Changeset 88730 in webkit


Timestamp:
Jun 13, 2011 4:20:47 PM (13 years ago)
Author:
commit-queue@webkit.org
Message:

2011-06-13 Jeffrey Pfau <jpfau@apple.com>

Reviewed by Darin Adler.

Crash in WebCore::RenderMathMLUnderOver::layout()
https://bugs.webkit.org/show_bug.cgi?id=57900

Added a test that tries to remove the children of munder, mover and munderover elements.

  • mathml/munderover-remove-children-expected.txt: Added.
  • mathml/munderover-remove-children.html: Added.

2011-06-13 Jeffrey Pfau <jpfau@apple.com>

Reviewed by Darin Adler.

Crash in WebCore::RenderMathMLUnderOver::layout()
https://bugs.webkit.org/show_bug.cgi?id=57900

Add more null checks so that removing children in MathML elements does not cause crashes.
Note that this only half fixes the third repro in the Bugzilla bug, as another bug will
still crash that repro.

Test: mathml/munderover-remove-children.html

  • rendering/mathml/RenderMathMLSubSup.cpp: (WebCore::RenderMathMLSubSup::stretchToHeight):
  • rendering/mathml/RenderMathMLUnderOver.cpp: (WebCore::RenderMathMLUnderOver::layout): (WebCore::RenderMathMLUnderOver::nonOperatorHeight):
Location:
trunk
Files:
2 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r88717 r88730  
     12011-06-13  Jeffrey Pfau  <jpfau@apple.com>
     2
     3        Reviewed by Darin Adler.
     4
     5        Crash in WebCore::RenderMathMLUnderOver::layout()
     6        https://bugs.webkit.org/show_bug.cgi?id=57900
     7
     8        Added a test that tries to remove the children of munder, mover and munderover elements.
     9
     10        * mathml/munderover-remove-children-expected.txt: Added.
     11        * mathml/munderover-remove-children.html: Added.
     12
    1132011-06-13  Wyatt Carss  <wcarss@google.com>
    214
  • trunk/Source/WebCore/ChangeLog

    r88729 r88730  
     12011-06-13  Jeffrey Pfau  <jpfau@apple.com>
     2
     3        Reviewed by Darin Adler.
     4
     5        Crash in WebCore::RenderMathMLUnderOver::layout()
     6        https://bugs.webkit.org/show_bug.cgi?id=57900
     7
     8        Add more null checks so that removing children in MathML elements does not cause crashes.
     9        Note that this only half fixes the third repro in the Bugzilla bug, as another bug will
     10        still crash that repro.
     11
     12        Test: mathml/munderover-remove-children.html
     13
     14        * rendering/mathml/RenderMathMLSubSup.cpp:
     15        (WebCore::RenderMathMLSubSup::stretchToHeight):
     16        * rendering/mathml/RenderMathMLUnderOver.cpp:
     17        (WebCore::RenderMathMLUnderOver::layout):
     18        (WebCore::RenderMathMLUnderOver::nonOperatorHeight):
     19
    1202011-06-13  Dmitry Lomov  <dslomov@google.com>
    221
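Review bot: The note on ChangeLog lines 9-10 says another bug still crashes the third repro but does not identify it. Reference the follow-up bug there (or file one and link it) so anyone chasing the remaining crash from bug 57900 can see that this change was known to be partial and where the rest is tracked.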
  • trunk/Source/WebCore/rendering/mathml/RenderMathMLSubSup.cpp

    r88104 r88730  
    110110        return;
    111111   
    112     if (base->firstChild()->isRenderMathMLBlock()) {
     112    if (base->firstChild() && base->firstChild()->isRenderMathMLBlock()) {
    113113        RenderMathMLBlock* block = toRenderMathMLBlock(base->firstChild());
    114114        block->stretchToHeight(static_cast<int>(gSubSupStretch * height));
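Review bot: The guard added on line 112 has no matching regression test; the test added with this change is described as removing the children of munder, mover and munderover only, which exercises RenderMathMLUnderOver but not RenderMathMLSubSup::stretchToHeight. Add a case that removes the children of an element laid out by RenderMathMLSubSup. As a smaller point, base->firstChild() is fetched again on line 113; a local would make the check and the cast operate on the same pointer.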
  • trunk/Source/WebCore/rendering/mathml/RenderMathMLUnderOver.cpp

    r75353 r88730  
    156156            // FIXME: descending glyphs intrude into base (e.g. lowercase y over base)
    157157            // FIXME: bases that ascend higher than the line box intrude into the over
    158             if (!over->firstChild()->isBoxModelObject())
     158            if (!over->firstChild() || !over->firstChild()->isBoxModelObject())
    159159                break;
    160160           
     
    184184            // actual base
    185185            base = base->firstChild();
    186             if (!base->isBoxModelObject())
     186            if (!base || !base->isBoxModelObject())
    187187                break;
    188188           
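Review bot: Line 185 calls base->firstChild() before the new !base test on line 186, so the added check covers only the child and not base itself. If base can be null on entry to this block (the hunk does not show it), the guard needs to come before line 185. The same ordering appears at lines 226-227.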
     
    208208            // FIXME: descending glyphs intrude into base (e.g. lowercase y over base)
    209209            // FIXME: bases that ascend higher than the line box intrude into the over
    210             if (!over->firstChild()->isBoxModelObject())
     210            if (!over->firstChild() || !over->firstChild()->isBoxModelObject())
    211211                break;
    212212            int overSpacing = static_cast<int>(gOverSpacingAdjustment * (getOffsetHeight(over) - toRenderBoxModelObject(over->firstChild())->baselinePosition(AlphabeticBaseline, true, HorizontalLine)));
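Review bot: Lines 210 and 212 evaluate over->firstChild() three times, and the same two-part guard is repeated at line 158. Hoist it into a local, for example RenderObject* overChild = over->firstChild(), test !overChild || !overChild->isBoxModelObject(), and pass overChild to toRenderBoxModelObject() on line 212, so the null check and the cast cannot drift apart in a later edit.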
     
    225225                // actual base
    226226                base = base->firstChild();
    227                 if (!base->isBoxModelObject())
     227                if (!base || !base->isBoxModelObject())
    228228                    break;
    229229
     
    233233               
    234234                RenderObject* under = lastChild();
    235                 if (under && under->firstChild()->isRenderInline() && underSpacing > 0)
     235                if (under && under->firstChild() && under->firstChild()->isRenderInline() && underSpacing > 0)
    236236                    under->style()->setMarginTop(Length(-underSpacing, Fixed));
    237237               
     
    283283    int nonOperators = 0;
    284284    for (RenderObject* current = firstChild(); current; current = current->nextSibling()) {
    285         if (current->firstChild()->isRenderMathMLBlock()) {
     285        if (current->firstChild() && current->firstChild()->isRenderMathMLBlock()) {
    286286            RenderMathMLBlock* block = toRenderMathMLBlock(current->firstChild());
    287287            if (!block->isRenderMathMLOperator())
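Review bot: With the check added on line 285, a child whose firstChild() is null no longer takes the block branch and instead falls through to whatever follows this if, which the hunk does not show. Confirm that path does not dereference current->firstChild() either; before this change a child-less renderer crashed on line 285 and never reached it.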