RESOLVED FIXED Bug 44804
Crashes in RenderMathMLRoot::layout() and RenderMathMLRoot::paint() 
https://bugs.webkit.org/show_bug.cgi?id=44804
Summary Crashes in RenderMathMLRoot::layout() and RenderMathMLRoot::paint()
Beth Dakin
Reported 2010-08-27 16:30:53 PDT
All of the calls to firstChild() and lastChild() in RenderMathMLRoot::layout() and RenderMathMLRoot::paint() need to be null checked. <rdar://problem/8342055>
Attachments
Test Case 1 (5.26 KB, application/xhtml+xml)
2010-08-27 16:31 PDT, Beth Dakin 		no flags
Details
Test Case 2 (5.24 KB, application/xhtml+xml)
2010-08-27 16:32 PDT, Beth Dakin 		no flags
Details
Patch (2.16 KB, patch)
2010-08-27 16:34 PDT, Beth Dakin 		sam: review+
DetailsFormatted DiffDiff
Reduced Test Case 1 (89 bytes, text/html)
2010-08-29 23:25 PDT, Daniel Bates 		no flags
Details
Reduced Test Case 2 (80 bytes, text/html)
2010-08-29 23:30 PDT, Daniel Bates 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Beth Dakin
Comment 1 2010-08-27 16:31:55 PDT
Created attachment 65783 [details] Test Case 1
Beth Dakin
Comment 2 2010-08-27 16:32:19 PDT
Created attachment 65784 [details] Test Case 2
Beth Dakin
Comment 3 2010-08-27 16:34:07 PDT
Created attachment 65785 [details] Patch The attached test cases need to be reduced into layout tests before this patch can be committed, but I am attaching it now anyway.
Sam Weinig
Comment 4 2010-08-27 19:23:36 PDT
Comment on attachment 65785 [details] Patch Please land with test.
Sam Weinig
Comment 5 2010-08-27 19:23:36 PDT
Comment on attachment 65785 [details] Patch Please land with test.
Beth Dakin
Comment 6 2010-08-28 12:56:38 PDT
Yay! Thanks Sam :-) I will hold off on landing for now until I reduce the test.
Daniel Bates
Comment 7 2010-08-29 23:25:55 PDT
Created attachment 65881 [details] Reduced Test Case 1 I was able to reduce the first test case <https://bugs.webkit.org/attachment.cgi?id=65783> to: <math> <mroot><mi></mi></mroot> </math> Without the patch, both this and <https://bugs.webkit.org/attachment.cgi?id=65783> crash at: int indexShift = indexBox->offsetWidth() + topStartShift; because indexBox is null.
Daniel Bates
Comment 8 2010-08-29 23:30:30 PDT
Created attachment 65882 [details] Reduced Test Case 2 I was able to reduce the second test case <https://bugs.webkit.org/attachment.cgi?id=65784> to: <math> <mroot></mroot> </math> Without the patch, both this and <https://bugs.webkit.org/attachment.cgi?id=65784> crash at: int maxHeight = toRenderBoxModelObject(lastChild())->offsetHeight(); because lastChild() returns a null pointer.
Beth Dakin
Comment 9 2010-08-30 10:37:19 PDT
Thanks Dan!! (And Darin!) I will be landing shortly.
Beth Dakin
Comment 10 2010-08-30 13:04:16 PDT
Fixed with http://trac.webkit.org/changeset/66403
Note You need to log in before you can comment on or make changes to this bug.