RESOLVED FIXED Bug 57901
Crash in RenderMathMLUnderOver::nonOperatorHeight()
https://bugs.webkit.org/show_bug.cgi?id=57901
Summary Crash in RenderMathMLUnderOver::nonOperatorHeight()
Beth Dakin
Reported 2011-04-05 16:12:40 PDT
<rdar://problem/8908482>
Crashing test attached.
1 com.apple.WebCore 0x7fff8c6725c0 WebCore::RenderMathMLUnderOver::nonOperatorHeight() const + 0x5c
2 com.apple.WebCore 0x7fff8c6712ea WebCore::RenderMathMLRow::layout() + 0xda
3 com.apple.WebCore 0x7fff8be91a7d WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 0x423
4 com.apple.WebCore 0x7fff8c645eee WebCore::RenderBlock::layoutBlock(bool, int) + 0x4dc
5 com.apple.WebCore 0x7fff8be8eeaa WebCore::RenderBlock::layout() + 0x28
6 com.apple.WebCore 0x7fff8be90c67 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 0x2db
7 com.apple.WebCore 0x7fff8be9026b WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 0x2b3
8 com.apple.WebCore 0x7fff8c645f09 WebCore::RenderBlock::layoutBlock(bool, int) + 0x4f7
9 com.apple.WebCore 0x7fff8be8eeaa WebCore::RenderBlock::layout() + 0x28
10 com.apple.WebCore 0x7fff8be90c67 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 0x2db
11 com.apple.WebCore 0x7fff8be9026b WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 0x2b3
12 com.apple.WebCore 0x7fff8c645f09 WebCore::RenderBlock::layoutBlock(bool, int) + 0x4f7
13 com.apple.WebCore 0x7fff8be8eeaa WebCore::RenderBlock::layout() + 0x28
14 com.apple.WebCore 0x7fff8be90c67 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 0x2db
15 com.apple.WebCore 0x7fff8be9026b WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 0x2b3
16 com.apple.WebCore 0x7fff8c645f09 WebCore::RenderBlock::layoutBlock(bool, int) + 0x4f7
17 com.apple.WebCore 0x7fff8be8eeaa WebCore::RenderBlock::layout() + 0x28
18 com.apple.WebCore 0x7fff8be8edc5 WebCore::RenderView::layout() + 0x21f
19 com.apple.WebCore 0x7fff8be8dfc8 WebCore::FrameView::layout(bool) + 0x6c6
20 com.apple.WebCore 0x7fff8be846ac WebCore::Document::implicitClose() + 0x306
21 com.apple.WebCore 0x7fff8be8424f WebCore::FrameLoader::checkCompleted() + 0x121
22 com.apple.WebCore 0x7fff8be83fca WebCore::FrameLoader::finishedParsing() + 0x56
23 com.apple.WebCore 0x7fff8be81ff7 WebCore::Document::finishedParsing() + 0x10b
24 com.apple.WebCore 0x7fff8c371795 WebCore::HTMLDocumentParser::prepareToStopParsing() + 0xa1
25 com.apple.WebCore 0x7fff8be464c1 WebCore::DocumentWriter::endIfNotLoadingMainResource() + 0x6b
26 com.apple.WebCore 0x7fff8bebac82 WebCore::FrameLoader::finishedLoading() + 0x48
27 com.apple.WebCore 0x7fff8c60053d WebCore::MainResourceLoader::didFinishLoading(double) + 0x6f
28 com.apple.Foundation 0x7fff9651a0e6 ___NSURLConnectionDidFinishLoading_block_invoke_1 + 0x7a
29 com.apple.Foundation 0x7fff9643ce7d _NSURLConnectionDidFinishLoading + 0x51
30 com.apple.CFNetwork 0x7fff928f8748 URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 0x148
31 com.apple.CFNetwork 0x7fff929acc37 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 0x171
32 com.apple.CFNetwork 0x7fff929ace44 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 0x37e
33 com.apple.CFNetwork 0x7fff928e936b URLConnectionClient::processEvents() + 0xc1
34 com.apple.CFNetwork 0x7fff928e9230 MultiplexerSource::perform() + 0xd4
35 com.apple.CoreFoundation 0x107011bdc __CFRunLoopDoSources0 + 0x1bc
36 com.apple.CoreFoundation 0x1070114e9 __CFRunLoopRun + 0x389
37 com.apple.CoreFoundation 0x107010f26 CFRunLoopRunSpecific + 0xe6
38 com.apple.HIToolbox 0x7fff9032b067 RunCurrentEventLoopInMode + 0x115
39 com.apple.HIToolbox 0x7fff9032adb3 ReceiveNextEventCommon + 0xb5
40 com.apple.HIToolbox 0x7fff9032acee BlockUntilNextEventMatchingListInMode + 0x3e
41 com.apple.AppKit 0x7fff8e9fa3e5 _DPSNextEvent + 0x293
42 com.apple.AppKit 0x7fff8e9f9cea -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 0x87
43 com.apple.Safari.framework 0x7fff8d65e5a4 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 0xab
44 com.apple.AppKit 0x7fff8e9bebad -[NSApplication run] + 0x1c8
45 com.apple.AppKit 0x7fff8e9b7988 NSApplicationMain + 0x35c
46 com.apple.Safari.framework 0x7fff8d7bf8ea SafariMain + 0xc5
47 com.apple.Safari 0x106fc2f24 start + 0x0
Attachments
Crashing test (82.18 KB, text/html)
2011-04-05 16:13 PDT, Beth Dakin
no flags
The fix including test baselines (138.47 KB, patch)
2011-06-20 11:14 PDT, Alex Milowski
no flags
Beth Dakin
Comment 1 2011-04-05 16:13:01 PDT
Created attachment 88330: Crashing test
Alex Milowski
Comment 2 2011-06-20 11:02:01 PDT
This example now crashes due to anonymous blocks not being marked as such (as pointed out by Jeffrey Pfau). There is very little change to the rendering when they are marked as such. I am preparing a patch that marks the blocks as anonymous.
Alex Milowski
Comment 3 2011-06-20 11:14:28 PDT
Created attachment 97825: The fix including test baselines
Vicki Pfau
Comment 4 2011-06-20 12:02:34 PDT
This patch only sets one of the blocks used anonymously as anonymous. However, several places in the code create RenderMathMLBlocks that are used as anonymous blocks. I'm working on a patch that incorporates fixes for all of the instances I've found, but I have yet to add test cases.
WebKit Review Bot
Comment 5 2011-06-20 12:17:40 PDT
Comment on attachment 97825: The fix including test baselines
Clearing flags on attachment: 97825
Committed r89268: <http://trac.webkit.org/changeset/89268>
WebKit Review Bot
Comment 6 2011-06-20 12:17:45 PDT
All reviewed patches have been landed. Closing bug.