Title: [88104] trunk
- Revision
- 88104
- Author
- commit-qu...@webkit.org
- Date
- 2011-06-04 03:32:26 -0700 (Sat, 04 Jun 2011)
Log Message
2011-06-04 Jeffrey Pfau <jp...@apple.com>
Reviewed by Beth Dakin.
Crash in WebCore::RenderMathMLSubSup::baselinePosition()
https://bugs.webkit.org/show_bug.cgi?id=57897
Added simple test that hits the relevant code.
* mathml/msubsup-remove-children-expected.txt: Added.
* mathml/msubsup-remove-children.xhtml: Added.
2011-06-04 Jeffrey Pfau <jp...@apple.com>
Reviewed by Beth Dakin.
Crash in WebCore::RenderMathMLSubSup::baselinePosition()
https://bugs.webkit.org/show_bug.cgi?id=57897
Simple patch adding NULL checks in each function.
Test: mathml/msubsup-remove-children.xhtml
* rendering/mathml/RenderMathMLSubSup.cpp:
(WebCore::RenderMathMLSubSup::stretchToHeight):
(WebCore::RenderMathMLSubSup::baselinePosition):
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (88103 => 88104)
--- trunk/LayoutTests/ChangeLog 2011-06-04 10:24:13 UTC (rev 88103)
+++ trunk/LayoutTests/ChangeLog 2011-06-04 10:32:26 UTC (rev 88104)
@@ -1,3 +1,15 @@
+2011-06-04 Jeffrey Pfau <jp...@apple.com>
+
+ Reviewed by Beth Dakin.
+
+ Crash in WebCore::RenderMathMLSubSup::baselinePosition()
+ https://bugs.webkit.org/show_bug.cgi?id=57897
+
+ Added simple test that hits the relevant code.
+
+ * mathml/msubsup-remove-children-expected.txt: Added.
+ * mathml/msubsup-remove-children.xhtml: Added.
+
2011-06-03 Vangelis Kokkevis <vange...@chromium.org>
Unreviewed. Fixes test expectatations.
Added: trunk/LayoutTests/mathml/msubsup-remove-children-expected.txt (0 => 88104)
--- trunk/LayoutTests/mathml/msubsup-remove-children-expected.txt (rev 0)
+++ trunk/LayoutTests/mathml/msubsup-remove-children-expected.txt 2011-06-04 10:32:26 UTC (rev 88104)
@@ -0,0 +1 @@
+This test passes if the page has no other text.
Added: trunk/LayoutTests/mathml/msubsup-remove-children.xhtml (0 => 88104)
--- trunk/LayoutTests/mathml/msubsup-remove-children.xhtml (rev 0)
+++ trunk/LayoutTests/mathml/msubsup-remove-children.xhtml 2011-06-04 10:32:26 UTC (rev 88104)
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<html xmlns='http://www.w3.org/1999/xhtml'>
+ <head>
+ <title>Subscript and Superscripts</title>
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ </script>
+ </head>
+ <body>
+ <math id="m1" xmlns='http://www.w3.org/1998/Math/MathML'>
+ <mtext>This test passes if the page has no other text.</mtext>
+ <msubsup id="m2">
+ <mi id="m3">Z</mi>
+ <mrow id="m4"><mi id="m5">x</mi><mo id="m6">+</mo><mi id="m7">y</mi><mo id="m8">+</mo><mi id="m9">z</mi></mrow>
+ <mi id="m10">j</mi>
+ </msubsup>
+ </math>
+ <script>
+ try {
+ document.getElementById("m2").textContent=undefined;
+ } catch(e) {document.write("Error: " + e.name + ": " + e.message + + " for " + i);}
+ </script>
+ </body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (88103 => 88104)
--- trunk/Source/WebCore/ChangeLog 2011-06-04 10:24:13 UTC (rev 88103)
+++ trunk/Source/WebCore/ChangeLog 2011-06-04 10:32:26 UTC (rev 88104)
@@ -1,3 +1,17 @@
+2011-06-04 Jeffrey Pfau <jp...@apple.com>
+
+ Reviewed by Beth Dakin.
+
+ Crash in WebCore::RenderMathMLSubSup::baselinePosition()
+ https://bugs.webkit.org/show_bug.cgi?id=57897
+
+ Simple patch adding NULL checks in each function.
+ Test: mathml/msubsup-remove-children.xhtml
+
+ * rendering/mathml/RenderMathMLSubSup.cpp:
+ (WebCore::RenderMathMLSubSup::stretchToHeight):
+ (WebCore::RenderMathMLSubSup::baselinePosition):
+
2011-06-04 Nico Weber <tha...@chromium.org>
Reviewed by James Robinson.
Modified: trunk/Source/WebCore/rendering/mathml/RenderMathMLSubSup.cpp (88103 => 88104)
--- trunk/Source/WebCore/rendering/mathml/RenderMathMLSubSup.cpp 2011-06-04 10:24:13 UTC (rev 88103)
+++ trunk/Source/WebCore/rendering/mathml/RenderMathMLSubSup.cpp 2011-06-04 10:32:26 UTC (rev 88104)
@@ -106,7 +106,7 @@
void RenderMathMLSubSup::stretchToHeight(int height)
{
RenderObject* base = firstChild();
- if (!base)
+ if (!base || !base->firstChild())
return;
if (base->firstChild()->isRenderMathMLBlock()) {
@@ -185,6 +185,9 @@
switch (m_kind) {
case SubSup:
base = base->firstChild();
+ if (!base)
+ break;
+
if (m_scripts && base->isBoxModelObject()) {
RenderBoxModelObject* box = toRenderBoxModelObject(base);
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
