Changeset 158198 in webkit


Timestamp:
Oct 29, 2013 10:40:52 AM (10 years ago)
Author:
Brent Fulgham
Message:

Source/WebCore: Invalid cast in WebCore::toRenderMathMLBlock
https://bugs.webkit.org/show_bug.cgi?id=121728
rdar://problem/15046151

Reviewed by Dean Jackson.

Tested by: mathml/arbitrary-markup.html

  • dom/Element.h: Expose childShouldCreateRenderer for

MathML as well as SVG builds.

  • dom/Node.h:

(WebCore::Node::isMathMLElement): Added.

  • mathml/MathMLElement.cpp:

(WebCore::MathMLElement::create): Create as MathML Element.
(WebCore::MathMLElement::childShouldCreateRenderer):
Only allow the child to emit a renderer if it is a
MathML element.

  • mathml/MathMLElement.h:

LayoutTests: [MathML] invalid cast in WebCore::toRenderMathMLBlock
https://bugs.webkit.org/show_bug.cgi?id=121728

Reviewed by Dean Jackson.

  • mathml/arbitrary-markup-expected.txt: Added.
  • mathml/arbitrary-markup.html: Added.
  • mathml/mfenced-root-layer.html: Modified to avoid invalid

use of arbitrary markup inside mfenced element.

  • mathml/mfenced-root-layer-expected.txt: Rebaselined.
Location:
trunk
Files:
2 added
11 edited

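--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,15 @@
+2013-10-25  Brent Fulgham  <bfulgham@apple.com>
+
+        [MathML] invalid cast in WebCore::toRenderMathMLBlock
+        https://bugs.webkit.org/show_bug.cgi?id=121728
+
+        Reviewed by Dean Jackson.
+
+        * mathml/arbitrary-markup-expected.txt: Added.
+        * mathml/arbitrary-markup.html: Added.
+        * mathml/mfenced-root-layer.html: Modified to avoid invalid
+        use of arbitrary markup inside mfenced element.
+        * mathml/mfenced-root-layer-expected.txt: Rebaselined.
+
 2013-10-29  Chris Fleizach  <cfleizach@apple.com>
 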
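--- a/trunk/LayoutTests/mathml/mfenced-root-layer-expected.txt
+++ b/trunk/LayoutTests/mathml/mfenced-root-layer-expected.txt
@@ -1,2 +1 @@
-Bug 100764: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]
-This test passes if it does not crash.
+Bug 100764: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]. This test passes if it does not crash.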
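--- a/trunk/LayoutTests/mathml/mfenced-root-layer.html
+++ b/trunk/LayoutTests/mathml/mfenced-root-layer.html
@@ -4,13 +4,12 @@
         testRunner.dumpAsText();
 
-    var mfenced = document.createElementNS("http://www.w3.org/1998/Math/MathML", "mfenced");
+    var mtext = document.createElementNS("http://www.w3.org/1998/Math/MathML", "mtext");
 
     var docElt = document.documentElement;
     docElt.parentNode.removeChild(docElt);
 
-    document.appendChild(mfenced);
+    var textNode = document.createTextNode("Bug 100764: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]. This test passes if it does not crash.");
+    mtext.appendChild(textNode);
 
-    var e = document.createElement("div");
-    e.innerHTML = "<a href='https://bugs.webkit.org/show_bug.cgi?id=100764'>Bug 100764</a>: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]<br>This test passes if it does not crash.";
-    mfenced.appendChild(e);
+    document.appendChild(mtext);
 </script>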
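Review bot: The rewritten test no longer creates an `mfenced` element at all: the root node is now `mtext` holding a text node, so a file named mfenced-root-layer.html stops exercising the mfenced-as-root path that the bug 100764 use-after-free test was written for. If the original crash depended on renderers that `mfenced` generates for itself (not determinable from this page), the regression coverage is lost. Keeping `mfenced` as the root and giving it a MathML child, e.g. `mfenced.appendChild(mtext); document.appendChild(mfenced);`, would keep the markup valid under the new renderer filter while still covering the original path.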
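--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,23 @@
+2013-10-24  Brent Fulgham  <bfulgham@apple.com>
+
+        Invalid cast in WebCore::toRenderMathMLBlock
+        https://bugs.webkit.org/show_bug.cgi?id=121728
+        rdar://problem/15046151
+
+        Reviewed by Dean Jackson.
+
+        Tested by: mathml/arbitrary-markup.html
+
+        * dom/Element.h: Expose childShouldCreateRenderer for
+        MathML as well as SVG builds.
+        * dom/Node.h:
+        (WebCore::Node::isMathMLElement): Added.
+        * mathml/MathMLElement.cpp:
+        (WebCore::MathMLElement::create): Create as MathML Element.
+        (WebCore::MathMLElement::childShouldCreateRenderer):
+        Only allow the child to emit a renderer if it is a
+        MathML element.
+        * mathml/MathMLElement.h:
+
 2013-10-29  Andreas Kling  <akling@apple.com>
 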
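--- a/trunk/Source/WebCore/dom/Element.h
+++ b/trunk/Source/WebCore/dom/Element.h
@@ -453,10 +453,4 @@
     DOMStringMap* dataset();
 
-#if ENABLE(MATHML)
-    virtual bool isMathMLElement() const { return false; }
-#else
-    static bool isMathMLElement() { return false; }
-#endif
-
 #if ENABLE(VIDEO)
     virtual bool isMediaElement() const { return false; }
@@ -487,6 +481,8 @@
 
 
+#if ENABLE(SVG) || ENABLE(MATHML)
+    virtual bool childShouldCreateRenderer(const Node*) const OVERRIDE;
+#endif
 #if ENABLE(SVG)
-    virtual bool childShouldCreateRenderer(const Node*) const OVERRIDE;
     bool hasPendingResources() const;
     void setHasPendingResources();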
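Review bot: The declaration of `childShouldCreateRenderer` now sits under `#if ENABLE(SVG) || ENABLE(MATHML)`, but no matching change to the out-of-line definition of `Element::childShouldCreateRenderer` appears among the files shown in this changeset. If that definition is still guarded by `#if ENABLE(SVG)` alone (not visible here), a build with MathML enabled and SVG disabled declares a virtual that is never defined; widen its guard to the same `#if ENABLE(SVG) || ENABLE(MATHML)`. A one-line comment above the declaration naming the two subsystems that depend on it would help keep the guards in step.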
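--- a/trunk/Source/WebCore/dom/Node.h
+++ b/trunk/Source/WebCore/dom/Node.h
@@ -225,4 +225,5 @@
     bool isHTMLElement() const { return getFlag(IsHTMLFlag); }
     bool isSVGElement() const { return getFlag(IsSVGFlag); }
+    bool isMathMLElement() const { return getFlag(IsMathMLFlag); }
 
     bool isPseudoElement() const { return pseudoId() != NOPSEUDO; }
@@ -597,4 +598,5 @@
         NeedsNodeRenderingTraversalSlowPathFlag = 1 << 22,
         IsInShadowTreeFlag = 1 << 23,
+        IsMathMLFlag = 1 << 24,
 
         DefaultNodeFlags = IsParsingChildrenFinishedFlag
@@ -623,4 +625,5 @@
         CreateInsertionPoint = CreateHTMLElement | NeedsNodeRenderingTraversalSlowPathFlag,
         CreateEditingText = CreateText | IsEditingTextFlag,
+        CreateMathMLElement = CreateStyledElement | IsMathMLFlag,
     };
     Node(Document*, ConstructionType);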
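--- a/trunk/Source/WebCore/mathml/MathMLElement.cpp
+++ b/trunk/Source/WebCore/mathml/MathMLElement.cpp
@@ -40,5 +40,5 @@
    
 MathMLElement::MathMLElement(const QualifiedName& tagName, Document& document)
-    : StyledElement(tagName, document, CreateStyledElement)
+    : StyledElement(tagName, document, CreateMathMLElement)
 {
 }
@@ -114,4 +114,10 @@
 }
 
+bool MathMLElement::childShouldCreateRenderer(const Node* child) const
+{
+    // Only create renderers for MathML elements or text. MathML prohibits non-MathML markup inside a <math> element.
+    return child->isTextNode() || child->isMathMLElement();
+}
+
 }
 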
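Review bot: `childShouldCreateRenderer` is defined on the base `MathMLElement`, so the filter applies to every MathML element that does not override it, while its comment speaks only of `<math>`. Elements whose content model allows foreign markup (annotation-xml is the usual case, if it derives from this class) would silently stop rendering such children, so it is worth confirming that this is intended. The comment should also record why the filter exists, e.g. `// Non-MathML children would get renderers that MathML layout code downcasts with toRenderMathMLBlock(); refusing them here keeps those casts valid.` The function dereferences `child` unchecked; an `ASSERT(child);` on the first line would document the precondition.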
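--- a/trunk/Source/WebCore/mathml/MathMLElement.h
+++ b/trunk/Source/WebCore/mathml/MathMLElement.h
@@ -42,4 +42,6 @@
     int rowSpan() const;
 
+    virtual bool childShouldCreateRenderer(const Node*) const OVERRIDE;
+
 protected:
     MathMLElement(const QualifiedName& tagName, Document&);
@@ -48,6 +50,4 @@
 
 private:   
-    virtual bool isMathMLElement() const { return true; }
-
     virtual bool isPresentationAttribute(const QualifiedName&) const OVERRIDE;
     virtual void collectStyleForPresentationAttribute(const QualifiedName&, const AtomicString&, MutableStylePropertySet*) OVERRIDE;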
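--- a/trunk/Source/WebCore/mathml/MathMLTextElement.cpp
+++ b/trunk/Source/WebCore/mathml/MathMLTextElement.cpp
@@ -74,4 +74,9 @@
 }
 
+bool MathMLTextElement::childShouldCreateRenderer(const Node* child) const
+{
+    return child->isTextNode();
+}
+
 }
 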
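Review bot: The new `MathMLTextElement::childShouldCreateRenderer` carries no comment saying why it is stricter than the base-class version, which also admits MathML element children. Add one line such as `// Token elements render only their own text; element children, MathML or not, get no renderer.` If token elements are meant to host MathML children such as `mglyph` (not determinable from this page), this override would drop their renderers and should be widened accordingly.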
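--- a/trunk/Source/WebCore/mathml/MathMLTextElement.h
+++ b/trunk/Source/WebCore/mathml/MathMLTextElement.h
@@ -38,4 +38,6 @@
     virtual void didAttachRenderers() OVERRIDE;
 
+    virtual bool childShouldCreateRenderer(const Node*) const OVERRIDE;
+
 private:
     MathMLTextElement(const QualifiedName& tagName, Document&);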
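--- a/trunk/Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp
+++ b/trunk/Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp
@@ -154,7 +154,10 @@
         RenderObject* parent = beforeChild->parent();
         if (parent != this) {
-            RenderMathMLScriptsWrapper* wrapper = toRenderMathMLScriptsWrapper(parent);
-            wrapper->addChildInternal(false, child, beforeChild);
-            return;
+            RenderMathMLBlock* parentBlock = toRenderMathMLBlock(parent);
+            if (parentBlock->isRenderMathMLScriptsWrapper()) {
+                RenderMathMLScriptsWrapper* wrapper = toRenderMathMLScriptsWrapper(parentBlock);
+                wrapper->addChildInternal(false, child, beforeChild);
+                return;
+            }
         }
     }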
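Review bot: `toRenderMathMLBlock(parent)` on new line 156 downcasts before anything has established that `parent` is a RenderMathMLBlock, so the type test on the following line already runs through the cast pointer. If the cast helper only asserts in debug builds (its definition is outside this page), a release build would call `isRenderMathMLScriptsWrapper()` on a mistyped object whenever `beforeChild`'s parent is some other kind of renderer, which is the same class of bug this changeset is fixing. Test first and cast afterwards: `if (parent->isRenderMathMLBlock() && toRenderMathMLBlock(parent)->isRenderMathMLScriptsWrapper()) {`. When the parent is not a scripts wrapper, control now falls through past the closing braces; the code that runs there is outside the hunk, so confirm it treats `beforeChild` as a valid insertion point in that case.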