Permalink
Browse files

Merge WebKit at branches/chromium/742 r89068: Initial merge by Git.

Take us to top of Chrome 12 release branch (12.0.742.130)

Change-Id: I4408a97e343a118cf4a1bb9d71367bcc2c16ae48
  • Loading branch information...
1 parent 65b45b3 commit d0147a863b872ecaa451ab0dce2a348760e99e2c Ben Murdoch committed Jul 13, 2011
@@ -220,17 +220,27 @@ inline int clampToPositiveInteger(double d)
return static_cast<int>(std::max<double>(std::min(d, maxIntAsDouble), 0));
}
-inline int clampToInteger(float d)
+inline int clampToInteger(float x)
{
- const float minIntAsFloat = static_cast<float>(std::numeric_limits<int>::min());
- const float maxIntAsFloat = static_cast<float>(std::numeric_limits<int>::max());
- return static_cast<int>(std::max(std::min(d, maxIntAsFloat), minIntAsFloat));
+ static const int s_intMax = std::numeric_limits<int>::max();
+ static const int s_intMin = std::numeric_limits<int>::min();
+
+ if (x >= static_cast<float>(s_intMax))
+ return s_intMax;
+ if (x < static_cast<float>(s_intMin))
+ return s_intMin;
+ return static_cast<int>(x);
}
-inline int clampToPositiveInteger(float d)
+inline int clampToPositiveInteger(float x)
{
- const float maxIntAsFloat = static_cast<float>(std::numeric_limits<int>::max());
- return static_cast<int>(std::max<float>(std::min(d, maxIntAsFloat), 0));
+ static const int s_intMax = std::numeric_limits<int>::max();
+
+ if (x >= static_cast<float>(s_intMax))
+ return s_intMax;
+ if (x < 0)
+ return 0;
+ return static_cast<int>(x);
}
inline int clampToInteger(unsigned value)
@@ -1274,6 +1274,7 @@ __ZNK7WebCore8Document20cacheDocumentElementEv
__ZNK7WebCore8Document31displayStringModifiedByEncodingERKN3WTF6StringE
__ZNK7WebCore8Document4bodyEv
__ZNK7WebCore8Document6domainEv
+__ZNK7WebCore8Document6loaderEv
__ZNK7WebCore8IntPointcv7CGPointEv
__ZNK7WebCore8IntPointcv8_NSPointEv
__ZNK7WebCore8Position10downstreamENS_27EditingBoundaryCrossingRuleE
@@ -2490,7 +2490,7 @@ VisiblePosition AccessibilityRenderObject::visiblePositionForIndex(int index) co
int AccessibilityRenderObject::indexForVisiblePosition(const VisiblePosition& pos) const
{
if (isNativeTextControl())
- return toRenderTextControl(m_renderer)->indexForVisiblePosition(pos);
+ return RenderTextControl::indexForVisiblePosition(toRenderTextControl(m_renderer)->innerTextElement(), pos);
if (!isTextControl())
return 0;
@@ -107,9 +107,15 @@ bool ScriptController::executeIfJavaScriptURL(const KURL& url, ShouldReplaceDocu
// FIXME: We should always replace the document, but doing so
// synchronously can cause crashes:
// http://bugs.webkit.org/show_bug.cgi?id=16782
- if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL)
- m_frame->document()->loader()->writer()->replaceDocument(scriptResult);
-
+ if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) {
+ // We're still in a frame, so there should be a DocumentLoader.
+ ASSERT(m_frame->document()->loader());
+
+ // DocumentWriter::replaceDocument can cause the DocumentLoader to get deref'ed and possible destroyed,
+ // so protect it with a RefPtr.
+ if (RefPtr<DocumentLoader> loader = m_frame->document()->loader())
+ loader->writer()->replaceDocument(scriptResult);
+ }
return true;
}
@@ -6027,6 +6027,9 @@ int CSSParser::lex(void* yylvalWithoutType)
case FUNCTION:
case ANYFUNCTION:
case NOTFUNCTION:
+ case CALCFUNCTION:
+ case MINFUNCTION:
+ case MAXFUNCTION:
yylval->string.characters = t;
yylval->string.length = length;
break;
@@ -460,7 +460,6 @@ Document::Document(Frame* frame, const KURL& url, bool isXHTML, bool isHTML)
m_ignoreAutofocus = false;
m_frame = frame;
- m_documentLoader = frame ? frame->loader()->activeDocumentLoader() : 0;
// We depend on the url getting immediately set in subframes, but we
// also depend on the url NOT getting immediately set in opened windows.
