Bug 174131 - ASSERTION FAILED: !needsLayout() in WebCore::RenderMathMLScripts::firstLineBaseline
Summary: ASSERTION FAILED: !needsLayout() in WebCore::RenderMathMLScripts::firstLineBa...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: MathML (show other bugs)
Version: WebKit Local Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Frédéric Wang (:fredw)
URL:
Keywords: InRadar
Depends on:
Blocks: 116980
  Show dependency treegraph
 
Reported: 2017-07-04 08:11 PDT by Renata Hodovan
Modified: 2017-11-21 01:19 PST (History)
9 users (show)

See Also:

Attachments
Test (32 bytes, application/octet-stream)
2017-07-04 08:11 PDT, Renata Hodovan 		no flags Details
Testcase (using mtr, invalid markup) (66 bytes, text/html)
2017-11-14 09:22 PST, Frédéric Wang (:fredw) 		no flags Details
Testcase (using HTML table, display math) (199 bytes, text/html)
2017-11-14 09:24 PST, Frédéric Wang (:fredw) 		no flags Details
Testcase (using HTML table and grid) (835 bytes, text/html)
2017-11-15 01:23 PST, Frédéric Wang (:fredw) 		no flags Details
Patch (4.42 KB, patch)
2017-11-15 01:50 PST, Frédéric Wang (:fredw) 		alex: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Renata Hodovan 2017-07-04 08:11:48 PDT 
Load the attached test with debug WebKitTestRunner:

Checked version: 52ec9f7
OS: macOS Sierra (10.12.5)

<math><mtr><mtd><mi></mtd><msub>

Backtrace:

ASSERTION FAILED: !needsLayout()
WebKit/Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp(476) : virtual std::optional<int> WebCore::RenderMathMLScripts::firstLineBaseline() const
1   0x12e8cbf11 WTFCrash
2   0x11592b665 WebCore::RenderMathMLScripts::firstLineBaseline() const
3   0x11536d439 WebCore::RenderBlock::firstLineBaseline() const
4   0x11543d4ff WebCore::RenderBlockFlow::firstLineBaseline() const
5   0x115c01bbe WebCore::RenderTableCell::cellBaselinePosition() const
6   0x115c029a6 WebCore::RenderTableCell::layout()
7   0x115c2241d WebCore::RenderTableRow::layout()
8   0x111371a2c WebCore::RenderElement::layoutIfNeeded()
9   0x115c2a961 WebCore::RenderTableSection::layout()
10  0x111371a2c WebCore::RenderElement::layoutIfNeeded()
11  0x115bd94c3 WebCore::RenderTable::layout()
12  0x111371a2c WebCore::RenderElement::layoutIfNeeded()
13  0x11547d0e8 WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
14  0x1153f78f4 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
15  0x1153f4201 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
16  0x1153344d4 WebCore::RenderBlock::layout()
17  0x111371a2c WebCore::RenderElement::layoutIfNeeded()
18  0x11591b53d WebCore::RenderMathMLRow::computeLineVerticalStretch(WebCore::LayoutUnit&, WebCore::LayoutUnit&)
19  0x11591f264 WebCore::RenderMathMLRow::layoutBlock(bool, WebCore::LayoutUnit)
20  0x1153344d4 WebCore::RenderBlock::layout()
21  0x111371a2c WebCore::RenderElement::layoutIfNeeded()
22  0x11547d0e8 WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
23  0x1153f78f4 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
24  0x1153f4201 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
25  0x1153344d4 WebCore::RenderBlock::layout()
26  0x115401744 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
27  0x1153f808f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
28  0x1153f4278 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
29  0x1153344d4 WebCore::RenderBlock::layout()
30  0x115401744 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
31  0x1153f808f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
ASAN:DEADLYSIGNAL
=================================================================
==20026==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00012e8cbf49 bp 0x7fff58cf8f10 sp 0x7fff58cf8f00 T0)
    #0 0x12e8cbf48 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3554f48)
    #1 0x11592b664 in WebCore::RenderMathMLScripts::firstLineBaseline() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5e49664)
    #2 0x11536d438 in WebCore::RenderBlock::firstLineBaseline() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x588b438)
    #3 0x11543d4fe in WebCore::RenderBlockFlow::firstLineBaseline() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x595b4fe)
    #4 0x115c01bbd in WebCore::RenderTableCell::cellBaselinePosition() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x611fbbd)
    #5 0x115c029a5 in WebCore::RenderTableCell::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x61209a5)
    #6 0x115c2241c in WebCore::RenderTableRow::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x614041c)
    #7 0x111371a2b in WebCore::RenderElement::layoutIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x188fa2b)
    #8 0x115c2a960 in WebCore::RenderTableSection::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6148960)
    #9 0x111371a2b in WebCore::RenderElement::layoutIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x188fa2b)
    #10 0x115bd94c2 in WebCore::RenderTable::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60f74c2)
    #11 0x111371a2b in WebCore::RenderElement::layoutIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x188fa2b)
    #12 0x11547d0e7 in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x599b0e7)
    #13 0x1153f78f3 in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x59158f3)
    #14 0x1153f4200 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5912200)
    #15 0x1153344d3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x58524d3)
    #16 0x111371a2b in WebCore::RenderElement::layoutIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x188fa2b)
    #17 0x11591b53c in WebCore::RenderMathMLRow::computeLineVerticalStretch(WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5e3953c)
    #18 0x11591f263 in WebCore::RenderMathMLRow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5e3d263)
    #19 0x1153344d3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x58524d3)
    #20 0x111371a2b in WebCore::RenderElement::layoutIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x188fa2b)
    #21 0x11547d0e7 in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x599b0e7)
    #22 0x1153f78f3 in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x59158f3)
    #23 0x1153f4200 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5912200)
    #24 0x1153344d3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x58524d3)
    #25 0x115401743 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x591f743)
    #26 0x1153f808e in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x591608e)
    #27 0x1153f4277 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5912277)
    #28 0x1153344d3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x58524d3)
    #29 0x115401743 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x591f743)
    #30 0x1153f808e in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x591608e)
    #31 0x1153f4277 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5912277)
    #32 0x1153344d3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x58524d3)
    #33 0x115d3ac75 in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6258c75)
    #34 0x115d3d0d5 in WebCore::RenderView::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x625b0d5)
    #35 0x111707847 in WebCore::FrameView::layout(bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1c25847)
    #36 0x110cf56fe in WebCore::Document::implicitClose() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12136fe)
    #37 0x111681482 in WebCore::FrameLoader::checkCallImplicitClose() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b9f482)
    #38 0x111680c02 in WebCore::FrameLoader::checkCompleted() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b9ec02)
    #39 0x11167ccbb in WebCore::FrameLoader::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b9acbb)
    #40 0x110d27ecc in WebCore::Document::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1245ecc)
    #41 0x111adef95 in WebCore::HTMLConstructionSite::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ffcf95)
    #42 0x111df5f27 in WebCore::HTMLTreeBuilder::finished() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2313f27)
    #43 0x111b5983b in WebCore::HTMLDocumentParser::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x207783b)
    #44 0x111b53f06 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2071f06)
    #45 0x111b53abd in WebCore::HTMLDocumentParser::prepareToStopParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2071abd)
    #46 0x111b5995b in WebCore::HTMLDocumentParser::attemptToEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x207795b)
    #47 0x111b59a97 in WebCore::HTMLDocumentParser::finish() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2077a97)
    #48 0x110efe7af in WebCore::DocumentWriter::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x141c7af)
    #49 0x110e49696 in WebCore::DocumentLoader::finishedLoading() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1367696)
    #50 0x110e49092 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1367092)
    #51 0x1100fc2e3 in WebCore::CachedResource::checkNotify() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x61a2e3)
    #52 0x1100fc973 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x61a973)
    #53 0x1100ed401 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60b401)
    #54 0x1167957e1 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6cb37e1)
    #55 0x108e4d56b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1f3956b)
    #56 0x108e5a2b9 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1f462b9)
    #57 0x108e59ec4 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1f45ec4)
    #58 0x108e56f68 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1f42f68)
    #59 0x108e5512a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1f4112a)
    #60 0x1077cb2ac in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x8b72ac)
    #61 0x10711faaa in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20baaa)
    #62 0x107104104 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1f0104)
    #63 0x107120795 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20c795)
    #64 0x10715f39c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x24b39c)
    #65 0x10715f2c8 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x24b2c8)
    #66 0x12e956a30 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x35dfa30)
    #67 0x12e9a57d0 in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x362e7d0)
    #68 0x12e9a6801 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x362f801)
    #69 0x7fffabc81320 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa7320)
    #70 0x7fffabc6221c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8821c)
    #71 0x7fffabc61715 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87715)
    #72 0x7fffabc61113 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87113)
    #73 0x7fffab1c2ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30ebb)
    #74 0x7fffab1c2cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30cf0)
    #75 0x7fffab1c2b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b25)
    #76 0x7fffa975ba53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x46a53)
    #77 0x7fffa9ed77ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x7c27ed)
    #78 0x7fffa97503da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3b3da)
    #79 0x7fffa971ae0d in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x5e0d)
    #80 0x7fffc16348c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x108c6)
    #81 0x7fffc16332e3 in xpc_main (/usr/lib/system/libxpc.dylib+0xf2e3)
    #82 0x106ef9f22 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f22)
    #83 0x7fffc13db234 in start (/usr/lib/system/libdyld.dylib+0x5234)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3554f48) in WTFCrash
==20026==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 20026)
LEAK: 1 WebProcessPool
LEAK: 1 WebPageProxy
Comment 1 Renata Hodovan 2017-07-04 08:11:49 PDT 
Created attachment 314565 [details]
Test
Comment 2 Frédéric Wang (:fredw) 2017-11-14 02:12:53 PST 
OK, I hit it with the torture test https://mdn.mozillademos.org/en-US/docs/Mozilla/MathML_Project/MathML_Torture_Test$samples/MathML_Torture_Test ; I obtain the following trace:

ASSERTION FAILED: !needsLayout()
/Users/fred/WebKit/Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp(479) : virtual std::optional<int> WebCore::RenderMathMLScripts::firstLineBaseline() const
1   0x10eeed24d WTFCrash
2   0x11639fbac WebCore::RenderMathMLScripts::firstLineBaseline() const
3   0x11638b0d8 WebCore::RenderMathMLBlock::ascentForChild(WebCore::RenderBox const&)
4   0x11639b909 WebCore::RenderMathMLRow::firstLineBaseline() const
5   0x11638b0d8 WebCore::RenderMathMLBlock::ascentForChild(WebCore::RenderBox const&)
6   0x11639b909 WebCore::RenderMathMLRow::firstLineBaseline() const
7   0x115ff77a4 WebCore::RenderBlock::firstLineBaseline() const
8   0x116019045 WebCore::RenderBlockFlow::firstLineBaseline() const
9   0x11629a8e6 WebCore::RenderTableCell::cellBaselinePosition() const
10  0x11629ab1b WebCore::RenderTableCell::layout()
11  0x1162b8dcd WebCore::RenderTableRow::layout()
12  0x115f8cdfc WebCore::RenderElement::layoutIfNeeded()
13  0x1162bd020 WebCore::RenderTableSection::layout()
14  0x115f8cdfc WebCore::RenderElement::layoutIfNeeded()
15  0x1162913ba WebCore::RenderTable::layout()

This ASSERT was added in bug 153918 and was not present in RenderMathMLScripts::firstLineBaseline before. I wonder whether it is actually valid, none of the other firstLineBaseline functions have it.
Comment 3 Frédéric Wang (:fredw) 2017-11-14 09:22:07 PST 
Created attachment 326883 [details]
Testcase (using mtr, invalid markup)

This is like attachment 314565 [details], but with the mtd removed and the open/close markup explicit. This is invalid MathML.
Comment 4 Frédéric Wang (:fredw) 2017-11-14 09:24:01 PST 
Created attachment 326884 [details]
Testcase (using HTML table, display math)

This is a testcase extracted from the MathML torture test. It is different from the initial testcase since it uses a HTML table and display math. Also, it is valid MathML markup.
Comment 5 Frédéric Wang (:fredw) 2017-11-15 01:23:42 PST 
Created attachment 326973 [details]
Testcase (using HTML table and grid)

This testcase follows similar path as attachment 326884 [details] but arrives on RenderGrid::firstLineBaseline() with needsLayout() == true. So I think this situation is not specific to MathML... RenderMathMLScripts seems to be the only firstLineBaseline implementation requiring needsLayout and I suspect I was a bit too strict when I added that in bug 153918.
Comment 6 Frédéric Wang (:fredw) 2017-11-15 01:50:57 PST 
Created attachment 326974 [details]
Patch
Comment 7 Frédéric Wang (:fredw) 2017-11-16 01:44:30 PST 
I moved the more general issue to bug 179754.
Comment 8 Alejandro G. Castro 2017-11-21 00:33:02 PST 
Comment on attachment 326974 [details]
Patch

LGTM, we probably made the mistake of adding the assert trying to be too protective.
Comment 9 Frédéric Wang (:fredw) 2017-11-21 00:38:07 PST 
Committed r225069: <https://trac.webkit.org/changeset/225069>
Comment 10 Radar WebKit Bug Importer 2017-11-21 00:39:20 PST 
<rdar://problem/35654156>
Comment 11 Frédéric Wang (:fredw) 2017-11-21 01:19:24 PST 
Committed r225070: <https://trac.webkit.org/changeset/225070>