https://bugs.webkit.org/show_bug.cgi?id=80773
Patch by Jacky Jiang <zhajiang@rim.com> on 2012-03-13
Reviewed by Julien Chaffraix.
Source/WebCore:
When adding child for msub render, if the child is mtr or mtd render,
we will create an anonymous render as the container. As the anonymous
render's node is 0, accessing it directly can cause crash.
We should do a valid check of the node before using. In addition to
that, for msub, attach the anonymous render and its children to render
tree. For msubsup, such kind of situation should never happen based on
the current codebase.
Test: mathml/msub-anonymous-child-render-crash.html
* rendering/mathml/RenderMathMLSubSup.cpp:
(WebCore::RenderMathMLSubSup::addChild):
LayoutTests:
* mathml/msub-anonymous-child-render-crash-expected.txt: Added.
* mathml/msub-anonymous-child-render-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@110640 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2012-03-13 Jacky Jiang <zhajiang@rim.com>
+
+ MathML crash in WebCore::Node::previousSibling()
+ https://bugs.webkit.org/show_bug.cgi?id=80773
+
+ Reviewed by Julien Chaffraix.
+
+ * mathml/msub-anonymous-child-render-crash-expected.txt: Added.
+ * mathml/msub-anonymous-child-render-crash.html: Added.
+
2012-03-13 Mihnea Ovidenie <mihnea@adobe.com>
[CSSRegions]NamedFlow::getRegionsByContentNode should not return a live NodeList
--- /dev/null
+This test passes if it does not crash.
+
+X
+3
+Y3X
+3
+2Y32
--- /dev/null
+<html>
+<script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<body>
+<p>This test passes if it does not crash.</p>
+<math xmlns="http://www.w3.org/1998/Math/MathML">
+ <msub>
+ <mi>X</mi>
+ <mtr>3</mtr>
+ </msub>
+ <msub>
+ <mi>Y</mi>
+ <mtd>3</mtd>
+ </msub>
+ <msubsup>
+ <mi>X</mi>
+ <mtr>3</mtr>
+ <mn>2</mn>
+ </msubsup>
+ <msubsup>
+ <mi>Y</mi>
+ <mtd>3</mtd>
+ <mn>2</mn>
+ </msubsup>
+</math>
+</body>
+</html>
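Review bot: the test has no <msup> case, although the comment in RenderMathMLSubSup::addChild describes position 1 as the base of "msub/msup/msubsup", so one of the three kinds that go through this code is not exercised. Consider adding two <msup> blocks next to the existing ones, one with an <mtr> child and one with an <mtd> child, and extending msub-anonymous-child-render-crash-expected.txt to match. A short comment in the test saying that <mtr>/<mtd> are used because they produce an anonymous renderer with a null node would also help the next reader understand why these elements were chosen.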
+2012-03-13 Jacky Jiang <zhajiang@rim.com>
+
+ MathML crash in WebCore::Node::previousSibling()
+ https://bugs.webkit.org/show_bug.cgi?id=80773
+
+ Reviewed by Julien Chaffraix.
+
+ When adding child for msub render, if the child is mtr or mtd render,
+ we will creat an anonymous render as the container. As the anonymous
+ render's node is 0, accessing it directly can cause crash.
+ We should do a valid check of the node before using. In addition to
+ that, for msub, attach the anonymous render and it's children to render
+ tree. For msubsup, such kind of situation should never happen based on
+ the current codebase.
+
+ Test: mathml/msub-anonymous-child-render-crash.html
+
+ * rendering/mathml/RenderMathMLSubSup.cpp:
+ (WebCore::RenderMathMLSubSup::addChild):
+
2012-03-13 Mihnea Ovidenie <mihnea@adobe.com>
[CSSRegions]NamedFlow::getRegionsByContentNode should not return a live NodeList
// Note: The RenderMathMLBlock only allows element children to be added.
Element* childElement = toElement(child->node());
- if (!childElement->previousElementSibling()) {
+ if (childElement && !childElement->previousElementSibling()) {
// Position 1 is always the base of the msub/msup/msubsup.
RenderMathMLBlock* wrapper = new (renderArena()) RenderMathMLBlock(node());
RefPtr<RenderStyle> wrapperStyle = RenderStyle::create();
}
} else {
if (m_kind == SubSup) {
+ ASSERT(childElement);
+ if (!childElement)
+ return;
+
RenderBlock* script = new (renderArena()) RenderMathMLBlock(node());
RefPtr<RenderStyle> scriptStyle = RenderStyle::create();
scriptStyle->inheritFrom(m_scripts->style());
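Review bot: in the m_kind == SubSup branch, the new "if (!childElement) return;" exits addChild without attaching child anywhere, so if this path is ever reached in a release build the anonymous renderer is silently dropped from the render tree instead of crashing. The ASSERT(childElement) just above says the case is unreachable while the early return says it is handled, and the ChangeLog only states that it "should never happen based on the current codebase". Please add a comment here explaining why an anonymous child cannot reach the SubSup path, and say whether dropping the child is the intended release behaviour or whether it should be handed to the base class addChild instead. For the first change, "childElement && !childElement->previousElementSibling()", a one-line comment noting that child->node() is 0 for anonymous renderers would make the null check self-explanatory.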