Merge WebKit at branches/chromium/742 r89068: Initial merge by Git.

Take us to top of Chrome 12 release branch (12.0.742.130) Change-Id: I4408a97e343a118cf4a1bb9d71367bcc2c16ae48
AOKP · Jul 13, 2011 · d0147a8 · d0147a8
1 parent 65b45b3
commit d0147a8
Show file tree

Hide file tree

Showing 27 changed files with 181 additions and 81 deletions.
diff --git a/Source/JavaScriptCore/wtf/MathExtras.h b/Source/JavaScriptCore/wtf/MathExtras.h
@@ -220,17 +220,27 @@ inline int clampToPositiveInteger(double d)
     return static_cast<int>(std::max<double>(std::min(d, maxIntAsDouble), 0));
 }
 
-inline int clampToInteger(float d)
+inline int clampToInteger(float x)
 {
-    const float minIntAsFloat = static_cast<float>(std::numeric_limits<int>::min());
-    const float maxIntAsFloat = static_cast<float>(std::numeric_limits<int>::max());
-    return static_cast<int>(std::max(std::min(d, maxIntAsFloat), minIntAsFloat));
+    static const int s_intMax = std::numeric_limits<int>::max();
+    static const int s_intMin = std::numeric_limits<int>::min();
+
+    if (x >= static_cast<float>(s_intMax))
+        return s_intMax;
+    if (x < static_cast<float>(s_intMin))
+        return s_intMin;
+    return static_cast<int>(x);
 }
 
-inline int clampToPositiveInteger(float d)
+inline int clampToPositiveInteger(float x)
 {
-    const float maxIntAsFloat = static_cast<float>(std::numeric_limits<int>::max());
-    return static_cast<int>(std::max<float>(std::min(d, maxIntAsFloat), 0));
+    static const int s_intMax = std::numeric_limits<int>::max();
+
+    if (x >= static_cast<float>(s_intMax))
+        return s_intMax;
+    if (x < 0)
+        return 0;
+    return static_cast<int>(x);
 }
 
 inline int clampToInteger(unsigned value)

diff --git a/Source/WebCore/WebCore.exp.in b/Source/WebCore/WebCore.exp.in
@@ -1274,6 +1274,7 @@ __ZNK7WebCore8Document20cacheDocumentElementEv
 __ZNK7WebCore8Document31displayStringModifiedByEncodingERKN3WTF6StringE
 __ZNK7WebCore8Document4bodyEv
 __ZNK7WebCore8Document6domainEv
+__ZNK7WebCore8Document6loaderEv
 __ZNK7WebCore8IntPointcv7CGPointEv
 __ZNK7WebCore8IntPointcv8_NSPointEv
 __ZNK7WebCore8Position10downstreamENS_27EditingBoundaryCrossingRuleE

diff --git a/Source/WebCore/accessibility/AccessibilityRenderObject.cpp b/Source/WebCore/accessibility/AccessibilityRenderObject.cpp
@@ -2490,7 +2490,7 @@ VisiblePosition AccessibilityRenderObject::visiblePositionForIndex(int index) co
 int AccessibilityRenderObject::indexForVisiblePosition(const VisiblePosition& pos) const
 {
     if (isNativeTextControl())
-        return toRenderTextControl(m_renderer)->indexForVisiblePosition(pos);
+        return RenderTextControl::indexForVisiblePosition(toRenderTextControl(m_renderer)->innerTextElement(), pos);
 
     if (!isTextControl())
         return 0;

diff --git a/Source/WebCore/bindings/ScriptControllerBase.cpp b/Source/WebCore/bindings/ScriptControllerBase.cpp
@@ -107,9 +107,15 @@ bool ScriptController::executeIfJavaScriptURL(const KURL& url, ShouldReplaceDocu
     // FIXME: We should always replace the document, but doing so
     //        synchronously can cause crashes:
     //        http://bugs.webkit.org/show_bug.cgi?id=16782
-    if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL)
-        m_frame->document()->loader()->writer()->replaceDocument(scriptResult);
-
+    if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) {
+        // We're still in a frame, so there should be a DocumentLoader.
+        ASSERT(m_frame->document()->loader());
+
+        // DocumentWriter::replaceDocument can cause the DocumentLoader to get deref'ed and possible destroyed,
+        // so protect it with a RefPtr.
+        if (RefPtr<DocumentLoader> loader = m_frame->document()->loader())
+            loader->writer()->replaceDocument(scriptResult);
+    }
     return true;
 }
 

