Bug 44801 - Crash in RenderMathMLSubSup::layout()
Summary: Crash in RenderMathMLSubSup::layout()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: MathML
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2010-08-27 16:00 PDT by Beth Dakin
Modified: 2010-08-30 13:04 PDT
CC List: 1 user

See Also:


Attachments
Test case that crashed (41.41 KB, application/xhtml+xml)
2010-08-27 16:01 PDT, Beth Dakin
no flags
Patch (1.41 KB, patch)
2010-08-27 16:02 PDT, Beth Dakin
darin: review+

Description Beth Dakin 2010-08-27 16:00:29 PDT
<rdar://problem/8325203>

Process:         Safari [63532]
Path:            /Applications/Safari.app/Contents/MacOS/Safari
Identifier:      org.webkit.nightly.WebKit
Version:         r65398 (65398)
Code Type:       X86-64 (Native)
Parent Process:  exc_handler [63530]

Date/Time:       2010-08-18 07:45:54.110 -0700
OS Version:      Mac OS X 10.6.4 (10F569)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.WebCore             	0x000000010153b32c WebCore::RenderMathMLSubSup::layout() + 1196
1   com.apple.WebCore             	0x00000001014d7b00 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 1056
2   com.apple.WebCore             	0x00000001014c921b WebCore::RenderBlock::layoutBlock(bool) + 779
3   com.apple.WebCore             	0x00000001014b7773 WebCore::RenderBlock::layout() + 35
4   com.apple.WebCore             	0x0000000101538c09 WebCore::RenderMathMLRow::layout() + 25
5   com.apple.WebCore             	0x00000001014d7b00 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 1056
6   com.apple.WebCore             	0x00000001014c921b WebCore::RenderBlock::layoutBlock(bool) + 779
7   com.apple.WebCore             	0x00000001014b7773 WebCore::RenderBlock::layout() + 35
8   com.apple.WebCore             	0x00000001014c82f1 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 369
9   com.apple.WebCore             	0x00000001014c8923 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 547
10  com.apple.WebCore             	0x00000001014c981f WebCore::RenderBlock::layoutBlock(bool) + 2319
11  com.apple.WebCore             	0x00000001014b7773 WebCore::RenderBlock::layout() + 35
12  com.apple.WebCore             	0x000000010153544d WebCore::RenderMathMLFraction::layout() + 93
13  com.apple.WebCore             	0x00000001014d7b00 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 1056
14  com.apple.WebCore             	0x00000001014c921b WebCore::RenderBlock::layoutBlock(bool) + 779
15  com.apple.WebCore             	0x00000001014b7773 WebCore::RenderBlock::layout() + 35
16  com.apple.WebCore             	0x0000000101538c09 WebCore::RenderMathMLRow::layout() + 25
17  com.apple.WebCore             	0x00000001014d7b00 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 1056
18  com.apple.WebCore             	0x00000001014c921b WebCore::RenderBlock::layoutBlock(bool) + 779
19  com.apple.WebCore             	0x0000000101575c00 WebCore::RenderTableCell::layout() + 32
20  com.apple.WebCore             	0x0000000101578738 WebCore::RenderTableRow::layout() + 152
21  com.apple.WebCore             	0x000000010157c85c WebCore::RenderTableSection::layout() + 140
22  com.apple.WebCore             	0x000000010157245c WebCore::RenderTable::layout() + 1004
23  com.apple.WebCore             	0x00000001014d7b00 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 1056
24  com.apple.WebCore             	0x00000001014c921b WebCore::RenderBlock::layoutBlock(bool) + 779
25  com.apple.WebCore             	0x00000001014b7773 WebCore::RenderBlock::layout() + 35
26  com.apple.WebCore             	0x0000000101538c09 WebCore::RenderMathMLRow::layout() + 25
27  com.apple.WebCore             	0x00000001014d7b00 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 1056
28  com.apple.WebCore             	0x00000001014c921b WebCore::RenderBlock::layoutBlock(bool) + 779
29  com.apple.WebCore             	0x00000001014b7773 WebCore::RenderBlock::layout() + 35
30  com.apple.WebCore             	0x00000001014c82f1 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 369
31  com.apple.WebCore             	0x00000001014c8923 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 547
32  com.apple.WebCore             	0x00000001014c981f WebCore::RenderBlock::layoutBlock(bool) + 2319
33  com.apple.WebCore             	0x00000001014b7773 WebCore::RenderBlock::layout() + 35
34  com.apple.WebCore             	0x00000001014c82f1 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 369
35  com.apple.WebCore             	0x00000001014c8923 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 547
36  com.apple.WebCore             	0x00000001014c981f WebCore::RenderBlock::layoutBlock(bool) + 2319
37  com.apple.WebCore             	0x00000001014b7773 WebCore::RenderBlock::layout() + 35
38  com.apple.WebCore             	0x00000001014c82f1 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 369
39  com.apple.WebCore             	0x00000001014c8923 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 547
