<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - ASSERTION FAILED: !isAnonymous() in WebCore::RenderMathMLOperator::updateTokenContent"
href="https://bugs.webkit.org/show_bug.cgi?id=166011">166011</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>ASSERTION FAILED: !isAnonymous() in WebCore::RenderMathMLOperator::updateTokenContent
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Local Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>MathML
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>hodovan@inf.u-szeged.hu
</td>
</tr></table>
<p>
<div>
<pre>Load the attached test with debug WebKitTestRunner:
Checked version: f368f1d
OS: Darwin-15.6.0-x86_64-i386-64bit
<math display="block"><mfenced><mfrac>
Backtrace:
ASSERTION FAILED: !isAnonymous()
WebKit/Source/WebCore/rendering/mathml/RenderMathMLOperator.cpp(257) : virtual void WebCore::RenderMathMLOperator::updateTokenContent()
1 0x118fc6c71 WTFCrash
2 0x122e34756 WebCore::RenderMathMLOperator::updateTokenContent()
3 0x121f0babd WebCore::MathMLStyle::updateStyleIfNeeded(WebCore::RenderObject*, bool, WebCore::MathMLElement::MathVariant)
4 0x121f0b2a7 WebCore::MathMLStyle::resolveMathMLStyle(WebCore::RenderObject*)
5 0x121f0ae9a WebCore::MathMLStyle::resolveMathMLStyleTree(WebCore::RenderObject*)
6 0x121ef7d03 WebCore::MathMLMathElement::didAttachRenderers()
7 0x12324d0af WebCore::RenderTreeUpdater::popParent()
8 0x12324b24f WebCore::RenderTreeUpdater::popParentsToDepth(unsigned int)
9 0x12324ac8a WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&)
10 0x12324a2bf WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update, std::__1::default_delete<WebCore::Style::Update> >)
11 0x11e77e3a9 WebCore::Document::recalcStyle(WebCore::Style::Change)
12 0x11e7688cb WebCore::Document::updateStyleIfNeeded()
13 0x11f55ed4f WebCore::HTMLEmbedElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&)
14 0x11eb54fd1 WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason)
15 0x123b44e4f WebCore::StyledElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason)
16 0x11eb56963 WebCore::Element::parserSetAttributes(WTF::Vector<WebCore::Attribute, 0ul, WTF::CrashOnOverflow, 16ul> const&)
17 0x11f493dad WebCore::setAttributes(WebCore::Element&, WTF::Vector<WebCore::Attribute, 0ul, WTF::CrashOnOverflow, 16ul>&, WebCore::ParserContentPolicy)
18 0x11f490656 WebCore::setAttributes(WebCore::Element&, WebCore::AtomicHTMLToken&, WebCore::ParserContentPolicy)
19 0x11f49393c WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**)
20 0x11f492102 WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&)
21 0x11f493f1c WebCore::HTMLConstructionSite::insertSelfClosingHTMLElement(WebCore::AtomicHTMLToken&&)
22 0x11f7a496f WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&)
23 0x11f79c511 WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&)
24 0x11f79b265 WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&&)
25 0x11f79a069 WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&)
26 0x11f509cb8 WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&)
27 0x11f509a03 WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)
28 0x11f5075e3 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
29 0x11f506fa0 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
30 0x11f50b1dc WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&)
31 0x11e65e74c WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long)
ASAN:DEADLYSIGNAL
=================================================================
==41182==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x000118fc6ca9 bp 0x7fff509b3960 sp 0x7fff509b3950 T0)
#0 0x118fc6ca8 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2f81ca8)
#1 0x122e34755 in WebCore::RenderMathMLOperator::updateTokenContent() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5897755)
#2 0x121f0babc in WebCore::MathMLStyle::updateStyleIfNeeded(WebCore::RenderObject*, bool, WebCore::MathMLElement::MathVariant) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x496eabc)
#3 0x121f0b2a6 in WebCore::MathMLStyle::resolveMathMLStyle(WebCore::RenderObject*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x496e2a6)
#4 0x121f0ae99 in WebCore::MathMLStyle::resolveMathMLStyleTree(WebCore::RenderObject*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x496de99)
#5 0x121ef7d02 in WebCore::MathMLMathElement::didAttachRenderers() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x495ad02)
#6 0x12324d0ae in WebCore::RenderTreeUpdater::popParent() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5cb00ae)
#7 0x12324b24e in WebCore::RenderTreeUpdater::popParentsToDepth(unsigned int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5cae24e)
#8 0x12324ac89 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5cadc89)
#9 0x12324a2be in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update, std::__1::default_delete<WebCore::Style::Update> >) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5cad2be)
#10 0x11e77e3a8 in WebCore::Document::recalcStyle(WebCore::Style::Change) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x11e13a8)
#11 0x11e7688ca in WebCore::Document::updateStyleIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x11cb8ca)
#12 0x11f55ed4e in WebCore::HTMLEmbedElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fc1d4e)
#13 0x11eb54fd0 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x15b7fd0)
#14 0x123b44e4e in WebCore::StyledElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x65a7e4e)