@@ -601,12 +600,6 @@ void Document::removedLastRef()
#if ENABLE(FULLSCREEN_API)
m_fullScreenElement = 0;
#endif
- m_styleSelector.clear();
- m_styleSheets.clear();
- m_elemSheet.clear();
- m_mappedElementSheet.clear();
- m_pageUserSheet.clear();
- m_pageGroupUserSheets.clear();
// removeAllChildren() doesn't always unregister IDs,
// so tear down scope information upfront to avoid having stale references in the map.
@@ -2013,11 +2006,21 @@ HTMLElement* Document::body() const
void Document::setBody(PassRefPtr<HTMLElement> newBody, ExceptionCode& ec)
{
- if (!newBody || !documentElement()) {
+ ec = 0;
+
+ if (!newBody || !documentElement() || !newBody->hasTagName(bodyTag)) {
ec = HIERARCHY_REQUEST_ERR;
return;
}
+ if (newBody->document() && newBody->document() != this) {
+ RefPtr<Node> node = importNode(newBody.get(), true, ec);
+ if (ec)
+ return;
+
+ newBody = toHTMLElement(node.get());
+ }
+
HTMLElement* b = body();
if (!b)
documentElement()->appendChild(newBody, ec);
@@ -3783,7 +3786,9 @@ String Document::lastModified() const
DateComponents date;
bool foundDate = false;
if (m_frame) {
- String httpLastModified = m_documentLoader->response().httpHeaderField("Last-Modified");
+ String httpLastModified;
+ if (DocumentLoader* documentLoader = loader())
+ httpLastModified = documentLoader->response().httpHeaderField("Last-Modified");
if (!httpLastModified.isEmpty()) {
date.setMillisecondsSinceEpochForDateTime(parseDate(httpLastModified));
foundDate = true;
@@ -4264,7 +4269,7 @@ void Document::finishedParsing()
if (!m_documentTiming.domContentLoadedEventEnd)
m_documentTiming.domContentLoadedEventEnd = currentTime();
- if (Frame* f = frame()) {
+ if (RefPtr<Frame> f = frame()) {
// FrameLoader::finishedParsing() might end up calling Document::implicitClose() if all
// resource loads are complete. HTMLObjectElements can start loading their resources from
// post attach callbacks triggered by recalcStyle(). This means if we parse out an <object>
@@ -4276,7 +4281,7 @@ void Document::finishedParsing()
f->loader()->finishedParsing();
- InspectorInstrumentation::domContentLoadedEventFired(f, url());
+ InspectorInstrumentation::domContentLoadedEventFired(f.get(), url());
}
}
@@ -4491,7 +4496,9 @@ void Document::initSecurityContext()
// load local resources. See https://bugs.webkit.org/show_bug.cgi?id=16756
// and https://bugs.webkit.org/show_bug.cgi?id=19760 for further
// discussion.
- if (m_documentLoader->substituteData().isValid())
+
+ DocumentLoader* documentLoader = loader();
+ if (documentLoader && documentLoader->substituteData().isValid())
securityOrigin()->grantLoadLocalResources();
}
@@ -4572,7 +4579,9 @@ void Document::updateURLForPushOrReplaceState(const KURL& url)
setURL(url);
f->loader()->setOutgoingReferrer(url);
- m_documentLoader->replaceRequestURLForSameDocumentNavigation(url);
+
+ if (DocumentLoader* documentLoader = loader())
+ documentLoader->replaceRequestURLForSameDocumentNavigation(url);
}
void Document::statePopped(SerializedScriptValue* stateObject)
@@ -5038,4 +5047,19 @@ PassRefPtr<TouchList> Document::createTouchList(ExceptionCode&) const
}
#endif
+DocumentLoader* Document::loader() const
+{
+ if (!m_frame)
+ return 0;
+
+ DocumentLoader* loader = m_frame->loader()->activeDocumentLoader();
+ if (!loader)
+ return 0;
+
+ if (m_frame->document() != this)
+ return 0;
+
+ return loader;
+}
+
} // namespace WebCore
@@ -553,8 +553,7 @@ class Document : public TreeScope, public ScriptExecutionContext {
void setVisuallyOrdered();
bool visuallyOrdered() const { return m_visuallyOrdered; }
- void setDocumentLoader(DocumentLoader* documentLoader) { m_documentLoader = documentLoader; }
- DocumentLoader* loader() const { return m_documentLoader; }
+ DocumentLoader* loader() const;
void open(Document* ownerDocument = 0);
void implicitOpen();
@@ -1156,7 +1155,6 @@ class Document : public TreeScope, public ScriptExecutionContext {
mutable RefPtr<CSSPrimitiveValueCache> m_cssPrimitiveValueCache;
Frame* m_frame;
- DocumentLoader* m_documentLoader;
OwnPtr<CachedResourceLoader> m_cachedResourceLoader;
RefPtr<DocumentParser> m_parser;
bool m_wellFormed;
@@ -90,7 +90,13 @@ class StyleSelectorParentPusher {
if (!m_pushedStyleSelector)
return;
+
+ // This tells us that our pushed style selector is in a bad state,
+ // so we should just bail out in that scenario.
