Diffstat (limited to 'Source')
-rw-r--r--Source/JavaScriptCore/wtf/MathExtras.h24
-rw-r--r--Source/WebCore/WebCore.exp.in1
-rw-r--r--Source/WebCore/accessibility/AccessibilityRenderObject.cpp2
-rw-r--r--Source/WebCore/bindings/ScriptControllerBase.cpp12
-rw-r--r--Source/WebCore/css/CSSParser.cpp3
-rw-r--r--Source/WebCore/dom/Document.cpp50
-rw-r--r--Source/WebCore/dom/Document.h4
-rw-r--r--Source/WebCore/dom/Element.cpp6
-rw-r--r--Source/WebCore/dom/ScriptElement.cpp8
-rw-r--r--Source/WebCore/fileapi/WebKitBlobBuilder.cpp4
-rw-r--r--Source/WebCore/html/HTMLCanvasElement.cpp16
-rw-r--r--Source/WebCore/html/MediaDocument.cpp6
-rw-r--r--Source/WebCore/html/PluginDocument.cpp6
-rw-r--r--Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp11
-rw-r--r--Source/WebCore/html/parser/HTMLConstructionSite.cpp10
-rw-r--r--Source/WebCore/html/parser/HTMLDocumentParser.cpp2
-rw-r--r--Source/WebCore/html/parser/HTMLToken.h2
-rw-r--r--Source/WebCore/html/parser/HTMLTreeBuilder.cpp19
-rw-r--r--Source/WebCore/inspector/front-end/inspector.css2
-rw-r--r--Source/WebCore/platform/graphics/FloatRect.cpp16
-rw-r--r--Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp4
-rw-r--r--Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp4
-rw-r--r--Source/WebCore/platform/mac/HTMLConverter.mm3
-rw-r--r--Source/WebCore/rendering/RenderTextControl.cpp32
-rw-r--r--Source/WebCore/rendering/RenderTextControl.h4
-rw-r--r--Source/WebKit/chromium/src/ChromeClientImpl.cpp3
-rw-r--r--Source/WebKit/chromium/src/WebViewImpl.cpp8
27 files changed, 181 insertions, 81 deletions
diff --git a/Source/JavaScriptCore/wtf/MathExtras.h b/Source/JavaScriptCore/wtf/MathExtras.h
index fac187c..f1b13a5 100644
--- a/Source/JavaScriptCore/wtf/MathExtras.h
+++ b/Source/JavaScriptCore/wtf/MathExtras.h
@@ -220,17 +220,27 @@ inline int clampToPositiveInteger(double d)
return static_cast<int>(std::max<double>(std::min(d, maxIntAsDouble), 0));
}
-inline int clampToInteger(float d)
+inline int clampToInteger(float x)
{
- const float minIntAsFloat = static_cast<float>(std::numeric_limits<int>::min());
- const float maxIntAsFloat = static_cast<float>(std::numeric_limits<int>::max());
- return static_cast<int>(std::max(std::min(d, maxIntAsFloat), minIntAsFloat));
+ static const int s_intMax = std::numeric_limits<int>::max();
+ static const int s_intMin = std::numeric_limits<int>::min();
+
+ if (x >= static_cast<float>(s_intMax))
+ return s_intMax;
+ if (x < static_cast<float>(s_intMin))
+ return s_intMin;
+ return static_cast<int>(x);
}
-inline int clampToPositiveInteger(float d)
+inline int clampToPositiveInteger(float x)
{
- const float maxIntAsFloat = static_cast<float>(std::numeric_limits<int>::max());
- return static_cast<int>(std::max<float>(std::min(d, maxIntAsFloat), 0));
+ static const int s_intMax = std::numeric_limits<int>::max();
+
+ if (x >= static_cast<float>(s_intMax))
+ return s_intMax;
+ if (x < 0)
+ return 0;
+ return static_cast<int>(x);
}
inline int clampToInteger(unsigned value)
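Review bot: Neither new overload handles NaN: both comparisons are false for a NaN `x`, so the final `return static_cast<int>(x);` in each function is reached with an out-of-range value, which is undefined behaviour, and the callers added in this diff (FloatRect.cpp, HTMLCanvasElement.cpp) feed it float arithmetic that is likely page-influenced. Add an explicit guard before the range checks in both `clampToInteger(float)` and `clampToPositiveInteger(float)`, e.g. `if (x != x) return 0; // NaN: comparisons below are all false`, and say in a comment which value NaN maps to. The replaced `std::min`/`std::max` version had the same gap, so this is not a regression, but a function named as a safe clamp should cover it.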
diff --git a/Source/WebCore/WebCore.exp.in b/Source/WebCore/WebCore.exp.in
index d8ee526..f110846 100644
--- a/Source/WebCore/WebCore.exp.in
+++ b/Source/WebCore/WebCore.exp.in
@@ -1274,6 +1274,7 @@ __ZNK7WebCore8Document20cacheDocumentElementEv
__ZNK7WebCore8Document31displayStringModifiedByEncodingERKN3WTF6StringE
__ZNK7WebCore8Document4bodyEv
__ZNK7WebCore8Document6domainEv
+__ZNK7WebCore8Document6loaderEv
__ZNK7WebCore8IntPointcv7CGPointEv
__ZNK7WebCore8IntPointcv8_NSPointEv
__ZNK7WebCore8Position10downstreamENS_27EditingBoundaryCrossingRuleE
diff --git a/Source/WebCore/accessibility/AccessibilityRenderObject.cpp b/Source/WebCore/accessibility/AccessibilityRenderObject.cpp
index 2236f83..e52db5f 100644
--- a/Source/WebCore/accessibility/AccessibilityRenderObject.cpp
+++ b/Source/WebCore/accessibility/AccessibilityRenderObject.cpp
@@ -2490,7 +2490,7 @@ VisiblePosition AccessibilityRenderObject::visiblePositionForIndex(int index) co
int AccessibilityRenderObject::indexForVisiblePosition(const VisiblePosition& pos) const
{
if (isNativeTextControl())
- return toRenderTextControl(m_renderer)->indexForVisiblePosition(pos);
+ return RenderTextControl::indexForVisiblePosition(toRenderTextControl(m_renderer)->innerTextElement(), pos);
if (!isTextControl())
return 0;
diff --git a/Source/WebCore/bindings/ScriptControllerBase.cpp b/Source/WebCore/bindings/ScriptControllerBase.cpp
index 5e87dbf..b7da74d 100644
--- a/Source/WebCore/bindings/ScriptControllerBase.cpp
+++ b/Source/WebCore/bindings/ScriptControllerBase.cpp
@@ -107,9 +107,15 @@ bool ScriptController::executeIfJavaScriptURL(const KURL& url, ShouldReplaceDocu
// FIXME: We should always replace the document, but doing so
// synchronously can cause crashes:
// http://bugs.webkit.org/show_bug.cgi?id=16782
- if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL)
- m_frame->document()->loader()->writer()->replaceDocument(scriptResult);
-
+ if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) {
+ // We're still in a frame, so there should be a DocumentLoader.
+ ASSERT(m_frame->document()->loader());
+
+ // DocumentWriter::replaceDocument can cause the DocumentLoader to get deref'ed and possible destroyed,
+ // so protect it with a RefPtr.
+ if (RefPtr<DocumentLoader> loader = m_frame->document()->loader())
+ loader->writer()->replaceDocument(scriptResult);
+ }
return true;
}
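Review bot: The new comment has a typo that changes its meaning slightly: "deref'ed and possible destroyed" should read "deref'ed and possibly destroyed". Otherwise the RefPtr guard is the right shape; the `ASSERT` plus the null-tolerant `if` correctly keeps release builds from dereferencing a null loader.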
diff --git a/Source/WebCore/css/CSSParser.cpp b/Source/WebCore/css/CSSParser.cpp
index 7db8389..831e438 100644
--- a/Source/WebCore/css/CSSParser.cpp
+++ b/Source/WebCore/css/CSSParser.cpp
@@ -6027,6 +6027,9 @@ int CSSParser::lex(void* yylvalWithoutType)
case FUNCTION:
case ANYFUNCTION:
case NOTFUNCTION:
+ case CALCFUNCTION:
+ case MINFUNCTION:
+ case MAXFUNCTION:
yylval->string.characters = t;
yylval->string.length = length;
break;
diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp
index 7ba603b..638b4ab 100644
--- a/Source/WebCore/dom/Document.cpp
+++ b/Source/WebCore/dom/Document.cpp
@@ -460,7 +460,6 @@ Document::Document(Frame* frame, const KURL& url, bool isXHTML, bool isHTML)
m_ignoreAutofocus = false;
m_frame = frame;
- m_documentLoader = frame ? frame->loader()->activeDocumentLoader() : 0;
// We depend on the url getting immediately set in subframes, but we
// also depend on the url NOT getting immediately set in opened windows.
@@ -601,12 +600,6 @@ void Document::removedLastRef()
#if ENABLE(FULLSCREEN_API)
m_fullScreenElement = 0;
#endif
- m_styleSelector.clear();
- m_styleSheets.clear();
- m_elemSheet.clear();
- m_mappedElementSheet.clear();
- m_pageUserSheet.clear();
- m_pageGroupUserSheets.clear();
// removeAllChildren() doesn't always unregister IDs,
// so tear down scope information upfront to avoid having stale references in the map.
@@ -2013,11 +2006,21 @@ HTMLElement* Document::body() const
void Document::setBody(PassRefPtr<HTMLElement> newBody, ExceptionCode& ec)
{
- if (!newBody || !documentElement()) {
+ ec = 0;
+
+ if (!newBody || !documentElement() || !newBody->hasTagName(bodyTag)) {
ec = HIERARCHY_REQUEST_ERR;
return;
}
+ if (newBody->document() && newBody->document() != this) {
+ RefPtr<Node> node = importNode(newBody.get(), true, ec);
+ if (ec)
+ return;
+
+ newBody = toHTMLElement(node.get());
+ }
+
HTMLElement* b = body();
if (!b)
documentElement()->appendChild(newBody, ec);
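Review bot: The new tag check on the first `if` rejects `<frameset>`, which the HTML spec's `document.body` setter accepts alongside `<body>`; if that narrowing is intended it deserves a comment, otherwise the condition should be `!newBody->hasTagName(bodyTag) && !newBody->hasTagName(framesetTag)`. The cross-document branch also clones via `importNode(..., true, ...)` where the spec adopts the node, so the caller's original element is left untouched and a copy is attached — fine if deliberate, but worth one line saying so. setBody() continues past the end of the hunk.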
@@ -3783,7 +3786,9 @@ String Document::lastModified() const
DateComponents date;
bool foundDate = false;
if (m_frame) {
- String httpLastModified = m_documentLoader->response().httpHeaderField("Last-Modified");
+ String httpLastModified;
+ if (DocumentLoader* documentLoader = loader())
+ httpLastModified = documentLoader->response().httpHeaderField("Last-Modified");
if (!httpLastModified.isEmpty()) {
date.setMillisecondsSinceEpochForDateTime(parseDate(httpLastModified));
foundDate = true;
@@ -4264,7 +4269,7 @@ void Document::finishedParsing()
if (!m_documentTiming.domContentLoadedEventEnd)
m_documentTiming.domContentLoadedEventEnd = currentTime();
- if (Frame* f = frame()) {
+ if (RefPtr<Frame> f = frame()) {
// FrameLoader::finishedParsing() might end up calling Document::implicitClose() if all
// resource loads are complete. HTMLObjectElements can start loading their resources from
// post attach callbacks triggered by recalcStyle(). This means if we parse out an <object>
@@ -4276,7 +4281,7 @@ void Document::finishedParsing()
f->loader()->finishedParsing();
- InspectorInstrumentation::domContentLoadedEventFired(f, url());
+ InspectorInstrumentation::domContentLoadedEventFired(f.get(), url());
}
}
@@ -4491,7 +4496,9 @@ void Document::initSecurityContext()
// load local resources. See https://bugs.webkit.org/show_bug.cgi?id=16756
// and https://bugs.webkit.org/show_bug.cgi?id=19760 for further
// discussion.
- if (m_documentLoader->substituteData().isValid())
+
+ DocumentLoader* documentLoader = loader();
+ if (documentLoader && documentLoader->substituteData().isValid())
securityOrigin()->grantLoadLocalResources();
}
@@ -4572,7 +4579,9 @@ void Document::updateURLForPushOrReplaceState(const KURL& url)
setURL(url);
f->loader()->setOutgoingReferrer(url);
- m_documentLoader->replaceRequestURLForSameDocumentNavigation(url);
+
+ if (DocumentLoader* documentLoader = loader())
+ documentLoader->replaceRequestURLForSameDocumentNavigation(url);
}
void Document::statePopped(SerializedScriptValue* stateObject)
@@ -5038,4 +5047,19 @@ PassRefPtr<TouchList> Document::createTouchList(ExceptionCode&) const
}
#endif
+DocumentLoader* Document::loader() const
+{
+ if (!m_frame)
+ return 0;
+
+ DocumentLoader* loader = m_frame->loader()->activeDocumentLoader();
+ if (!loader)
+ return 0;
+
+ if (m_frame->document() != this)
+ return 0;
+
+ return loader;
+}
+
} // namespace WebCore
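Review bot: The new accessor has no comment explaining the `m_frame->document() != this` test, which is its subtle part: it deliberately returns 0 for a document that is no longer (or not yet) the frame's current document, so every caller must tolerate null. Add above the definition: `// Returns the frame's active DocumentLoader only while this document is the frame's current document; a frameless, detached or replaced document gets 0, so callers must null-check.` The two early returns could also be folded into one condition, but that is cosmetic.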
diff --git a/Source/WebCore/dom/Document.h b/Source/WebCore/dom/Document.h
index 179293c..7478e6c 100644
--- a/Source/WebCore/dom/Document.h
+++ b/Source/WebCore/dom/Document.h
@@ -553,8 +553,7 @@ public:
void setVisuallyOrdered();
bool visuallyOrdered() const { return m_visuallyOrdered; }
- void setDocumentLoader(DocumentLoader* documentLoader) { m_documentLoader = documentLoader; }
- DocumentLoader* loader() const { return m_documentLoader; }
+ DocumentLoader* loader() const;
void open(Document* ownerDocument = 0);
void implicitOpen();
@@ -1156,7 +1155,6 @@ private:
mutable RefPtr<CSSPrimitiveValueCache> m_cssPrimitiveValueCache;
Frame* m_frame;
- DocumentLoader* m_documentLoader;
OwnPtr<CachedResourceLoader> m_cachedResourceLoader;
RefPtr<DocumentParser> m_parser;
bool m_wellFormed;
diff --git a/Source/WebCore/dom/Element.cpp b/Source/WebCore/dom/Element.cpp
index 50431aa..eef2419 100644
--- a/Source/WebCore/dom/Element.cpp
+++ b/Source/WebCore/dom/Element.cpp
@@ -90,7 +90,13 @@ public:
if (!m_pushedStyleSelector)
return;
+
+ // This tells us that our pushed style selector is in a bad state,
+ // so we should just bail out in that scenario.
ASSERT(m_pushedStyleSelector == m_parent->document()->styleSelector());
+ if (m_pushedStyleSelector != m_parent->document()->styleSelector())
+ return;
+
m_pushedStyleSelector->popParent(m_parent);
}
diff --git a/Source/WebCore/dom/ScriptElement.cpp b/Source/WebCore/dom/ScriptElement.cpp
index 5dd6b7d..55a7949 100644
--- a/Source/WebCore/dom/ScriptElement.cpp
+++ b/Source/WebCore/dom/ScriptElement.cpp
@@ -198,6 +198,14 @@ bool ScriptElement::prepareScript(const TextPosition1& scriptStartPosition, Lega
if (!m_element->document()->frame()->script()->canExecuteScripts(AboutToExecuteScript))
return false;
+ // FIXME: This is non-standard. Remove this after https://bugs.webkit.org/show_bug.cgi?id=62412.
+ Node* ancestor = m_element->parentNode();
+ while (ancestor) {
+ if (ancestor->isSVGShadowRoot())
+ return false;
+ ancestor = ancestor->parentNode();
+ }
+
if (!isScriptForEventSupported())
return false;
diff --git a/Source/WebCore/fileapi/WebKitBlobBuilder.cpp b/Source/WebCore/fileapi/WebKitBlobBuilder.cpp
index 2f40db7..0671e05 100644
--- a/Source/WebCore/fileapi/WebKitBlobBuilder.cpp
+++ b/Source/WebCore/fileapi/WebKitBlobBuilder.cpp
@@ -88,6 +88,8 @@ void WebKitBlobBuilder::append(const String& text, ExceptionCode& ec)
#if ENABLE(BLOB)
void WebKitBlobBuilder::append(ArrayBuffer* arrayBuffer)
{
+ if (!arrayBuffer)
+ return;
Vector<char>& buffer = getBuffer();
size_t oldSize = buffer.size();
buffer.append(static_cast<const char*>(arrayBuffer->data()), arrayBuffer->byteLength());
@@ -97,6 +99,8 @@ void WebKitBlobBuilder::append(ArrayBuffer* arrayBuffer)
void WebKitBlobBuilder::append(Blob* blob)
{
+ if (!blob)
+ return;
if (blob->isFile()) {
// If the blob is file that is not snapshoted, capture the snapshot now.
// FIXME: This involves synchronous file operation. We need to figure out how to make it asynchronous.
diff --git a/Source/WebCore/html/HTMLCanvasElement.cpp b/Source/WebCore/html/HTMLCanvasElement.cpp
index ff94b76..764620c 100644
--- a/Source/WebCore/html/HTMLCanvasElement.cpp
+++ b/Source/WebCore/html/HTMLCanvasElement.cpp
@@ -372,17 +372,21 @@ PassRefPtr<ImageData> HTMLCanvasElement::getImageData()
IntRect HTMLCanvasElement::convertLogicalToDevice(const FloatRect& logicalRect) const
{
- float left = floorf(logicalRect.x() * m_pageScaleFactor);
- float top = floorf(logicalRect.y() * m_pageScaleFactor);
- float right = ceilf(logicalRect.maxX() * m_pageScaleFactor);
- float bottom = ceilf(logicalRect.maxY() * m_pageScaleFactor);
-
+ // Prevent under/overflow by ensuring the rect's bounds stay within integer-expressible range
+ int left = clampToInteger(floorf(logicalRect.x() * m_pageScaleFactor));
+ int top = clampToInteger(floorf(logicalRect.y() * m_pageScaleFactor));
+ int right = clampToInteger(ceilf(logicalRect.maxX() * m_pageScaleFactor));
+ int bottom = clampToInteger(ceilf(logicalRect.maxY() * m_pageScaleFactor));
+
return IntRect(IntPoint(left, top), convertToValidDeviceSize(right - left, bottom - top));
}
IntSize HTMLCanvasElement::convertLogicalToDevice(const FloatSize& logicalSize) const
{
- return convertToValidDeviceSize(logicalSize.width() * m_pageScaleFactor, logicalSize.height() * m_pageScaleFactor);
+ // Prevent overflow by ensuring the rect's bounds stay within integer-expressible range
+ float width = clampToInteger(ceilf(logicalSize.width() * m_pageScaleFactor));
+ float height = clampToInteger(ceilf(logicalSize.height() * m_pageScaleFactor));
+ return convertToValidDeviceSize(width, height);
}
IntSize HTMLCanvasElement::convertToValidDeviceSize(float width, float height) const
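Review bot: Clamping each edge separately does not make `right - left` and `bottom - top` on the return line safe: a huge rect that clamps `left` to INT_MIN and `right` to INT_MAX makes the int subtraction overflow (undefined behaviour) before the result is widened to the float `convertToValidDeviceSize` takes. Do the subtraction in float so it saturates instead of wrapping: `return IntRect(IntPoint(left, top), convertToValidDeviceSize(static_cast<float>(right) - left, static_cast<float>(bottom) - top));`. In the second function the clamped ints are stored back into `float` locals, which is harmless but reads oddly; `int width`/`int height` would say what is meant.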
diff --git a/Source/WebCore/html/MediaDocument.cpp b/Source/WebCore/html/MediaDocument.cpp
index cd1fdfb..1d7b0f9 100644
--- a/Source/WebCore/html/MediaDocument.cpp
+++ b/Source/WebCore/html/MediaDocument.cpp
@@ -209,7 +209,11 @@ void MediaDocument::replaceMediaElementTimerFired(Timer<MediaDocument>*)
embedElement->setAttribute(heightAttr, "100%");
embedElement->setAttribute(nameAttr, "plugin");
embedElement->setAttribute(srcAttr, url().string());
- embedElement->setAttribute(typeAttr, loader()->writer()->mimeType());
+
+ DocumentLoader* documentLoader = loader();
+ ASSERT(documentLoader);
+ if (documentLoader)
+ embedElement->setAttribute(typeAttr, documentLoader->writer()->mimeType());
ExceptionCode ec;
videoElement->parentNode()->replaceChild(embedElement, videoElement, ec);
diff --git a/Source/WebCore/html/PluginDocument.cpp b/Source/WebCore/html/PluginDocument.cpp
index 94f44cf..6b64237 100644
--- a/Source/WebCore/html/PluginDocument.cpp
+++ b/Source/WebCore/html/PluginDocument.cpp
@@ -92,7 +92,11 @@ void PluginDocumentParser::createDocumentStructure()
m_embedElement->setAttribute(nameAttr, "plugin");
m_embedElement->setAttribute(srcAttr, document()->url().string());
- m_embedElement->setAttribute(typeAttr, document()->loader()->writer()->mimeType());
+
+ DocumentLoader* loader = document()->loader();
+ ASSERT(loader);
+ if (loader)
+ m_embedElement->setAttribute(typeAttr, loader->writer()->mimeType());
static_cast<PluginDocument*>(document())->setPluginNode(m_embedElement);
diff --git a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp
index ab6427e..2051750 100644
--- a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp
+++ b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp
@@ -1632,6 +1632,10 @@ PassRefPtr<ImageData> CanvasRenderingContext2D::createImageData(float sw, float
if (scaledSize.height() < 1)
scaledSize.setHeight(1);
+ float area = 4.0f * scaledSize.width() * scaledSize.height();
+ if (area > static_cast<float>(std::numeric_limits<int>::max()))
+ return 0;
+
return createEmptyImageData(scaledSize);
}
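Review bot: The float area test can miss the very boundary it guards: a `float` carries 24 significant bits, so a product slightly above INT_MAX (e.g. 2^31 + 64) rounds to exactly 2^31, which is also what `static_cast<float>(INT_MAX)` rounds to, so `>` is false and the later `width * height * 4` int multiplication in the image-buffer code still overflows. Compute the product exactly and reject the equal case too: `double area = 4.0 * scaledSize.width() * scaledSize.height();` / `if (area >= static_cast<double>(std::numeric_limits<int>::max())) return 0;` (a double holds any product of two ints exactly). The same check is duplicated in ImageBufferDataCG.cpp and ImageBufferSkia.cpp in this diff and would be better as one shared helper.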
@@ -1668,7 +1672,12 @@ PassRefPtr<ImageData> CanvasRenderingContext2D::getImageData(float sx, float sy,
ImageBuffer* buffer = canvas()->buffer();
if (!buffer)
return createEmptyImageData(scaledRect.size());
- return ImageData::create(scaledRect.size(), buffer->getUnmultipliedImageData(scaledRect));
+
+ RefPtr<ByteArray> byteArray = buffer->getUnmultipliedImageData(scaledRect);
+ if (!byteArray)
+ return 0;
+
+ return ImageData::create(scaledRect.size(), byteArray.release());
}
void CanvasRenderingContext2D::putImageData(ImageData* data, float dx, float dy, ExceptionCode& ec)
diff --git a/Source/WebCore/html/parser/HTMLConstructionSite.cpp b/Source/WebCore/html/parser/HTMLConstructionSite.cpp
index 2be6039..6ca04cd 100644
--- a/Source/WebCore/html/parser/HTMLConstructionSite.cpp
+++ b/Source/WebCore/html/parser/HTMLConstructionSite.cpp
@@ -83,13 +83,14 @@ bool causesFosterParenting(const QualifiedName& tagName)
} // namespace
template<typename ChildType>
-PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRefPtr<ChildType> prpChild)
+PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* rawParent, PassRefPtr<ChildType> prpChild)
{
RefPtr<ChildType> child = prpChild;
+ RefPtr<ContainerNode> parent = rawParent;
// FIXME: It's confusing that HTMLConstructionSite::attach does the magic
// redirection to the foster parent but HTMLConstructionSite::attachAtSite
- // doesn't. It feels like we're missing a concept somehow.
+ // doesn't. It feels like we're missing a concept somehow.
if (shouldFosterParent()) {
fosterParent(child.get());
ASSERT(child->attached() || !child->parentNode() || !child->parentNode()->attached());
@@ -103,11 +104,6 @@ PassRefPtr<ChildType> HTMLConstructionSite::attach(ContainerNode* parent, PassRe
if (!child->parentNode())
return child.release();
- // It's slightly unfortunate that we need to hold a reference to child
- // here to call attach(). We should investigate whether we can rely on
- // |parent| to hold a ref at this point. In the common case (at least
- // for elements), however, we'll get to use this ref in the stack of
- // open elements.
if (parent->attached() && !child->attached())
child->attach();
return child.release();
diff --git a/Source/WebCore/html/parser/HTMLDocumentParser.cpp b/Source/WebCore/html/parser/HTMLDocumentParser.cpp
index 7519699..8f95cc5 100644
--- a/Source/WebCore/html/parser/HTMLDocumentParser.cpp
+++ b/Source/WebCore/html/parser/HTMLDocumentParser.cpp
@@ -278,7 +278,7 @@ void HTMLDocumentParser::pumpTokenizer(SynchronousMode mode)
}
m_treeBuilder->constructTreeFromToken(m_token);
- m_token.clear();
+ ASSERT(m_token.isUninitialized());
}
// Ensure we haven't been totally deref'ed after pumping. Any caller of this
diff --git a/Source/WebCore/html/parser/HTMLToken.h b/Source/WebCore/html/parser/HTMLToken.h
index 49ec312..59f7ed4 100644
--- a/Source/WebCore/html/parser/HTMLToken.h
+++ b/Source/WebCore/html/parser/HTMLToken.h
@@ -73,6 +73,8 @@ public:
m_data.clear();
}
+ bool isUninitialized() { return m_type == Uninitialized; }
+
int startIndex() const { return m_range.m_start; }
int endIndex() const { return m_range.m_end; }
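Review bot: `isUninitialized()` is a pure query but is not declared `const`, unlike the neighbouring `startIndex()`/`endIndex()` accessors, so it cannot be called through a `const HTMLToken&` and reads as if it might mutate. Change it to `bool isUninitialized() const { return m_type == Uninitialized; }`.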
diff --git a/Source/WebCore/html/parser/HTMLTreeBuilder.cpp b/Source/WebCore/html/parser/HTMLTreeBuilder.cpp
index 6db09de..bf03b6e 100644
--- a/Source/WebCore/html/parser/HTMLTreeBuilder.cpp
+++ b/Source/WebCore/html/parser/HTMLTreeBuilder.cpp
@@ -434,7 +434,26 @@ PassRefPtr<Element> HTMLTreeBuilder::takeScriptToProcess(TextPosition1& scriptSt
void HTMLTreeBuilder::constructTreeFromToken(HTMLToken& rawToken)
{
AtomicHTMLToken token(rawToken);
+
+ // We clear the rawToken in case constructTreeFromAtomicToken
+ // synchronously re-enters the parser. We don't clear the token immedately
+ // for Character tokens because the AtomicHTMLToken avoids copying the
+ // characters by keeping a pointer to the underlying buffer in the
+ // HTMLToken. Fortuantely, Character tokens can't cause use to re-enter
+ // the parser.
+ //
+ // FIXME: Top clearing the rawToken once we start running the parser off
+ // the main thread or once we stop allowing synchronous JavaScript
+ // execution from parseMappedAttribute.
+ if (rawToken.type() != HTMLToken::Character)
+ rawToken.clear();
+
constructTreeFromAtomicToken(token);
+
+ if (!rawToken.isUninitialized()) {
+ ASSERT(rawToken.type() == HTMLToken::Character);
+ rawToken.clear();
+ }
}
void HTMLTreeBuilder::constructTreeFromAtomicToken(AtomicHTMLToken& token)
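Review bot: The new comment block has several typos that obscure a re-entrancy invariant worth stating precisely: "immedately" → "immediately", "Fortuantely" → "Fortunately", "can't cause use to re-enter" → "can't cause us to re-enter", and "FIXME: Top clearing" → "FIXME: Stop clearing". The trailing `ASSERT(rawToken.type() == HTMLToken::Character)` is what actually enforces that only Character tokens survive the call, so the comment could say so in one line: `// Only a Character token may still be live here; anything else was cleared above.`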
diff --git a/Source/WebCore/inspector/front-end/inspector.css b/Source/WebCore/inspector/front-end/inspector.css
index 6848aaf..c560e1c 100644
--- a/Source/WebCore/inspector/front-end/inspector.css
+++ b/Source/WebCore/inspector/front-end/inspector.css
@@ -91,7 +91,7 @@ body.inactive #toolbar {
body.detached.platform-mac-leopard:not(.remote) #toolbar,
body.detached.platform-mac-snowleopard:not(.remote) #toolbar {
- background: transparent !important;
+ background: transparent;
}
body.attached #toolbar {
diff --git a/Source/WebCore/platform/graphics/FloatRect.cpp b/Source/WebCore/platform/graphics/FloatRect.cpp
index 165ef76..7afc92b 100644
--- a/Source/WebCore/platform/graphics/FloatRect.cpp
+++ b/Source/WebCore/platform/graphics/FloatRect.cpp
@@ -182,18 +182,6 @@ void FloatRect::fitToPoints(const FloatPoint& p0, const FloatPoint& p1, const Fl
setLocationAndSizeFromEdges(left, top, right, bottom);
}
-static inline int safeFloatToInt(float x)
-{
- static const int s_intMax = std::numeric_limits<int>::max();
- static const int s_intMin = std::numeric_limits<int>::min();
-
- if (x >= static_cast<float>(s_intMax))
- return s_intMax;
- if (x < static_cast<float>(s_intMin))
- return s_intMin;
- return static_cast<int>(x);
-}
-
IntRect enclosingIntRect(const FloatRect& rect)
{
float left = floorf(rect.x());
@@ -201,8 +189,8 @@ IntRect enclosingIntRect(const FloatRect& rect)
float width = ceilf(rect.maxX()) - left;
float height = ceilf(rect.maxY()) - top;
- return IntRect(safeFloatToInt(left), safeFloatToInt(top),
- safeFloatToInt(width), safeFloatToInt(height));
+ return IntRect(clampToInteger(left), clampToInteger(top),
+ clampToInteger(width), clampToInteger(height));
}
FloatRect mapRect(const FloatRect& r, const FloatRect& srcRect, const FloatRect& destRect)
diff --git a/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp b/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp
index f067b66..08652c9 100644
--- a/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp
+++ b/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp
@@ -110,6 +110,10 @@ static void premultitplyScanline(void* data, size_t tileNumber)
PassRefPtr<ByteArray> ImageBufferData::getData(const IntRect& rect, const IntSize& size, bool accelerateRendering, bool unmultiplied) const
{
+ float area = 4.0f * rect.width() * rect.height();
+ if (area > static_cast<float>(std::numeric_limits<int>::max()))
+ return 0;
+
RefPtr<ByteArray> result = ByteArray::create(rect.width() * rect.height() * 4);
unsigned char* data = result->data();
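Review bot: The float area check is lossy right at the limit: products just above INT_MAX (e.g. 2^31 + 64) round to exactly 2^31 in `float`, which equals `static_cast<float>(INT_MAX)`, so `>` passes them and the int product on the `ByteArray::create(rect.width() * rect.height() * 4)` line still overflows. Use `double area = 4.0 * rect.width() * rect.height();` with `>=`, which is exact for any product of two ints. A negative width or height also passes the test; if rects reaching here are not guaranteed normalized, reject `rect.isEmpty()` up front as well.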
diff --git a/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp b/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp
index 2352672..2a1738a 100644
--- a/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp
+++ b/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp
@@ -168,6 +168,10 @@ template <Multiply multiplied>
PassRefPtr<ByteArray> getImageData(const IntRect& rect, SkDevice& srcDevice,
const IntSize& size)
{
+ float area = 4.0f * rect.width() * rect.height();
+ if (area > static_cast<float>(std::numeric_limits<int>::max()))
+ return 0;
+
RefPtr<ByteArray> result = ByteArray::create(rect.width() * rect.height() * 4);
SkBitmap::Config srcConfig = srcDevice.accessBitmap(false).config();
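Review bot: Same boundary gap as the CG variant: the `float` product rounds values slightly above INT_MAX down to 2^31, which equals `static_cast<float>(INT_MAX)`, so the `>` test lets them through and the `rect.width() * rect.height() * 4` int multiplication on the `ByteArray::create` line still overflows. Compute it as `double area = 4.0 * rect.width() * rect.height();` and reject with `>=`. Since this exact check now appears three times in the diff, a single helper in ImageBuffer (or next to `clampToInteger`) would keep the arithmetic in one place.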
diff --git a/Source/WebCore/platform/mac/HTMLConverter.mm b/Source/WebCore/platform/mac/HTMLConverter.mm
index c0b0ba2..80016fd 100644
--- a/Source/WebCore/platform/mac/HTMLConverter.mm
+++ b/Source/WebCore/platform/mac/HTMLConverter.mm
@@ -1753,7 +1753,8 @@ static NSFileWrapper *fileWrapperForElement(Element* element)
const AtomicString& attr = element->getAttribute(srcAttr);
if (!attr.isEmpty()) {
NSURL *URL = element->document()->completeURL(attr);
- wrapper = fileWrapperForURL(element->document()->loader(), URL);
+ if (DocumentLoader* loader = element->document()->loader())
+ wrapper = fileWrapperForURL(loader, URL);
}
if (!wrapper) {
RenderImage* renderer = toRenderImage(element->renderer());
diff --git a/Source/WebCore/rendering/RenderTextControl.cpp b/Source/WebCore/rendering/RenderTextControl.cpp
index 8149f6c..0862df3 100644
--- a/Source/WebCore/rendering/RenderTextControl.cpp
+++ b/Source/WebCore/rendering/RenderTextControl.cpp
@@ -205,7 +205,12 @@ int RenderTextControl::selectionStart() const
Frame* frame = this->frame();
if (!frame)
return 0;
- return indexForVisiblePosition(frame->selection()->start());
+
+ HTMLElement* innerText = innerTextElement();
+ // Do not call innerTextElement() in the function arguments as creating a VisiblePosition
+ // from frame->selection->start() can blow us from underneath. Also, function ordering is
+ // usually dependent on the compiler.
+ return RenderTextControl::indexForVisiblePosition(innerText, frame->selection()->start());
}
int RenderTextControl::selectionEnd() const
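Review bot: The comment on the new lines says that building the VisiblePosition from `frame->selection()->start()` can tear this object down, yet `innerText` is still held as a raw `HTMLElement*` across that call, so the same re-entrancy that motivated the refactor can leave it dangling if the shadow tree is rebuilt. Hold it as `RefPtr<HTMLElement> innerText = innerTextElement();` and pass `innerText.get()`; the comment's last sentence ("function ordering is usually dependent on the compiler") should say "argument evaluation order is unspecified", which is the actual reason for the hoist. The same applies to selectionEnd() in the next hunk.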
@@ -213,7 +218,12 @@ int RenderTextControl::selectionEnd() const
Frame* frame = this->frame();
if (!frame)
return 0;
- return indexForVisiblePosition(frame->selection()->end());
+
+ HTMLElement* innerText = innerTextElement();
+ // Do not call innerTextElement() in the function arguments as creating a VisiblePosition
+ // from frame->selection->end() can blow us from underneath. Also, function ordering is
+ // usually dependent on the compiler.
+ return RenderTextControl::indexForVisiblePosition(innerText, frame->selection()->end());
}
bool RenderTextControl::hasVisibleTextArea() const
@@ -256,15 +266,15 @@ void setSelectionRange(Node* node, int start, int end)
frame->selection()->setSelection(newSelection);
}
-bool RenderTextControl::isSelectableElement(Node* node) const
+bool RenderTextControl::isSelectableElement(HTMLElement* innerText, Node* node)
{
- if (!node || !m_innerText)
+ if (!node || !innerText)
return false;
-
- if (node->rootEditableElement() == m_innerText)
+
+ if (node->rootEditableElement() == innerText)
return true;
- if (!m_innerText->contains(node))
+ if (!innerText->contains(node))
return false;
Node* shadowAncestor = node->shadowAncestorNode();
@@ -334,14 +344,14 @@ VisiblePosition RenderTextControl::visiblePositionForIndex(int index) const
return VisiblePosition(Position(endContainer, endOffset, Position::PositionIsOffsetInAnchor), UPSTREAM);
}
-int RenderTextControl::indexForVisiblePosition(const VisiblePosition& pos) const
+int RenderTextControl::indexForVisiblePosition(HTMLElement* innerTextElement, const VisiblePosition& pos)
{
Position indexPosition = pos.deepEquivalent();
- if (!isSelectableElement(indexPosition.deprecatedNode()))
+ if (!RenderTextControl::isSelectableElement(innerTextElement, indexPosition.deprecatedNode()))
return 0;
ExceptionCode ec = 0;
- RefPtr<Range> range = Range::create(document());
- range->setStart(m_innerText.get(), 0, ec);
+ RefPtr<Range> range = Range::create(indexPosition.document());
+ range->setStart(innerTextElement, 0, ec);
ASSERT(!ec);
range->setEnd(indexPosition.deprecatedNode(), indexPosition.deprecatedEditingOffset(), ec);
ASSERT(!ec);
diff --git a/Source/WebCore/rendering/RenderTextControl.h b/Source/WebCore/rendering/RenderTextControl.h
index 0c30ed6..78b295b 100644
--- a/Source/WebCore/rendering/RenderTextControl.h
+++ b/Source/WebCore/rendering/RenderTextControl.h
@@ -49,7 +49,7 @@ public:
void selectionChanged(bool userTriggered);
VisiblePosition visiblePositionForIndex(int index) const;
- int indexForVisiblePosition(const VisiblePosition&) const;
+ static int indexForVisiblePosition(HTMLElement*, const VisiblePosition&);
void updatePlaceholderVisibility(bool, bool);
@@ -104,7 +104,7 @@ private:
bool hasVisibleTextArea() const;
friend void setSelectionRange(Node*, int start, int end);
- bool isSelectableElement(Node*) const;
+ static bool isSelectableElement(HTMLElement*, Node*);
virtual int textBlockInsetLeft() const = 0;
virtual int textBlockInsetRight() const = 0;
diff --git a/Source/WebKit/chromium/src/ChromeClientImpl.cpp b/Source/WebKit/chromium/src/ChromeClientImpl.cpp
index eee6934..fb41fbf 100644
--- a/Source/WebKit/chromium/src/ChromeClientImpl.cpp
+++ b/Source/WebKit/chromium/src/ChromeClientImpl.cpp
@@ -839,7 +839,8 @@ void ChromeClientImpl::scheduleCompositingLayerSync()
ChromeClient::CompositingTriggerFlags ChromeClientImpl::allowedCompositingTriggers() const
{
- if (!m_webView->allowsAcceleratedCompositing())
+ // FIXME: RTL style not supported by the compositor yet.
+ if (!m_webView->allowsAcceleratedCompositing() || m_webView->pageHasRTLStyle())
return 0;
CompositingTriggerFlags flags = 0;
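Review bot: The RTL check moved here from WebViewImpl::layout() is now evaluated only when allowedCompositingTriggers() is queried, while the removed check ran on every layout; if a page acquires RTL style after compositing has been enabled (a late stylesheet or a `dir` attribute change), nothing visible in this diff disables compositing again. Please confirm the compositor re-queries the triggers on such style changes, or leave a note: `// Assumes allowedCompositingTriggers() is re-evaluated whenever the page's directionality can change.`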
diff --git a/Source/WebKit/chromium/src/WebViewImpl.cpp b/Source/WebKit/chromium/src/WebViewImpl.cpp
index 9447b18..896395d 100644
--- a/Source/WebKit/chromium/src/WebViewImpl.cpp
+++ b/Source/WebKit/chromium/src/WebViewImpl.cpp
@@ -1006,11 +1006,6 @@ void WebViewImpl::animate()
void WebViewImpl::layout()
{
-#if USE(ACCELERATED_COMPOSITING)
- // FIXME: RTL style not supported by the compositor yet.
- if (isAcceleratedCompositingActive() && pageHasRTLStyle())
- setIsAcceleratedCompositingActive(false);
-#endif
WebFrameImpl* webframe = mainFrameImpl();
if (webframe) {
@@ -2303,8 +2298,7 @@ bool WebViewImpl::pageHasRTLStyle() const
void WebViewImpl::setRootGraphicsLayer(WebCore::PlatformLayer* layer)
{
- // FIXME: RTL style not supported by the compositor yet.
- setIsAcceleratedCompositingActive(layer && !pageHasRTLStyle() ? true : false);
+ setIsAcceleratedCompositingActive(layer);
if (m_layerRenderer)
m_layerRenderer->setRootLayer(layer);
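Review bot: `setIsAcceleratedCompositingActive(layer)` relies on an implicit pointer-to-bool conversion, which is easy to misread as handing over the layer itself and is what the removed (clumsy) ternary was making explicit. Prefer `setIsAcceleratedCompositingActive(layer != 0);` so the intent survives without the RTL clause.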