[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

bdakin at apple.com bdakin at apple.com
Wed Dec 22 12:48:11 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 304a0042f6d2986217a49f8dd07883c26f980c0e
Author: bdakin at apple.com <bdakin at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Aug 30 20:03:20 2010 +0000

    WebCore: Fix for https://bugs.webkit.org/show_bug.cgi?id=44804 Crashes in
    RenderMathMLRoot::layout() and RenderMathMLRoot::paint()
    -and corresponding-
    <rdar://problem/8342055>
    
    Reviewed by Sam Weinig.
    
    All of the calls to firstChild() and lastChild() in
    RenderMathMLRoot::layout() and RenderMathMLRoot::paint() need to be
    null checked.
    
    * mathml/RenderMathMLRoot.cpp:
    (WebCore::RenderMathMLRoot::paint):
    (WebCore::RenderMathMLRoot::layout):
    
    LayoutTests: Tests for https://bugs.webkit.org/show_bug.cgi?id=44804 Crashes in
    RenderMathMLRoot::layout() and RenderMathMLRoot::paint()
    -and-
    https://bugs.webkit.org/show_bug.cgi?id=44801 Crash in
    RenderMathMLSubSup::layout()
    
    Reviewed by Sam Weinig.
    
    * mathml/empty-mroot-crash-expected.txt: Added.
    * mathml/empty-mroot-crash.xhtml: Added.
    * mathml/msubsup-no-grandchild-expected.txt: Added.
    * mathml/msubsup-no-grandchild.xhtml: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@66403 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index cfff6dc..5c1b404 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2010-08-30  Beth Dakin  <bdakin at apple.com>
+
+        Reviewed by Sam Weinig.
+
+        Tests for https://bugs.webkit.org/show_bug.cgi?id=44804 Crashes in 
+        RenderMathMLRoot::layout() and RenderMathMLRoot::paint()
+        -and-
+        https://bugs.webkit.org/show_bug.cgi?id=44801 Crash in 
+        RenderMathMLSubSup::layout()
+
+        * mathml/empty-mroot-crash-expected.txt: Added.
+        * mathml/empty-mroot-crash.xhtml: Added.
+        * mathml/msubsup-no-grandchild-expected.txt: Added.
+        * mathml/msubsup-no-grandchild.xhtml: Added.
+
 2010-08-30  Martin Robinson  <mrobinson at igalia.com>
 
         Unskip passing philip canvas tests and unskip and add results for some more shadow tests.
diff --git a/LayoutTests/editing/pasteboard/copy-crash-with-extraneous-attribute-expected.txt b/LayoutTests/mathml/empty-mroot-crash-expected.txt
similarity index 100%
copy from LayoutTests/editing/pasteboard/copy-crash-with-extraneous-attribute-expected.txt
copy to LayoutTests/mathml/empty-mroot-crash-expected.txt
diff --git a/LayoutTests/mathml/empty-mroot-crash.xhtml b/LayoutTests/mathml/empty-mroot-crash.xhtml
new file mode 100644
index 0000000..f4f2bbb
--- /dev/null
+++ b/LayoutTests/mathml/empty-mroot-crash.xhtml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:m="http://www.w3.org/1998/Math/MathML" xml:lang="en">
+<head>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<math xmlns="http://www.w3.org/1998/Math/MathML">
+    <mtext>This test passes if it does not crash.</mtext> 
+    <mroot></mroot>
+</math>
+</body>
+</html>
diff --git a/LayoutTests/editing/pasteboard/copy-crash-with-extraneous-attribute-expected.txt b/LayoutTests/mathml/msubsup-no-grandchild-expected.txt
similarity index 100%
copy from LayoutTests/editing/pasteboard/copy-crash-with-extraneous-attribute-expected.txt
copy to LayoutTests/mathml/msubsup-no-grandchild-expected.txt
diff --git a/LayoutTests/mathml/msubsup-no-grandchild.xhtml b/LayoutTests/mathml/msubsup-no-grandchild.xhtml
new file mode 100644
index 0000000..f624a3e
--- /dev/null
+++ b/LayoutTests/mathml/msubsup-no-grandchild.xhtml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:m="http://www.w3.org/1998/Math/MathML" xml:lang="en">
+<head>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<math xmlns="http://www.w3.org/1998/Math/MathML">
+    <mtext>This test passes if it does not crash.</mtext> 
+    <msubsup> 
+        <mi></mi> 
+    </msubsup> 
+</math>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index e1b67da..8f55d70 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,5 +1,22 @@
 2010-08-30  Beth Dakin  <bdakin at apple.com>
 
+        Reviewed by Sam Weinig.
+
+        Fix for https://bugs.webkit.org/show_bug.cgi?id=44804 Crashes in 
+        RenderMathMLRoot::layout() and RenderMathMLRoot::paint()
+        -and corresponding-
+        <rdar://problem/8342055>
+
+        All of the calls to firstChild() and lastChild() in 
+        RenderMathMLRoot::layout() and RenderMathMLRoot::paint() need to be 
+        null checked.
+
+        * mathml/RenderMathMLRoot.cpp:
+        (WebCore::RenderMathMLRoot::paint):
+        (WebCore::RenderMathMLRoot::layout):
+
+2010-08-30  Beth Dakin  <bdakin at apple.com>
+
         Reviewed by Darin Adler.
 
         Fix for https://bugs.webkit.org/show_bug.cgi?id=44801 Crash in 
diff --git a/WebCore/mathml/RenderMathMLRoot.cpp b/WebCore/mathml/RenderMathMLRoot.cpp
index 4ed8c19..da303c9 100644
--- a/WebCore/mathml/RenderMathMLRoot.cpp
+++ b/WebCore/mathml/RenderMathMLRoot.cpp
@@ -99,7 +99,10 @@ void RenderMathMLRoot::paint(PaintInfo& info, int tx, int ty)
     
     if (info.context->paintingDisabled())
         return;
-    
+
+    if (!firstChild() || !lastChild())
+        return;
+
     tx += x();
     ty += y();
     
@@ -203,11 +206,15 @@ void RenderMathMLRoot::paint(PaintInfo& info, int tx, int ty)
 void RenderMathMLRoot::layout()
 {
     RenderBlock::layout();
-    
+
+    if (!firstChild() || !lastChild())
+        return;
+
     int maxHeight = toRenderBoxModelObject(lastChild())->offsetHeight();
     
     RenderObject* current = lastChild()->firstChild();
-    current->style()->setVerticalAlign(BASELINE);
+    if (current)
+        current->style()->setVerticalAlign(BASELINE);
     
     if (!maxHeight)
         maxHeight = style()->fontSize();
@@ -228,6 +235,8 @@ void RenderMathMLRoot::layout()
     
     // Positioning of the index
     RenderBoxModelObject* indexBox = toRenderBoxModelObject(firstChild()->firstChild());
+    if (!indexBox)
+        return;
     
     int indexShift = indexBox->offsetWidth() + topStartShift;
     int radicalHeight = static_cast<int>((1 - gRadicalTopLeftPointYPos) * maxHeight);

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list