[Webkit-unassigned] [Bug 100465] New: MathML fuzzing bugs - 3

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 25 22:44:04 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=100465

           Summary: MathML fuzzing bugs - 3
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: MathML
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: inferno at chromium.org


Created an attachment (id=170818)
 --> (https://bugs.webkit.org/attachment.cgi?id=170818&action=review)
Testcase - 3

==28198== ERROR: AddressSanitizer crashed on unknown address 0x000000000034 (pc 0x7fb6494d914b sp 0x7fff6f9185e0 bp 0x7fff6f9186b0 T0)
AddressSanitizer can not provide additional info.
    #0 0x7fb6494d914a in WebCore::RenderObject::RenderObjectBitfields::positioned() const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:1053
    #1 0x7fb6494d8ff0 in WebCore::RenderObject::isOutOfFlowPositioned() const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:529
    #2 0x7fb64ffae5a7 in WebCore::RenderFlexibleBox::firstLineBoxBaseline() const third_party/WebKit/Source/WebCore/rendering/RenderFlexibleBox.cpp:258
    #3 0x7fb64ffaeb89 in WebCore::RenderFlexibleBox::firstLineBoxBaseline() const third_party/WebKit/Source/WebCore/rendering/RenderFlexibleBox.cpp:276
    #4 0x7fb65072f061 in WebCore::RenderMathMLBlock::baselinePosition(WebCore::FontBaseline, bool, WebCore::LineDirectionMode, WebCore::LinePositionMode) const third_party/WebKit/Source/WebCore/rendering/mathml/RenderMathMLBlock.cpp:208
    #5 0x7fb64fa27425 in WebCore::InlineBox::baselinePosition(WebCore::FontBaseline) const third_party/WebKit/Source/WebCore/rendering/InlineBox.cpp:164
    #6 0x7fb6506f3478 in WebCore::RootInlineBox::ascentAndDescentForBox(WebCore::InlineBox*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, int&, int&, bool&, bool&) const third_party/WebKit/Source/WebCore/rendering/RootInlineBox.cpp:744
    #7 0x7fb64fa3f744 in WebCore::InlineFlowBox::computeLogicalBoxHeights(WebCore::RootInlineBox*, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, bool&, bool&, bool, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::FontBaseline, WebCore::VerticalPositionCache&) third_party/WebKit/Source/WebCore/rendering/InlineFlowBox.cpp:565
    #8 0x7fb6506e75cc in WebCore::RootInlineBox::alignBoxesInBlockDirection(WebCore::FractionalLayoutUnit, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) third_party/WebKit/Source/WebCore/rendering/RootInlineBox.cpp:275
    #9 0x7fb64fd117ba in WebCore::RenderBlock::computeBlockDirectionPositionsForLine(WebCore::RootInlineBox*, WebCore::BidiRun*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:966
    #10 0x7fb64fd1304b in WebCore::RenderBlock::createLineBoxesFromBidiRuns(WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul>&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1198
    #11 0x7fb64fd1c7f1 in WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1484
    #12 0x7fb64fd1482e in WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1372
    #13 0x7fb64fd3afa1 in WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1714
    #14 0x7fb64fb12315 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1555
    #15 0x7fb64fb0debd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383
    #16 0x7fb64fb42677 in WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2485
    #17 0x7fb64fb1b0cf in WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2421
    #18 0x7fb64fb12396 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1557
    #19 0x7fb64fb0debd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383
    #20 0x7fb64fb42677 in WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2485
    #21 0x7fb64fb1b0cf in WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2421
    #22 0x7fb64fb12396 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1557
    #23 0x7fb64fb0debd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383
    #24 0x7fb65064d64e in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) third_party/WebKit/Source/WebCore/rendering/RenderView.cpp:140
