Changeset 158198 in webkit
- Timestamp:
- Oct 29, 2013 10:40:52 AM (10 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 11 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r158195 r158198 1 2013-10-25 Brent Fulgham <bfulgham@apple.com> 2 3 [MathML] invalid cast in WebCore::toRenderMathMLBlock 4 https://bugs.webkit.org/show_bug.cgi?id=121728 5 6 Reviewed by Dean Jackson. 7 8 * mathml/arbitrary-markup-expected.txt: Added. 9 * mathml/arbitrary-markup.html: Added. 10 * mathml/mfenced-root-layer.html: Modified to avoid invalid 11 use of arbitrary markup inside mfenced element. 12 * mathml/mfenced-root-layer-expected.txt: Rebaselined. 13 1 14 2013-10-29 Chris Fleizach <cfleizach@apple.com> 2 15 -
trunk/LayoutTests/mathml/mfenced-root-layer-expected.txt
r136554 r158198 1 Bug 100764: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML] 2 This test passes if it does not crash. 1 Bug 100764: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]. This test passes if it does not crash. -
trunk/LayoutTests/mathml/mfenced-root-layer.html
r136554 r158198 4 4 testRunner.dumpAsText(); 5 5 6 var m fenced = document.createElementNS("http://www.w3.org/1998/Math/MathML", "mfenced");6 var mtext = document.createElementNS("http://www.w3.org/1998/Math/MathML", "mtext"); 7 7 8 8 var docElt = document.documentElement; 9 9 docElt.parentNode.removeChild(docElt); 10 10 11 document.appendChild(mfenced); 11 var textNode = document.createTextNode("Bug 100764: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]. This test passes if it does not crash."); 12 mtext.appendChild(textNode); 12 13 13 var e = document.createElement("div"); 14 e.innerHTML = "<a href='https://bugs.webkit.org/show_bug.cgi?id=100764'>Bug 100764</a>: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]<br>This test passes if it does not crash."; 15 mfenced.appendChild(e); 14 document.appendChild(mtext); 16 15 </script> -
trunk/Source/WebCore/ChangeLog
r158197 r158198 1 2013-10-24 Brent Fulgham <bfulgham@apple.com> 2 3 Invalid cast in WebCore::toRenderMathMLBlock 4 https://bugs.webkit.org/show_bug.cgi?id=121728 5 rdar://problem/15046151 6 7 Reviewed by Dean Jackson. 8 9 Tested by: mathml/arbitrary-markup.html 10 11 * dom/Element.h: Expose childShouldCreateRenderer for 12 MathML as well as SVG builds. 13 * dom/Node.h: 14 (WebCore::Node::isMathMLElement): Added. 15 * mathml/MathMLElement.cpp: 16 (WebCore::MathMLElement::create): Create as MathML Element. 17 (WebCore::MathMLElement::childShouldCreateRenderer): 18 Only allow the child to emit a renderer if it is a 19 MathML element. 20 * mathml/MathMLElement.h: 21 1 22 2013-10-29 Andreas Kling <akling@apple.com> 2 23 -
trunk/Source/WebCore/dom/Element.h
r158097 r158198 453 453 DOMStringMap* dataset(); 454 454 455 #if ENABLE(MATHML)456 virtual bool isMathMLElement() const { return false; }457 #else458 static bool isMathMLElement() { return false; }459 #endif460 461 455 #if ENABLE(VIDEO) 462 456 virtual bool isMediaElement() const { return false; } … … 487 481 488 482 483 #if ENABLE(SVG) || ENABLE(MATHML) 484 virtual bool childShouldCreateRenderer(const Node*) const OVERRIDE; 485 #endif 489 486 #if ENABLE(SVG) 490 virtual bool childShouldCreateRenderer(const Node*) const OVERRIDE;491 487 bool hasPendingResources() const; 492 488 void setHasPendingResources(); -
trunk/Source/WebCore/dom/Node.h
r157717 r158198 225 225 bool isHTMLElement() const { return getFlag(IsHTMLFlag); } 226 226 bool isSVGElement() const { return getFlag(IsSVGFlag); } 227 bool isMathMLElement() const { return getFlag(IsMathMLFlag); } 227 228 228 229 bool isPseudoElement() const { return pseudoId() != NOPSEUDO; } … … 597 598 NeedsNodeRenderingTraversalSlowPathFlag = 1 << 22, 598 599 IsInShadowTreeFlag = 1 << 23, 600 IsMathMLFlag = 1 << 24, 599 601 600 602 DefaultNodeFlags = IsParsingChildrenFinishedFlag … … 623 625 CreateInsertionPoint = CreateHTMLElement | NeedsNodeRenderingTraversalSlowPathFlag, 624 626 CreateEditingText = CreateText | IsEditingTextFlag, 627 CreateMathMLElement = CreateStyledElement | IsMathMLFlag, 625 628 }; 626 629 Node(Document*, ConstructionType); -
trunk/Source/WebCore/mathml/MathMLElement.cpp
r156622 r158198 40 40 41 41 MathMLElement::MathMLElement(const QualifiedName& tagName, Document& document) 42 : StyledElement(tagName, document, Create StyledElement)42 : StyledElement(tagName, document, CreateMathMLElement) 43 43 { 44 44 } … … 114 114 } 115 115 116 bool MathMLElement::childShouldCreateRenderer(const Node* child) const 117 { 118 // Only create renderers for MathML elements or text. MathML prohibits non-MathML markup inside a <math> element. 119 return child->isTextNode() || child->isMathMLElement(); 120 } 121 116 122 } 117 123 -
trunk/Source/WebCore/mathml/MathMLElement.h
r157385 r158198 42 42 int rowSpan() const; 43 43 44 virtual bool childShouldCreateRenderer(const Node*) const OVERRIDE; 45 44 46 protected: 45 47 MathMLElement(const QualifiedName& tagName, Document&); … … 48 50 49 51 private: 50 virtual bool isMathMLElement() const { return true; }51 52 52 virtual bool isPresentationAttribute(const QualifiedName&) const OVERRIDE; 53 53 virtual void collectStyleForPresentationAttribute(const QualifiedName&, const AtomicString&, MutableStylePropertySet*) OVERRIDE; -
trunk/Source/WebCore/mathml/MathMLTextElement.cpp
r158097 r158198 74 74 } 75 75 76 bool MathMLTextElement::childShouldCreateRenderer(const Node* child) const 77 { 78 return child->isTextNode(); 79 } 80 76 81 } 77 82 -
trunk/Source/WebCore/mathml/MathMLTextElement.h
r158097 r158198 38 38 virtual void didAttachRenderers() OVERRIDE; 39 39 40 virtual bool childShouldCreateRenderer(const Node*) const OVERRIDE; 41 40 42 private: 41 43 MathMLTextElement(const QualifiedName& tagName, Document&); -
trunk/Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp
r158163 r158198 154 154 RenderObject* parent = beforeChild->parent(); 155 155 if (parent != this) { 156 RenderMathMLScriptsWrapper* wrapper = toRenderMathMLScriptsWrapper(parent); 157 wrapper->addChildInternal(false, child, beforeChild); 158 return; 156 RenderMathMLBlock* parentBlock = toRenderMathMLBlock(parent); 157 if (parentBlock->isRenderMathMLScriptsWrapper()) { 158 RenderMathMLScriptsWrapper* wrapper = toRenderMathMLScriptsWrapper(parentBlock); 159 wrapper->addChildInternal(false, child, beforeChild); 160 return; 161 } 159 162 } 160 163 }
Note: See TracChangeset
for help on using the changeset viewer.