diff --git a/Source/WebCore/css/CSSParser.cpp b/Source/WebCore/css/CSSParser.cpp
@@ -6027,6 +6027,9 @@ int CSSParser::lex(void* yylvalWithoutType)
     case FUNCTION:
     case ANYFUNCTION:
     case NOTFUNCTION:
+    case CALCFUNCTION:
+    case MINFUNCTION:
+    case MAXFUNCTION:
         yylval->string.characters = t;
         yylval->string.length = length;
         break;

diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp
@@ -460,7 +460,6 @@ Document::Document(Frame* frame, const KURL& url, bool isXHTML, bool isHTML)
     m_ignoreAutofocus = false;
 
     m_frame = frame;
-    m_documentLoader = frame ? frame->loader()->activeDocumentLoader() : 0;
 
     // We depend on the url getting immediately set in subframes, but we
     // also depend on the url NOT getting immediately set in opened windows.
@@ -601,12 +600,6 @@ void Document::removedLastRef()
 #if ENABLE(FULLSCREEN_API)
         m_fullScreenElement = 0;
 #endif
-        m_styleSelector.clear();
-        m_styleSheets.clear();
-        m_elemSheet.clear();
-        m_mappedElementSheet.clear();
-        m_pageUserSheet.clear();
-        m_pageGroupUserSheets.clear();
 
         // removeAllChildren() doesn't always unregister IDs,
         // so tear down scope information upfront to avoid having stale references in the map.
@@ -2013,11 +2006,21 @@ HTMLElement* Document::body() const
 
 void Document::setBody(PassRefPtr<HTMLElement> newBody, ExceptionCode& ec)
 {
-    if (!newBody || !documentElement()) { 
+    ec = 0;
+
+    if (!newBody || !documentElement() || !newBody->hasTagName(bodyTag)) { 
         ec = HIERARCHY_REQUEST_ERR;
         return;
     }
 
+    if (newBody->document() && newBody->document() != this) {
+        RefPtr<Node> node = importNode(newBody.get(), true, ec);
+        if (ec)
+            return;
+
+        newBody = toHTMLElement(node.get());
+    }
+
     HTMLElement* b = body();
     if (!b)
         documentElement()->appendChild(newBody, ec);
@@ -3783,7 +3786,9 @@ String Document::lastModified() const
     DateComponents date;
     bool foundDate = false;
     if (m_frame) {
-        String httpLastModified = m_documentLoader->response().httpHeaderField("Last-Modified");
+        String httpLastModified;
+        if (DocumentLoader* documentLoader = loader()) 
+            httpLastModified = documentLoader->response().httpHeaderField("Last-Modified");
         if (!httpLastModified.isEmpty()) {
             date.setMillisecondsSinceEpochForDateTime(parseDate(httpLastModified));
             foundDate = true;
@@ -4264,7 +4269,7 @@ void Document::finishedParsing()
     if (!m_documentTiming.domContentLoadedEventEnd)
         m_documentTiming.domContentLoadedEventEnd = currentTime();
 
-    if (Frame* f = frame()) {
+    if (RefPtr<Frame> f = frame()) {
         // FrameLoader::finishedParsing() might end up calling Document::implicitClose() if all
         // resource loads are complete. HTMLObjectElements can start loading their resources from
         // post attach callbacks triggered by recalcStyle().  This means if we parse out an <object>
@@ -4276,7 +4281,7 @@ void Document::finishedParsing()
 
         f->loader()->finishedParsing();
 
-        InspectorInstrumentation::domContentLoadedEventFired(f, url());
+        InspectorInstrumentation::domContentLoadedEventFired(f.get(), url());
     }
 }
 
