2011-03-25 Maciej Stachowiak <mjs@apple.com>
author mjs@apple.com <mjs@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 25 Mar 2011 16:11:57 +0000 (16:11 +0000)
committer mjs@apple.com <mjs@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 25 Mar 2011 16:11:57 +0000 (16:11 +0000)
        Reviewed by Antti Koivisto.

        Crash when a wbr element is inserted inside mroot
        https://bugs.webkit.org/show_bug.cgi?id=56352

        * mathml/wbr-in-mroot-crash-expected.txt: Added.
        * mathml/wbr-in-mroot-crash.html: Added.
2011-03-25  Maciej Stachowiak  <mjs@apple.com>

        Reviewed by Antti Koivisto.

        Crash when a wbr element is inserted inside mroot
        https://bugs.webkit.org/show_bug.cgi?id=56352

        Test: mathml/wbr-in-mroot-crash.html

        * rendering/mathml/RenderMathMLRoot.cpp:
        (WebCore::RenderMathMLRoot::layout): Look for the first box model child of the first
        child, instead of just assuming.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@81964 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/mathml/wbr-in-mroot-crash-expected.txt [new file with mode: 0644]
LayoutTests/mathml/wbr-in-mroot-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/mathml/RenderMathMLRoot.cpp

index 228ab77..186d1fb 100644 (file)
@@ -1,3 +1,13 @@
+2011-03-25  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Antti Koivisto.
+
+        Crash when a wbr element is inserted inside mroot
+        https://bugs.webkit.org/show_bug.cgi?id=56352
+
+        * mathml/wbr-in-mroot-crash-expected.txt: Added.
+        * mathml/wbr-in-mroot-crash.html: Added.
+
 2011-03-25  Vsevolod Vlasov  <vsevik@chromium.org>
 
         Reviewed by Pavel Feldman.
diff --git a/LayoutTests/mathml/wbr-in-mroot-crash-expected.txt b/LayoutTests/mathml/wbr-in-mroot-crash-expected.txt
new file mode 100644 (file)
index 0000000..4217e68
--- /dev/null
@@ -0,0 +1,3 @@
+This test shouldn't crash.
+
+
diff --git a/LayoutTests/mathml/wbr-in-mroot-crash.html b/LayoutTests/mathml/wbr-in-mroot-crash.html
new file mode 100644 (file)
index 0000000..90b40b7
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+<body>
+<p>This test shouldn't crash.</p>
+<p><math><mroot><mrow><mroot><mrow><mroot><mrow><mroot><mrow><mroot><mrow><mroot><mrow><mroot><mrow id="insertion-point"></mrow></mroot></mrow></mroot></mrow></mroot></mrow></mroot></mrow></mroot></mrow></mroot></mrow></mroot></math></p></body></html>
+<script>
+var elem = document.getElementById("insertion-point"); 
+var parent = elem.parentNode;
+var wbr = document.createElement("wbr");
+parent.insertBefore(wbr, elem);
+</script>
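
Review bot: The test covers only one shape of the tree. `parent.insertBefore(wbr, elem)` leaves the `mrow` in place as a following sibling of the new `wbr`, so the case where no box-model child follows the `wbr` is not exercised. Consider a second test, or a second step here, that removes `elem` after the insertion, so that the early return on a null `indexBox` is covered too. A one-line comment in the script saying why `wbr` is used (presumably because its renderer is not a box model object, per the ChangeLog wording) would also help whoever next touches this file.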
index e235020..fb042a7 100644 (file)
@@ -1,3 +1,16 @@
+2011-03-25  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Antti Koivisto.
+
+        Crash when a wbr element is inserted inside mroot
+        https://bugs.webkit.org/show_bug.cgi?id=56352
+
+        Test: mathml/wbr-in-mroot-crash.html
+
+        * rendering/mathml/RenderMathMLRoot.cpp:
+        (WebCore::RenderMathMLRoot::layout): Look for the first box model child of the first
+        child, instead of just assuming.
+
 2011-03-25  Vsevolod Vlasov  <vsevik@chromium.org>
 
         Reviewed by Pavel Feldman.
index 075f6ba..51046f8 100644 (file)
@@ -229,7 +229,10 @@ void RenderMathMLRoot::layout()
     }
     
     // Positioning of the index
-    RenderBoxModelObject* indexBox = toRenderBoxModelObject(firstChild()->firstChild());
+    RenderObject* possibleIndex = firstChild()->firstChild();
+    while (possibleIndex && !possibleIndex->isBoxModelObject())
+        possibleIndex = possibleIndex->nextSibling();
+    RenderBoxModelObject* indexBox = toRenderBoxModelObject(possibleIndex);
     if (!indexBox)
         return;
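
Review bot: `firstChild()` is still dereferenced unchecked in `RenderObject* possibleIndex = firstChild()->firstChild();`, so the same kind of crash remains possible if the root renderer can reach this point with no children. Unless the code above this hunk guarantees a first child, read it into a local and return early when it is null. The loop running off the end is covered by the existing `if (!indexBox)` check, which is fine. A short comment beside the loop on why non-box-model children are skipped (the `wbr` case from bug 56352) would be worth adding, since the reason is otherwise only recorded in the ChangeLog.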