[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

bdakin at apple.com bdakin at apple.com
Wed Dec 22 12:18:59 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 1246c62f27502c1d977756865c939239625a80dc
Author: bdakin at apple.com <bdakin at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Aug 19 00:26:20 2010 +0000

    WebCore: Fix for https://bugs.webkit.org/show_bug.cgi?id=44207 Empty mfrac
    and empty munderover cause crashes
           -and corresponding-
    <rdar://problem/8325160>
    
    Reviewed by Sam Weinig.
    
    This is just a  matter of adding null checks in the right places.
    * mathml/RenderMathMLFraction.cpp:
    (WebCore::RenderMathMLFraction::baselinePosition):
    * mathml/RenderMathMLUnderOver.cpp:
    (WebCore::RenderMathMLUnderOver::baselinePosition):
    
    LayoutTests: Tests for https://bugs.webkit.org/show_bug.cgi?id=44207 Empty mfrac
    and empty munderover cause crashes
           -and corresponding-
    <rdar://problem/8325160>
    * mathml/EmptyMFracCrash-expected.txt: Added.
    * mathml/EmptyMFracCrash.xhtml: Added.
    * mathml/EmptyMunderOverCrash-expected.txt: Added.
    * mathml/EmptyMunderOverCrash.xhtml: Added.
    
    Reviewed by Sam Weinig.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65646 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 6ccf90c..b352105 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2010-08-18  Beth Dakin  <bdakin at apple.com>
+
+        Reviewed by Sam Weinig.
+
+        Tests for https://bugs.webkit.org/show_bug.cgi?id=44207 Empty mfrac 
+        and empty munderover cause crashes
+       -and corresponding-
+        <rdar://problem/8325160>
+        * mathml/EmptyMFracCrash-expected.txt: Added.
+        * mathml/EmptyMFracCrash.xhtml: Added.
+        * mathml/EmptyMunderOverCrash-expected.txt: Added.
+        * mathml/EmptyMunderOverCrash.xhtml: Added.
+
 2010-08-18  Fady Samuel  <fsamuel at chromium.org>
 
         Reviewed by Dimitri Glazkov.
diff --git a/LayoutTests/editing/pasteboard/copy-crash-with-extraneous-attribute-expected.txt b/LayoutTests/mathml/EmptyMFracCrash-expected.txt
similarity index 100%
copy from LayoutTests/editing/pasteboard/copy-crash-with-extraneous-attribute-expected.txt
copy to LayoutTests/mathml/EmptyMFracCrash-expected.txt
diff --git a/LayoutTests/mathml/EmptyMFracCrash.xhtml b/LayoutTests/mathml/EmptyMFracCrash.xhtml
new file mode 100644
index 0000000..1bc3edf
--- /dev/null
+++ b/LayoutTests/mathml/EmptyMFracCrash.xhtml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:m="http://www.w3.org/1998/Math/MathML" xml:lang="en">
+<head>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+    <math xmlns="http://www.w3.org/1998/Math/MathML"> 
+        <mtext>This test passes if it does not crash.</mtext>
+        <mrow> 
+            <mfrac></mfrac> 
+        </mrow> 
+    </math>
+</body>
+</html>
diff --git a/LayoutTests/editing/pasteboard/copy-crash-with-extraneous-attribute-expected.txt b/LayoutTests/mathml/EmptyMunderOverCrash-expected.txt
similarity index 100%
copy from LayoutTests/editing/pasteboard/copy-crash-with-extraneous-attribute-expected.txt
copy to LayoutTests/mathml/EmptyMunderOverCrash-expected.txt
diff --git a/LayoutTests/mathml/EmptyMunderOverCrash.xhtml b/LayoutTests/mathml/EmptyMunderOverCrash.xhtml
new file mode 100644
index 0000000..e897c8c
--- /dev/null
+++ b/LayoutTests/mathml/EmptyMunderOverCrash.xhtml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:m="http://www.w3.org/1998/Math/MathML" xml:lang="en">
+<head>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<math xmlns="http://www.w3.org/1998/Math/MathML"> 
+    <mtext>This test passes if it does not crash.</mtext> 
+    <mrow> 
+        <munderover></munderover> 
+    </mrow> 
+</math>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 819f561..3eb1223 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-08-18  Beth Dakin  <bdakin at apple.com>
+
+        Reviewed by Sam Weinig.
+
+        Fix for https://bugs.webkit.org/show_bug.cgi?id=44207 Empty mfrac 
+        and empty munderover cause crashes
+       -and corresponding-
+        <rdar://problem/8325160>
+
+        This is just a  matter of adding null checks in the right places.
+        * mathml/RenderMathMLFraction.cpp:
+        (WebCore::RenderMathMLFraction::baselinePosition):
+        * mathml/RenderMathMLUnderOver.cpp:
+        (WebCore::RenderMathMLUnderOver::baselinePosition):
+
 2010-08-18  Jian Li  <jianli at chromium.org>
 
