Diffstat (limited to 'Source')
27 files changed, 181 insertions, 81 deletions
diff --git a/Source/JavaScriptCore/wtf/MathExtras.h b/Source/JavaScriptCore/wtf/MathExtras.h index fac187c..f1b13a5 100644 --- a/Source/JavaScriptCore/wtf/MathExtras.h +++ b/Source/JavaScriptCore/wtf/MathExtras.h @@ -220,17 +220,27 @@ inline int clampToPositiveInteger(double d) return static_cast<int>(std::max<double>(std::min(d, maxIntAsDouble), 0)); } -inline int clampToInteger(float d) +inline int clampToInteger(float x) { - const float minIntAsFloat = static_cast<float>(std::numeric_limits<int>::min()); - const float maxIntAsFloat = static_cast<float>(std::numeric_limits<int>::max()); - return static_cast<int>(std::max(std::min(d, maxIntAsFloat), minIntAsFloat)); + static const int s_intMax = std::numeric_limits<int>::max(); + static const int s_intMin = std::numeric_limits<int>::min(); + + if (x >= static_cast<float>(s_intMax)) + return s_intMax; + if (x < static_cast<float>(s_intMin)) + return s_intMin; + return static_cast<int>(x); } -inline int clampToPositiveInteger(float d) +inline int clampToPositiveInteger(float x) { - const float maxIntAsFloat = static_cast<float>(std::numeric_limits<int>::max()); - return static_cast<int>(std::max<float>(std::min(d, maxIntAsFloat), 0)); + static const int s_intMax = std::numeric_limits<int>::max(); + + if (x >= static_cast<float>(s_intMax)) + return s_intMax; + if (x < 0) + return 0; + return static_cast<int>(x); } inline int clampToInteger(unsigned value) diff --git a/Source/WebCore/WebCore.exp.in b/Source/WebCore/WebCore.exp.in index d8ee526..f110846 100644 --- a/Source/WebCore/WebCore.exp.in +++ b/Source/WebCore/WebCore.exp.in @@ -1274,6 +1274,7 @@ __ZNK7WebCore8Document20cacheDocumentElementEv __ZNK7WebCore8Document31displayStringModifiedByEncodingERKN3WTF6StringE __ZNK7WebCore8Document4bodyEv __ZNK7WebCore8Document6domainEv +__ZNK7WebCore8Document6loaderEv __ZNK7WebCore8IntPointcv7CGPointEv __ZNK7WebCore8IntPointcv8_NSPointEv __ZNK7WebCore8Position10downstreamENS_27EditingBoundaryCrossingRuleE 
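Review bot: A NaN input still reaches `static_cast<int>(x)` in both rewritten clampToInteger(float) and clampToPositiveInteger(float), because every comparison against a NaN is false, and converting a NaN to int is undefined behaviour; the branch form makes a guard cheap, e.g. `if (isnan(x)) return 0;` ahead of the comparisons. The previous std::min/std::max form had the same gap, so this is not a regression, only an opportunity the rewrite creates. It is also worth a one-line comment that `static_cast<float>(s_intMax)` rounds up to 2^31, which is why `>=` rather than `>` is the correct comparison there.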
diff --git a/Source/WebCore/accessibility/AccessibilityRenderObject.cpp b/Source/WebCore/accessibility/AccessibilityRenderObject.cpp index 2236f83..e52db5f 100644 --- a/Source/WebCore/accessibility/AccessibilityRenderObject.cpp +++ b/Source/WebCore/accessibility/AccessibilityRenderObject.cpp @@ -2490,7 +2490,7 @@ VisiblePosition AccessibilityRenderObject::visiblePositionForIndex(int index) co int AccessibilityRenderObject::indexForVisiblePosition(const VisiblePosition& pos) const { if (isNativeTextControl()) - return toRenderTextControl(m_renderer)->indexForVisiblePosition(pos); + return RenderTextControl::indexForVisiblePosition(toRenderTextControl(m_renderer)->innerTextElement(), pos); if (!isTextControl()) return 0; diff --git a/Source/WebCore/bindings/ScriptControllerBase.cpp b/Source/WebCore/bindings/ScriptControllerBase.cpp index 5e87dbf..b7da74d 100644 --- a/Source/WebCore/bindings/ScriptControllerBase.cpp +++ b/Source/WebCore/bindings/ScriptControllerBase.cpp @@ -107,9 +107,15 @@ bool ScriptController::executeIfJavaScriptURL(const KURL& url, ShouldReplaceDocu // FIXME: We should always replace the document, but doing so // synchronously can cause crashes: // http://bugs.webkit.org/show_bug.cgi?id=16782 - if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) - m_frame->document()->loader()->writer()->replaceDocument(scriptResult); - + if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) { + // We're still in a frame, so there should be a DocumentLoader. + ASSERT(m_frame->document()->loader()); + + // DocumentWriter::replaceDocument can cause the DocumentLoader to get deref'ed and possible destroyed, + // so protect it with a RefPtr. + if (RefPtr<DocumentLoader> loader = m_frame->document()->loader()) + loader->writer()->replaceDocument(scriptResult); + } return true; } diff --git a/Source/WebCore/css/CSSParser.cpp b/Source/WebCore/css/CSSParser.cpp index 7db8389..831e438 100644 
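Review bot: The new comment has a typo (`possible destroyed` → `possibly destroyed`), and it should say why `loader()` can legitimately be null one line after the ASSERT: if Document::loader() now answers 0 whenever the document is no longer its frame's current document, the null branch is a real runtime path rather than assert-only defence, and a reader should not be tempted to remove it. `loader->writer()` is still dereferenced unchecked; that is fine if the writer is owned by value inside DocumentLoader, which I cannot confirm from here.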
--- a/Source/WebCore/css/CSSParser.cpp +++ b/Source/WebCore/css/CSSParser.cpp @@ -6027,6 +6027,9 @@ int CSSParser::lex(void* yylvalWithoutType) case FUNCTION: case ANYFUNCTION: case NOTFUNCTION: + case CALCFUNCTION: + case MINFUNCTION: + case MAXFUNCTION: yylval->string.characters = t; yylval->string.length = length; break; diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp index 7ba603b..638b4ab 100644 --- a/Source/WebCore/dom/Document.cpp +++ b/Source/WebCore/dom/Document.cpp @@ -460,7 +460,6 @@ Document::Document(Frame* frame, const KURL& url, bool isXHTML, bool isHTML) m_ignoreAutofocus = false; m_frame = frame; - m_documentLoader = frame ? frame->loader()->activeDocumentLoader() : 0; // We depend on the url getting immediately set in subframes, but we // also depend on the url NOT getting immediately set in opened windows. @@ -601,12 +600,6 @@ void Document::removedLastRef() #if ENABLE(FULLSCREEN_API) m_fullScreenElement = 0; #endif - m_styleSelector.clear(); - m_styleSheets.clear(); - m_elemSheet.clear(); - m_mappedElementSheet.clear(); - m_pageUserSheet.clear(); - m_pageGroupUserSheets.clear(); // removeAllChildren() doesn't always unregister IDs, // so tear down scope information upfront to avoid having stale references in the map. @@ -2013,11 +2006,21 @@ HTMLElement* Document::body() const void Document::setBody(PassRefPtr<HTMLElement> newBody, ExceptionCode& ec) { - if (!newBody || !documentElement()) { + ec = 0; + + if (!newBody || !documentElement() || !newBody->hasTagName(bodyTag)) { ec = HIERARCHY_REQUEST_ERR; return; } + if (newBody->document() && newBody->document() != this) { + RefPtr<Node> node = importNode(newBody.get(), true, ec); + if (ec) + return; + + newBody = toHTMLElement(node.get()); + } + HTMLElement* b = body(); if (!b) documentElement()->appendChild(newBody, ec); 
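Review bot: The new check `!newBody->hasTagName(bodyTag)` in Document::setBody rejects a `<frameset>` element, which the `document.body` setter is generally specified to accept alongside `<body>`; if spec conformance is the intent of this hunk the condition should also admit `framesetTag`, and if the narrowing is deliberate a comment should record it. Resetting `ec = 0` up front is the right move now that `importNode` reuses the same code, and the early `if (ec) return;` after the import correctly avoids appending a null node.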
@@ -3783,7 +3786,9 @@ String Document::lastModified() const DateComponents date; bool foundDate = false; if (m_frame) { - String httpLastModified = m_documentLoader->response().httpHeaderField("Last-Modified"); + String httpLastModified; + if (DocumentLoader* documentLoader = loader()) + httpLastModified = documentLoader->response().httpHeaderField("Last-Modified"); if (!httpLastModified.isEmpty()) { date.setMillisecondsSinceEpochForDateTime(parseDate(httpLastModified)); foundDate = true; @@ -4264,7 +4269,7 @@ void Document::finishedParsing() if (!m_documentTiming.domContentLoadedEventEnd) m_documentTiming.domContentLoadedEventEnd = currentTime(); - if (Frame* f = frame()) { + if (RefPtr<Frame> f = frame()) { // FrameLoader::finishedParsing() might end up calling Document::implicitClose() if all // resource loads are complete. HTMLObjectElements can start loading their resources from // post attach callbacks triggered by recalcStyle(). This means if we parse out an <object> @@ -4276,7 +4281,7 @@ void Document::finishedParsing() f->loader()->finishedParsing(); - InspectorInstrumentation::domContentLoadedEventFired(f, url()); + InspectorInstrumentation::domContentLoadedEventFired(f.get(), url()); } } @@ -4491,7 +4496,9 @@ void Document::initSecurityContext() // load local resources. See https://bugs.webkit.org/show_bug.cgi?id=16756 // and https://bugs.webkit.org/show_bug.cgi?id=19760 for further // discussion. - if (m_documentLoader->substituteData().isValid()) + + DocumentLoader* documentLoader = loader(); + if (documentLoader && documentLoader->substituteData().isValid()) securityOrigin()->grantLoadLocalResources(); } 
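Review bot: Holding `RefPtr<Frame> f` in finishedParsing() keeps the Frame object alive across `f->loader()->finishedParsing()` but does not keep it attached; the comment above the hunk already warns that the call may run implicitClose(), so if it can also detach or navigate the frame, `InspectorInstrumentation::domContentLoadedEventFired(f.get(), url())` then fires for a frame whose page may be gone. If that is possible, a cheap `if (f->page())` or a re-check that `f->document() == this` before the instrumentation call would close it; if it is not, a short comment saying why the RefPtr alone suffices would settle the question for the next reader. finishedParsing() starts before and ends after these hunks.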
@@ -4572,7 +4579,9 @@ void Document::updateURLForPushOrReplaceState(const KURL& url) setURL(url); f->loader()->setOutgoingReferrer(url); - m_documentLoader->replaceRequestURLForSameDocumentNavigation(url); + + if (DocumentLoader* documentLoader = loader()) + documentLoader->replaceRequestURLForSameDocumentNavigation(url); } void Document::statePopped(SerializedScriptValue* stateObject) @@ -5038,4 +5047,19 @@ PassRefPtr<TouchList> Document::createTouchList(ExceptionCode&) const } #endif +DocumentLoader* Document::loader() const +{ + if (!m_frame) + return 0; + + DocumentLoader* loader = m_frame->loader()->activeDocumentLoader(); + if (!loader) + return 0; + + if (m_frame->document() != this) + return 0; + + return loader; +} + } // namespace WebCore diff --git a/Source/WebCore/dom/Document.h b/Source/WebCore/dom/Document.h index 179293c..7478e6c 100644 --- a/Source/WebCore/dom/Document.h +++ b/Source/WebCore/dom/Document.h @@ -553,8 +553,7 @@ public: void setVisuallyOrdered(); bool visuallyOrdered() const { return m_visuallyOrdered; } - void setDocumentLoader(DocumentLoader* documentLoader) { m_documentLoader = documentLoader; } - DocumentLoader* loader() const { return m_documentLoader; } + DocumentLoader* loader() const; void open(Document* ownerDocument = 0); void implicitOpen(); @@ -1156,7 +1155,6 @@ private: mutable RefPtr<CSSPrimitiveValueCache> m_cssPrimitiveValueCache; Frame* m_frame; - DocumentLoader* m_documentLoader; OwnPtr<CachedResourceLoader> m_cachedResourceLoader; RefPtr<DocumentParser> m_parser; bool m_wellFormed; diff --git a/Source/WebCore/dom/Element.cpp b/Source/WebCore/dom/Element.cpp index 50431aa..eef2419 100644 --- a/Source/WebCore/dom/Element.cpp +++ b/Source/WebCore/dom/Element.cpp 
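Review bot: The new Document::loader() should carry a header comment stating its contract, because it quietly changes the meaning of a previously trivial accessor: it now returns 0 not only when there is no frame or no active loader but also when this document is no longer its frame's current document, so every caller has to null-check. Something like `// Returns the frame's active DocumentLoader, or 0 if this document has no frame or is no longer the frame's current document. Callers must handle 0.` above the definition would do. As a point of style the `m_frame->document() != this` test could come before the activeDocumentLoader() call, since it does not depend on the loader, which puts the non-obvious case first.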
@@ -90,7 +90,13 @@ public: if (!m_pushedStyleSelector) return; + + // This tells us that our pushed style selector is in a bad state, + // so we should just bail out in that scenario. ASSERT(m_pushedStyleSelector == m_parent->document()->styleSelector()); + if (m_pushedStyleSelector != m_parent->document()->styleSelector()) + return; + m_pushedStyleSelector->popParent(m_parent); } diff --git a/Source/WebCore/dom/ScriptElement.cpp b/Source/WebCore/dom/ScriptElement.cpp index 5dd6b7d..55a7949 100644 --- a/Source/WebCore/dom/ScriptElement.cpp +++ b/Source/WebCore/dom/ScriptElement.cpp @@ -198,6 +198,14 @@ bool ScriptElement::prepareScript(const TextPosition1& scriptStartPosition, Lega if (!m_element->document()->frame()->script()->canExecuteScripts(AboutToExecuteScript)) return false; + // FIXME: This is non-standard. Remove this after https://bugs.webkit.org/show_bug.cgi?id=62412. + Node* ancestor = m_element->parentNode(); + while (ancestor) { + if (ancestor->isSVGShadowRoot()) + return false; + ancestor = ancestor->parentNode(); + } + if (!isScriptForEventSupported()) return false; diff --git a/Source/WebCore/fileapi/WebKitBlobBuilder.cpp b/Source/WebCore/fileapi/WebKitBlobBuilder.cpp index 2f40db7..0671e05 100644 --- a/Source/WebCore/fileapi/WebKitBlobBuilder.cpp +++ b/Source/WebCore/fileapi/WebKitBlobBuilder.cpp @@ -88,6 +88,8 @@ void WebKitBlobBuilder::append(const String& text, ExceptionCode& ec) #if ENABLE(BLOB) void WebKitBlobBuilder::append(ArrayBuffer* arrayBuffer) { + if (!arrayBuffer) + return; Vector<char>& buffer = getBuffer(); size_t oldSize = buffer.size(); buffer.append(static_cast<const char*>(arrayBuffer->data()), arrayBuffer->byteLength()); 
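Review bot: The ancestor walk added to ScriptElement::prepareScript() refuses to run a script under an SVG shadow root, but the comment only says the rule is non-standard and cites a bug; it should also state what the refusal protects against so the FIXME can later be removed safely, e.g. `// Scripts inside an SVG <use> instance tree are implementation artefacts, not document content, and must not execute.` — if that is indeed the reason, which I infer from the check rather than from anything visible here. Stylistically the while loop reads more naturally as `for (Node* ancestor = m_element->parentNode(); ancestor; ancestor = ancestor->parentNode())`. prepareScript() starts before and ends after this hunk.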
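Review bot: The new null check in WebKitBlobBuilder::append(ArrayBuffer*) — and the matching one in append(Blob*) in the next hunk — turns an `append(null)` into a silent no-op, while the String overload visible in this hunk's header reports failures through an ExceptionCode; if the bindings can pass null for these arguments, a comment such as `// A null argument is ignored rather than reported; see the String overload for the exception path.` would record that the asymmetry is intended, or the two should be aligned.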
@@ -97,6 +99,8 @@ void WebKitBlobBuilder::append(ArrayBuffer* arrayBuffer) void WebKitBlobBuilder::append(Blob* blob) { + if (!blob) + return; if (blob->isFile()) { // If the blob is file that is not snapshoted, capture the snapshot now. // FIXME: This involves synchronous file operation. We need to figure out how to make it asynchronous. diff --git a/Source/WebCore/html/HTMLCanvasElement.cpp b/Source/WebCore/html/HTMLCanvasElement.cpp index ff94b76..764620c 100644 --- a/Source/WebCore/html/HTMLCanvasElement.cpp +++ b/Source/WebCore/html/HTMLCanvasElement.cpp 
@@ -372,17 +372,21 @@ PassRefPtr<ImageData> HTMLCanvasElement::getImageData() IntRect HTMLCanvasElement::convertLogicalToDevice(const FloatRect& logicalRect) const { - float left = floorf(logicalRect.x() * m_pageScaleFactor); - float top = floorf(logicalRect.y() * m_pageScaleFactor); - float right = ceilf(logicalRect.maxX() * m_pageScaleFactor); - float bottom = ceilf(logicalRect.maxY() * m_pageScaleFactor); - + // Prevent under/overflow by ensuring the rect's bounds stay within integer-expressible range + int left = clampToInteger(floorf(logicalRect.x() * m_pageScaleFactor)); + int top = clampToInteger(floorf(logicalRect.y() * m_pageScaleFactor)); + int right = clampToInteger(ceilf(logicalRect.maxX() * m_pageScaleFactor)); + int bottom = clampToInteger(ceilf(logicalRect.maxY() * m_pageScaleFactor)); + return IntRect(IntPoint(left, top), convertToValidDeviceSize(right - left, bottom - top)); } IntSize HTMLCanvasElement::convertLogicalToDevice(const FloatSize& logicalSize) const { - return convertToValidDeviceSize(logicalSize.width() * m_pageScaleFactor, logicalSize.height() * m_pageScaleFactor); + // Prevent overflow by ensuring the rect's bounds stay within integer-expressible range + float width = clampToInteger(ceilf(logicalSize.width() * m_pageScaleFactor)); + float height = clampToInteger(ceilf(logicalSize.height() * m_pageScaleFactor)); + return convertToValidDeviceSize(width, height); } IntSize HTMLCanvasElement::convertToValidDeviceSize(float width, float height) const diff --git a/Source/WebCore/html/MediaDocument.cpp b/Source/WebCore/html/MediaDocument.cpp index cd1fdfb..1d7b0f9 100644 --- a/Source/WebCore/html/MediaDocument.cpp +++ b/Source/WebCore/html/MediaDocument.cpp 
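Review bot: Clamping `left`, `top`, `right` and `bottom` to int individually and then computing `right - left` and `bottom - top` in int reintroduces the overflow this hunk set out to remove: for a huge rect `left` clamps to INT_MIN and `right` to INT_MAX, and their difference overflows a signed int, which is undefined behaviour. Compute the size in float, as enclosingIntRect in FloatRect.cpp does elsewhere in this change, and clamp only once; in the FloatSize overload the comment says "rect's bounds" though it is a size, and `width`/`height` are declared float while holding the int result of clampToInteger, which is harmless but worth tidying.
```cpp
IntRect HTMLCanvasElement::convertLogicalToDevice(const FloatRect& logicalRect) const
{
    // Compute the edges and the size in float so the subtraction cannot overflow an int, then clamp once.
    float left = floorf(logicalRect.x() * m_pageScaleFactor);
    float top = floorf(logicalRect.y() * m_pageScaleFactor);
    float width = ceilf(logicalRect.maxX() * m_pageScaleFactor) - left;
    float height = ceilf(logicalRect.maxY() * m_pageScaleFactor) - top;

    return IntRect(IntPoint(clampToInteger(left), clampToInteger(top)), convertToValidDeviceSize(width, height));
}
// … unchanged: FloatSize overload …
```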
@@ -209,7 +209,11 @@ void MediaDocument::replaceMediaElementTimerFired(Timer<MediaDocument>*) embedElement->setAttribute(heightAttr, "100%"); embedElement->setAttribute(nameAttr, "plugin"); embedElement->setAttribute(srcAttr, url().string()); - embedElement->setAttribute(typeAttr, loader()->writer()->mimeType()); + + DocumentLoader* documentLoader = loader(); + ASSERT(documentLoader); + if (documentLoader) + embedElement->setAttribute(typeAttr, documentLoader->writer()->mimeType()); ExceptionCode ec; videoElement->parentNode()->replaceChild(embedElement, videoElement, ec); diff --git a/Source/WebCore/html/PluginDocument.cpp b/Source/WebCore/html/PluginDocument.cpp index 94f44cf..6b64237 100644 --- a/Source/WebCore/html/PluginDocument.cpp +++ b/Source/WebCore/html/PluginDocument.cpp @@ -92,7 +92,11 @@ void PluginDocumentParser::createDocumentStructure() m_embedElement->setAttribute(nameAttr, "plugin"); m_embedElement->setAttribute(srcAttr, document()->url().string()); - m_embedElement->setAttribute(typeAttr, document()->loader()->writer()->mimeType()); + + DocumentLoader* loader = document()->loader(); + ASSERT(loader); + if (loader) + m_embedElement->setAttribute(typeAttr, loader->writer()->mimeType()); static_cast<PluginDocument*>(document())->setPluginNode(m_embedElement); diff --git a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp index ab6427e..2051750 100644 --- a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp +++ b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp @@ -1632,6 +1632,10 @@ PassRefPtr<ImageData> CanvasRenderingContext2D::createImageData(float sw, float if (scaledSize.height() < 1) scaledSize.setHeight(1); + float area = 4.0f * scaledSize.width() * scaledSize.height(); + if (area > static_cast<float>(std::numeric_limits<int>::max())) + return 0; + return createEmptyImageData(scaledSize); } 
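Review bot: The overflow guard `float area = 4.0f * w * h; if (area > INT_MAX) return 0;` in createImageData is not exact at the limit: a float carries 24 bits of mantissa, so a true area slightly above INT_MAX rounds down to exactly 2^31 (which is also what `static_cast<float>(INT_MAX)` yields), the comparison passes, and the later `width * height * 4` in int overflows anyway. Doing the arithmetic in double, `double area = 4.0 * scaledSize.width() * scaledSize.height();`, makes the comparison exact for int-range operands; an integer form such as `height && width > std::numeric_limits<int>::max() / 4 / height` avoids floating point entirely. The same float guard appears in ImageBufferData::getData (ImageBufferDataCG.cpp) and in getImageData (ImageBufferSkia.cpp) later in this change and should be fixed the same way; returning 0 is fine provided the JS binding treats a null ImageData as an error rather than dereferencing it, which is worth confirming.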
@@ -1668,7 +1672,12 @@ PassRefPtr<ImageData> CanvasRenderingContext2D::getImageData(float sx, float sy, ImageBuffer* buffer = canvas()->buffer(); if (!buffer) return createEmptyImageData(scaledRect.size()); - return ImageData::create(scaledRect.size(), buffer->getUnmultipliedImageData(scaledRect)); + + RefPtr<ByteArray> byteArray = buffer->getUnmultipliedImageData(scaledRect); + if (!byteArray) + return 0; + + return ImageData::create(scaledRect.size(), byteArray.release()); } void CanvasRenderingContext2D::putImageData(ImageData* data, float dx, float dy, ExceptionCode& ec) diff --git a/Source/WebCore/html/parser/HTMLConstructionSite.cpp b/Source/WebCore/html/parser/HTMLConstructionSite.cpp index 2be6039..6ca04cd 100644 --- a/Source/WebCore/html/parser/HTMLConstructionSite.cpp +++ b/Source/WebCore/html/parser/HTMLConstructionSite.cpp @@ -83,13 +83,14 @@ bool causesFosterParenting(const QualifiedName& tagName) } // namespace template<typename ChildType> -PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRefPtr<ChildType> prpChild) +PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* rawParent, PassRefPtr<ChildType> prpChild) { RefPtr<ChildType> child = prpChild; + RefPtr<ContainerNode> parent = rawParent; // FIXME: It's confusing that HTMLConstructionSite::attach does the magic // redirection to the foster parent but HTMLConstructionSite::attachAtSite - // doesn't. It feels like we're missing a concept somehow. + // doesn't. It feels like we're missing a concept somehow. if (shouldFosterParent()) { fosterParent(child.get()); ASSERT(child->attached() || !child->parentNode() || !child->parentNode()->attached()); 
@@ -103,11 +104,6 @@ PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRe if (!child->parentNode()) return child.release(); - // It's slightly unfortunate that we need to hold a reference to child - // here to call attach(). We should investigate whether we can rely on - // |parent| to hold a ref at this point. In the common case (at least - // for elements), however, we'll get to use this ref in the stack of - // open elements. if (parent->attached() && !child->attached()) child->attach(); return child.release(); diff --git a/Source/WebCore/html/parser/HTMLDocumentParser.cpp b/Source/WebCore/html/parser/HTMLDocumentParser.cpp index 7519699..8f95cc5 100644 --- a/Source/WebCore/html/parser/HTMLDocumentParser.cpp +++ b/Source/WebCore/html/parser/HTMLDocumentParser.cpp @@ -278,7 +278,7 @@ void HTMLDocumentParser::pumpTokenizer(SynchronousMode mode) } m_treeBuilder->constructTreeFromToken(m_token); - m_token.clear(); + ASSERT(m_token.isUninitialized()); } // Ensure we haven't been totally deref'ed after pumping. Any caller of this diff --git a/Source/WebCore/html/parser/HTMLToken.h b/Source/WebCore/html/parser/HTMLToken.h index 49ec312..59f7ed4 100644 --- a/Source/WebCore/html/parser/HTMLToken.h +++ b/Source/WebCore/html/parser/HTMLToken.h @@ -73,6 +73,8 @@ public: m_data.clear(); } + bool isUninitialized() { return m_type == Uninitialized; } + int startIndex() const { return m_range.m_start; } int endIndex() const { return m_range.m_end; } diff --git a/Source/WebCore/html/parser/HTMLTreeBuilder.cpp b/Source/WebCore/html/parser/HTMLTreeBuilder.cpp index 6db09de..bf03b6e 100644 --- a/Source/WebCore/html/parser/HTMLTreeBuilder.cpp +++ b/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 
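Review bot: `bool isUninitialized() { return m_type == Uninitialized; }` in HTMLToken.h should be a const member function, `bool isUninitialized() const { return m_type == Uninitialized; }`, matching `startIndex()` and `endIndex()` directly below it; as written it cannot be called on a `const HTMLToken&`, and the new ASSERT in HTMLDocumentParser::pumpTokenizer in the previous hunk compiles only because m_token is non-const there.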
@@ -434,7 +434,26 @@ PassRefPtr<Element> HTMLTreeBuilder::takeScriptToProcess(TextPosition1& scriptSt void HTMLTreeBuilder::constructTreeFromToken(HTMLToken& rawToken) { AtomicHTMLToken token(rawToken); + + // We clear the rawToken in case constructTreeFromAtomicToken + // synchronously re-enters the parser. We don't clear the token immedately + // for Character tokens because the AtomicHTMLToken avoids copying the + // characters by keeping a pointer to the underlying buffer in the + // HTMLToken. Fortuantely, Character tokens can't cause use to re-enter + // the parser. + // + // FIXME: Top clearing the rawToken once we start running the parser off + // the main thread or once we stop allowing synchronous JavaScript + // execution from parseMappedAttribute. + if (rawToken.type() != HTMLToken::Character) + rawToken.clear(); + constructTreeFromAtomicToken(token); + + if (!rawToken.isUninitialized()) { + ASSERT(rawToken.type() == HTMLToken::Character); + rawToken.clear(); + } } void HTMLTreeBuilder::constructTreeFromAtomicToken(AtomicHTMLToken& token) diff --git a/Source/WebCore/inspector/front-end/inspector.css b/Source/WebCore/inspector/front-end/inspector.css index 6848aaf..c560e1c 100644 --- a/Source/WebCore/inspector/front-end/inspector.css +++ b/Source/WebCore/inspector/front-end/inspector.css @@ -91,7 +91,7 @@ body.inactive #toolbar { body.detached.platform-mac-leopard:not(.remote) #toolbar, body.detached.platform-mac-snowleopard:not(.remote) #toolbar { - background: transparent !important; + background: transparent; } body.attached #toolbar { diff --git a/Source/WebCore/platform/graphics/FloatRect.cpp b/Source/WebCore/platform/graphics/FloatRect.cpp index 165ef76..7afc92b 100644 --- a/Source/WebCore/platform/graphics/FloatRect.cpp +++ b/Source/WebCore/platform/graphics/FloatRect.cpp 
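Review bot: The new comment in constructTreeFromToken has several typos that obscure a subtle re-entrancy argument: `immedately` → `immediately`, `Fortuantely` → `Fortunately`, `can't cause use to re-enter` → `can't cause us to re-enter`, and `Top clearing` → `Stop clearing`. The argument rests on Character tokens never re-entering the parser while the AtomicHTMLToken still points into rawToken's buffer, so one sentence naming where that guarantee comes from would make the trailing `if (!rawToken.isUninitialized())` block self-explanatory rather than something the reader has to reverse-engineer from the ASSERT.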
@@ -182,18 +182,6 @@ void FloatRect::fitToPoints(const FloatPoint& p0, const FloatPoint& p1, const Fl setLocationAndSizeFromEdges(left, top, right, bottom); } -static inline int safeFloatToInt(float x) -{ - static const int s_intMax = std::numeric_limits<int>::max(); - static const int s_intMin = std::numeric_limits<int>::min(); - - if (x >= static_cast<float>(s_intMax)) - return s_intMax; - if (x < static_cast<float>(s_intMin)) - return s_intMin; - return static_cast<int>(x); -} - IntRect enclosingIntRect(const FloatRect& rect) { float left = floorf(rect.x()); @@ -201,8 +189,8 @@ IntRect enclosingIntRect(const FloatRect& rect) float width = ceilf(rect.maxX()) - left; float height = ceilf(rect.maxY()) - top; - return IntRect(safeFloatToInt(left), safeFloatToInt(top), - safeFloatToInt(width), safeFloatToInt(height)); + return IntRect(clampToInteger(left), clampToInteger(top), + clampToInteger(width), clampToInteger(height)); } FloatRect mapRect(const FloatRect& r, const FloatRect& srcRect, const FloatRect& destRect) diff --git a/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp b/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp index f067b66..08652c9 100644 --- a/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp +++ b/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp @@ -110,6 +110,10 @@ static void premultitplyScanline(void* data, size_t tileNumber) PassRefPtr<ByteArray> ImageBufferData::getData(const IntRect& rect, const IntSize& size, bool accelerateRendering, bool unmultiplied) const { + float area = 4.0f * rect.width() * rect.height(); + if (area > static_cast<float>(std::numeric_limits<int>::max())) + return 0; + RefPtr<ByteArray> result = ByteArray::create(rect.width() * rect.height() * 4); unsigned char* data = result->data(); diff --git a/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp b/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp index 2352672..2a1738a 100644 
--- a/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp +++ b/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp @@ -168,6 +168,10 @@ template <Multiply multiplied> PassRefPtr<ByteArray> getImageData(const IntRect& rect, SkDevice& srcDevice, const IntSize& size) { + float area = 4.0f * rect.width() * rect.height(); + if (area > static_cast<float>(std::numeric_limits<int>::max())) + return 0; + RefPtr<ByteArray> result = ByteArray::create(rect.width() * rect.height() * 4); SkBitmap::Config srcConfig = srcDevice.accessBitmap(false).config(); diff --git a/Source/WebCore/platform/mac/HTMLConverter.mm b/Source/WebCore/platform/mac/HTMLConverter.mm index c0b0ba2..80016fd 100644 --- a/Source/WebCore/platform/mac/HTMLConverter.mm +++ b/Source/WebCore/platform/mac/HTMLConverter.mm @@ -1753,7 +1753,8 @@ static NSFileWrapper *fileWrapperForElement(Element* element) const AtomicString& attr = element->getAttribute(srcAttr); if (!attr.isEmpty()) { NSURL *URL = element->document()->completeURL(attr); - wrapper = fileWrapperForURL(element->document()->loader(), URL); + if (DocumentLoader* loader = element->document()->loader()) + wrapper = fileWrapperForURL(loader, URL); } if (!wrapper) { RenderImage* renderer = toRenderImage(element->renderer()); diff --git a/Source/WebCore/rendering/RenderTextControl.cpp b/Source/WebCore/rendering/RenderTextControl.cpp index 8149f6c..0862df3 100644 --- a/Source/WebCore/rendering/RenderTextControl.cpp +++ b/Source/WebCore/rendering/RenderTextControl.cpp 
@@ -205,7 +205,12 @@ int RenderTextControl::selectionStart() const Frame* frame = this->frame(); if (!frame) return 0; - return indexForVisiblePosition(frame->selection()->start()); + + HTMLElement* innerText = innerTextElement(); + // Do not call innerTextElement() in the function arguments as creating a VisiblePosition + // from frame->selection->start() can blow us from underneath. Also, function ordering is + // usually dependent on the compiler. + return RenderTextControl::indexForVisiblePosition(innerText, frame->selection()->start()); } int RenderTextControl::selectionEnd() const @@ -213,7 +218,12 @@ int RenderTextControl::selectionEnd() const Frame* frame = this->frame(); if (!frame) return 0; - return indexForVisiblePosition(frame->selection()->end()); + + HTMLElement* innerText = innerTextElement(); + // Do not call innerTextElement() in the function arguments as creating a VisiblePosition + // from frame->selection->end() can blow us from underneath. Also, function ordering is + // usually dependent on the compiler. + return RenderTextControl::indexForVisiblePosition(innerText, frame->selection()->end()); } bool RenderTextControl::hasVisibleTextArea() const @@ -256,15 +266,15 @@ void setSelectionRange(Node* node, int start, int end) frame->selection()->setSelection(newSelection); } -bool RenderTextControl::isSelectableElement(Node* node) const +bool RenderTextControl::isSelectableElement(HTMLElement* innerText, Node* node) { - if (!node || !m_innerText) + if (!node || !innerText) return false; - - if (node->rootEditableElement() == m_innerText) + + if (node->rootEditableElement() == innerText) return true; - if (!m_innerText->contains(node)) + if (!innerText->contains(node)) return false; Node* shadowAncestor = node->shadowAncestorNode(); 
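Review bot: The comment duplicated in selectionStart() and selectionEnd() says "function ordering is usually dependent on the compiler"; the precise reason is that C++ leaves the evaluation order of function arguments unspecified, so `innerTextElement()` could have been evaluated after `frame->selection()->start()` had already destroyed this renderer — stating it that way, e.g. `// Argument evaluation order is unspecified: fetch innerTextElement() before building the VisiblePosition, which can run layout and destroy |this|.`, makes the hoist obviously necessary. Since the fix is identical in both functions, a small private helper taking the Position would remove the duplicated comment. If constructing the VisiblePosition can also run script, `innerText` should be held in a `RefPtr<HTMLElement>` across that call rather than a raw pointer; I cannot tell from here whether it can.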
@@ -334,14 +344,14 @@ VisiblePosition RenderTextControl::visiblePositionForIndex(int index) const return VisiblePosition(Position(endContainer, endOffset, Position::PositionIsOffsetInAnchor), UPSTREAM); } -int RenderTextControl::indexForVisiblePosition(const VisiblePosition& pos) const +int RenderTextControl::indexForVisiblePosition(HTMLElement* innerTextElement, const VisiblePosition& pos) { Position indexPosition = pos.deepEquivalent(); - if (!isSelectableElement(indexPosition.deprecatedNode())) + if (!RenderTextControl::isSelectableElement(innerTextElement, indexPosition.deprecatedNode())) return 0; ExceptionCode ec = 0; - RefPtr<Range> range = Range::create(document()); - range->setStart(m_innerText.get(), 0, ec); + RefPtr<Range> range = Range::create(indexPosition.document()); + range->setStart(innerTextElement, 0, ec); ASSERT(!ec); range->setEnd(indexPosition.deprecatedNode(), indexPosition.deprecatedEditingOffset(), ec); ASSERT(!ec); diff --git a/Source/WebCore/rendering/RenderTextControl.h b/Source/WebCore/rendering/RenderTextControl.h index 0c30ed6..78b295b 100644 --- a/Source/WebCore/rendering/RenderTextControl.h +++ b/Source/WebCore/rendering/RenderTextControl.h @@ -49,7 +49,7 @@ public: void selectionChanged(bool userTriggered); VisiblePosition visiblePositionForIndex(int index) const; - int indexForVisiblePosition(const VisiblePosition&) const; + static int indexForVisiblePosition(HTMLElement*, const VisiblePosition&); void updatePlaceholderVisibility(bool, bool); @@ -104,7 +104,7 @@ private: bool hasVisibleTextArea() const; friend void setSelectionRange(Node*, int start, int end); - bool isSelectableElement(Node*) const; + static bool isSelectableElement(HTMLElement*, Node*); virtual int textBlockInsetLeft() const = 0; virtual int textBlockInsetRight() const = 0; diff --git a/Source/WebKit/chromium/src/ChromeClientImpl.cpp b/Source/WebKit/chromium/src/ChromeClientImpl.cpp index eee6934..fb41fbf 100644 
--- a/Source/WebKit/chromium/src/ChromeClientImpl.cpp +++ b/Source/WebKit/chromium/src/ChromeClientImpl.cpp @@ -839,7 +839,8 @@ void ChromeClientImpl::scheduleCompositingLayerSync() ChromeClient::CompositingTriggerFlags ChromeClientImpl::allowedCompositingTriggers() const { - if (!m_webView->allowsAcceleratedCompositing()) + // FIXME: RTL style not supported by the compositor yet. + if (!m_webView->allowsAcceleratedCompositing() || m_webView->pageHasRTLStyle()) return 0; CompositingTriggerFlags flags = 0; diff --git a/Source/WebKit/chromium/src/WebViewImpl.cpp b/Source/WebKit/chromium/src/WebViewImpl.cpp index 9447b18..896395d 100644 --- a/Source/WebKit/chromium/src/WebViewImpl.cpp +++ b/Source/WebKit/chromium/src/WebViewImpl.cpp @@ -1006,11 +1006,6 @@ void WebViewImpl::animate() void WebViewImpl::layout() { -#if USE(ACCELERATED_COMPOSITING) - // FIXME: RTL style not supported by the compositor yet. - if (isAcceleratedCompositingActive() && pageHasRTLStyle()) - setIsAcceleratedCompositingActive(false); -#endif WebFrameImpl* webframe = mainFrameImpl(); if (webframe) { @@ -2303,8 +2298,7 @@ bool WebViewImpl::pageHasRTLStyle() const void WebViewImpl::setRootGraphicsLayer(WebCore::PlatformLayer* layer) { - // FIXME: RTL style not supported by the compositor yet. - setIsAcceleratedCompositingActive(layer && !pageHasRTLStyle() ? true : false); + setIsAcceleratedCompositingActive(layer); if (m_layerRenderer) m_layerRenderer->setRootLayer(layer); |
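Review bot: Moving the RTL check into allowedCompositingTriggers() changes when it is evaluated: the code removed from WebViewImpl::layout() re-tested pageHasRTLStyle() on every layout and switched compositing off if the page became RTL later, whereas the new code consults it only where allowedCompositingTriggers() is called; if that is not re-queried after a direction change, a page that turns RTL after compositing has started would stay composited, which is worth confirming or documenting in the FIXME. In setRootGraphicsLayer, `setIsAcceleratedCompositingActive(layer)` now relies on an implicit pointer-to-bool conversion; `setIsAcceleratedCompositingActive(layer != 0)` keeps the intent explicit.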