ASSERT(m_pushedStyleSelector == m_parent->document()->styleSelector());
+ if (m_pushedStyleSelector != m_parent->document()->styleSelector())
+ return;
+
m_pushedStyleSelector->popParent(m_parent);
}
@@ -198,6 +198,14 @@ bool ScriptElement::prepareScript(const TextPosition1& scriptStartPosition, Lega
if (!m_element->document()->frame()->script()->canExecuteScripts(AboutToExecuteScript))
return false;
+ // FIXME: This is non-standard. Remove this after https://bugs.webkit.org/show_bug.cgi?id=62412.
+ Node* ancestor = m_element->parentNode();
+ while (ancestor) {
+ if (ancestor->isSVGShadowRoot())
+ return false;
+ ancestor = ancestor->parentNode();
+ }
+
if (!isScriptForEventSupported())
return false;
@@ -88,6 +88,8 @@ void WebKitBlobBuilder::append(const String& text, ExceptionCode& ec)
#if ENABLE(BLOB)
void WebKitBlobBuilder::append(ArrayBuffer* arrayBuffer)
{
+ if (!arrayBuffer)
+ return;
Vector<char>& buffer = getBuffer();
size_t oldSize = buffer.size();
buffer.append(static_cast<const char*>(arrayBuffer->data()), arrayBuffer->byteLength());
@@ -97,6 +99,8 @@ void WebKitBlobBuilder::append(ArrayBuffer* arrayBuffer)
void WebKitBlobBuilder::append(Blob* blob)
{
+ if (!blob)
+ return;
if (blob->isFile()) {
// If the blob is file that is not snapshoted, capture the snapshot now.
// FIXME: This involves synchronous file operation. We need to figure out how to make it asynchronous.
@@ -372,17 +372,21 @@ PassRefPtr<ImageData> HTMLCanvasElement::getImageData()
IntRect HTMLCanvasElement::convertLogicalToDevice(const FloatRect& logicalRect) const
{
- float left = floorf(logicalRect.x() * m_pageScaleFactor);
- float top = floorf(logicalRect.y() * m_pageScaleFactor);
- float right = ceilf(logicalRect.maxX() * m_pageScaleFactor);
- float bottom = ceilf(logicalRect.maxY() * m_pageScaleFactor);
-
+ // Prevent under/overflow by ensuring the rect's bounds stay within integer-expressible range
+ int left = clampToInteger(floorf(logicalRect.x() * m_pageScaleFactor));
+ int top = clampToInteger(floorf(logicalRect.y() * m_pageScaleFactor));
+ int right = clampToInteger(ceilf(logicalRect.maxX() * m_pageScaleFactor));
+ int bottom = clampToInteger(ceilf(logicalRect.maxY() * m_pageScaleFactor));
+
return IntRect(IntPoint(left, top), convertToValidDeviceSize(right - left, bottom - top));
}
IntSize HTMLCanvasElement::convertLogicalToDevice(const FloatSize& logicalSize) const
{
- return convertToValidDeviceSize(logicalSize.width() * m_pageScaleFactor, logicalSize.height() * m_pageScaleFactor);
+ // Prevent overflow by ensuring the rect's bounds stay within integer-expressible range
+ float width = clampToInteger(ceilf(logicalSize.width() * m_pageScaleFactor));
+ float height = clampToInteger(ceilf(logicalSize.height() * m_pageScaleFactor));
+ return convertToValidDeviceSize(width, height);
}
IntSize HTMLCanvasElement::convertToValidDeviceSize(float width, float height) const
@@ -209,7 +209,11 @@ void MediaDocument::replaceMediaElementTimerFired(Timer<MediaDocument>*)
embedElement->setAttribute(heightAttr, "100%");
embedElement->setAttribute(nameAttr, "plugin");
embedElement->setAttribute(srcAttr, url().string());
- embedElement->setAttribute(typeAttr, loader()->writer()->mimeType());
+
+ DocumentLoader* documentLoader = loader();
+ ASSERT(documentLoader);
+ if (documentLoader)
+ embedElement->setAttribute(typeAttr, documentLoader->writer()->mimeType());