    #25 0x7fb65064f5e2 in WebCore::RenderView::layout() third_party/WebKit/Source/WebCore/rendering/RenderView.cpp:197
    #26 0x7fb64f1d5590 in WebCore::FrameView::layout(bool) third_party/WebKit/Source/WebCore/page/FrameView.cpp:1191
    #27 0x7fb64f1bf5a8 in WebCore::FrameView::layoutTimerFired(WebCore::Timer<WebCore::FrameView>*) third_party/WebKit/Source/WebCore/page/FrameView.cpp:2129
    #28 0x7fb64f25b494 in WebCore::Timer<WebCore::FrameView>::fired() third_party/WebKit/Source/WebCore/platform/Timer.h:106
    #29 0x7fb64b06d5e6 in WebCore::ThreadTimers::sharedTimerFiredInternal() third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:116
    #30 0x7fb64b06c8a8 in WebCore::ThreadTimers::sharedTimerFired() third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:93
    #31 0x7fb65cdeb0dc in webkit_glue::WebKitPlatformSupportImpl::DoTimeout() ./webkit/glue/webkitplatformsupport_impl.h:165
    #32 0x7fb65cdf357f in base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>::Run(webkit_glue::WebKitPlatformSupportImpl*) ./base/bind_internal.h:134
    #33 0x7fb65cdf31ca in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void (webkit_glue::WebKitPlatformSupportImpl*)>::MakeItSo(base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, webkit_glue::WebKitPlatformSupportImpl*) ./base/bind_internal.h:870
    #34 0x7fb65cdf2ed7 in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void (webkit_glue::WebKitPlatformSupportImpl*), void (base::internal::UnretainedWrapper<webkit_glue::WebKitPlatformSupportImpl>)>, void (webkit_glue::WebKitPlatformSupportImpl*)>::Run(base::internal::BindStateBase*) ./base/bind_internal.h:1172
    #35 0x7fb6749c151c in base::Callback<void ()>::Run() const ./base/callback.h:391
    #36 0x7fb67500e03b in base::Timer::RunScheduledTask() base/timer.cc:181
    #37 0x7fb67500e9f0 in base::BaseTimerTaskInternal::Run() base/timer.cc:46
    #38 0x7fb67501154f in base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>::Run(base::BaseTimerTaskInternal*) ./base/bind_internal.h:134
    #39 0x7fb67501119a in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void (base::BaseTimerTaskInternal*)>::MakeItSo(base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, base::BaseTimerTaskInternal*) ./base/bind_internal.h:870
    #40 0x7fb675010e93 in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void (base::BaseTimerTaskInternal*), void (base::internal::OwnedWrapper<base::BaseTimerTaskInternal>)>, void (base::BaseTimerTaskInternal*)>::Run(base::internal::BindStateBase*) ./base/bind_internal.h:1172
    #41 0x7fb6749c151c in base::Callback<void ()>::Run() const ./base/callback.h:391
    #42 0x7fb674bdd59d in MessageLoop::RunTask(base::PendingTask const&) base/message_loop.cc:470
    #43 0x7fb674bdf40a in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop.cc:482
    #44 0x7fb674bdfac5 in MessageLoop::DoWork() base/message_loop.cc:661
    #45 0x7fb674c3171b in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_pump_default.cc:28
    #46 0x7fb674bdb7c9 in MessageLoop::RunInternal() base/message_loop.cc:427
    #47 0x7fb674bdb256 in MessageLoop::RunHandler() base/message_loop.cc:400
    #48 0x7fb674da6d21 in base::RunLoop::Run() base/run_loop.cc:45
    #49 0x7fb674bd8eda in MessageLoop::Run() base/message_loop.cc:307
    #50 0x7fb666721691 in RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:239
    #51 0x7fb6630204d9 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:402
    #52 0x7fb6630216ed in content::RunNamedProcessTypeMain(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:456
    #53 0x7fb663026a3b in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:741
    #54 0x7fb66301df3d in content::ContentMain(int, char const**, content::ContentMainDelegate*) content/app/content_main.cc:35
    #55 0x7fb675f43a5d in ChromeMain chrome/app/chrome_main.cc:32
    #56 0x7fb675f4372a in main chrome/app/chrome_exe_main_gtk.cc:31
    #57 0x7fb635fc976c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
==28198== ABORTING
