[Webkit-unassigned] [Bug 100464] New: MathML fuzzing bugs - 2
bugzilla-daemon at webkit.org
Thu Oct 25 22:42:31 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=100464
Summary: MathML fuzzing bugs - 2
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: MathML
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: inferno at chromium.org
CC: eric at webkit.org, dbarton at mathscribe.com
Created an attachment (id=170817)
--> (https://bugs.webkit.org/attachment.cgi?id=170817&action=review)
Testcase - 2
==21356== ERROR: AddressSanitizer crashed on unknown address 0x000000000001 (pc 0x7f81358e4aac sp 0x7fff34118c00 bp 0x7fff34118cd0 T0)
AddressSanitizer can not provide additional info.
#0 0x7f81358e4aab in WebCore::LayoutState::isPaginated() const third_party/WebKit/Source/WebCore/rendering/LayoutState.h:78
#1 0x7f8135af39fd in WebCore::RenderView::pushLayoutState(WebCore::RenderBox*, WebCore::FractionalLayoutSize const&, WebCore::FractionalLayoutUnit, bool, WebCore::ColumnInfo*) third_party/WebKit/Source/WebCore/rendering/RenderView.h:229
#2 0x7f8135af33b5 in WebCore::LayoutStateMaintainer::push(WebCore::RenderBox*, WebCore::FractionalLayoutSize, WebCore::FractionalLayoutUnit, bool, WebCore::ColumnInfo*) third_party/WebKit/Source/WebCore/rendering/RenderView.h:377
#3 0x7f8135af2df6 in LayoutStateMaintainer third_party/WebKit/Source/WebCore/rendering/RenderView.h:355
#4 0x7f81359d254a in LayoutStateMaintainer third_party/WebKit/Source/WebCore/rendering/RenderView.h:356
#5 0x7f813628c2ec in WebCore::RenderTable::layout() third_party/WebKit/Source/WebCore/rendering/RenderTable.cpp:353
#6 0x7f81357d7630 in WebCore::RenderObject::layoutIfNeeded() third_party/WebKit/Source/WebCore/rendering/RenderObject.h:672
#7 0x7f813652f06e in WebCore::RenderMathMLBlock::computeChildrenPreferredLogicalHeights() third_party/WebKit/Source/WebCore/rendering/mathml/RenderMathMLBlock.cpp:183
#8 0x7f813654881b in WebCore::RenderMathMLRow::computePreferredLogicalWidths() third_party/WebKit/Source/WebCore/rendering/mathml/RenderMathMLRow.cpp:57
#9 0x7f8135bcb094 in WebCore::RenderBox::maxPreferredLogicalWidth() const third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:673
#10 0x7f81360a0889 in WebCore::RenderMarquee::computePosition(WebCore::EMarqueeDirection, bool) third_party/WebKit/Source/WebCore/rendering/RenderMarquee.cpp:119
#11 0x7f81360a34b4 in WebCore::RenderMarquee::updateMarqueePosition() third_party/WebKit/Source/WebCore/rendering/RenderMarquee.cpp:202
#12 0x7f8135edf9b1 in WebCore::RenderLayer::updateLayerPositionsAfterScroll(unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:553
#13 0x7f8135ef8072 in WebCore::RenderLayer::scrollTo(int, int) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:1724
#14 0x7f8135f04fe4 in WebCore::RenderLayer::setScrollOffset(WebCore::IntPoint const&) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:2061
#15 0x7f8130de4d34 in WebCore::ScrollableArea::scrollPositionChanged(WebCore::IntPoint const&) third_party/WebKit/Source/WebCore/platform/ScrollableArea.cpp:147
#16 0x7f8130de612c in WebCore::ScrollableArea::setScrollOffsetFromAnimation(WebCore::IntPoint const&) third_party/WebKit/Source/WebCore/platform/ScrollableArea.cpp:192
#17 0x7f8130d84e73 in WebCore::ScrollAnimator::notifyPositionChanged() third_party/WebKit/Source/WebCore/platform/ScrollAnimator.cpp:149
#18 0x7f8130d81cb0 in WebCore::ScrollAnimator::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) third_party/WebKit/Source/WebCore/platform/ScrollAnimator.cpp:79
