Bug 57902 - Crash in RenderMathMLSubSup::stretchToHeight()
Summary: Crash in RenderMathMLSubSup::stretchToHeight()
Status: RESOLVED DUPLICATE of bug 57897
Alias: None
Product: WebKit
Classification: Unclassified
Component: MathML
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2011-04-05 16:19 PDT by Beth Dakin
Modified: 2011-05-06 16:23 PDT

Attachments
Crashing test (15.79 KB, text/html)
2011-04-05 16:19 PDT, Beth Dakin

Description Beth Dakin 2011-04-05 16:19:06 PDT
<rdar://problem/8913108>

Crashing test attached.


   1 com.apple.WebCore              0x7fff943b52a9 WebCore::RenderMathMLSubSup::stretchToHeight(int) + 0x47
   2 com.apple.WebCore              0x7fff943b43df WebCore::RenderMathMLRow::layout() + 0x1cf
   3 com.apple.WebCore              0x7fff93bd49ad WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 0x423
   4 com.apple.WebCore              0x7fff94388eee WebCore::RenderBlock::layoutBlock(bool, int) + 0x4dc
   5 com.apple.WebCore              0x7fff93bd1dda WebCore::RenderBlock::layout() + 0x28
   6 com.apple.WebCore              0x7fff93bd3b97 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 0x2db
   7 com.apple.WebCore              0x7fff93bd319b WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 0x2b3
   8 com.apple.WebCore              0x7fff94388f09 WebCore::RenderBlock::layoutBlock(bool, int) + 0x4f7
   9 com.apple.WebCore              0x7fff93bd1dda WebCore::RenderBlock::layout() + 0x28
  10 com.apple.WebCore              0x7fff93bd3b97 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 0x2db
  11 com.apple.WebCore              0x7fff93bd319b WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 0x2b3
  12 com.apple.WebCore              0x7fff94388f09 WebCore::RenderBlock::layoutBlock(bool, int) + 0x4f7
  13 com.apple.WebCore              0x7fff93bd1dda WebCore::RenderBlock::layout() + 0x28
  14 com.apple.WebCore              0x7fff93bd3b97 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 0x2db
  15 com.apple.WebCore              0x7fff93bd319b WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 0x2b3
  16 com.apple.WebCore              0x7fff94388f09 WebCore::RenderBlock::layoutBlock(bool, int) + 0x4f7
  17 com.apple.WebCore              0x7fff93bd1dda WebCore::RenderBlock::layout() + 0x28
  18 com.apple.WebCore              0x7fff93bd1cf5 WebCore::RenderView::layout() + 0x21f
  19 com.apple.WebCore              0x7fff93bd0ef8 WebCore::FrameView::layout(bool) + 0x6c6
  20 com.apple.WebCore              0x7fff93c15810 WebCore::Document::updateLayoutIgnorePendingStylesheets() + 0x6e
  21 com.apple.WebCore              0x7fff9402fa43 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const + 0x81
  22 com.apple.WebCore              0x7fff93f8ae76 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 0x70
  23 com.apple.WebCore              0x7fff941bc58b WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) + 0x1eb
  24                                0x000024a8d52001b8 0 + 40307548750264
  25 com.apple.JavaScriptCore       0x7fff910c9269 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 0x22d
  26 com.apple.JavaScriptCore       0x7fff9101595c JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) + 0xfc
  27 com.apple.WebCore              0x7fff943ee345 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*, WebCore::ShouldAllowXSS) + 0x1b5
  28 com.apple.WebCore              0x7fff943ee73f WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ShouldAllowXSS) + 0x2f
  29 com.apple.WebCore              0x7fff943efbb1 WebCore::ScriptController::executeScript(WebCore::ScriptSourceCode const&, WebCore::ShouldAllowXSS) + 0x51
  30 com.apple.WebCore              0x7fff943f3487 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 0x57
  31 com.apple.WebCore              0x7fff940d60f4 WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition<WTF::OneBasedNumber> const&) + 0x2aa
  32 com.apple.WebCore              0x7fff940d68b7 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition<WTF::OneBasedNumber> const&) + 0x17
  33 com.apple.WebCore              0x7fff940b3e69 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 0x57
  34 com.apple.WebCore              0x7fff940b403c WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 0x16e
  35 com.apple.WebCore              0x7fff940b44ce WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) + 0x96
  36 com.apple.WebCore              0x7fff93f849c9 WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, int, bool) + 0x165
  37 com.apple.WebCore              0x7fff93f95491 WebCore::DocumentLoader::commitData(char const*, int) + 0xa9
  38 com.apple.WebKit               0x7fff8c43c9a2 -[WebHTMLRepresentation receivedData:withDataSource:] + 0x62
  39 com.apple.WebKit               0x7fff8c43c8a0 -[WebDataSource(WebInternal) _receivedData:] + 0x50
  40 com.apple.WebKit               0x7fff8c43c82b WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 0x69
  41 com.apple.WebCore              0x7fff93be82b5 WebCore::DocumentLoader::commitLoad(char const*, int) + 0x8b
  42 com.apple.WebCore              0x7fff93be7ed2 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 0x36
  43 com.apple.WebCore              0x7fff93be7e2d WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 0x26b
  44 com.apple.WebCore              0x7fff93be7b95 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 0x95
  45 com.apple.Foundation           0x7fff8a4a61c9 ___NSURLConnectionDidReceiveData_block_invoke_1 + 0x90
  46 com.apple.Foundation           0x7fff8a3c8882 _NSURLConnectionDidReceiveData + 0x56
  47 com.apple.CFNetwork            0x7fff90100e4c URLConnectionClient::_clientDidReceiveData(__CFData const*, URLConnectionClient::ClientConnectionEventQueue*) + 0x110
  48 com.apple.CFNetwork            0x7fff901b6c14 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 0x14e
  49 com.apple.CFNetwork            0x7fff901b6e44 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 0x37e
  50 com.apple.CFNetwork            0x7fff900f336b URLConnectionClient::processEvents() + 0xc1
  51 com.apple.CFNetwork            0x7fff900f3230 MultiplexerSource::perform() + 0xd4
  52 com.apple.CoreFoundation       0x7fff8c6027ed __CFRunLoopDoSources0 + 0xfd
  53 com.apple.CoreFoundation       0x7fff8c6021b9 __CFRunLoopRun + 0x389
  54 com.apple.CoreFoundation       0x7fff8c601bf6 CFRunLoopRunSpecific + 0xe6
  55 com.apple.HIToolbox            0x7fff8d298fef RunCurrentEventLoopInMode + 0x115
  56 com.apple.HIToolbox            0x7fff8d298de9 ReceiveNextEventCommon + 0x163
  57 com.apple.HIToolbox            0x7fff8d298c76 BlockUntilNextEventMatchingListInMode + 0x3e
  58 com.apple.AppKit               0x7fff8ebca2b9 _DPSNextEvent + 0x293
  59 com.apple.AppKit               0x7fff8ebc9bbe -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 0x87
  60 com.apple.Safari.framework     0x7fff91c755fc -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 0xab
  61 com.apple.AppKit               0x7fff8eb8ea7d -[NSApplication run] + 0x1c8
  62 com.apple.AppKit               0x7fff8eb87861 NSApplicationMain + 0x35c
  63 com.apple.Safari.framework     0x7fff91dd68ca SafariMain + 0xc5
  64 com.apple.Safari               0x10b00ff24 start + 0x0
Comment 1 Beth Dakin 2011-04-05 16:19:27 PDT
Created attachment 88332
Crashing test
Comment 2 Alex Milowski 2011-05-06 16:23:14 PDT
This is the same issue as bug 57897 where the base or sub/superscript has been removed via JavaScript and violates the assumption that the RenderMathMLBlock instance added by the renderer always has a child. That's a bad assumption.

*** This bug has been marked as a duplicate of bug 57897 ***
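
The failure pattern described in comment 2, as an added example that is not WebKit source and not part of the original report: a simplified model of a sub/superscript renderer whose operands sit inside wrapper blocks, with the unchecked access next to a guarded one. `Node`, `SubSupModel` and their members are hypothetical names chosen for illustration.

```cpp
#include <memory>
#include <vector>

// Simplified stand-in for a render-tree node (hypothetical, not a WebKit class).
struct Node {
    int height = 0;
    std::vector<std::unique_ptr<Node>> children;
    Node* firstChild() const { return children.empty() ? nullptr : children.front().get(); }
    Node* addChild(int h = 0) {
        children.push_back(std::make_unique<Node>());
        children.back()->height = h;
        return children.back().get();
    }
};

// Models a sub/superscript renderer: each operand lives inside a wrapper block.
struct SubSupModel {
    Node root;
    Node* baseWrapper;
    Node* scriptWrapper;
    SubSupModel() {
        baseWrapper = root.addChild();
        baseWrapper->addChild(10);   // the base
        scriptWrapper = root.addChild();
        scriptWrapper->addChild(5);  // the sub/superscript
    }
    // Script removing the base from the DOM leaves the wrapper behind, now empty.
    void removeBase() { baseWrapper->children.clear(); }

    // Pattern behind the crash: assumes the wrapper always has a child.
    void stretchToHeightUnchecked(int h) {
        baseWrapper->firstChild()->height = h;  // null dereference once the base is gone
    }
    // Guarded form: reports failure and leaves the tree untouched if the child is missing.
    bool stretchToHeightChecked(int h) {
        Node* base = baseWrapper->firstChild();
        if (!base)
            return false;
        base->height = h;
        return true;
    }
};

int main() {
    SubSupModel m;
    m.removeBase();                               // mutation happens before the next layout
    return m.stretchToHeightChecked(30) ? 1 : 0;  // 0: the empty wrapper was handled
}
```
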