ExceptionCode ec;
videoElement->parentNode()->replaceChild(embedElement, videoElement, ec);
@@ -92,7 +92,11 @@ void PluginDocumentParser::createDocumentStructure()
m_embedElement->setAttribute(nameAttr, "plugin");
m_embedElement->setAttribute(srcAttr, document()->url().string());
- m_embedElement->setAttribute(typeAttr, document()->loader()->writer()->mimeType());
+
+ DocumentLoader* loader = document()->loader();
+ ASSERT(loader);
+ if (loader)
+ m_embedElement->setAttribute(typeAttr, loader->writer()->mimeType());
static_cast<PluginDocument*>(document())->setPluginNode(m_embedElement);
@@ -1632,6 +1632,10 @@ PassRefPtr<ImageData> CanvasRenderingContext2D::createImageData(float sw, float
if (scaledSize.height() < 1)
scaledSize.setHeight(1);
+ float area = 4.0f * scaledSize.width() * scaledSize.height();
+ if (area > static_cast<float>(std::numeric_limits<int>::max()))
+ return 0;
+
return createEmptyImageData(scaledSize);
}
@@ -1668,7 +1672,12 @@ PassRefPtr<ImageData> CanvasRenderingContext2D::getImageData(float sx, float sy,
ImageBuffer* buffer = canvas()->buffer();
if (!buffer)
return createEmptyImageData(scaledRect.size());
- return ImageData::create(scaledRect.size(), buffer->getUnmultipliedImageData(scaledRect));
+
+ RefPtr<ByteArray> byteArray = buffer->getUnmultipliedImageData(scaledRect);
+ if (!byteArray)
+ return 0;
+
+ return ImageData::create(scaledRect.size(), byteArray.release());
}
void CanvasRenderingContext2D::putImageData(ImageData* data, float dx, float dy, ExceptionCode& ec)
@@ -83,13 +83,14 @@ bool causesFosterParenting(const QualifiedName& tagName)
} // namespace
template<typename ChildType>
-PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRefPtr<ChildType> prpChild)
+PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* rawParent, PassRefPtr<ChildType> prpChild)
{
RefPtr<ChildType> child = prpChild;
+ RefPtr<ContainerNode> parent = rawParent;
// FIXME: It's confusing that HTMLConstructionSite::attach does the magic
// redirection to the foster parent but HTMLConstructionSite::attachAtSite
- // doesn't. It feels like we're missing a concept somehow.
+ // doesn't. It feels like we're missing a concept somehow.
if (shouldFosterParent()) {
fosterParent(child.get());
ASSERT(child->attached() || !child->parentNode() || !child->parentNode()->attached());
@@ -103,11 +104,6 @@ PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRe
if (!child->parentNode())
return child.release();
- // It's slightly unfortunate that we need to hold a reference to child
- // here to call attach(). We should investigate whether we can rely on
- // |parent| to hold a ref at this point. In the common case (at least
- // for elements), however, we'll get to use this ref in the stack of
- // open elements.
if (parent->attached() && !child->attached())
child->attach();
return child.release();
@@ -278,7 +278,7 @@ void HTMLDocumentParser::pumpTokenizer(SynchronousMode mode)
}
m_treeBuilder->constructTreeFromToken(m_token);
- m_token.clear();
+ ASSERT(m_token.isUninitialized());
}
// Ensure we haven't been totally deref'ed after pumping. Any caller of this
@@ -73,6 +73,8 @@ class HTMLToken {
m_data.clear();
}
+ bool isUninitialized() { return m_type == Uninitialized; }
+
int startIndex() const { return m_range.m_start; }
int endIndex() const { return m_range.m_end; }
Oops, something went wrong.

0 comments on commit d0147a8

Please sign in to comment.