#15 0x11eb56962 in WebCore::Element::parserSetAttributes(WTF::Vector<WebCore::Attribute, 0ul, WTF::CrashOnOverflow, 16ul> const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x15b9962)
#16 0x11f493dac in WebCore::setAttributes(WebCore::Element&, WTF::Vector<WebCore::Attribute, 0ul, WTF::CrashOnOverflow, 16ul>&, WebCore::ParserContentPolicy) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef6dac)
#17 0x11f490655 in WebCore::setAttributes(WebCore::Element&, WebCore::AtomicHTMLToken&, WebCore::ParserContentPolicy) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef3655)
#18 0x11f49393b in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef693b)
#19 0x11f492101 in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef5101)
#20 0x11f493f1b in WebCore::HTMLConstructionSite::insertSelfClosingHTMLElement(WebCore::AtomicHTMLToken&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef6f1b)
#21 0x11f7a496e in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x220796e)
#22 0x11f79c510 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x21ff510)
#23 0x11f79b264 in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x21fe264)
#24 0x11f79a068 in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x21fd068)
#25 0x11f509cb7 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6ccb7)
#26 0x11f509a02 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6ca02)
#27 0x11f5075e2 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6a5e2)
#28 0x11f506f9f in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f69f9f)
#29 0x11f50b1db in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6e1db)
#30 0x11e65e74b in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x10c174b)
#31 0x11e988ab1 in WebCore::DocumentWriter::addData(char const*, unsigned long) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x13ebab1)
#32 0x11e8cfff5 in WebCore::DocumentLoader::commitData(char const*, unsigned long) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1332ff5)
#33 0x11038ae9d in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x112be9d)
#34 0x11e8d5186 in WebCore::DocumentLoader::commitLoad(char const*, int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1338186)
#35 0x11e8d4eca in WebCore::DocumentLoader::dataReceived(char const*, int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1337eca)
#36 0x11e8d5568 in WebCore::DocumentLoader::dataReceived(WebCore::CachedResource&, char const*, int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1338568)
#37 0x11db84f71 in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5e7f71)
#38 0x11db84c20 in WebCore::CachedRawResource::addDataBuffer(WebCore::SharedBuffer&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5e7c20)
#39 0x123c9114a in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer>&&, long long, WebCore::DataPayloadType) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x66f414a)
#40 0x123c90a80 in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x66f3a80)
#41 0x110d7ab3a in WebKit::WebResourceLoader::didReceiveData(IPC::DataReference const&, long long) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b1bb3a)
#42 0x110d88ae3 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>, 0ul, 1ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b29ae3)
#43 0x110d885e4 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>, std::__1::integer_sequence<unsigned long, 0ul, 1ul> >(std::__1::tuple<IPC::DataReference, long long>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b295e4)
#44 0x110d85cf1 in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b26cf1)
#45 0x110d84280 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b25280)
#46 0x10fa24629 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x7c5629)
#47 0x10f43830a in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d930a)
#48 0x10f422184 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1c3184)
#49 0x10f438ff5 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d9ff5)
#50 0x10f4495ac in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1ea5ac)
#51 0x10f4494d8 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1ea4d8)
#52 0x11904cb60 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3007b60)
#53 0x11908f5b6 in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x304a5b6)
#54 0x119090781 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x304b781)
#55 0x7fff94efd7e0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa7e0)
#56 0x7fff94edcf1b in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89f1b)
#57 0x7fff94edc43e in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8943e)
#58 0x7fff94edbe37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
#59 0x7fff93297934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
#60 0x7fff9329776e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
#61 0x7fff932975ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
#62 0x7fff98137df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
#63 0x7fff98137225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
#64 0x7fff9812bd7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
#65 0x7fff980f5367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
#66 0x7fff8beec193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
#67 0x7fff8beeabbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
#68 0x10f242f73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73)
#69 0x7fff9ecd85ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
#70 0x0 (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2f81ca8) in WTFCrash
==41182==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 41182)</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>