#19 0x7f8130de417b in WebCore::ScrollableArea::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) third_party/WebKit/Source/WebCore/platform/ScrollableArea.cpp:126
#20 0x7f8135ef6668 in WebCore::RenderLayer::scrollToOffset(WebCore::IntSize const&, WebCore::RenderLayer::ScrollOffsetClamping) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:1697
#21 0x7f8135c3b50b in WebCore::RenderLayer::scrollToXOffset(int, WebCore::RenderLayer::ScrollOffsetClamping) third_party/WebKit/Source/WebCore/rendering/RenderLayer.h:328
#22 0x7f8135bbcf2d in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:232
#23 0x7f81358f4845 in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:328
#24 0x7f81361804ec in WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>) third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:1774
#25 0x7f813617e6a8 in WebCore::RenderObject::setAnimatableStyle(WTF::PassRefPtr<WebCore::RenderStyle>) third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:1675
#26 0x7f812f02f094 in WebCore::Node::setRenderStyle(WTF::PassRefPtr<WebCore::RenderStyle>) third_party/WebKit/Source/WebCore/dom/Node.cpp:1427
#27 0x7f812edfdba9 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Element.cpp:1169
#28 0x7f812edfec0c in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Element.cpp:1223
#29 0x7f812edfec0c in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Element.cpp:1223
#30 0x7f812eab4f19 in WebCore::Document::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Document.cpp:1856
#31 0x7f812eab6870 in WebCore::Document::updateStyleIfNeeded() third_party/WebKit/Source/WebCore/dom/Document.cpp:1904
#32 0x7f812eab6f1e in WebCore::Document::updateLayout() third_party/WebKit/Source/WebCore/dom/Document.cpp:1927
#33 0x7f8135f34c70 in WebCore::RenderLayer::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:3511
#34 0x7f813644c964 in WebCore::RenderView::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&) third_party/WebKit/Source/WebCore/rendering/RenderView.cpp:96
#35 0x7f813644c62c in WebCore::RenderView::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestResult&) third_party/WebKit/Source/WebCore/rendering/RenderView.cpp:91
#36 0x7f812eacc4af in WebCore::Document::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::FractionalLayoutPoint const&, WebCore::PlatformMouseEvent const&) third_party/WebKit/Source/WebCore/dom/Document.cpp:3073
#37 0x7f8134ec1ecf in WebCore::EventHandler::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::PlatformMouseEvent const&) third_party/WebKit/Source/WebCore/page/EventHandler.cpp:2146
#38 0x7f8134ec4158 in WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::HitTestResult*, bool) third_party/WebKit/Source/WebCore/page/EventHandler.cpp:1785
#39 0x7f8134ec248a in WebCore::EventHandler::mouseMoved(WebCore::PlatformMouseEvent const&) third_party/WebKit/Source/WebCore/page/EventHandler.cpp:1707
#40 0x7f8129c5c6ff in WebKit::PageWidgetEventHandler::handleMouseMove(WebCore::Frame&, WebKit::WebMouseEvent const&) third_party/WebKit/Source/WebKit/chromium/src/PageWidgetDelegate.cpp:197
#41 0x7f8129c5afcf in WebKit::PageWidgetDelegate::handleInputEvent(WebCore::Page*, WebKit::PageWidgetEventHandler&, WebKit::WebInputEvent const&) third_party/WebKit/Source/WebKit/chromium/src/PageWidgetDelegate.cpp:118
#42 0x7f812a183a36 in WebKit::WebViewImpl::handleInputEvent(WebKit::WebInputEvent const&) third_party/WebKit/Source/WebKit/chromium/src/WebViewImpl.cpp:1990
#43 0x7f814c52922e in content::RenderWidget::OnHandleInputEvent(IPC::Message const&) content/renderer/render_widget.cc:583
