[Webkit-unassigned] [Bug 100465] MathML fuzzing bugs - 3

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Oct 26 11:10:50 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=100465


Ojan Vafai <ojan at chromium.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #170818|0                           |1
        is obsolete|                            |
 Attachment #170954|0                           |1
        is obsolete|                            |




--- Comment #5 from Ojan Vafai <ojan at chromium.org>  2012-10-26 11:12:01 PST ---
Created an attachment (id=170964)
 --> (https://bugs.webkit.org/attachment.cgi?id=170964&action=review)
more minimal test case

It looks like when the input gets removed from the msubsup element, we're left with an anonymous flexbox inside the msubsup element. We try to get the baseline of the msubsup, and then try to get the baseline of the anonymous flexbox and crash because it has no firstChild, but did the last time we laid it out.