@@ -4491,7 +4496,9 @@ void Document::initSecurityContext()
         // load local resources.  See https://bugs.webkit.org/show_bug.cgi?id=16756
         // and https://bugs.webkit.org/show_bug.cgi?id=19760 for further
         // discussion.
-        if (m_documentLoader->substituteData().isValid())
+
+        DocumentLoader* documentLoader = loader();
+        if (documentLoader && documentLoader->substituteData().isValid())
             securityOrigin()->grantLoadLocalResources();
     }
 
@@ -4572,7 +4579,9 @@ void Document::updateURLForPushOrReplaceState(const KURL& url)
 
     setURL(url);
     f->loader()->setOutgoingReferrer(url);
-    m_documentLoader->replaceRequestURLForSameDocumentNavigation(url);
+
+    if (DocumentLoader* documentLoader = loader())
+        documentLoader->replaceRequestURLForSameDocumentNavigation(url);
 }
 
 void Document::statePopped(SerializedScriptValue* stateObject)
@@ -5038,4 +5047,19 @@ PassRefPtr<TouchList> Document::createTouchList(ExceptionCode&) const
 }
 #endif
 
+DocumentLoader* Document::loader() const
+{
+    if (!m_frame)
+        return 0;
+
+    DocumentLoader* loader = m_frame->loader()->activeDocumentLoader();
+    if (!loader)
+        return 0;
+
+    if (m_frame->document() != this)
+        return 0;
+
+    return loader;
+}
+
 } // namespace WebCore
diff --git a/Source/WebCore/dom/Document.h b/Source/WebCore/dom/Document.h
@@ -553,8 +553,7 @@ class Document : public TreeScope, public ScriptExecutionContext {
     void setVisuallyOrdered();
     bool visuallyOrdered() const { return m_visuallyOrdered; }
 
-    void setDocumentLoader(DocumentLoader* documentLoader) { m_documentLoader = documentLoader; }
-    DocumentLoader* loader() const { return m_documentLoader; }
+    DocumentLoader* loader() const;
 
     void open(Document* ownerDocument = 0);
     void implicitOpen();
@@ -1156,7 +1155,6 @@ class Document : public TreeScope, public ScriptExecutionContext {
     mutable RefPtr<CSSPrimitiveValueCache> m_cssPrimitiveValueCache;
 
     Frame* m_frame;
-    DocumentLoader* m_documentLoader;
     OwnPtr<CachedResourceLoader> m_cachedResourceLoader;
     RefPtr<DocumentParser> m_parser;
     bool m_wellFormed;

diff --git a/Source/WebCore/dom/Element.cpp b/Source/WebCore/dom/Element.cpp
@@ -90,7 +90,13 @@ class StyleSelectorParentPusher {
 
         if (!m_pushedStyleSelector)
             return;
+
+        // This tells us that our pushed style selector is in a bad state,
+        // so we should just bail out in that scenario.
         ASSERT(m_pushedStyleSelector == m_parent->document()->styleSelector());
+        if (m_pushedStyleSelector != m_parent->document()->styleSelector())
+            return;
+
         m_pushedStyleSelector->popParent(m_parent); 
     }
 

diff --git a/Source/WebCore/dom/ScriptElement.cpp b/Source/WebCore/dom/ScriptElement.cpp
@@ -198,6 +198,14 @@ bool ScriptElement::prepareScript(const TextPosition1& scriptStartPosition, Lega
     if (!m_element->document()->frame()->script()->canExecuteScripts(AboutToExecuteScript))
         return false;
 
