Title: [88730] trunk
Revision: 88730
Author: [email protected]
Date: 2011-06-13 16:20:47 -0700 (Mon, 13 Jun 2011)

Log Message

2011-06-13  Jeffrey Pfau  <[email protected]>

        Reviewed by Darin Adler.

        Crash in WebCore::RenderMathMLUnderOver::layout()
        https://bugs.webkit.org/show_bug.cgi?id=57900

        Added a test that tries to remove the children of munder, mover and munderover elements.

        * mathml/munderover-remove-children-expected.txt: Added.
        * mathml/munderover-remove-children.html: Added.

2011-06-13  Jeffrey Pfau  <[email protected]>

        Reviewed by Darin Adler.

        Crash in WebCore::RenderMathMLUnderOver::layout()
        https://bugs.webkit.org/show_bug.cgi?id=57900

        Add more null checks so that removing children in MathML elements does not cause crashes.
        Note that this only half fixes the third repro in the Bugzilla bug, as another bug will
        still crash that repro.

        Test: mathml/munderover-remove-children.html

        * rendering/mathml/RenderMathMLSubSup.cpp:
        (WebCore::RenderMathMLSubSup::stretchToHeight):
        * rendering/mathml/RenderMathMLUnderOver.cpp:
        (WebCore::RenderMathMLUnderOver::layout):
        (WebCore::RenderMathMLUnderOver::nonOperatorHeight):

Diff

Modified: trunk/LayoutTests/ChangeLog (88729 => 88730)


--- trunk/LayoutTests/ChangeLog	2011-06-13 23:06:56 UTC (rev 88729)
+++ trunk/LayoutTests/ChangeLog	2011-06-13 23:20:47 UTC (rev 88730)
@@ -1,3 +1,15 @@
+2011-06-13  Jeffrey Pfau  <[email protected]>
+
+        Reviewed by Darin Adler.
+
+        Crash in WebCore::RenderMathMLUnderOver::layout()
+        https://bugs.webkit.org/show_bug.cgi?id=57900
+
+        Added a test that tries to remove the children of munder, mover and munderover elements.
+
+        * mathml/munderover-remove-children-expected.txt: Added.
+        * mathml/munderover-remove-children.html: Added.
+
 2011-06-13  Wyatt Carss  <[email protected]>
 
         Reviewed by Ryosuke Niwa.

Added: trunk/LayoutTests/mathml/munderover-remove-children-expected.txt (0 => 88730)


--- trunk/LayoutTests/mathml/munderover-remove-children-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/mathml/munderover-remove-children-expected.txt	2011-06-13 23:20:47 UTC (rev 88730)
@@ -0,0 +1 @@
+This test passes if this page has no other text.

Added: trunk/LayoutTests/mathml/munderover-remove-children.html (0 => 88730)


--- trunk/LayoutTests/mathml/munderover-remove-children.html	                        (rev 0)
+++ trunk/LayoutTests/mathml/munderover-remove-children.html	2011-06-13 23:20:47 UTC (rev 88730)
@@ -0,0 +1,57 @@
+<html xmlns='http://www.w3.org/1999/xhtml'>
+<head>
+<title>MathML munder/mover removing children test</title>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<math xmlns='http://www.w3.org/1998/Math/MathML'>
+    <mtext>This test passes if this page has no other text.</mtext>
+    <munder>
+        <mi id="m1">A</mi>
+        <mi id="m2">X</mi>
+    </munder>
+    <mover>
+        <mi id="m3">B</mi>
+        <mi id="m4">Y</mi>
+    </mover>
+    <munderover>
+        <mi id="m5">C</mi>
+        <mi id="m6">Z</mi>
+        <mi id="m7">W</mi>
+    </munderover>
+</math>
+<script>
+try {
+    var elem = document.getElementById("m1");
+    elem.parentNode.removeChild(elem);
+} catch(e) {document.write("Error: " + e.name + ": " + e.message + + " for " + i);}
+try {
+    var elem = document.getElementById("m2");
+    elem.parentNode.removeChild(elem);
+} catch(e) {document.write("Error: " + e.name + ": " + e.message + + " for " + i);}
+try {
+    var elem = document.getElementById("m3");
+    elem.parentNode.removeChild(elem);
+} catch(e) {document.write("Error: " + e.name + ": " + e.message + + " for " + i);}
+try {
+    var elem = document.getElementById("m4");
+    elem.parentNode.removeChild(elem);
+} catch(e) {document.write("Error: " + e.name + ": " + e.message + + " for " + i);}
+try {
+    var elem = document.getElementById("m7");
+    elem.parentNode.removeChild(elem);
+} catch(e) {document.write("Error: " + e.name + ": " + e.message + + " for " + i);}
+try {
+    var elem = document.getElementById("m6");
+    elem.parentNode.removeChild(elem);
+} catch(e) {document.write("Error: " + e.name + ": " + e.message + + " for " + i);}
+try {
+    var elem = document.getElementById("m5");
+    elem.parentNode.removeChild(elem);
+} catch(e) {document.write("Error: " + e.name + ": " + e.message + + " for " + i);}
+</script>
+</body>
+</html>
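
Review bot: The catch handlers in every try block would themselves fail if an exception were ever caught. `e.message + + " for " + i` contains a doubled `+`, so `" for "` is coerced by unary plus to NaN, and `i` is never declared anywhere in the script, so evaluating it raises a ReferenceError before `document.write` runs and the diagnostic text is lost. Drop the `+ " for " + i` tail or replace it with the element id being removed. The seven near-identical blocks could also be a single loop over the ids in removal order ("m1", "m2", "m3", "m4", "m7", "m6", "m5"), which would give the handler a real variable to report.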

Modified: trunk/Source/WebCore/ChangeLog (88729 => 88730)


--- trunk/Source/WebCore/ChangeLog	2011-06-13 23:06:56 UTC (rev 88729)
+++ trunk/Source/WebCore/ChangeLog	2011-06-13 23:20:47 UTC (rev 88730)
@@ -1,3 +1,22 @@
+2011-06-13  Jeffrey Pfau  <[email protected]>
+
+        Reviewed by Darin Adler.
+
+        Crash in WebCore::RenderMathMLUnderOver::layout()
+        https://bugs.webkit.org/show_bug.cgi?id=57900
+
+        Add more null checks so that removing children in MathML elements does not cause crashes.
+        Note that this only half fixes the third repro in the Bugzilla bug, as another bug will
+        still crash that repro.
+
+        Test: mathml/munderover-remove-children.html
+
+        * rendering/mathml/RenderMathMLSubSup.cpp:
+        (WebCore::RenderMathMLSubSup::stretchToHeight):
+        * rendering/mathml/RenderMathMLUnderOver.cpp:
+        (WebCore::RenderMathMLUnderOver::layout):
+        (WebCore::RenderMathMLUnderOver::nonOperatorHeight):
+
 2011-06-13  Dmitry Lomov  <[email protected]>
 
         Reviewed by Adam Barth.
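
Review bot: The entry says the change "only half fixes the third repro" because "another bug will still crash that repro", but gives no bug number for that remaining crash. Reference the follow-up bug here so the known-crashing repro stays tracked once bug 57900 is closed, and say whether the new layout test deliberately leaves that repro out.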

Modified: trunk/Source/WebCore/rendering/mathml/RenderMathMLSubSup.cpp (88729 => 88730)


--- trunk/Source/WebCore/rendering/mathml/RenderMathMLSubSup.cpp	2011-06-13 23:06:56 UTC (rev 88729)
+++ trunk/Source/WebCore/rendering/mathml/RenderMathMLSubSup.cpp	2011-06-13 23:20:47 UTC (rev 88730)
@@ -109,7 +109,7 @@
     if (!base || !base->firstChild())
         return;
     
-    if (base->firstChild()->isRenderMathMLBlock()) {
+    if (base->firstChild() && base->firstChild()->isRenderMathMLBlock()) {
         RenderMathMLBlock* block = toRenderMathMLBlock(base->firstChild());
         block->stretchToHeight(static_cast<int>(gSubSupStretch * height));
         
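
Review bot: The added `base->firstChild() &&` cannot change behaviour, because the early return two lines above (`if (!base || !base->firstChild()) return;`) already guarantees a non-null first child at this point. Either drop the extra test or, if a crash was observed in stretchToHeight, look for the real null dereference elsewhere in the function. The new layout test also only touches munder, mover and munderover, so nothing in this commit exercises RenderMathMLSubSup; a matching test that removes children of msub, msup and msubsup would cover this file.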

Modified: trunk/Source/WebCore/rendering/mathml/RenderMathMLUnderOver.cpp (88729 => 88730)


--- trunk/Source/WebCore/rendering/mathml/RenderMathMLUnderOver.cpp	2011-06-13 23:06:56 UTC (rev 88729)
+++ trunk/Source/WebCore/rendering/mathml/RenderMathMLUnderOver.cpp	2011-06-13 23:20:47 UTC (rev 88730)
@@ -155,7 +155,7 @@
         if (over) {
             // FIXME: descending glyphs intrude into base (e.g. lowercase y over base)
             // FIXME: bases that ascend higher than the line box intrude into the over
-            if (!over->firstChild()->isBoxModelObject())
+            if (!over->firstChild() || !over->firstChild()->isBoxModelObject())
                 break;
             
             int overSpacing = static_cast<int>(gOverSpacingAdjustment * (getOffsetHeight(over) - toRenderBoxModelObject(over->firstChild())->baselinePosition(AlphabeticBaseline, true, HorizontalLine)));
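
Review bot: `over->firstChild()` is now evaluated three times in this block, twice in the condition and again inside `toRenderBoxModelObject(...)` on the overSpacing line. Store it once in a local (for example `RenderObject* overChild = over->firstChild();`), test `!overChild || !overChild->isBoxModelObject()`, and use the local in the cast, so the pointer that is checked is visibly the pointer that is used. The identical check and cast appear again in the later `if (over)` block of this function, so a small static helper that returns the box-model child or null would remove the duplication.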
@@ -183,7 +183,7 @@
             int baseHeight = getOffsetHeight(base);
             // actual base
             base = base->firstChild();
-            if (!base->isBoxModelObject())
+            if (!base || !base->isBoxModelObject())
                 break;
             
             // FIXME: We need to look at the space between a single maximum height of
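
Review bot: The new `!base` test guards only the child. The two lines above it, `getOffsetHeight(base)` and `base->firstChild()`, still dereference the outer `base`, and no null test for it is visible in this context. The new layout test removes every child of each element, so please confirm that a guard for the outer pointer exists earlier in this case, or add one. Reusing the name `base` for both the wrapper and its first child also makes it easy to misread which object was checked; a separate local for the child would make that explicit.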
@@ -207,7 +207,7 @@
         if (over) {
             // FIXME: descending glyphs intrude into base (e.g. lowercase y over base)
             // FIXME: bases that ascend higher than the line box intrude into the over
-            if (!over->firstChild()->isBoxModelObject())
+            if (!over->firstChild() || !over->firstChild()->isBoxModelObject())
                 break;
             int overSpacing = static_cast<int>(gOverSpacingAdjustment * (getOffsetHeight(over) - toRenderBoxModelObject(over->firstChild())->baselinePosition(AlphabeticBaseline, true, HorizontalLine)));
             
@@ -224,7 +224,7 @@
                 int baseHeight = getOffsetHeight(base);
                 // actual base
                 base = base->firstChild();
-                if (!base->isBoxModelObject())
+                if (!base || !base->isBoxModelObject())
                     break;
 
                 // FIXME: We need to look at the space between a single maximum height of
@@ -232,7 +232,7 @@
                 int underSpacing = baseHeight - toRenderBoxModelObject(base)->baselinePosition(AlphabeticBaseline, true, HorizontalLine);
                 
                 RenderObject* under = lastChild();
-                if (under && under->firstChild()->isRenderInline() && underSpacing > 0)
+                if (under && under->firstChild() && under->firstChild()->isRenderInline() && underSpacing > 0)
                     under->style()->setMarginTop(Length(-underSpacing, Fixed));
                 
             }
@@ -282,7 +282,7 @@
 {
     int nonOperators = 0;
     for (RenderObject* current = firstChild(); current; current = current->nextSibling()) {
-        if (current->firstChild()->isRenderMathMLBlock()) {
+        if (current->firstChild() && current->firstChild()->isRenderMathMLBlock()) {
             RenderMathMLBlock* block = toRenderMathMLBlock(current->firstChild());
             if (!block->isRenderMathMLOperator()) 
                 nonOperators += getOffsetHeight(current);