27 files changed, 181 insertions, 81 deletions
|
diff --git a/Source/JavaScriptCore/wtf/MathExtras.h b/Source/JavaScriptCore/wtf/MathExtras.h
index fac187c..f1b13a5 100644
--- a/Source/JavaScriptCore/wtf/MathExtras.h
+++ b/Source/JavaScriptCore/wtf/MathExtras.h
@@ -220,17 +220,27 @@ inline int clampToPositiveInteger(double d)
     return static_cast<int>(std::max<double>(std::min(d, maxIntAsDouble), 0));
 }
-inline int clampToInteger(float d)
+inline int clampToInteger(float x)
 {
-    const float minIntAsFloat = static_cast<float>(std::numeric_limits<int>::min());
-    const float maxIntAsFloat = static_cast<float>(std::numeric_limits<int>::max());
-    return static_cast<int>(std::max(std::min(d, maxIntAsFloat), minIntAsFloat));
+    static const int s_intMax = std::numeric_limits<int>::max();
+    static const int s_intMin = std::numeric_limits<int>::min();
+    
+    if (x >= static_cast<float>(s_intMax))
+        return s_intMax;
+    if (x < static_cast<float>(s_intMin))
+        return s_intMin;
+    return static_cast<int>(x);
 }
-inline int clampToPositiveInteger(float d)
+inline int clampToPositiveInteger(float x)
 {
-    const float maxIntAsFloat = static_cast<float>(std::numeric_limits<int>::max());
-    return static_cast<int>(std::max<float>(std::min(d, maxIntAsFloat), 0));
+    static const int s_intMax = std::numeric_limits<int>::max();
+    
+    if (x >= static_cast<float>(s_intMax))
+        return s_intMax;
+    if (x < 0)
+        return 0;
+    return static_cast<int>(x);
 }
 inline int clampToInteger(unsigned value)
diff --git a/Source/WebCore/WebCore.exp.in b/Source/WebCore/WebCore.exp.in
index d8ee526..f110846 100644
--- a/Source/WebCore/WebCore.exp.in
+++ b/Source/WebCore/WebCore.exp.in
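Review bot: Neither new clamp handles NaN: a NaN fails both comparisons in clampToInteger(float) and clampToPositiveInteger(float) and falls through to `return static_cast<int>(x);`, which is undefined behaviour for a value int cannot represent (the old std::min/std::max form had the same gap, so this is not a regression, but the new if-chain is the natural place to close it). Since FloatRect::enclosingIntRect and HTMLCanvasElement::convertLogicalToDevice now route arbitrary float geometry through these helpers, add a leading `if (x != x) return 0;` (or the isnan wrapper this header provides on some platforms, if it is available here) to each. The `static const int s_intMax`/`s_intMin` locals cache nothing and, depending on the dialect, may carry a function-local init guard; plain `const int` locals express the intent more directly.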
@@ -1274,6 +1274,7 @@ __ZNK7WebCore8Document20cacheDocumentElementEv  __ZNK7WebCore8Document31displayStringModifiedByEncodingERKN3WTF6StringE  __ZNK7WebCore8Document4bodyEv  __ZNK7WebCore8Document6domainEv +__ZNK7WebCore8Document6loaderEv  __ZNK7WebCore8IntPointcv7CGPointEv  __ZNK7WebCore8IntPointcv8_NSPointEv  __ZNK7WebCore8Position10downstreamENS_27EditingBoundaryCrossingRuleE diff --git a/Source/WebCore/accessibility/AccessibilityRenderObject.cpp b/Source/WebCore/accessibility/AccessibilityRenderObject.cpp index 2236f83..e52db5f 100644 --- a/Source/WebCore/accessibility/AccessibilityRenderObject.cpp +++ b/Source/WebCore/accessibility/AccessibilityRenderObject.cpp @@ -2490,7 +2490,7 @@ VisiblePosition AccessibilityRenderObject::visiblePositionForIndex(int index) co  int AccessibilityRenderObject::indexForVisiblePosition(const VisiblePosition& pos) const  {      if (isNativeTextControl()) -        return toRenderTextControl(m_renderer)->indexForVisiblePosition(pos); +        return RenderTextControl::indexForVisiblePosition(toRenderTextControl(m_renderer)->innerTextElement(), pos);      if (!isTextControl())          return 0; diff --git a/Source/WebCore/bindings/ScriptControllerBase.cpp b/Source/WebCore/bindings/ScriptControllerBase.cpp index 5e87dbf..b7da74d 100644 --- a/Source/WebCore/bindings/ScriptControllerBase.cpp +++ b/Source/WebCore/bindings/ScriptControllerBase.cpp 
@@ -107,9 +107,15 @@ bool ScriptController::executeIfJavaScriptURL(const KURL& url, ShouldReplaceDocu      // FIXME: We should always replace the document, but doing so      //        synchronously can cause crashes:      //        http://bugs.webkit.org/show_bug.cgi?id=16782 -    if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) -        m_frame->document()->loader()->writer()->replaceDocument(scriptResult); - +    if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) { +        // We're still in a frame, so there should be a DocumentLoader. +        ASSERT(m_frame->document()->loader()); +         +        // DocumentWriter::replaceDocument can cause the DocumentLoader to get deref'ed and possible destroyed, +        // so protect it with a RefPtr. +        if (RefPtr<DocumentLoader> loader = m_frame->document()->loader()) +            loader->writer()->replaceDocument(scriptResult); +    }      return true;  } diff --git a/Source/WebCore/css/CSSParser.cpp b/Source/WebCore/css/CSSParser.cpp index 7db8389..831e438 100644 --- a/Source/WebCore/css/CSSParser.cpp +++ b/Source/WebCore/css/CSSParser.cpp @@ -6027,6 +6027,9 @@ int CSSParser::lex(void* yylvalWithoutType)      case FUNCTION:      case ANYFUNCTION:      case NOTFUNCTION: +    case CALCFUNCTION: +    case MINFUNCTION: +    case MAXFUNCTION:          yylval->string.characters = t;          yylval->string.length = length;          break; diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp index 7ba603b..638b4ab 100644 --- a/Source/WebCore/dom/Document.cpp +++ b/Source/WebCore/dom/Document.cpp 
@@ -460,7 +460,6 @@ Document::Document(Frame* frame, const KURL& url, bool isXHTML, bool isHTML)      m_ignoreAutofocus = false;      m_frame = frame; -    m_documentLoader = frame ? frame->loader()->activeDocumentLoader() : 0;      // We depend on the url getting immediately set in subframes, but we      // also depend on the url NOT getting immediately set in opened windows. @@ -601,12 +600,6 @@ void Document::removedLastRef()  #if ENABLE(FULLSCREEN_API)          m_fullScreenElement = 0;  #endif -        m_styleSelector.clear(); -        m_styleSheets.clear(); -        m_elemSheet.clear(); -        m_mappedElementSheet.clear(); -        m_pageUserSheet.clear(); -        m_pageGroupUserSheets.clear();          // removeAllChildren() doesn't always unregister IDs,          // so tear down scope information upfront to avoid having stale references in the map. @@ -2013,11 +2006,21 @@ HTMLElement* Document::body() const  void Document::setBody(PassRefPtr<HTMLElement> newBody, ExceptionCode& ec)  { -    if (!newBody || !documentElement()) {  +    ec = 0; + +    if (!newBody || !documentElement() || !newBody->hasTagName(bodyTag)) {           ec = HIERARCHY_REQUEST_ERR;          return;      } +    if (newBody->document() && newBody->document() != this) { +        RefPtr<Node> node = importNode(newBody.get(), true, ec); +        if (ec) +            return; +         +        newBody = toHTMLElement(node.get()); +    } +      HTMLElement* b = body();      if (!b)          documentElement()->appendChild(newBody, ec); 
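Review bot: The removal of the six `m_styleSelector.clear(); … m_pageGroupUserSheets.clear();` lines in Document::removedLastRef() is not explained anywhere in the hunk, and it changes when the style selector is destroyed relative to the Element.cpp change in this same commit that guards against a stale pushed selector. If the two are related (presumably: keep the selector alive until the object is torn down so outstanding StyleSelectorParentPusher instances do not observe a replaced selector), a one-line comment at that spot in removedLastRef(), or in the commit description, would save the next reader from re-deriving it. The Document constructor hunk above it is fine as a pure deletion; the setBody hunk at the end of this line appears to be cut off before its last lines, so I have not reviewed it.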
@@ -3783,7 +3786,9 @@ String Document::lastModified() const      DateComponents date;      bool foundDate = false;      if (m_frame) { -        String httpLastModified = m_documentLoader->response().httpHeaderField("Last-Modified"); +        String httpLastModified; +        if (DocumentLoader* documentLoader = loader())  +            httpLastModified = documentLoader->response().httpHeaderField("Last-Modified");          if (!httpLastModified.isEmpty()) {              date.setMillisecondsSinceEpochForDateTime(parseDate(httpLastModified));              foundDate = true; @@ -4264,7 +4269,7 @@ void Document::finishedParsing()      if (!m_documentTiming.domContentLoadedEventEnd)          m_documentTiming.domContentLoadedEventEnd = currentTime(); -    if (Frame* f = frame()) { +    if (RefPtr<Frame> f = frame()) {          // FrameLoader::finishedParsing() might end up calling Document::implicitClose() if all          // resource loads are complete. HTMLObjectElements can start loading their resources from          // post attach callbacks triggered by recalcStyle().  This means if we parse out an <object> @@ -4276,7 +4281,7 @@ void Document::finishedParsing()          f->loader()->finishedParsing(); -        InspectorInstrumentation::domContentLoadedEventFired(f, url()); +        InspectorInstrumentation::domContentLoadedEventFired(f.get(), url());      }  } @@ -4491,7 +4496,9 @@ void Document::initSecurityContext()          // load local resources.  See https://bugs.webkit.org/show_bug.cgi?id=16756          // and https://bugs.webkit.org/show_bug.cgi?id=19760 for further          // discussion. -        if (m_documentLoader->substituteData().isValid()) +         +        DocumentLoader* documentLoader = loader(); +        if (documentLoader && documentLoader->substituteData().isValid())              securityOrigin()->grantLoadLocalResources();      } 
@@ -4572,7 +4579,9 @@ void Document::updateURLForPushOrReplaceState(const KURL& url)      setURL(url);      f->loader()->setOutgoingReferrer(url); -    m_documentLoader->replaceRequestURLForSameDocumentNavigation(url); + +    if (DocumentLoader* documentLoader = loader()) +        documentLoader->replaceRequestURLForSameDocumentNavigation(url);  }  void Document::statePopped(SerializedScriptValue* stateObject) @@ -5038,4 +5047,19 @@ PassRefPtr<TouchList> Document::createTouchList(ExceptionCode&) const  }  #endif +DocumentLoader* Document::loader() const +{ +    if (!m_frame) +        return 0; +     +    DocumentLoader* loader = m_frame->loader()->activeDocumentLoader(); +    if (!loader) +        return 0; +     +    if (m_frame->document() != this) +        return 0; +     +    return loader; +} +  } // namespace WebCore diff --git a/Source/WebCore/dom/Document.h b/Source/WebCore/dom/Document.h index 179293c..7478e6c 100644 --- a/Source/WebCore/dom/Document.h +++ b/Source/WebCore/dom/Document.h @@ -553,8 +553,7 @@ public:      void setVisuallyOrdered();      bool visuallyOrdered() const { return m_visuallyOrdered; } -    void setDocumentLoader(DocumentLoader* documentLoader) { m_documentLoader = documentLoader; } -    DocumentLoader* loader() const { return m_documentLoader; } +    DocumentLoader* loader() const;      void open(Document* ownerDocument = 0);      void implicitOpen(); @@ -1156,7 +1155,6 @@ private:      mutable RefPtr<CSSPrimitiveValueCache> m_cssPrimitiveValueCache;      Frame* m_frame; -    DocumentLoader* m_documentLoader;      OwnPtr<CachedResourceLoader> m_cachedResourceLoader;      RefPtr<DocumentParser> m_parser;      bool m_wellFormed; diff --git a/Source/WebCore/dom/Element.cpp b/Source/WebCore/dom/Element.cpp index 50431aa..eef2419 100644 --- a/Source/WebCore/dom/Element.cpp +++ b/Source/WebCore/dom/Element.cpp 
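Review bot: Document::loader() now returns 0 in three distinct situations (no m_frame, no active DocumentLoader, or this document is no longer the frame's current document), and every call site touched by this commit has to null-check it, yet the Document.h declaration `DocumentLoader* loader() const;` carries no contract. Add a comment on the declaration along the lines of `// Returns the frame's active DocumentLoader, or 0 when this document has no frame, the frame has no active loader, or this document is not the frame's current document. Callers must null-check.`. Replacing the cached m_documentLoader with a lookup through FrameLoader is the right fix for the stale-pointer case; callers that need the loader more than once in one function should keep the single-local pattern used in lastModified() and initSecurityContext() rather than calling loader() repeatedly.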
@@ -90,7 +90,13 @@ public:          if (!m_pushedStyleSelector)              return; + +        // This tells us that our pushed style selector is in a bad state, +        // so we should just bail out in that scenario.          ASSERT(m_pushedStyleSelector == m_parent->document()->styleSelector()); +        if (m_pushedStyleSelector != m_parent->document()->styleSelector()) +            return; +          m_pushedStyleSelector->popParent(m_parent);       } diff --git a/Source/WebCore/dom/ScriptElement.cpp b/Source/WebCore/dom/ScriptElement.cpp index 5dd6b7d..55a7949 100644 --- a/Source/WebCore/dom/ScriptElement.cpp +++ b/Source/WebCore/dom/ScriptElement.cpp @@ -198,6 +198,14 @@ bool ScriptElement::prepareScript(const TextPosition1& scriptStartPosition, Lega      if (!m_element->document()->frame()->script()->canExecuteScripts(AboutToExecuteScript))          return false; +    // FIXME: This is non-standard. Remove this after https://bugs.webkit.org/show_bug.cgi?id=62412. +    Node* ancestor = m_element->parentNode(); +    while (ancestor) { +        if (ancestor->isSVGShadowRoot()) +            return false; +        ancestor = ancestor->parentNode(); +    } +      if (!isScriptForEventSupported())          return false; diff --git a/Source/WebCore/fileapi/WebKitBlobBuilder.cpp b/Source/WebCore/fileapi/WebKitBlobBuilder.cpp index 2f40db7..0671e05 100644 --- a/Source/WebCore/fileapi/WebKitBlobBuilder.cpp +++ b/Source/WebCore/fileapi/WebKitBlobBuilder.cpp @@ -88,6 +88,8 @@ void WebKitBlobBuilder::append(const String& text, ExceptionCode& ec)  #if ENABLE(BLOB)  void WebKitBlobBuilder::append(ArrayBuffer* arrayBuffer)  { +    if (!arrayBuffer) +        return;      Vector<char>& buffer = getBuffer();      size_t oldSize = buffer.size();      buffer.append(static_cast<const char*>(arrayBuffer->data()), arrayBuffer->byteLength()); 
@@ -97,6 +99,8 @@ void WebKitBlobBuilder::append(ArrayBuffer* arrayBuffer)  void WebKitBlobBuilder::append(Blob* blob)  { +    if (!blob) +        return;      if (blob->isFile()) {          // If the blob is file that is not snapshoted, capture the snapshot now.          // FIXME: This involves synchronous file operation. We need to figure out how to make it asynchronous. diff --git a/Source/WebCore/html/HTMLCanvasElement.cpp b/Source/WebCore/html/HTMLCanvasElement.cpp index ff94b76..764620c 100644 --- a/Source/WebCore/html/HTMLCanvasElement.cpp +++ b/Source/WebCore/html/HTMLCanvasElement.cpp 
@@ -372,17 +372,21 @@ PassRefPtr<ImageData> HTMLCanvasElement::getImageData()
 IntRect HTMLCanvasElement::convertLogicalToDevice(const FloatRect& logicalRect) const
 {
-    float left = floorf(logicalRect.x() * m_pageScaleFactor);
-    float top = floorf(logicalRect.y() * m_pageScaleFactor);
-    float right = ceilf(logicalRect.maxX() * m_pageScaleFactor);
-    float bottom = ceilf(logicalRect.maxY() * m_pageScaleFactor);
-    
+    // Prevent under/overflow by ensuring the rect's bounds stay within integer-expressible range
+    int left = clampToInteger(floorf(logicalRect.x() * m_pageScaleFactor));
+    int top = clampToInteger(floorf(logicalRect.y() * m_pageScaleFactor));
+    int right = clampToInteger(ceilf(logicalRect.maxX() * m_pageScaleFactor));
+    int bottom = clampToInteger(ceilf(logicalRect.maxY() * m_pageScaleFactor));
+
     return IntRect(IntPoint(left, top), convertToValidDeviceSize(right - left, bottom - top));
 }
 IntSize HTMLCanvasElement::convertLogicalToDevice(const FloatSize& logicalSize) const
 {
-    return convertToValidDeviceSize(logicalSize.width() * m_pageScaleFactor, logicalSize.height() * m_pageScaleFactor);
+    // Prevent overflow by ensuring the rect's bounds stay within integer-expressible range
+    float width = clampToInteger(ceilf(logicalSize.width() * m_pageScaleFactor));
+    float height = clampToInteger(ceilf(logicalSize.height() * m_pageScaleFactor));
+    return convertToValidDeviceSize(width, height);
 }
 IntSize HTMLCanvasElement::convertToValidDeviceSize(float width, float height) const
diff --git a/Source/WebCore/html/MediaDocument.cpp b/Source/WebCore/html/MediaDocument.cpp
index cd1fdfb..1d7b0f9 100644
--- a/Source/WebCore/html/MediaDocument.cpp
+++ b/Source/WebCore/html/MediaDocument.cpp
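Review bot: `right - left` and `bottom - top` are now int subtractions of two independently clamped values, so they can overflow (left clamped to INT_MIN with right clamped to INT_MAX is the obvious case), and signed overflow is undefined behaviour — the very thing the clamp was introduced to avoid; the old code did these subtractions in float. Compute the extents in float before handing them to convertToValidDeviceSize, which already takes floats: `float width = static_cast<float>(right) - static_cast<float>(left);`, `float height = static_cast<float>(bottom) - static_cast<float>(top);`, `return IntRect(IntPoint(left, top), convertToValidDeviceSize(width, height));` (this assumes convertToValidDeviceSize clamps its float arguments; its body is outside the hunk). NaN input propagates through floorf/ceilf into clampToInteger, which does not handle it; that belongs in the MathExtras helper. In the FloatSize overload, `float width = clampToInteger(...)` converts an int straight back to float; an `int` local, or passing the call directly, states the intent more clearly.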
@@ -209,7 +209,11 @@ void MediaDocument::replaceMediaElementTimerFired(Timer<MediaDocument>*)          embedElement->setAttribute(heightAttr, "100%");          embedElement->setAttribute(nameAttr, "plugin");          embedElement->setAttribute(srcAttr, url().string()); -        embedElement->setAttribute(typeAttr, loader()->writer()->mimeType()); + +        DocumentLoader* documentLoader = loader(); +        ASSERT(documentLoader); +        if (documentLoader) +            embedElement->setAttribute(typeAttr, documentLoader->writer()->mimeType());          ExceptionCode ec;          videoElement->parentNode()->replaceChild(embedElement, videoElement, ec); diff --git a/Source/WebCore/html/PluginDocument.cpp b/Source/WebCore/html/PluginDocument.cpp index 94f44cf..6b64237 100644 --- a/Source/WebCore/html/PluginDocument.cpp +++ b/Source/WebCore/html/PluginDocument.cpp @@ -92,7 +92,11 @@ void PluginDocumentParser::createDocumentStructure()      m_embedElement->setAttribute(nameAttr, "plugin");      m_embedElement->setAttribute(srcAttr, document()->url().string()); -    m_embedElement->setAttribute(typeAttr, document()->loader()->writer()->mimeType()); +     +    DocumentLoader* loader = document()->loader(); +    ASSERT(loader); +    if (loader) +        m_embedElement->setAttribute(typeAttr, loader->writer()->mimeType());      static_cast<PluginDocument*>(document())->setPluginNode(m_embedElement); diff --git a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp index ab6427e..2051750 100644 --- a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp +++ b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp 
@@ -1632,6 +1632,10 @@ PassRefPtr<ImageData> CanvasRenderingContext2D::createImageData(float sw, float
     if (scaledSize.height() < 1)
         scaledSize.setHeight(1);
+    float area = 4.0f * scaledSize.width() * scaledSize.height();
+    if (area > static_cast<float>(std::numeric_limits<int>::max()))
+        return 0;
+
     return createEmptyImageData(scaledSize);
 }
@@ -1668,7 +1672,12 @@ PassRefPtr<ImageData> CanvasRenderingContext2D::getImageData(float sx, float sy,
     ImageBuffer* buffer = canvas()->buffer();
     if (!buffer)
         return createEmptyImageData(scaledRect.size());
-    return ImageData::create(scaledRect.size(), buffer->getUnmultipliedImageData(scaledRect));
+
+    RefPtr<ByteArray> byteArray = buffer->getUnmultipliedImageData(scaledRect);
+    if (!byteArray)
+        return 0;
+
+    return ImageData::create(scaledRect.size(), byteArray.release());
 }
 void CanvasRenderingContext2D::putImageData(ImageData* data, float dx, float dy, ExceptionCode& ec)
diff --git a/Source/WebCore/html/parser/HTMLConstructionSite.cpp b/Source/WebCore/html/parser/HTMLConstructionSite.cpp
index 2be6039..6ca04cd 100644
--- a/Source/WebCore/html/parser/HTMLConstructionSite.cpp
+++ b/Source/WebCore/html/parser/HTMLConstructionSite.cpp
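Review bot: The overflow guard in createImageData compares a float product against `static_cast<float>(std::numeric_limits<int>::max())`, which rounds to 2^31, and the float product itself is inexact above 2^24; an exact area of 2^31 (width*height == 2^29) therefore rounds to 2^31f, is not `>` the limit, passes, and the later int multiplication of width*height*4 in the allocation overflows anyway. Since the context shows height (and presumably width, just above the hunk) already forced to at least 1, do the check exactly in integer arithmetic: `if (scaledSize.width() > std::numeric_limits<int>::max() / 4 / scaledSize.height()) return 0;`. The identical float-based guard is added to ImageBufferData::getData in ImageBufferDataCG.cpp and to getImageData in ImageBufferSkia.cpp; there rect.width()/height() are not shown to be positive, so the integer form needs an explicit `<= 0` rejection first, and for a negative product the current float check passes silently.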
@@ -83,13 +83,14 @@ bool causesFosterParenting(const QualifiedName& tagName)  } // namespace  template<typename ChildType> -PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRefPtr<ChildType> prpChild) +PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* rawParent, PassRefPtr<ChildType> prpChild)  {      RefPtr<ChildType> child = prpChild; +    RefPtr<ContainerNode> parent = rawParent;      // FIXME: It's confusing that HTMLConstructionSite::attach does the magic      // redirection to the foster parent but HTMLConstructionSite::attachAtSite -    // doesn't.  It feels like we're missing a concept somehow. +    // doesn't. It feels like we're missing a concept somehow.      if (shouldFosterParent()) {          fosterParent(child.get());          ASSERT(child->attached() || !child->parentNode() || !child->parentNode()->attached()); @@ -103,11 +104,6 @@ PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRe      if (!child->parentNode())          return child.release(); -    // It's slightly unfortunate that we need to hold a reference to child -    // here to call attach().  We should investigate whether we can rely on -    // |parent| to hold a ref at this point.  In the common case (at least -    // for elements), however, we'll get to use this ref in the stack of -    // open elements.      if (parent->attached() && !child->attached())          child->attach();      return child.release(); diff --git a/Source/WebCore/html/parser/HTMLDocumentParser.cpp b/Source/WebCore/html/parser/HTMLDocumentParser.cpp index 7519699..8f95cc5 100644 --- a/Source/WebCore/html/parser/HTMLDocumentParser.cpp +++ b/Source/WebCore/html/parser/HTMLDocumentParser.cpp 
@@ -278,7 +278,7 @@ void HTMLDocumentParser::pumpTokenizer(SynchronousMode mode)          }          m_treeBuilder->constructTreeFromToken(m_token); -        m_token.clear(); +        ASSERT(m_token.isUninitialized());      }      // Ensure we haven't been totally deref'ed after pumping. Any caller of this diff --git a/Source/WebCore/html/parser/HTMLToken.h b/Source/WebCore/html/parser/HTMLToken.h index 49ec312..59f7ed4 100644 --- a/Source/WebCore/html/parser/HTMLToken.h +++ b/Source/WebCore/html/parser/HTMLToken.h @@ -73,6 +73,8 @@ public:          m_data.clear();      } +    bool isUninitialized() { return m_type == Uninitialized; } +      int startIndex() const { return m_range.m_start; }      int endIndex() const { return m_range.m_end; } diff --git a/Source/WebCore/html/parser/HTMLTreeBuilder.cpp b/Source/WebCore/html/parser/HTMLTreeBuilder.cpp index 6db09de..bf03b6e 100644 --- a/Source/WebCore/html/parser/HTMLTreeBuilder.cpp +++ b/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 
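Review bot: `bool isUninitialized() { return m_type == Uninitialized; }` in HTMLToken.h should be a const member function, matching the neighbouring `startIndex() const` and `endIndex() const` accessors: `bool isUninitialized() const { return m_type == Uninitialized; }`. As written it cannot be called on a `const HTMLToken&`. Note also that after this commit pumpTokenizer no longer clears m_token itself and only ASSERTs, so correctness in release builds depends entirely on HTMLTreeBuilder::constructTreeFromToken clearing the token on every path.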
@@ -434,7 +434,26 @@ PassRefPtr<Element> HTMLTreeBuilder::takeScriptToProcess(TextPosition1& scriptSt  void HTMLTreeBuilder::constructTreeFromToken(HTMLToken& rawToken)  {      AtomicHTMLToken token(rawToken); + +    // We clear the rawToken in case constructTreeFromAtomicToken +    // synchronously re-enters the parser. We don't clear the token immedately +    // for Character tokens because the AtomicHTMLToken avoids copying the +    // characters by keeping a pointer to the underlying buffer in the +    // HTMLToken. Fortuantely, Character tokens can't cause use to re-enter +    // the parser. +    // +    // FIXME: Top clearing the rawToken once we start running the parser off +    // the main thread or once we stop allowing synchronous JavaScript +    // execution from parseMappedAttribute. +    if (rawToken.type() != HTMLToken::Character) +        rawToken.clear(); +      constructTreeFromAtomicToken(token); + +    if (!rawToken.isUninitialized()) { +        ASSERT(rawToken.type() == HTMLToken::Character); +        rawToken.clear(); +    }  }  void HTMLTreeBuilder::constructTreeFromAtomicToken(AtomicHTMLToken& token) diff --git a/Source/WebCore/inspector/front-end/inspector.css b/Source/WebCore/inspector/front-end/inspector.css index 6848aaf..c560e1c 100644 --- a/Source/WebCore/inspector/front-end/inspector.css +++ b/Source/WebCore/inspector/front-end/inspector.css @@ -91,7 +91,7 @@ body.inactive #toolbar {  body.detached.platform-mac-leopard:not(.remote) #toolbar,  body.detached.platform-mac-snowleopard:not(.remote) #toolbar { -    background: transparent !important; +    background: transparent;  }  body.attached #toolbar { diff --git a/Source/WebCore/platform/graphics/FloatRect.cpp b/Source/WebCore/platform/graphics/FloatRect.cpp index 165ef76..7afc92b 100644 --- a/Source/WebCore/platform/graphics/FloatRect.cpp +++ b/Source/WebCore/platform/graphics/FloatRect.cpp 
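Review bot: The new comment in constructTreeFromToken has several typos that obscure its meaning: `immedately` → `immediately`, `Fortuantely` → `Fortunately`, `can't cause use to re-enter` → `can't cause us to re-enter`, and `FIXME: Top clearing the rawToken` → `FIXME: Stop clearing the rawToken`. The reasoning it records (Character tokens alias the HTMLToken's buffer, so they can only be cleared after the tree build, while every other token is cleared first to survive synchronous re-entry) is exactly what a future maintainer needs, so it is worth getting the wording right.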
@@ -182,18 +182,6 @@ void FloatRect::fitToPoints(const FloatPoint& p0, const FloatPoint& p1, const Fl      setLocationAndSizeFromEdges(left, top, right, bottom);  } -static inline int safeFloatToInt(float x) -{ -    static const int s_intMax = std::numeric_limits<int>::max(); -    static const int s_intMin = std::numeric_limits<int>::min(); - -    if (x >= static_cast<float>(s_intMax)) -        return s_intMax; -    if (x < static_cast<float>(s_intMin)) -        return s_intMin; -    return static_cast<int>(x); -} -  IntRect enclosingIntRect(const FloatRect& rect)  {      float left = floorf(rect.x()); @@ -201,8 +189,8 @@ IntRect enclosingIntRect(const FloatRect& rect)      float width = ceilf(rect.maxX()) - left;      float height = ceilf(rect.maxY()) - top; -    return IntRect(safeFloatToInt(left), safeFloatToInt(top),  -                   safeFloatToInt(width), safeFloatToInt(height)); +    return IntRect(clampToInteger(left), clampToInteger(top),  +                   clampToInteger(width), clampToInteger(height));  }  FloatRect mapRect(const FloatRect& r, const FloatRect& srcRect, const FloatRect& destRect) diff --git a/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp b/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp index f067b66..08652c9 100644 --- a/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp +++ b/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp @@ -110,6 +110,10 @@ static void premultitplyScanline(void* data, size_t tileNumber)  PassRefPtr<ByteArray> ImageBufferData::getData(const IntRect& rect, const IntSize& size, bool accelerateRendering, bool unmultiplied) const  { +    float area = 4.0f * rect.width() * rect.height(); +    if (area > static_cast<float>(std::numeric_limits<int>::max())) +        return 0; +      RefPtr<ByteArray> result = ByteArray::create(rect.width() * rect.height() * 4);      unsigned char* data = result->data(); 
diff --git a/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp b/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp index 2352672..2a1738a 100644 --- a/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp +++ b/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp @@ -168,6 +168,10 @@ template <Multiply multiplied>  PassRefPtr<ByteArray> getImageData(const IntRect& rect, SkDevice& srcDevice,                                     const IntSize& size)  { +    float area = 4.0f * rect.width() * rect.height(); +    if (area > static_cast<float>(std::numeric_limits<int>::max())) +        return 0; +      RefPtr<ByteArray> result = ByteArray::create(rect.width() * rect.height() * 4);      SkBitmap::Config srcConfig = srcDevice.accessBitmap(false).config(); diff --git a/Source/WebCore/platform/mac/HTMLConverter.mm b/Source/WebCore/platform/mac/HTMLConverter.mm index c0b0ba2..80016fd 100644 --- a/Source/WebCore/platform/mac/HTMLConverter.mm +++ b/Source/WebCore/platform/mac/HTMLConverter.mm @@ -1753,7 +1753,8 @@ static NSFileWrapper *fileWrapperForElement(Element* element)      const AtomicString& attr = element->getAttribute(srcAttr);      if (!attr.isEmpty()) {          NSURL *URL = element->document()->completeURL(attr); -        wrapper = fileWrapperForURL(element->document()->loader(), URL); +        if (DocumentLoader* loader = element->document()->loader()) +            wrapper = fileWrapperForURL(loader, URL);      }      if (!wrapper) {          RenderImage* renderer = toRenderImage(element->renderer()); diff --git a/Source/WebCore/rendering/RenderTextControl.cpp b/Source/WebCore/rendering/RenderTextControl.cpp index 8149f6c..0862df3 100644 --- a/Source/WebCore/rendering/RenderTextControl.cpp +++ b/Source/WebCore/rendering/RenderTextControl.cpp 
@@ -205,7 +205,12 @@ int RenderTextControl::selectionStart() const      Frame* frame = this->frame();      if (!frame)          return 0; -    return indexForVisiblePosition(frame->selection()->start()); +     +    HTMLElement* innerText = innerTextElement(); +    // Do not call innerTextElement() in the function arguments as creating a VisiblePosition +    // from frame->selection->start() can blow us from underneath. Also, function ordering is +    // usually dependent on the compiler. +    return RenderTextControl::indexForVisiblePosition(innerText, frame->selection()->start());  }  int RenderTextControl::selectionEnd() const @@ -213,7 +218,12 @@ int RenderTextControl::selectionEnd() const      Frame* frame = this->frame();      if (!frame)          return 0; -    return indexForVisiblePosition(frame->selection()->end()); + +    HTMLElement* innerText = innerTextElement(); +    // Do not call innerTextElement() in the function arguments as creating a VisiblePosition +    // from frame->selection->end() can blow us from underneath. Also, function ordering is +    // usually dependent on the compiler. +    return RenderTextControl::indexForVisiblePosition(innerText, frame->selection()->end());  }  bool RenderTextControl::hasVisibleTextArea() const @@ -256,15 +266,15 @@ void setSelectionRange(Node* node, int start, int end)          frame->selection()->setSelection(newSelection);  } -bool RenderTextControl::isSelectableElement(Node* node) const +bool RenderTextControl::isSelectableElement(HTMLElement* innerText, Node* node)  { -    if (!node || !m_innerText) +    if (!node || !innerText)          return false; -     -    if (node->rootEditableElement() == m_innerText) + +    if (node->rootEditableElement() == innerText)          return true; -    if (!m_innerText->contains(node)) +    if (!innerText->contains(node))          return false;      Node* shadowAncestor = node->shadowAncestorNode(); 
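Review bot: In selectionStart() and selectionEnd(), innerText is a raw HTMLElement* held across `frame->selection()->start()` / `->end()`, which the new comment itself says can run code that pulls the render tree out from under this object; if that same re-entrancy can rebuild the control's shadow tree, the pointer dangles before indexForVisiblePosition dereferences it. Holding it as `RefPtr<HTMLElement> innerText = innerTextElement();` keeps the element alive for the call; whether the DOM element can actually be destroyed there is not visible in this hunk, so treat this as a question for the author. The duplicated five-line comment could also be cut to one sentence, e.g. `// Fetch innerTextElement() before building the VisiblePosition: argument evaluation order is unspecified and the VisiblePosition computation may destroy this renderer.`.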
@@ -334,14 +344,14 @@ VisiblePosition RenderTextControl::visiblePositionForIndex(int index) const      return VisiblePosition(Position(endContainer, endOffset, Position::PositionIsOffsetInAnchor), UPSTREAM);  } -int RenderTextControl::indexForVisiblePosition(const VisiblePosition& pos) const +int RenderTextControl::indexForVisiblePosition(HTMLElement* innerTextElement, const VisiblePosition& pos)  {      Position indexPosition = pos.deepEquivalent(); -    if (!isSelectableElement(indexPosition.deprecatedNode())) +    if (!RenderTextControl::isSelectableElement(innerTextElement, indexPosition.deprecatedNode()))          return 0;      ExceptionCode ec = 0; -    RefPtr<Range> range = Range::create(document()); -    range->setStart(m_innerText.get(), 0, ec); +    RefPtr<Range> range = Range::create(indexPosition.document()); +    range->setStart(innerTextElement, 0, ec);      ASSERT(!ec);      range->setEnd(indexPosition.deprecatedNode(), indexPosition.deprecatedEditingOffset(), ec);      ASSERT(!ec); diff --git a/Source/WebCore/rendering/RenderTextControl.h b/Source/WebCore/rendering/RenderTextControl.h index 0c30ed6..78b295b 100644 --- a/Source/WebCore/rendering/RenderTextControl.h +++ b/Source/WebCore/rendering/RenderTextControl.h @@ -49,7 +49,7 @@ public:      void selectionChanged(bool userTriggered);      VisiblePosition visiblePositionForIndex(int index) const; -    int indexForVisiblePosition(const VisiblePosition&) const; +    static int indexForVisiblePosition(HTMLElement*, const VisiblePosition&);      void updatePlaceholderVisibility(bool, bool); @@ -104,7 +104,7 @@ private:      bool hasVisibleTextArea() const;      friend void setSelectionRange(Node*, int start, int end); -    bool isSelectableElement(Node*) const; +    static bool isSelectableElement(HTMLElement*, Node*);      virtual int textBlockInsetLeft() const = 0;      virtual int textBlockInsetRight() const = 0; 
diff --git a/Source/WebKit/chromium/src/ChromeClientImpl.cpp b/Source/WebKit/chromium/src/ChromeClientImpl.cpp index eee6934..fb41fbf 100644 --- a/Source/WebKit/chromium/src/ChromeClientImpl.cpp +++ b/Source/WebKit/chromium/src/ChromeClientImpl.cpp @@ -839,7 +839,8 @@ void ChromeClientImpl::scheduleCompositingLayerSync()  ChromeClient::CompositingTriggerFlags ChromeClientImpl::allowedCompositingTriggers() const  { -    if (!m_webView->allowsAcceleratedCompositing()) +    // FIXME: RTL style not supported by the compositor yet. +    if (!m_webView->allowsAcceleratedCompositing() || m_webView->pageHasRTLStyle())          return 0;      CompositingTriggerFlags flags = 0; diff --git a/Source/WebKit/chromium/src/WebViewImpl.cpp b/Source/WebKit/chromium/src/WebViewImpl.cpp index 9447b18..896395d 100644 --- a/Source/WebKit/chromium/src/WebViewImpl.cpp +++ b/Source/WebKit/chromium/src/WebViewImpl.cpp @@ -1006,11 +1006,6 @@ void WebViewImpl::animate()  void WebViewImpl::layout()  { -#if USE(ACCELERATED_COMPOSITING) -    // FIXME: RTL style not supported by the compositor yet. -    if (isAcceleratedCompositingActive() && pageHasRTLStyle()) -        setIsAcceleratedCompositingActive(false); -#endif      WebFrameImpl* webframe = mainFrameImpl();      if (webframe) { @@ -2303,8 +2298,7 @@ bool WebViewImpl::pageHasRTLStyle() const  void WebViewImpl::setRootGraphicsLayer(WebCore::PlatformLayer* layer)  { -    // FIXME: RTL style not supported by the compositor yet. -    setIsAcceleratedCompositingActive(layer && !pageHasRTLStyle() ? true : false); +    setIsAcceleratedCompositingActive(layer);      if (m_layerRenderer)          m_layerRenderer->setRootLayer(layer); | 