+    // FIXME: This is non-standard. Remove this after https://bugs.webkit.org/show_bug.cgi?id=62412.
+    Node* ancestor = m_element->parentNode();
+    while (ancestor) {
+        if (ancestor->isSVGShadowRoot())
+            return false;
+        ancestor = ancestor->parentNode();
+    }
+
     if (!isScriptForEventSupported())
         return false;
 

diff --git a/Source/WebCore/fileapi/WebKitBlobBuilder.cpp b/Source/WebCore/fileapi/WebKitBlobBuilder.cpp
@@ -88,6 +88,8 @@ void WebKitBlobBuilder::append(const String& text, ExceptionCode& ec)
 #if ENABLE(BLOB)
 void WebKitBlobBuilder::append(ArrayBuffer* arrayBuffer)
 {
+    if (!arrayBuffer)
+        return;
     Vector<char>& buffer = getBuffer();
     size_t oldSize = buffer.size();
     buffer.append(static_cast<const char*>(arrayBuffer->data()), arrayBuffer->byteLength());
@@ -97,6 +99,8 @@ void WebKitBlobBuilder::append(ArrayBuffer* arrayBuffer)
 
 void WebKitBlobBuilder::append(Blob* blob)
 {
+    if (!blob)
+        return;
     if (blob->isFile()) {
         // If the blob is file that is not snapshoted, capture the snapshot now.
         // FIXME: This involves synchronous file operation. We need to figure out how to make it asynchronous.

diff --git a/Source/WebCore/html/HTMLCanvasElement.cpp b/Source/WebCore/html/HTMLCanvasElement.cpp
@@ -372,17 +372,21 @@ PassRefPtr<ImageData> HTMLCanvasElement::getImageData()
 
 IntRect HTMLCanvasElement::convertLogicalToDevice(const FloatRect& logicalRect) const
 {
-    float left = floorf(logicalRect.x() * m_pageScaleFactor);
-    float top = floorf(logicalRect.y() * m_pageScaleFactor);
-    float right = ceilf(logicalRect.maxX() * m_pageScaleFactor);
-    float bottom = ceilf(logicalRect.maxY() * m_pageScaleFactor);
-
+    // Prevent under/overflow by ensuring the rect's bounds stay within integer-expressible range
+    int left = clampToInteger(floorf(logicalRect.x() * m_pageScaleFactor));
+    int top = clampToInteger(floorf(logicalRect.y() * m_pageScaleFactor));
+    int right = clampToInteger(ceilf(logicalRect.maxX() * m_pageScaleFactor));
+    int bottom = clampToInteger(ceilf(logicalRect.maxY() * m_pageScaleFactor));
+
     return IntRect(IntPoint(left, top), convertToValidDeviceSize(right - left, bottom - top));
 }
 
 IntSize HTMLCanvasElement::convertLogicalToDevice(const FloatSize& logicalSize) const
 {
-    return convertToValidDeviceSize(logicalSize.width() * m_pageScaleFactor, logicalSize.height() * m_pageScaleFactor);
+    // Prevent overflow by ensuring the rect's bounds stay within integer-expressible range
+    float width = clampToInteger(ceilf(logicalSize.width() * m_pageScaleFactor));
+    float height = clampToInteger(ceilf(logicalSize.height() * m_pageScaleFactor));
+    return convertToValidDeviceSize(width, height);
 }
 
 IntSize HTMLCanvasElement::convertToValidDeviceSize(float width, float height) const

diff --git a/Source/WebCore/html/MediaDocument.cpp b/Source/WebCore/html/MediaDocument.cpp
@@ -209,7 +209,11 @@ void MediaDocument::replaceMediaElementTimerFired(Timer<MediaDocument>*)
         embedElement->setAttribute(heightAttr, "100%");
         embedElement->setAttribute(nameAttr, "plugin");
         embedElement->setAttribute(srcAttr, url().string());
-        embedElement->setAttribute(typeAttr, loader()->writer()->mimeType());
+
+        DocumentLoader* documentLoader = loader();
+        ASSERT(documentLoader);
+        if (documentLoader)
+            embedElement->setAttribute(typeAttr, documentLoader->writer()->mimeType());
 
