Diff
Modified: trunk/LayoutTests/ChangeLog (158197 => 158198)
--- trunk/LayoutTests/ChangeLog 2013-10-29 17:17:22 UTC (rev 158197)
+++ trunk/LayoutTests/ChangeLog 2013-10-29 17:40:52 UTC (rev 158198)
@@ -1,3 +1,16 @@
+2013-10-25 Brent Fulgham <[email protected]>
+
+ [MathML] invalid cast in WebCore::toRenderMathMLBlock
+ https://bugs.webkit.org/show_bug.cgi?id=121728
+
+ Reviewed by Dean Jackson.
+
+ * mathml/arbitrary-markup-expected.txt: Added.
+ * mathml/arbitrary-markup.html: Added.
+ * mathml/mfenced-root-layer.html: Modified to avoid invalid
+ use of arbitrary markup inside mfenced element.
+ * mathml/mfenced-root-layer-expected.txt: Rebaselined.
+
2013-10-29 Chris Fleizach <[email protected]>
AX: elements with explicit tabindex should expose AXFocused as writable, since mouse clicks can focus it
Added: trunk/LayoutTests/mathml/arbitrary-markup-expected.txt (0 => 158198)
--- trunk/LayoutTests/mathml/arbitrary-markup-expected.txt (rev 0)
+++ trunk/LayoutTests/mathml/arbitrary-markup-expected.txt 2013-10-29 17:40:52 UTC (rev 158198)
@@ -0,0 +1,2 @@
+b
+
Added: trunk/LayoutTests/mathml/arbitrary-markup.html (0 => 158198)
--- trunk/LayoutTests/mathml/arbitrary-markup.html (rev 0)
+++ trunk/LayoutTests/mathml/arbitrary-markup.html 2013-10-29 17:40:52 UTC (rev 158198)
@@ -0,0 +1,38 @@
+<html xmlns='http://www.w3.org/1999/xhtml'>
+<head>
+ <title>MathML: inserting arbitrary markup</title>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ </script>
+</head>
+<body>
+<table>
+ <tr>
+ <td><math id="math"></math></td>
+ </tr>
+ <tr>
+ <td>
+ <math xmlns="http://www.w3.org/1998/Math/MathML">
+ <msub>
+ <mi id="mi1">a</mi>
+ <mi id="mi2">b</mi>
+ </msub>
+ </math>
+ </td>
+ </tr>
+</table>
+<script>
+var elem = document.getElementById("mi2");
+var parent = elem.parentNode;
+var new_elem = document.createElement("wbr");
+parent.insertBefore(new_elem, elem);
+node = document.getElementById("math").appendChild(document.createElement("object")).lastElementChild;
+elem = document.getElementById("mi1");
+parent = elem.parentNode;
+new_elem = document.createElement("strong");
+parent.insertBefore(new_elem, elem);
+parent.removeChild(elem);
+</script>
+</body>
+</html>
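Review bot: The new test never states what it verifies, so an expected output of a lone `b` is hard to interpret if it regresses. A comment near the top would tie it to the invalid-cast fix, for example `<!-- Bug 121728: non-MathML elements inserted under MathML elements must not create renderers; passes if it does not crash. -->`. The `node = ...lastElementChild` assignment creates an implicit global that is never read. If it survives only because the reduced test case had it, say so in that comment; otherwise keep the `appendChild` call and drop the assignment.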
Modified: trunk/LayoutTests/mathml/mfenced-root-layer-expected.txt (158197 => 158198)
--- trunk/LayoutTests/mathml/mfenced-root-layer-expected.txt 2013-10-29 17:17:22 UTC (rev 158197)
+++ trunk/LayoutTests/mathml/mfenced-root-layer-expected.txt 2013-10-29 17:40:52 UTC (rev 158198)
@@ -1,2 +1 @@
-Bug 100764: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]
-This test passes if it does not crash.
+Bug 100764: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]. This test passes if it does not crash.
Modified: trunk/LayoutTests/mathml/mfenced-root-layer.html (158197 => 158198)
--- trunk/LayoutTests/mathml/mfenced-root-layer.html 2013-10-29 17:17:22 UTC (rev 158197)
+++ trunk/LayoutTests/mathml/mfenced-root-layer.html 2013-10-29 17:40:52 UTC (rev 158198)
@@ -3,14 +3,13 @@
if (window.testRunner)
testRunner.dumpAsText();
- var mfenced = document.createElementNS("http://www.w3.org/1998/Math/MathML", "mfenced");
+ var mtext = document.createElementNS("http://www.w3.org/1998/Math/MathML", "mtext");
var docElt = document.documentElement;
docElt.parentNode.removeChild(docElt);
- document.appendChild(mfenced);
+ var textNode = document.createTextNode("Bug 100764: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]. This test passes if it does not crash.");
+ mtext.appendChild(textNode);
- var e = document.createElement("div");
- e.innerHTML = "<a href=''>Bug 100764</a>: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]<br>This test passes if it does not crash.";
- mfenced.appendChild(e);
+ document.appendChild(mtext);
</script>
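Review bot: Replacing the `mfenced` root with `mtext` changes what this regression test for bug 100764 (a heap-use-after-free in RenderLayer::paintList) exercises, although the file is still named mfenced-root-layer.html. If the original crash depended on `mfenced` being the document root, which cannot be confirmed from this hunk, that coverage is lost. Keeping `mfenced` as the root and giving it the valid child would preserve it: `mfenced.appendChild(mtext); document.appendChild(mfenced);`. The script block starts above the hunk.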
Modified: trunk/Source/WebCore/ChangeLog (158197 => 158198)
--- trunk/Source/WebCore/ChangeLog 2013-10-29 17:17:22 UTC (rev 158197)
+++ trunk/Source/WebCore/ChangeLog 2013-10-29 17:40:52 UTC (rev 158198)
@@ -1,3 +1,24 @@
+2013-10-24 Brent Fulgham <[email protected]>
+
+ Invalid cast in WebCore::toRenderMathMLBlock
+ https://bugs.webkit.org/show_bug.cgi?id=121728
+ rdar://problem/15046151
+
+ Reviewed by Dean Jackson.
+
+ Tested by: mathml/arbitrary-markup.html
+
+ * dom/Element.h: Expose childShouldCreateRenderer for
+ MathML as well as SVG builds.
+ * dom/Node.h:
+ (WebCore::Node::isMathMLElement): Added.
+ * mathml/MathMLElement.cpp:
+ (WebCore::MathMLElement::create): Create as MathML Element.
+ (WebCore::MathMLElement::childShouldCreateRenderer):
+ Only allow the child to emit a renderer if it is a
+ MathML element.
+ * mathml/MathMLElement.h:
+
2013-10-29 Andreas Kling <[email protected]>
SVG: applyStrokeStyleToContext should take a RenderElement&.
Modified: trunk/Source/WebCore/dom/Element.h (158197 => 158198)
--- trunk/Source/WebCore/dom/Element.h 2013-10-29 17:17:22 UTC (rev 158197)
+++ trunk/Source/WebCore/dom/Element.h 2013-10-29 17:40:52 UTC (rev 158198)
@@ -452,12 +452,6 @@
DOMStringMap* dataset();
-#if ENABLE(MATHML)
- virtual bool isMathMLElement() const { return false; }
-#else
- static bool isMathMLElement() { return false; }
-#endif
-
#if ENABLE(VIDEO)
virtual bool isMediaElement() const { return false; }
#endif
@@ -486,8 +480,10 @@
virtual bool isDisabledFormControl() const { return false; }
-#if ENABLE(SVG)
+#if ENABLE(SVG) || ENABLE(MATHML)
virtual bool childShouldCreateRenderer(const Node*) const OVERRIDE;
+#endif
+#if ENABLE(SVG)
bool hasPendingResources() const;
void setHasPendingResources();
void clearHasPendingResources();
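Review bot: The declaration of `childShouldCreateRenderer` is now compiled for `ENABLE(SVG) || ENABLE(MATHML)`, but the ChangeLog lists no change to the file that defines `Element::childShouldCreateRenderer`. If that definition is still inside an `#if ENABLE(SVG)` block, a build with MathML enabled and SVG disabled would declare the virtual without defining it and fail at link time. The guard around the definition should be widened to match, with any SVG-specific logic inside it kept under `ENABLE(SVG)`.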
Modified: trunk/Source/WebCore/dom/Node.h (158197 => 158198)
--- trunk/Source/WebCore/dom/Node.h 2013-10-29 17:17:22 UTC (rev 158197)
+++ trunk/Source/WebCore/dom/Node.h 2013-10-29 17:40:52 UTC (rev 158198)
@@ -224,6 +224,7 @@
bool isTextNode() const { return getFlag(IsTextFlag); }
bool isHTMLElement() const { return getFlag(IsHTMLFlag); }
bool isSVGElement() const { return getFlag(IsSVGFlag); }
+ bool isMathMLElement() const { return getFlag(IsMathMLFlag); }
bool isPseudoElement() const { return pseudoId() != NOPSEUDO; }
bool isBeforePseudoElement() const { return pseudoId() == BEFORE; }
@@ -596,6 +597,7 @@
HasEventTargetDataFlag = 1 << 21,
NeedsNodeRenderingTraversalSlowPathFlag = 1 << 22,
IsInShadowTreeFlag = 1 << 23,
+ IsMathMLFlag = 1 << 24,
DefaultNodeFlags = IsParsingChildrenFinishedFlag
};
@@ -622,6 +624,7 @@
CreateDocument = CreateContainer | InDocumentFlag,
CreateInsertionPoint = CreateHTMLElement | NeedsNodeRenderingTraversalSlowPathFlag,
CreateEditingText = CreateText | IsEditingTextFlag,
+ CreateMathMLElement = CreateStyledElement | IsMathMLFlag,
};
Node(Document*, ConstructionType);
Modified: trunk/Source/WebCore/mathml/MathMLElement.cpp (158197 => 158198)
--- trunk/Source/WebCore/mathml/MathMLElement.cpp 2013-10-29 17:17:22 UTC (rev 158197)
+++ trunk/Source/WebCore/mathml/MathMLElement.cpp 2013-10-29 17:40:52 UTC (rev 158198)
@@ -39,7 +39,7 @@
using namespace MathMLNames;
MathMLElement::MathMLElement(const QualifiedName& tagName, Document& document)
- : StyledElement(tagName, document, CreateStyledElement)
+ : StyledElement(tagName, document, CreateMathMLElement)
{
}
@@ -113,6 +113,12 @@
}
}
+bool MathMLElement::childShouldCreateRenderer(const Node* child) const
+{
+ // Only create renderers for MathML elements or text. MathML prohibits non-MathML markup inside a <math> element.
+ return child->isTextNode() || child->isMathMLElement();
}
+}
+
#endif // ENABLE(MATHML)
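Review bot: The comment on `MathMLElement::childShouldCreateRenderer` does not record that this filter is what keeps non-MathML renderers away from the `toRenderMathMLBlock` casts in the render tree, which is the reason for the fix. Suggest adding `// Render-tree code casts MathML children with toRenderMathMLBlock(); overrides in subclasses must not accept anything this function rejects.` so later overrides, like the one added in MathMLTextElement.cpp, are not widened by accident. The stated rationale is also broader than MathML itself, which permits foreign markup inside `annotation-xml`; wording it as a restriction on which children get renderers would be more accurate. `child` is dereferenced without a null check, so the non-null precondition is worth stating in the comment.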
Modified: trunk/Source/WebCore/mathml/MathMLElement.h (158197 => 158198)
--- trunk/Source/WebCore/mathml/MathMLElement.h 2013-10-29 17:17:22 UTC (rev 158197)
+++ trunk/Source/WebCore/mathml/MathMLElement.h 2013-10-29 17:40:52 UTC (rev 158198)
@@ -41,14 +41,14 @@
int colSpan() const;
int rowSpan() const;
+ virtual bool childShouldCreateRenderer(const Node*) const OVERRIDE;
+
protected:
MathMLElement(const QualifiedName& tagName, Document&);
virtual void parseAttribute(const QualifiedName&, const AtomicString&) OVERRIDE;
private:
- virtual bool isMathMLElement() const { return true; }
-
virtual bool isPresentationAttribute(const QualifiedName&) const OVERRIDE;
virtual void collectStyleForPresentationAttribute(const QualifiedName&, const AtomicString&, MutableStylePropertySet*) OVERRIDE;
};
Modified: trunk/Source/WebCore/mathml/MathMLTextElement.cpp (158197 => 158198)
--- trunk/Source/WebCore/mathml/MathMLTextElement.cpp 2013-10-29 17:17:22 UTC (rev 158197)
+++ trunk/Source/WebCore/mathml/MathMLTextElement.cpp 2013-10-29 17:40:52 UTC (rev 158198)
@@ -73,6 +73,11 @@
return MathMLElement::createRenderer(std::move(style));
}
+bool MathMLTextElement::childShouldCreateRenderer(const Node* child) const
+{
+ return child->isTextNode();
}
+}
+
#endif // ENABLE(MATHML)
Modified: trunk/Source/WebCore/mathml/MathMLTextElement.h (158197 => 158198)
--- trunk/Source/WebCore/mathml/MathMLTextElement.h 2013-10-29 17:17:22 UTC (rev 158197)
+++ trunk/Source/WebCore/mathml/MathMLTextElement.h 2013-10-29 17:40:52 UTC (rev 158198)
@@ -37,6 +37,8 @@
static PassRefPtr<MathMLTextElement> create(const QualifiedName& tagName, Document&);
virtual void didAttachRenderers() OVERRIDE;
+ virtual bool childShouldCreateRenderer(const Node*) const OVERRIDE;
+
private:
MathMLTextElement(const QualifiedName& tagName, Document&);
Modified: trunk/Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp (158197 => 158198)
--- trunk/Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp 2013-10-29 17:17:22 UTC (rev 158197)
+++ trunk/Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp 2013-10-29 17:40:52 UTC (rev 158198)
@@ -153,9 +153,12 @@
// beforeChild may be a grandchild, so we call the addChild function of the corresponding wrapper instead.
RenderObject* parent = beforeChild->parent();
if (parent != this) {
- RenderMathMLScriptsWrapper* wrapper = toRenderMathMLScriptsWrapper(parent);
- wrapper->addChildInternal(false, child, beforeChild);
- return;
+ RenderMathMLBlock* parentBlock = toRenderMathMLBlock(parent);
+ if (parentBlock->isRenderMathMLScriptsWrapper()) {
+ RenderMathMLScriptsWrapper* wrapper = toRenderMathMLScriptsWrapper(parentBlock);
+ wrapper->addChildInternal(false, child, beforeChild);
+ return;
+ }
}
}
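Review bot: The added `isRenderMathMLScriptsWrapper()` test runs only after `toRenderMathMLBlock(parent)`, so the cast named in the bug title is still applied to a parent whose type has not been checked. Safety on this path therefore rests entirely on the DOM-side filter in `MathMLElement::childShouldCreateRenderer`. Testing the type before casting makes the render-tree code safe on its own: `if (parent->isRenderMathMLBlock() && toRenderMathMLBlock(parent)->isRenderMathMLScriptsWrapper()) {`. When `parent` is neither `this` nor a wrapper, the code now falls through with a `beforeChild` that is not a direct child. The rest of the function is outside the hunk, so confirm that the remaining code handles that case.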