Title: [94455] trunk
- Revision
- 94455
- Author
- m...@apple.com
- Date
- 2011-09-02 15:22:16 -0700 (Fri, 02 Sep 2011)
Log Message
<rdar://problem/9755843> anonymous RenderMathMLOperator sets itself as the renderer of its parent mfenced node
Reviewed by Darin Adler.
Source/WebCore:
Test: mathml/operator-hijacks-fenced-node.xhtml
* rendering/mathml/RenderMathMLOperator.cpp:
(WebCore::RenderMathMLOperator::updateFromElement): Rather than unconditionally setting the
node’s renderer to this, just restore it to whatever it was before calling destroyLeftoverChildren().
LayoutTests:
* mathml/operator-hijacks-fenced-node-expected.txt: Added.
* mathml/operator-hijacks-fenced-node.xhtml: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (94454 => 94455)
--- trunk/LayoutTests/ChangeLog 2011-09-02 22:21:07 UTC (rev 94454)
+++ trunk/LayoutTests/ChangeLog 2011-09-02 22:22:16 UTC (rev 94455)
@@ -1,3 +1,12 @@
+2011-09-02 Dan Bernstein <m...@apple.com>
+
+ <rdar://problem/9755843> anonymous RenderMathMLOperator sets itself as the renderer of its parent mfenced node
+
+ Reviewed by Darin Adler.
+
+ * mathml/operator-hijacks-fenced-node-expected.txt: Added.
+ * mathml/operator-hijacks-fenced-node.xhtml: Added.
+
2011-09-02 Tom Sepez <tse...@chromium.org>
Add LayoutTest for the case where long strings are processed by the XSSAuditor.
Added: trunk/LayoutTests/mathml/operator-hijacks-fenced-node-expected.txt (0 => 94455)
--- trunk/LayoutTests/mathml/operator-hijacks-fenced-node-expected.txt (rev 0)
+++ trunk/LayoutTests/mathml/operator-hijacks-fenced-node-expected.txt 2011-09-02 22:22:16 UTC (rev 94455)
@@ -0,0 +1,3 @@
+This tests that an anonymous operator created by mfenced does not set itself as the mfenced node’s renderer.
+
+The test passes if it does not crash or cause an assertion failure.
Added: trunk/LayoutTests/mathml/operator-hijacks-fenced-node.xhtml (0 => 94455)
--- trunk/LayoutTests/mathml/operator-hijacks-fenced-node.xhtml (rev 0)
+++ trunk/LayoutTests/mathml/operator-hijacks-fenced-node.xhtml 2011-09-02 22:22:16 UTC (rev 94455)
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:m="http://www.w3.org/1998/Math/MathML">
+<body>
+ <p>
+ This tests that an anonymous operator created by mfenced does not
+ set itself as the mfenced node’s renderer.
+ </p>
+ <p>
+ The test passes if it does not crash or cause an assertion failure.
+ </p>
+ <div id="container">
+ <m:math><span><m:mfenced id="target"><m:mo></m:mo></m:mfenced></span></m:math>
+ </div>
+ <script><![CDATA[
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ document.body.offsetTop;
+ document.getElementById("target").parentNode.insertBefore(document.createElement("div"), document.getElementById("target"));
+ document.body.offsetTop;
+ document.getElementById("container").style.display = "none";
+ ]]></script>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (94454 => 94455)
--- trunk/Source/WebCore/ChangeLog 2011-09-02 22:21:07 UTC (rev 94454)
+++ trunk/Source/WebCore/ChangeLog 2011-09-02 22:22:16 UTC (rev 94455)
@@ -1,3 +1,15 @@
+2011-09-02 Dan Bernstein <m...@apple.com>
+
+ <rdar://problem/9755843> anonymous RenderMathMLOperator sets itself as the renderer of its parent mfenced node
+
+ Reviewed by Darin Adler.
+
+ Test: mathml/operator-hijacks-fenced-node.xhtml
+
+ * rendering/mathml/RenderMathMLOperator.cpp:
+ (WebCore::RenderMathMLOperator::updateFromElement): Rather than unconditionally setting the
+ node’s renderer to this, just restore it to whatever it was before calling destroyLeftoverChildren().
+
2011-09-02 Mark Hahnenberg <mhahnenb...@apple.com>
Incorporate newer, faster dtoa library
Modified: trunk/Source/WebCore/rendering/mathml/RenderMathMLOperator.cpp (94454 => 94455)
--- trunk/Source/WebCore/rendering/mathml/RenderMathMLOperator.cpp 2011-09-02 22:21:07 UTC (rev 94454)
+++ trunk/Source/WebCore/rendering/mathml/RenderMathMLOperator.cpp 2011-09-02 22:22:16 UTC (rev 94455)
@@ -124,12 +124,14 @@
void RenderMathMLOperator::updateFromElement()
{
+ RenderObject* savedRenderer = node()->renderer();
+
// Destroy our current children
children()->destroyLeftoverChildren();
- // Since we share a node with our children, destroying our children will set our node's
- // renderer to 0, so we need to re-set it back to this.
- node()->setRenderer(this);
+ // Since we share a node with our children, destroying our children may set our node's
+ // renderer to 0, so we need to restore it.
+ node()->setRenderer(savedRenderer);
// If the operator is fixed, it will be contained in m_operator
UChar firstChar = m_operator;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes