Skip to site navigation (Press enter)

[webkit-changes] [137696] branches/chromium/1312

cevans Thu, 13 Dec 2012 18:22:27 -0800

Title: [137696] branches/chromium/1312

Revision: 137696
Author: [email protected]
Date: 2012-12-13 18:24:13 -0800 (Thu, 13 Dec 2012)

Log Message

Merge 136554
BUG=158533
Review URL: https://codereview.chromium.org/11569024


Modified Paths

branches/chromium/1312/Source/WebCore/rendering/RenderLayer.cpp


Added Paths

branches/chromium/1312/LayoutTests/mathml/mfenced-root-layer-expected.txt
branches/chromium/1312/LayoutTests/mathml/mfenced-root-layer.html

Diff

Copied: branches/chromium/1312/LayoutTests/mathml/mfenced-root-layer-expected.txt (from rev 136554, trunk/LayoutTests/mathml/mfenced-root-layer-expected.txt) (0 => 137696)


--- branches/chromium/1312/LayoutTests/mathml/mfenced-root-layer-expected.txt	                        (rev 0)
+++ branches/chromium/1312/LayoutTests/mathml/mfenced-root-layer-expected.txt	2012-12-14 02:24:13 UTC (rev 137696)
@@ -0,0 +1,2 @@
+Bug 100764: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]
+This test passes if it does not crash.

Copied: branches/chromium/1312/LayoutTests/mathml/mfenced-root-layer.html (from rev 136554, trunk/LayoutTests/mathml/mfenced-root-layer.html) (0 => 137696)


--- branches/chromium/1312/LayoutTests/mathml/mfenced-root-layer.html	                        (rev 0)
+++ branches/chromium/1312/LayoutTests/mathml/mfenced-root-layer.html	2012-12-14 02:24:13 UTC (rev 137696)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    var mfenced = document.createElementNS("http://www.w3.org/1998/Math/MathML", "mfenced");
+
+    var docElt = document.documentElement;
+    docElt.parentNode.removeChild(docElt);
+
+    document.appendChild(mfenced);
+
+    var e = document.createElement("div");
+    e.innerHTML = "<a href=''>Bug 100764</a>: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]<br>This test passes if it does not crash.";
+    mfenced.appendChild(e);
+</script>

Modified: branches/chromium/1312/Source/WebCore/rendering/RenderLayer.cpp (137695 => 137696)


--- branches/chromium/1312/Source/WebCore/rendering/RenderLayer.cpp	2012-12-14 02:13:33 UTC (rev 137695)
+++ branches/chromium/1312/Source/WebCore/rendering/RenderLayer.cpp	2012-12-14 02:24:13 UTC (rev 137696)
@@ -960,8 +960,10 @@
 RenderLayer* RenderLayer::stackingContext() const
 {
     RenderLayer* layer = parent();
-    while (layer && !layer->isRootLayer() && !layer->renderer()->isRoot() && layer->renderer()->style()->hasAutoZIndex())
+    while (layer && !layer->isStackingContext())
         layer = layer->parent();
+
+    ASSERT(!layer || layer->isStackingContext());
     return layer;
 }

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes