[Webkit-unassigned] [Bug 100465] MathML fuzzing bugs - 3

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Oct 26 22:25:24 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=100465

--- Comment #8 from Dave Barton <dbarton at mathscribe.com>  2012-10-26 22:26:35 PST ---
Created an attachment (id=171073)
 --> (https://bugs.webkit.org/attachment.cgi?id=171073&action=review)
Ojan's test case without MathML

I like both Eric's and Ojan's analysis and reduced test cases (thanks!). However, I counter-argue and claim it's still a flexbox bug. :) Here's an attachment that seems to cause the same crash, just using <div> elements and -webkit-inline-flex like MathML (msubsup) uses them.

My flexbox code may be a few days old, but here's my stack trace:

crash log for DumpRenderTree (pid 99385):
STDOUT: <empty>
STDERR: [99385:-1603631808:383108477912945:ERROR:process_util_posix.cc(144)] Received signal 10
STDERR:     0   DumpRenderTree                      0x5db65f2f base::debug::StackTrace::StackTrace() + 63
STDERR:     1   DumpRenderTree                      0x5db65ecb base::debug::StackTrace::StackTrace() + 43
STDERR:     2   DumpRenderTree                      0x5dc23487 base::(anonymous namespace)::StackDumpSignalHandler(int, __siginfo*, __darwin_ucontext*) + 295
STDERR:     3   libSystem.B.dylib                   0x9588405b _sigtramp + 43
STDERR:     4   ???                                 0xffffffff 0x0 + 4294967295
STDERR:     5   DumpRenderTree                      0x6078dc12 WebCore::RenderObject::isOutOfFlowPositioned() const + 50
STDERR:     6   DumpRenderTree                      0x608006e3 WebCore::RenderFlexibleBox::firstLineBoxBaseline() const + 275
STDERR:     7   DumpRenderTree                      0x608008c5 WebCore::RenderFlexibleBox::firstLineBoxBaseline() const + 757
STDERR:     8   DumpRenderTree                      0x6080039f WebCore::RenderFlexibleBox::baselinePosition(WebCore::FontBaseline, bool, WebCore::LineDirectionMode, WebCore::LinePositionMode) const + 79
STDERR:     9   DumpRenderTree                      0x606a6f6d WebCore::InlineBox::baselinePosition(WebCore::FontBaseline) const + 173
STDERR:     10  DumpRenderTree                      0x609d2de3 WebCore::RootInlineBox::ascentAndDescentForBox(WebCore::InlineBox*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, int&, int&, bool&, bool&) const + 307
STDERR:     11  DumpRenderTree                      0x606abe54 WebCore::InlineFlowBox::computeLogicalBoxHeights(WebCore::RootInlineBox*, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&, int&, int&, bool&, bool&, bool, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::FontBaseline, WebCore::VerticalPositionCache&) + 820
STDERR:     12  DumpRenderTree                      0x609cf5b5 WebCore::RootInlineBox::alignBoxesInBlockDirection(WebCore::FractionalLayoutUnit, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) + 517
STDERR:     13  DumpRenderTree                      0x60745607 WebCore::RenderBlock::computeBlockDirectionPositionsForLine(WebCore::RootInlineBox*, WebCore::BidiRun*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&) + 135
STDERR:     14  DumpRenderTree                      0x60745ad1 WebCore::RenderBlock::createLineBoxesFromBidiRuns(WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul>&) + 497
STDERR:     15  DumpRenderTree                      0x60747f6d WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 3357
STDERR:     16  DumpRenderTree                      0x6074617e WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1406
STDERR:     17  DumpRenderTree                      0x6074eaa6 WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1798
STDERR:     18  DumpRenderTree                      0x606d03fd WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1501
STDERR:     19  DumpRenderTree                      0x606cf0f3 WebCore::RenderBlock::layout() + 163
STDERR:     20  DumpRenderTree                      0x606dcc0d WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1117
STDERR:     21  DumpRenderTree                      0x606d2c6b WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 1499
STDERR:     22  DumpRenderTree                      0x606d0427 WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1543
STDERR:     23  DumpRenderTree                      0x606cf0f3 WebCore::RenderBlock::layout() + 163
STDERR:     24  DumpRenderTree                      0x606dcc0d WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1117
STDERR:     25  DumpRenderTree                      0x606d2c6b WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 1499
STDERR:     26  DumpRenderTree                      0x606d0427 WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1543
STDERR:     27  DumpRenderTree                      0x606cf0f3 WebCore::RenderBlock::layout() + 163
