authorBen Murdoch <benm@google.com>2011-07-13 10:14:36 +0100
committerBen Murdoch <benm@google.com>2011-07-13 11:03:14 +0100
commitd0147a863b872ecaa451ab0dce2a348760e99e2c (patch)
treeb4819830b7ab03f384ed8ab83734ac0f46193263 /Source/WebCore/html
parent65b45b34343dc5d5b9dbeda52e9de428e146c8f7 (diff)
Merge WebKit at branches/chromium/742 r89068: Initial merge by Git.
Take us to top of Chrome 12 release branch (12.0.742.130) Change-Id: I4408a97e343a118cf4a1bb9d71367bcc2c16ae48
Diffstat (limited to 'Source/WebCore/html')
-rw-r--r--Source/WebCore/html/HTMLCanvasElement.cpp16
-rw-r--r--Source/WebCore/html/MediaDocument.cpp6
-rw-r--r--Source/WebCore/html/PluginDocument.cpp6
-rw-r--r--Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp11
-rw-r--r--Source/WebCore/html/parser/HTMLConstructionSite.cpp10
-rw-r--r--Source/WebCore/html/parser/HTMLDocumentParser.cpp2
-rw-r--r--Source/WebCore/html/parser/HTMLToken.h2
-rw-r--r--Source/WebCore/html/parser/HTMLTreeBuilder.cpp19
8 files changed, 55 insertions, 17 deletions
diff --git a/Source/WebCore/html/HTMLCanvasElement.cpp b/Source/WebCore/html/HTMLCanvasElement.cpp
index ff94b76..764620c 100644
--- a/Source/WebCore/html/HTMLCanvasElement.cpp
+++ b/Source/WebCore/html/HTMLCanvasElement.cpp
@@ -372,17 +372,21 @@ PassRefPtr<ImageData> HTMLCanvasElement::getImageData()
IntRect HTMLCanvasElement::convertLogicalToDevice(const FloatRect& logicalRect) const
{
- float left = floorf(logicalRect.x() * m_pageScaleFactor);
- float top = floorf(logicalRect.y() * m_pageScaleFactor);
- float right = ceilf(logicalRect.maxX() * m_pageScaleFactor);
- float bottom = ceilf(logicalRect.maxY() * m_pageScaleFactor);
-
+ // Prevent under/overflow by ensuring the rect's bounds stay within integer-expressible range
+ int left = clampToInteger(floorf(logicalRect.x() * m_pageScaleFactor));
+ int top = clampToInteger(floorf(logicalRect.y() * m_pageScaleFactor));
+ int right = clampToInteger(ceilf(logicalRect.maxX() * m_pageScaleFactor));
+ int bottom = clampToInteger(ceilf(logicalRect.maxY() * m_pageScaleFactor));
+
return IntRect(IntPoint(left, top), convertToValidDeviceSize(right - left, bottom - top));
}
IntSize HTMLCanvasElement::convertLogicalToDevice(const FloatSize& logicalSize) const
{
- return convertToValidDeviceSize(logicalSize.width() * m_pageScaleFactor, logicalSize.height() * m_pageScaleFactor);
+ // Prevent overflow by ensuring the rect's bounds stay within integer-expressible range
+ float width = clampToInteger(ceilf(logicalSize.width() * m_pageScaleFactor));
+ float height = clampToInteger(ceilf(logicalSize.height() * m_pageScaleFactor));
+ return convertToValidDeviceSize(width, height);
}
IntSize HTMLCanvasElement::convertToValidDeviceSize(float width, float height) const
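Review bot: The `right - left` and `bottom - top` in the return of convertLogicalToDevice(const FloatRect&) are now int subtractions of values that can independently sit at INT_MIN and INT_MAX after clampToInteger(), so a rect with a very negative x and a very large maxX overflows the int difference (undefined behaviour) before the result is widened to the float parameters of convertToValidDeviceSize() on the following line. Doing the subtraction in float removes that overflow: `return IntRect(IntPoint(left, top), convertToValidDeviceSize(static_cast<float>(right) - static_cast<float>(left), static_cast<float>(bottom) - static_cast<float>(top)));`. Whether clampToInteger() also handles NaN (floorf(NaN) passes NaN straight through) is not visible in this hunk and worth confirming, since a non-finite page scale factor would otherwise reach IntPoint. In the FloatSize overload the `float width = clampToInteger(...)` int-to-float round trip works but would read more clearly as an `int` local, matching the FloatRect overload.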
diff --git a/Source/WebCore/html/MediaDocument.cpp b/Source/WebCore/html/MediaDocument.cpp
index cd1fdfb..1d7b0f9 100644
--- a/Source/WebCore/html/MediaDocument.cpp
+++ b/Source/WebCore/html/MediaDocument.cpp
@@ -209,7 +209,11 @@ void MediaDocument::replaceMediaElementTimerFired(Timer<MediaDocument>*)
embedElement->setAttribute(heightAttr, "100%");
embedElement->setAttribute(nameAttr, "plugin");
embedElement->setAttribute(srcAttr, url().string());
- embedElement->setAttribute(typeAttr, loader()->writer()->mimeType());
+
+ DocumentLoader* documentLoader = loader();
+ ASSERT(documentLoader);
+ if (documentLoader)
+ embedElement->setAttribute(typeAttr, documentLoader->writer()->mimeType());
ExceptionCode ec;
videoElement->parentNode()->replaceChild(embedElement, videoElement, ec);
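Review bot: The new `if (documentLoader)` has no comment saying when replaceMediaElementTimerFired can run without a DocumentLoader, so the next reader cannot tell whether this is a real recoverable state or only assertion hygiene; in a release build the embed is still inserted, just without a `type` attribute, which may affect which plugin is selected for it. Suggest a comment above the ASSERT along the lines of `// loader() can be null by the time the timer fires (presumably the frame was torn down meanwhile — TODO confirm); emit the embed without a type rather than dereference null.` The `documentLoader->writer()` call is still dereferenced unchecked; whether writer() can be null once a loader exists is not visible here. replaceMediaElementTimerFired begins before this hunk.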
diff --git a/Source/WebCore/html/PluginDocument.cpp b/Source/WebCore/html/PluginDocument.cpp
index 94f44cf..6b64237 100644
--- a/Source/WebCore/html/PluginDocument.cpp
+++ b/Source/WebCore/html/PluginDocument.cpp
@@ -92,7 +92,11 @@ void PluginDocumentParser::createDocumentStructure()
m_embedElement->setAttribute(nameAttr, "plugin");
m_embedElement->setAttribute(srcAttr, document()->url().string());
- m_embedElement->setAttribute(typeAttr, document()->loader()->writer()->mimeType());
+
+ DocumentLoader* loader = document()->loader();
+ ASSERT(loader);
+ if (loader)
+ m_embedElement->setAttribute(typeAttr, loader->writer()->mimeType());
static_cast<PluginDocument*>(document())->setPluginNode(m_embedElement);
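Review bot: When `loader` is null in a release build, createDocumentStructure still registers the embed via `setPluginNode` on the next line with no `type` attribute and only the document URL as `src`, so the degraded path continues silently rather than bailing out; if that is the intended behaviour it deserves a comment, e.g. `// Defensive: loader() has been observed null here — TODO document the path that leaves a PluginDocument without a DocumentLoader; without a type the plugin is chosen from src alone.` The `loader->writer()` dereference remains unguarded, as in MediaDocument. createDocumentStructure begins before this hunk.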
diff --git a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp
index ab6427e..2051750 100644
--- a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp
+++ b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp
@@ -1632,6 +1632,10 @@ PassRefPtr<ImageData> CanvasRenderingContext2D::createImageData(float sw, float
if (scaledSize.height() < 1)
scaledSize.setHeight(1);
+ float area = 4.0f * scaledSize.width() * scaledSize.height();
+ if (area > static_cast<float>(std::numeric_limits<int>::max()))
+ return 0;
+
return createEmptyImageData(scaledSize);
}
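Review bot: The guard `if (area > static_cast<float>(std::numeric_limits<int>::max()))` is off by float rounding: INT_MAX is not representable as a float, the cast yields exactly 2^31, and a product 4*w*h whose float value rounds to 2^31 (for example w*h == 2^29, or anything within ~128 above it) compares equal, passes the check, and then overflows when the byte count is later formed as an int. Using `>=` closes that hole for this cast: `if (area >= static_cast<float>(std::numeric_limits<int>::max()))`. If scaledSize holds integers — the `< 1` clamps just above suggest so but the hunk does not show the type — computing `4LL * width * height` in a 64-bit integer would avoid float rounding entirely. Returning 0 here rather than setting an exception code is a silent failure for script; whether the caller maps null to an exception is not visible. createImageData begins before this hunk.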
@@ -1668,7 +1672,12 @@ PassRefPtr<ImageData> CanvasRenderingContext2D::getImageData(float sx, float sy,
ImageBuffer* buffer = canvas()->buffer();
if (!buffer)
return createEmptyImageData(scaledRect.size());
- return ImageData::create(scaledRect.size(), buffer->getUnmultipliedImageData(scaledRect));
+
+ RefPtr<ByteArray> byteArray = buffer->getUnmultipliedImageData(scaledRect);
+ if (!byteArray)
+ return 0;
+
+ return ImageData::create(scaledRect.size(), byteArray.release());
}
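Review bot: The `!buffer` branch still calls `createEmptyImageData(scaledRect.size())` without the 4*w*h area guard this commit adds to createImageData, so unless scaledRect is bounded earlier in getImageData (not visible in this hunk) the empty-buffer path can still request an allocation whose byte count overflows int. The same check would fit directly before that call: `if (4.0f * scaledRect.width() * scaledRect.height() >= static_cast<float>(std::numeric_limits<int>::max())) return 0;`. The new null check on getUnmultipliedImageData is a correct defence, but it means script receives null from getImageData instead of an ImageData; it would be worth a one-line comment saying this is the out-of-memory outcome and that the binding is expected to handle null — hedged, since the binding is not shown. getImageData begins before this hunk.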
void CanvasRenderingContext2D::putImageData(ImageData* data, float dx, float dy, ExceptionCode& ec)
diff --git a/Source/WebCore/html/parser/HTMLConstructionSite.cpp b/Source/WebCore/html/parser/HTMLConstructionSite.cpp
index 2be6039..6ca04cd 100644
--- a/Source/WebCore/html/parser/HTMLConstructionSite.cpp
+++ b/Source/WebCore/html/parser/HTMLConstructionSite.cpp
@@ -83,13 +83,14 @@ bool causesFosterParenting(const QualifiedName& tagName)
} // namespace
template<typename ChildType>
-PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRefPtr<ChildType> prpChild)
+PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* rawParent, PassRefPtr<ChildType> prpChild)
{
RefPtr<ChildType> child = prpChild;
+ RefPtr<ContainerNode> parent = rawParent;
// FIXME: It's confusing that HTMLConstructionSite::attach does the magic
// redirection to the foster parent but HTMLConstructionSite::attachAtSite
- // doesn't. It feels like we're missing a concept somehow.
+ // doesn't. It feels like we're missing a concept somehow.
if (shouldFosterParent()) {
fosterParent(child.get());
ASSERT(child->attached() || !child->parentNode() || !child->parentNode()->attached());
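Review bot: The added `RefPtr<ContainerNode> parent = rawParent;` has no comment explaining what it protects against, and the only comment in this function that discussed lifetime is deleted in the next hunk, so the reason for holding a reference to the parent across fosterParent()/attach() is now stated nowhere. Suggest `// Hold a ref: attaching the child can run script synchronously (see the comment in HTMLTreeBuilder::constructTreeFromToken), which may remove and free rawParent before parent->attached() is read below.` — the re-entrancy claim rests on the comment added to HTMLTreeBuilder.cpp in this same commit, not on anything visible in this hunk. The other change in this hunk (the `// doesn't.` line) appears to be whitespace only.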
@@ -103,11 +104,6 @@ PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRe
if (!child->parentNode())
return child.release();
- // It's slightly unfortunate that we need to hold a reference to child
- // here to call attach(). We should investigate whether we can rely on
- // |parent| to hold a ref at this point. In the common case (at least
- // for elements), however, we'll get to use this ref in the stack of
- // open elements.
if (parent->attached() && !child->attached())
child->attach();
return child.release();
diff --git a/Source/WebCore/html/parser/HTMLDocumentParser.cpp b/Source/WebCore/html/parser/HTMLDocumentParser.cpp
index 7519699..8f95cc5 100644
--- a/Source/WebCore/html/parser/HTMLDocumentParser.cpp
+++ b/Source/WebCore/html/parser/HTMLDocumentParser.cpp
@@ -278,7 +278,7 @@ void HTMLDocumentParser::pumpTokenizer(SynchronousMode mode)
}
m_treeBuilder->constructTreeFromToken(m_token);
- m_token.clear();
+ ASSERT(m_token.isUninitialized());
}
// Ensure we haven't been totally deref'ed after pumping. Any caller of this
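Review bot: Replacing `m_token.clear()` with `ASSERT(m_token.isUninitialized())` moves responsibility for resetting the token into HTMLTreeBuilder::constructTreeFromToken, but in a release build the ASSERT compiles away, so any future path that returns from the tree builder without clearing leaves a stale token for the next tokenizer iteration with no safety net. A one-line comment recording the contract at the call site would help: `// constructTreeFromToken() clears m_token itself, before running the tree builder, so a synchronous re-entry of the parser never sees a stale token.` pumpTokenizer continues beyond this hunk.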
diff --git a/Source/WebCore/html/parser/HTMLToken.h b/Source/WebCore/html/parser/HTMLToken.h
index 49ec312..59f7ed4 100644
--- a/Source/WebCore/html/parser/HTMLToken.h
+++ b/Source/WebCore/html/parser/HTMLToken.h
@@ -73,6 +73,8 @@ public:
m_data.clear();
}
+ bool isUninitialized() { return m_type == Uninitialized; }
+
int startIndex() const { return m_range.m_start; }
int endIndex() const { return m_range.m_end; }
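Review bot: `bool isUninitialized() { return m_type == Uninitialized; }` should be a const member function like its neighbours `startIndex() const` and `endIndex() const`; as written it cannot be called through a `const HTMLToken&`. Change it to `bool isUninitialized() const { return m_type == Uninitialized; }`. The class continues beyond this hunk.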
diff --git a/Source/WebCore/html/parser/HTMLTreeBuilder.cpp b/Source/WebCore/html/parser/HTMLTreeBuilder.cpp
index 6db09de..bf03b6e 100644
--- a/Source/WebCore/html/parser/HTMLTreeBuilder.cpp
+++ b/Source/WebCore/html/parser/HTMLTreeBuilder.cpp
@@ -434,7 +434,26 @@ PassRefPtr<Element> HTMLTreeBuilder::takeScriptToProcess(TextPosition1& scriptSt
void HTMLTreeBuilder::constructTreeFromToken(HTMLToken& rawToken)
{
AtomicHTMLToken token(rawToken);
+
+ // We clear the rawToken in case constructTreeFromAtomicToken
+ // synchronously re-enters the parser. We don't clear the token immedately
+ // for Character tokens because the AtomicHTMLToken avoids copying the
+ // characters by keeping a pointer to the underlying buffer in the
+ // HTMLToken. Fortuantely, Character tokens can't cause use to re-enter
+ // the parser.
+ //
+ // FIXME: Top clearing the rawToken once we start running the parser off
+ // the main thread or once we stop allowing synchronous JavaScript
+ // execution from parseMappedAttribute.
+ if (rawToken.type() != HTMLToken::Character)
+ rawToken.clear();
+
constructTreeFromAtomicToken(token);
+
+ if (!rawToken.isUninitialized()) {
+ ASSERT(rawToken.type() == HTMLToken::Character);
+ rawToken.clear();
+ }
}
void HTMLTreeBuilder::constructTreeFromAtomicToken(AtomicHTMLToken& token)
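Review bot: The new comment block explains a safety-critical invariant but has typos that obscure it: "immedately" should be "immediately", "Fortuantely, Character tokens can't cause use to re-enter" should read "Fortunately, Character tokens can't cause us to re-enter", and "FIXME: Top clearing the rawToken" should be "FIXME: Stop clearing the rawToken". Since correctness now depends on the claim that a Character token never re-enters the parser — the AtomicHTMLToken keeps a pointer into rawToken's buffer while constructTreeFromAtomicToken runs, so a re-entry would clear that buffer underneath it — the comment could state the consequence explicitly: `// If a Character token ever ran script, the AtomicHTMLToken's pointer into rawToken would dangle; the ASSERT after the call checks only that nothing else survives.` The trailing `ASSERT(rawToken.type() == HTMLToken::Character)` is a useful debug-only check but does not detect the dangling case itself.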