         ExceptionCode ec;
         videoElement->parentNode()->replaceChild(embedElement, videoElement, ec);

diff --git a/Source/WebCore/html/PluginDocument.cpp b/Source/WebCore/html/PluginDocument.cpp
@@ -92,7 +92,11 @@ void PluginDocumentParser::createDocumentStructure()
 
     m_embedElement->setAttribute(nameAttr, "plugin");
     m_embedElement->setAttribute(srcAttr, document()->url().string());
-    m_embedElement->setAttribute(typeAttr, document()->loader()->writer()->mimeType());
+
+    DocumentLoader* loader = document()->loader();
+    ASSERT(loader);
+    if (loader)
+        m_embedElement->setAttribute(typeAttr, loader->writer()->mimeType());
 
     static_cast<PluginDocument*>(document())->setPluginNode(m_embedElement);
 

diff --git a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp
@@ -1632,6 +1632,10 @@ PassRefPtr<ImageData> CanvasRenderingContext2D::createImageData(float sw, float
     if (scaledSize.height() < 1)
         scaledSize.setHeight(1);
 
+    float area = 4.0f * scaledSize.width() * scaledSize.height();
+    if (area > static_cast<float>(std::numeric_limits<int>::max()))
+        return 0;
+
     return createEmptyImageData(scaledSize);
 }
 
@@ -1668,7 +1672,12 @@ PassRefPtr<ImageData> CanvasRenderingContext2D::getImageData(float sx, float sy,
     ImageBuffer* buffer = canvas()->buffer();
     if (!buffer)
         return createEmptyImageData(scaledRect.size());
-    return ImageData::create(scaledRect.size(), buffer->getUnmultipliedImageData(scaledRect));
+
+    RefPtr<ByteArray> byteArray = buffer->getUnmultipliedImageData(scaledRect);
+    if (!byteArray)
+        return 0;
+
+    return ImageData::create(scaledRect.size(), byteArray.release());
 }
 
 void CanvasRenderingContext2D::putImageData(ImageData* data, float dx, float dy, ExceptionCode& ec)

diff --git a/Source/WebCore/html/parser/HTMLConstructionSite.cpp b/Source/WebCore/html/parser/HTMLConstructionSite.cpp
@@ -83,13 +83,14 @@ bool causesFosterParenting(const QualifiedName& tagName)
 } // namespace
 
 template<typename ChildType>
-PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRefPtr<ChildType> prpChild)
+PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* rawParent, PassRefPtr<ChildType> prpChild)
 {
     RefPtr<ChildType> child = prpChild;
+    RefPtr<ContainerNode> parent = rawParent;
 
     // FIXME: It's confusing that HTMLConstructionSite::attach does the magic
     // redirection to the foster parent but HTMLConstructionSite::attachAtSite
-    // doesn't.  It feels like we're missing a concept somehow.
+    // doesn't. It feels like we're missing a concept somehow.
     if (shouldFosterParent()) {
         fosterParent(child.get());
         ASSERT(child->attached() || !child->parentNode() || !child->parentNode()->attached());
@@ -103,11 +104,6 @@ PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRe
     if (!child->parentNode())
         return child.release();
 
-    // It's slightly unfortunate that we need to hold a reference to child
-    // here to call attach().  We should investigate whether we can rely on
-    // |parent| to hold a ref at this point.  In the common case (at least
-    // for elements), however, we'll get to use this ref in the stack of
-    // open elements.
     if (parent->attached() && !child->attached())
         child->attach();
     return child.release();

diff --git a/Source/WebCore/html/parser/HTMLDocumentParser.cpp b/Source/WebCore/html/parser/HTMLDocumentParser.cpp
@@ -278,7 +278,7 @@ void HTMLDocumentParser::pumpTokenizer(SynchronousMode mode)
         }
 
         m_treeBuilder->constructTreeFromToken(m_token);
-        m_token.clear();
+        ASSERT(m_token.isUninitialized());
     }
 
     // Ensure we haven't been totally deref'ed after pumping. Any caller of this

diff --git a/Source/WebCore/html/parser/HTMLToken.h b/Source/WebCore/html/parser/HTMLToken.h
@@ -73,6 +73,8 @@ class HTMLToken {
         m_data.clear();
     }
 
+    bool isUninitialized() { return m_type == Uninitialized; }
+
     int startIndex() const { return m_range.m_start; }
     int endIndex() const { return m_range.m_end; }