         Reviewed by David Levin.
diff --git a/WebCore/mathml/RenderMathMLFraction.cpp b/WebCore/mathml/RenderMathMLFraction.cpp
index 72f7298..914f6fe 100644
--- a/WebCore/mathml/RenderMathMLFraction.cpp
+++ b/WebCore/mathml/RenderMathMLFraction.cpp
@@ -176,7 +176,7 @@ void RenderMathMLFraction::paint(PaintInfo& info, int tx, int ty)
 
 int RenderMathMLFraction::baselinePosition(bool firstLine, bool isRootLineBox) const
 {
-    if (firstChild()->isRenderMathMLBlock()) {
+    if (firstChild() && firstChild()->isRenderMathMLBlock()) {
         RenderMathMLBlock* numerator = toRenderMathMLBlock(firstChild());
         // FIXME: the baseline should adjust so the fraction line aligns
         // relative certain operators (e.g. aligns with the horizontal
diff --git a/WebCore/mathml/RenderMathMLUnderOver.cpp b/WebCore/mathml/RenderMathMLUnderOver.cpp
index ad32d59..f015054 100644
--- a/WebCore/mathml/RenderMathMLUnderOver.cpp
+++ b/WebCore/mathml/RenderMathMLUnderOver.cpp
@@ -236,35 +236,35 @@ void RenderMathMLUnderOver::layout()
 
 int RenderMathMLUnderOver::baselinePosition(bool firstLine, bool isRootLineBox) const
 {
+    RenderObject* current = firstChild();
+    if (!current)
+        return RenderBlock::baselinePosition(firstLine, isRootLineBox);
+
     int baseline = 0;
-    RenderObject* current = 0;
     switch (m_kind) {
     case UnderOver:
     case Over:
-        current = firstChild();
         baseline += getOffsetHeight(current);
         current = current->nextSibling();
         if (current) {
             // actual base
             RenderObject* base = current->firstChild();
+            if (!base)
+                break;
             baseline += base->baselinePosition(firstLine, isRootLineBox);
             // added the negative top margin
             baseline += current->style()->marginTop().value();
-            // FIXME: Where is the extra 2-3px adjusted for zoom coming from?
-            float zoomFactor = style()->effectiveZoom();
-            baseline += static_cast<int>((zoomFactor > 1.25 ? 2 : 3) * zoomFactor);
         }
         break;
     case Under:
-        current = firstChild();
-        if (current) {
-            RenderObject* base = current->firstChild();
+        RenderObject* base = current->firstChild();
+        if (base)
             baseline += base->baselinePosition(true);
-            // FIXME: Where is the extra 2-3px adjusted for zoom coming from?
-            float zoomFactor = style()->effectiveZoom();
-            baseline += static_cast<int>((zoomFactor > 1.25 ? 2 : 3) * zoomFactor);
-        }
     }
+
+    // FIXME: Where is the extra 2-3px adjusted for zoom coming from?
+    float zoomFactor = style()->effectiveZoom();
+    baseline += static_cast<int>((zoomFactor > 1.25 ? 2 : 3) * zoomFactor);
     return baseline;
 }
 

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list