STDERR:     28  DumpRenderTree                      0x609a9531 WebCore::RenderView::layoutContent(WebCore::LayoutState const&) + 161
STDERR:     29  DumpRenderTree                      0x609a9dd9 WebCore::RenderView::layout() + 1353
STDERR:     30  DumpRenderTree                      0x604c9632 WebCore::FrameView::layout(bool) + 3778
STDERR:     31  DumpRenderTree                      0x5d90f9df WebCore::Document::implicitClose() + 1071
STDERR:     32  DumpRenderTree                      0x6034e522 WebCore::FrameLoader::checkCallImplicitClose() + 178
STDERR:     33  DumpRenderTree                      0x6034e09e WebCore::FrameLoader::checkCompleted() + 366
STDERR:     34  DumpRenderTree                      0x6034ca23 WebCore::FrameLoader::finishedParsing() + 195
STDERR:     35  DumpRenderTree                      0x5d91d51b WebCore::Document::finishedParsing() + 651
STDERR:     36  DumpRenderTree                      0x5f4320c9 WebCore::HTMLTreeBuilder::finished() + 185
STDERR:     37  DumpRenderTree                      0x5f3f787b WebCore::HTMLDocumentParser::end() + 283
STDERR:     38  DumpRenderTree                      0x5f3f6659 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 329
STDERR:     39  DumpRenderTree                      0x5f3f6398 WebCore::HTMLDocumentParser::prepareToStopParsing() + 312
STDERR:     40  DumpRenderTree                      0x5f3f6ff1 WebCore::HTMLDocumentParser::endIfDelayed() + 129
STDERR:     41  DumpRenderTree                      0x5f3f6f3b WebCore::HTMLDocumentParser::resumeParsingAfterYield() + 91
STDERR:     42  DumpRenderTree                      0x5f40c704 WebCore::HTMLParserScheduler::continueNextChunkTimerFired(WebCore::Timer<WebCore::HTMLParserScheduler>*) + 228
STDERR:     43  DumpRenderTree                      0x5f40cdb7 WebCore::Timer<WebCore::HTMLParserScheduler>::fired() + 135
STDERR:     44  DumpRenderTree                      0x5f51c96b WebCore::ThreadTimers::sharedTimerFiredInternal() + 347
STDERR:     45  DumpRenderTree                      0x5f51c6ef WebCore::ThreadTimers::sharedTimerFired() + 47
STDERR:     46  DumpRenderTree                      0x616afd59 webkit_glue::WebKitPlatformSupportImpl::DoTimeout() + 73
STDERR:     47  DumpRenderTree                      0x616b0954 base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>::Run(webkit_glue::WebKitPlatformSupportImpl*) + 132
STDERR:     48  DumpRenderTree                      0x616b0853 base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void ()(webkit_glue::WebKitPlatformSupportImpl*)>::MakeItSo(base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, webkit_glue::WebKitPlatformSupportImpl*) + 67
STDERR:     49  DumpRenderTree                      0x616b0793 base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void ()(webkit_glue::WebKitPlatformSupportImpl*), void ()(base::internal::UnretainedWrapper<webkit_glue::WebKitPlatformSupportImpl>)>, void ()(webkit_glue::WebKitPlatformSupportImpl*)>::Run(base::internal::BindStateBase*) + 115
STDERR:     50  DumpRenderTree                      0x5dbd20fb base::Callback<void ()()>::Run() const + 75
STDERR:     51  DumpRenderTree                      0x5dca7a50 base::Timer::RunScheduledTask() + 368
STDERR:     52  DumpRenderTree                      0x5dca7c59 base::BaseTimerTaskInternal::Run() + 89
STDERR:     53  DumpRenderTree                      0x5dca8524 base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>::Run(base::BaseTimerTaskInternal*) + 132
STDERR:     54  DumpRenderTree                      0x5dca8423 base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void ()(base::BaseTimerTaskInternal*)>::MakeItSo(base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, base::BaseTimerTaskInternal*) + 67
STDERR:     55  DumpRenderTree                      0x5dca835e base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void ()(base::BaseTimerTaskInternal*), void ()(base::internal::OwnedWrapper<base::BaseTimerTaskInternal>)>, void ()(base::BaseTimerTaskInternal*)>::Run(base::internal::BindStateBase*) + 110
STDERR:     56  DumpRenderTree                      0x5dbd20fb base::Callback<void ()()>::Run() const + 75
STDERR:     57  DumpRenderTree                      0x5dbcf657 MessageLoop::RunTask(base::PendingTask const&) + 1159
STDERR:     58  DumpRenderTree                      0x5dbcfb52 MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) + 98
STDERR:     59  DumpRenderTree                      0x5dbcfd52 MessageLoop::DoWork() + 322
STDERR:     60  DumpRenderTree                      0x5db3bccb base::MessagePumpCFRunLoopBase::RunWork() + 107
STDERR:     61  DumpRenderTree                      0x5db3b482 base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 50
STDERR: ax: a069e4c0, bx: 41e201, cx: 1c, dx: f7cdcf89
STDERR: di: 41e2bc, si: 0, bp: bfff9dd8, sp: bfff9dc0, ss: 1f, flags: 10286
STDERR: ip: 607a3767, cs: 17, ds: 1f, es: 1f, fs: 0, gs: 37
