderTree.mm:1418
    #46 0x7fff931e95ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #47 0x1 (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV Assertions.cpp:321 WTFCrash
abort() called
Attachments
crashing test (162 bytes, application/xhtml+xml), 2015-10-16 13:49 PDT, Jon Honeycutt, no flags
Patch (4.96 KB, patch), 2016-03-14 02:44 PDT, Frédéric Wang (:fredw), mrobinson: review+
Radar WebKit Bug Importer
Comment 1
2015-10-16 13:56:35 PDT
<rdar://problem/23149774>
Frédéric Wang (:fredw)
Comment 2
2016-03-14 02:44:08 PDT
Created attachment 273946
Patch
Frédéric Wang (:fredw)
Comment 3
2016-03-14 08:19:05 PDT
Committed r198129: <http://trac.webkit.org/changeset/198129>
Darin Adler
Comment 4
2016-03-14 09:57:09 PDT
Comment on attachment 273946
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=273946&action=review
> Source/WebCore/mathml/MathMLElement.cpp:210 > + static const unsigned maxRowspan = 8190; // This constant comes from HTMLTableCellElement.
Can we put this in HTMLTableCellElement.h or some other header so we don’t have two copies that keep getting out of sync?
Darin Adler
Comment 5
2016-03-14 09:57:40 PDT
Comment on attachment 273946
Patch

I think we should seek a way to share code rather than maintaining two sets of identical functions.
Frédéric Wang (:fredw)
Comment 6
2016-03-14 10:01:02 PDT
(In reply to comment #5)
> Comment on attachment 273946
> Patch
>
> I think we should seek a way to share code rather than maintaining two sets
> of identical functions.
I agree with that. I think the idea would be to create a MathMLTableCellElement class that inherits from HTMLTableCellElement. However, I didn't know if that would have had other consequences and just wanted to fix the WTFCrash for now.