[Webkit-unassigned] [Bug 141371] New: [iOS] Some MathML tests crash in RenderMathMLOperator::advanceForGlyph() or boundsForGlyph()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Feb 8 11:52:44 PST 2015 

https://bugs.webkit.org/show_bug.cgi?id=141371

            Bug ID: 141371
           Summary: [iOS] Some MathML tests crash in
                    RenderMathMLOperator::advanceForGlyph() or
                    boundsForGlyph()
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Text
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ddkilzer at webkit.org
                CC: mmaxfield at apple.com

The following layout tests crash in RenderMathMLOperator::advanceForGlyph() with WebKit2 (but not WebKit1):

mathml/opentype/horizontal.html
mathml/opentype/horizontal-munderover.html
mathml/opentype/large-operators.html
mathml/opentype/munderover-layout-resize.html
mathml/opentype/munderover-layout-resize-expected.html
mathml/presentation/mo-invisible.html

This layout test crashes in RenderMathMLOperator::boundsForGlyph() with WebKit2 (but not WebKit1), and looks like a dupe:

mathml/opentype/vertical.html

Example crash stack:

Thread 0 Crashed ↩:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                 0x000000010dea0bd5 WebCore::RenderMathMLOperator::advanceForGlyph(WebCore::GlyphData const&) const + 21
1   com.apple.WebCore                 0x000000010dea010d WebCore::RenderMathMLOperator::updateStyle() + 445
2   com.apple.WebCore                 0x000000010dea255e WebCore::RenderMathMLOperator::rebuildTokenContent(WTF::String const&) + 350
3   com.apple.WebCore                 0x000000010de9ef2b WebCore::RenderMathMLOperator::updateTokenContent() + 43
4   com.apple.WebCore                 0x000000010de9f046 WebCore::RenderMathMLOperator::RenderMathMLOperator(WebCore::MathMLElement&, WTF::Ref<WebCore::RenderStyle>&&) + 182
5   com.apple.WebCore                 0x000000010dca0ddd WebCore::MathMLTextElement::createElementRenderer(WTF::Ref<WebCore::RenderStyle>&&) + 157
6   com.apple.WebCore                 0x000000010e0e301a WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1514
7   com.apple.WebCore                 0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
8   com.apple.WebCore                 0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
9   com.apple.WebCore                 0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
10  com.apple.WebCore                 0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
11  com.apple.WebCore                 0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
12  com.apple.WebCore                 0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
13  com.apple.WebCore                 0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
14  com.apple.WebCore                 0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
15  com.apple.WebCore                 0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
16  com.apple.WebCore                 0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
17  com.apple.WebCore                 0x000000010e0e33c0 WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 176
18  com.apple.WebCore                 0x000000010e0e2f2f WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 1279
19  com.apple.WebCore                 0x000000010e0e0bca WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 682
20  com.apple.WebCore                 0x000000010e0e089e WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 334
21  com.apple.WebCore                 0x000000010d436c3d WebCore::Document::recalcStyle(WebCore::Style::Change) + 269
22  com.apple.WebCore                 0x000000010d443821 WebCore::Document::finishedParsing() + 369
23  com.apple.WebCore                 0x000000010d696609 WebCore::HTMLDocumentParser::prepareToStopParsing() + 169
24  com.apple.WebCore                 0x000000010d46d90f WebCore::DocumentWriter::end() + 63
25  com.apple.WebCore                 0x000000010d453ec0 WebCore::DocumentLoader::finishedLoading(double) + 464
26  com.apple.WebCore                 0x000000010d27f671 WebCore::CachedResource::checkNotify() + 353
27  com.apple.WebCore                 0x000000010d27afc5 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 229
28  com.apple.WebCore                 0x000000010e0efd8d WebCore::SubresourceLoader::didFinishLoading(double) + 1069
29  com.apple.WebKit                  0x000000010a1e8df5 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 645 (WebResourceLoaderMessageReceiver.cpp:93)
30  com.apple.WebKit                  0x000000010a016774 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 102 (memory:2608)
31  com.apple.WebKit                  0x000000010a019120 IPC::Connection::dispatchOneMessage() + 114 (memory:2628)
32  JavaScriptCore                    0x000000010cb1f566 WTF::RunLoop::performWork() + 454 (RunLoop.cpp:106)
33  JavaScriptCore                    0x000000010cb1fe1a WTF::RunLoop::performWork(void*) + 26 (RunLoopCF.cpp:38)
34  com.apple.CoreFoundation          0x0000000105d875a1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
35  com.apple.CoreFoundation          0x0000000105d7d12d __CFRunLoopDoSources0 + 269
36  com.apple.CoreFoundation          0x0000000105d7c6fb __CFRunLoopRun + 827
37  com.apple.CoreFoundation          0x0000000105d7c13c CFRunLoopRunSpecific + 476
38  com.apple.Foundation              0x00000001050d2772 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 275
39  com.apple.Foundation              0x000000010515dd12 -[NSRunLoop(NSRunLoop) run] + 76
40  libxpc.dylib                      0x0000000106c139c6 _xpc_objc_main + 380
41  libxpc.dylib                      0x0000000106c15d6f xpc_main + 189
42  com.apple.WebKit.WebContent.Development    0x0000000105003280 main + 16 (XPCServiceMain.Development.mm:94)
43  libdyld.dylib                     0x0000000106979a05 start + 1

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150208/981f22bb/attachment-0002.html>

More information about the webkit-unassigned mailing list