<rdar://problem/8913108> Crashing test attached.
1 com.apple.WebCore 0x7fff943b52a9 WebCore::RenderMathMLSubSup::stretchToHeight(int) + 0x47
2 com.apple.WebCore 0x7fff943b43df WebCore::RenderMathMLRow::layout() + 0x1cf
3 com.apple.WebCore 0x7fff93bd49ad WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 0x423
4 com.apple.WebCore 0x7fff94388eee WebCore::RenderBlock::layoutBlock(bool, int) + 0x4dc
5 com.apple.WebCore 0x7fff93bd1dda WebCore::RenderBlock::layout() + 0x28
6 com.apple.WebCore 0x7fff93bd3b97 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 0x2db
7 com.apple.WebCore 0x7fff93bd319b WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 0x2b3
8 com.apple.WebCore 0x7fff94388f09 WebCore::RenderBlock::layoutBlock(bool, int) + 0x4f7
9 com.apple.WebCore 0x7fff93bd1dda WebCore::RenderBlock::layout() + 0x28
10 com.apple.WebCore 0x7fff93bd3b97 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 0x2db
11 com.apple.WebCore 0x7fff93bd319b WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 0x2b3
12 com.apple.WebCore 0x7fff94388f09 WebCore::RenderBlock::layoutBlock(bool, int) + 0x4f7
13 com.apple.WebCore 0x7fff93bd1dda WebCore::RenderBlock::layout() + 0x28
14 com.apple.WebCore 0x7fff93bd3b97 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 0x2db
15 com.apple.WebCore 0x7fff93bd319b WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 0x2b3
16 com.apple.WebCore 0x7fff94388f09 WebCore::RenderBlock::layoutBlock(bool, int) + 0x4f7
17 com.apple.WebCore 0x7fff93bd1dda WebCore::RenderBlock::layout() + 0x28
18 com.apple.WebCore 0x7fff93bd1cf5 WebCore::RenderView::layout() + 0x21f
19 com.apple.WebCore 0x7fff93bd0ef8 WebCore::FrameView::layout(bool) + 0x6c6
20 com.apple.WebCore 0x7fff93c15810 WebCore::Document::updateLayoutIgnorePendingStylesheets() + 0x6e
21 com.apple.WebCore 0x7fff9402fa43 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const + 0x81
22 com.apple.WebCore 0x7fff93f8ae76 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 0x70
23 com.apple.WebCore 0x7fff941bc58b WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) + 0x1eb
24 0x000024a8d52001b8 0 + 40307548750264
25 com.apple.JavaScriptCore 0x7fff910c9269 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 0x22d
26 com.apple.JavaScriptCore 0x7fff9101595c JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) + 0xfc
27 com.apple.WebCore 0x7fff943ee345 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*, WebCore::ShouldAllowXSS) + 0x1b5
28 com.apple.WebCore 0x7fff943ee73f WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ShouldAllowXSS) + 0x2f
29 com.apple.WebCore 0x7fff943efbb1 WebCore::ScriptController::executeScript(WebCore::ScriptSourceCode const&, WebCore::ShouldAllowXSS) + 0x51
30 com.apple.WebCore 0x7fff943f3487 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 0x57
31 com.apple.WebCore 0x7fff940d60f4 WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition<WTF::OneBasedNumber> const&) + 0x2aa
32 com.apple.WebCore 0x7fff940d68b7 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition<WTF::OneBasedNumber> const&) + 0x17
33 com.apple.WebCore 0x7fff940b3e69 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 0x57
34 com.apple.WebCore 0x7fff940b403c WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 0x16e
35 com.apple.WebCore 0x7fff940b44ce WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) + 0x96
36 com.apple.WebCore 0x7fff93f849c9 WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, int, bool) + 0x165
37 com.apple.WebCore 0x7fff93f95491 WebCore::DocumentLoader::commitData(char const*, int) + 0xa9
38 com.apple.WebKit 0x7fff8c43c9a2 -[WebHTMLRepresentation receivedData:withDataSource:] + 0x62
39 com.apple.WebKit 0x7fff8c43c8a0 -[WebDataSource(WebInternal) _receivedData:] + 0x50
40 com.apple.WebKit 0x7fff8c43c82b WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 0x69
41 com.apple.WebCore 0x7fff93be82b5 WebCore::DocumentLoader::commitLoad(char const*, int) + 0x8b
42 com.apple.WebCore 0x7fff93be7ed2 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 0x36
43 com.apple.WebCore 0x7fff93be7e2d WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 0x26b
44 com.apple.WebCore 0x7fff93be7b95 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 0x95
45 com.apple.Foundation 0x7fff8a4a61c9 ___NSURLConnectionDidReceiveData_block_invoke_1 + 0x90
46 com.apple.Foundation 0x7fff8a3c8882 _NSURLConnectionDidReceiveData + 0x56
47 com.apple.CFNetwork 0x7fff90100e4c URLConnectionClient::_clientDidReceiveData(__CFData const*, URLConnectionClient::ClientConnectionEventQueue*) + 0x110
48 com.apple.CFNetwork 0x7fff901b6c14 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 0x14e
49 com.apple.CFNetwork 0x7fff901b6e44 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 0x37e
50 com.apple.CFNetwork 0x7fff900f336b URLConnectionClient::processEvents() + 0xc1
51 com.apple.CFNetwork 0x7fff900f3230 MultiplexerSource::perform() + 0xd4
52 com.apple.CoreFoundation 0x7fff8c6027ed __CFRunLoopDoSources0 + 0xfd
53 com.apple.CoreFoundation 0x7fff8c6021b9 __CFRunLoopRun + 0x389
54 com.apple.CoreFoundation 0x7fff8c601bf6 CFRunLoopRunSpecific + 0xe6
55 com.apple.HIToolbox 0x7fff8d298fef RunCurrentEventLoopInMode + 0x115
56 com.apple.HIToolbox 0x7fff8d298de9 ReceiveNextEventCommon + 0x163
57 com.apple.HIToolbox 0x7fff8d298c76 BlockUntilNextEventMatchingListInMode + 0x3e
58 com.apple.AppKit 0x7fff8ebca2b9 _DPSNextEvent + 0x293
59 com.apple.AppKit 0x7fff8ebc9bbe -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 0x87
60 com.apple.Safari.framework 0x7fff91c755fc -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 0xab
61 com.apple.AppKit 0x7fff8eb8ea7d -[NSApplication run] + 0x1c8
62 com.apple.AppKit 0x7fff8eb87861 NSApplicationMain + 0x35c
63 com.apple.Safari.framework 0x7fff91dd68ca SafariMain + 0xc5
64 com.apple.Safari 0x10b00ff24 start + 0x0
Created attachment 88332 [details] Crashing test
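This is the same issue as bug 57897: the base or the sub/superscript has been removed via JavaScript, which violates the assumption that the RenderMathMLBlock instance added by the renderer always has a child. That's a bad assumption; the faulting frame in the trace above, WebCore::RenderMathMLSubSup::stretchToHeight(int), is presumably where layout relies on that child without first checking that it still exists. *** This bug has been marked as a duplicate of bug 57897 ***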