40  com.apple.WebCore             	0x00000001014c981f WebCore::RenderBlock::layoutBlock(bool) + 2319
41  com.apple.WebCore             	0x00000001014b7773 WebCore::RenderBlock::layout() + 35
42  com.apple.WebCore             	0x00000001014c82f1 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 369
43  com.apple.WebCore             	0x00000001014c8923 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 547
44  com.apple.WebCore             	0x00000001014c981f WebCore::RenderBlock::layoutBlock(bool) + 2319
45  com.apple.WebCore             	0x00000001014b7773 WebCore::RenderBlock::layout() + 35
46  com.apple.WebCore             	0x00000001015a3977 WebCore::RenderView::layout() + 279
47  com.apple.WebCore             	0x0000000100f0719e WebCore::FrameView::layout(bool) + 1134
48  com.apple.WebCore             	0x0000000100dbacc8 WebCore::Document::implicitClose() + 616
49  com.apple.WebCore             	0x0000000100eed3bf WebCore::FrameLoader::checkCompleted() + 159
50  com.apple.WebCore             	0x000000010142eff0 WebCore::Loader::Host::didFail(WebCore::SubresourceLoader*, bool) + 368
51  com.apple.WebCore             	0x00000001016388ee WebCore::SubresourceLoader::didFail(WebCore::ResourceError const&) + 62
52  com.apple.WebCore             	0x00000001015b69fe -[WebCoreResourceHandleAsDelegate connection:didFailWithError:] + 206
53  com.apple.Foundation          	0x7fff8163c812 _NSURLConnectionDidFail + 123 (/SourceCache/Foundation/Foundation-751.29/URL.subproj/Connection.subproj/NSURLConnection.m:886)
54  com.apple.CFNetwork           	0x7fff84aa18bb URLConnectionClient::_clientDidFailWithError(__CFError*, URLConnectionClient::ClientConnectionEventQueue*) + 605 (/SourceCache/CFNetwork/CFNetwork-454.9.7/Connection/URLConnectionClient.cpp:1342)
55  com.apple.CFNetwork           	0x7fff84aa13f8 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 276 (/SourceCache/CFNetwork/CFNetwork-454.9.7/Connection/URLConnectionClient.cpp:1684)
56  com.apple.CFNetwork           	0x7fff84a2879f URLConnectionClient::processEvents() + 121 (/SourceCache/CFNetwork/CFNetwork-454.9.7/Connection/ConnectionEventQueue.h:177)
57  com.apple.CFNetwork           	0x7fff84a2857c MultiplexerSource::perform() + 160 (/SourceCache/CFNetwork/CFNetwork-454.9.7/SharedCode/ThreadSupportMach.h:34)
58  com.apple.CoreFoundation      	0x7fff869dde91 __CFRunLoopDoSources0 + 1361 (/SourceCache/CF/CF-550.29/RunLoop.subproj/CFRunLoop.c:1656)
59  com.apple.CoreFoundation      	0x7fff869dc089 __CFRunLoopRun + 873 (/SourceCache/CF/CF-550.29/RunLoop.subproj/CFRunLoop.c:2050)
60  com.apple.CoreFoundation      	0x7fff869db84f CFRunLoopRunSpecific + 575 (/SourceCache/CF/CF-550.29/RunLoop.subproj/CFRunLoop.c:2383)
61  com.apple.HIToolbox           	0x7fff8707b91a RunCurrentEventLoopInMode + 333 (Events/EventsCore/EventLoop.c:737)
62  com.apple.HIToolbox           	0x7fff8707b71f ReceiveNextEventCommon + 310 (Events/EventsCore/EventBlocking.c:456)
63  com.apple.HIToolbox           	0x7fff8707b5d8 BlockUntilNextEventMatchingListInMode + 59 (Events/EventsCore/EventBlocking.c:362)
64  com.apple.AppKit              	0x7fff84f2229e _DPSNextEvent + 708 (/SourceCache/AppKit/AppKit-1038.32/GraphicsContext.subproj/CGDPSReplacement.m:451)
65  com.apple.AppKit              	0x7fff84f21bed -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155 (/SourceCache/AppKit/AppKit-1038.32/AppKit.subproj/NSApplication.m:3759)
66  com.apple.Safari              	0x100015940 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 177 (/SourceCache/WebBrowser/WebBrowser-7533.17.8/mac/BrowserApplication.mm:411)
67  com.apple.AppKit              	0x7fff84ee78d3 -[NSApplication run] + 395 (/SourceCache/AppKit/AppKit-1038.32/AppKit.subproj/NSApplication.m:2598)
68  com.apple.AppKit              	0x7fff84ee05f8 NSApplicationMain + 364 (/SourceCache/AppKit/AppKit-1038.32/AppKit.subproj/NSApplication.m:7159)
69  com.apple.Safari              	0x10000980c start + 52
Comment 1 Beth Dakin 2010-08-27 16:01:16 PDT
Created attachment 65779 [details]
Test case that crashed

This is a test that crashes. It needs to be reduced into a small enough test to be a layout test.
Comment 2 Beth Dakin 2010-08-27 16:02:37 PDT
Created attachment 65780 [details]
Patch

This cannot be committed until the test case is reduced into a layout test, but I am attaching it anyway.
Comment 3 Darin Adler 2010-08-29 11:47:05 PDT
Comment on attachment 65780 [details]
Patch

Please land this along with a regression test, as you said you planned to do.
Comment 4 Beth Dakin 2010-08-30 11:56:24 PDT
I have a test for this now. Will land shortly.
Comment 5 Beth Dakin 2010-08-30 12:57:51 PDT
Fixed with http://trac.webkit.org/changeset/66402

I forgot to check in the test with that revision, so I will check in the test momentarily.
Comment 6 Beth Dakin 2010-08-30 13:04:32 PDT
Test committed with http://trac.webkit.org/changeset/66403