#44 0x7f814c55587e in bool IPC::Message::Dispatch<content::RenderWidget, content::RenderWidget>(IPC::Message const*, content::RenderWidget*, content::RenderWidget*, void (content::RenderWidget::*)(IPC::Message const&)) ./ipc/ipc_message.h:170
#45 0x7f814c522a4b in content::RenderWidget::OnMessageReceived(IPC::Message const&) content/renderer/render_widget.cc:244
#46 0x7f814c3852c3 in content::RenderViewImpl::OnMessageReceived(IPC::Message const&) content/renderer/render_view_impl.cc:1064
#47 0x7f814b9821fa in MessageRouter::RouteMessage(IPC::Message const&) content/common/message_router.cc:47
#48 0x7f814b981dcb in MessageRouter::OnMessageReceived(IPC::Message const&) content/common/message_router.cc:39
#49 0x7f814acf5773 in ChildThread::OnMessageReceived(IPC::Message const&) content/common/child_thread.cc:275
#50 0x7f8146936322 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ipc/ipc_channel_proxy.cc:261
#51 0x7f814695d5b1 in base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>::Run(IPC::ChannelProxy::Context*, IPC::Message const&) ./base/bind_internal.h:190
#52 0x7f814695d147 in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, void (IPC::ChannelProxy::Context* const&, IPC::Message const&)>::MakeItSo(base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, IPC::ChannelProxy::Context* const&, IPC::Message const&) ./base/bind_internal.h:898
#53 0x7f814695cd74 in base::internal::Invoker<2, base::internal::BindState<base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, void (IPC::ChannelProxy::Context*, IPC::Message const&), void (IPC::ChannelProxy::Context*, IPC::Message)>, void (IPC::ChannelProxy::Context*, IPC::Message const&)>::Run(base::internal::BindStateBase*) ./base/bind_internal.h:1256
#54 0x7f815a8805ac in base::Callback<void ()>::Run() const ./base/callback.h:391
#55 0x7f815aa9c76d in MessageLoop::RunTask(base::PendingTask const&) base/message_loop.cc:470
#56 0x7f815aa9e5da in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop.cc:482
#57 0x7f815aa9ec95 in MessageLoop::DoWork() base/message_loop.cc:661
#58 0x7f815aaf08eb in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_pump_default.cc:28
#59 0x7f815aa9a999 in MessageLoop::RunInternal() base/message_loop.cc:427
#60 0x7f815aa9a426 in MessageLoop::RunHandler() base/message_loop.cc:400
#61 0x7f815ac662b1 in base::RunLoop::Run() base/run_loop.cc:45
#62 0x7f815aa980aa in MessageLoop::Run() base/message_loop.cc:307
#63 0x7f814c5ed591 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:241
#64 0x7f8148ef5669 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:402
#65 0x7f8148ef687d in content::RunNamedProcessTypeMain(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:456
#66 0x7f8148efbbcb in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:741
#67 0x7f8148ef30cd in content::ContentMain(int, char const**, content::ContentMainDelegate*) content/app/content_main.cc:35
#68 0x7f815be03abd in ChromeMain chrome/app/chrome_main.cc:32
#69 0x7f815be0378a in main chrome/app/chrome_exe_main_gtk.cc:31
#70 0x7f811bd6876c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
Stats: 7M malloced (34M for red zones) by 33069 calls
Stats: 0M realloced by 99 calls
Stats: 4M freed by 15578 calls
Stats: 0M really freed by 0 calls
Stats: 44M (11286 full pages) mmaped in 88 calls
mmaps by size class: 10:32193; 11:765; 12:256; 13:128; 14:160; 15:48; 16:16; 17:16; 18:4; 19:2;
mallocs by size class: 10:32056; 11:558; 12:179; 13:78; 14:129; 15:37; 16:14; 17:13; 18:3; 19:2;
frees by size class: 10:14830; 11:453; 12:69; 13:63; 14:114; 15:29; 16:8; 17:8; 18:2; 19:2;
rfrees by size class:
Stats: malloc large: 69 small slow: 1149
==21356== ABORTING