Bug 973322 - Crash [@ nsMathMLChar::PaintForeground]. r=karlt
authorFrédéric Wang <fred.wang@free.fr>
Thu, 20 Feb 2014 08:43:56 -0500
changeset 170038 739971fe2acf7490b0c0d8dc380cd43221da33e4
parent 170037 6ef599b12a44a271458404b9b51f343413b41bee
child 170039 169de60f0b1ec9facf43d4bde6d26206237a778d
push id270
push userpvanderbeken@mozilla.com
push dateThu, 06 Mar 2014 09:24:21 +0000
reviewerskarlt
bugs973322
milestone30.0a1
Bug 973322 - Crash [@ nsMathMLChar::PaintForeground]. r=karlt
layout/mathml/crashtests/973322-1.xhtml
layout/mathml/crashtests/crashtests.list
layout/mathml/nsMathMLChar.cpp
new file mode 100644
--- /dev/null
+++ b/layout/mathml/crashtests/973322-1.xhtml
@@ -0,0 +1,8 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+    <body onload="document.getElementById('f').setAttribute('class', 'e');">
+        <math xmlns="http://www.w3.org/1998/Math/MathML">
+            <mfenced id="f"/>
+        </math>
+        <p style="overflow: scroll; position: sticky;"></p>
+    </body>
+</html>
--- a/layout/mathml/crashtests/crashtests.list
+++ b/layout/mathml/crashtests/crashtests.list
@@ -53,8 +53,9 @@ load 463763-2.xhtml
 load 476547-1.xhtml
 load 477740-1.xhtml
 load 541620-1.xhtml
 load 557474-1.html
 load 654928-1.html
 load 655451-1.xhtml
 load 713606-1.html
 load 716349-1.html
+asserts(1) load 973322-1.xhtml
--- a/layout/mathml/nsMathMLChar.cpp
+++ b/layout/mathml/nsMathMLChar.cpp
@@ -1846,19 +1846,22 @@ nsMathMLChar::PaintForeground(nsPresCont
   nsRect r = mRect + aPt;
   ApplyTransforms(thebesContext, aPresContext->AppUnitsPerDevPixel(), r);
 
   switch(mDraw)
   {
     case DRAW_NORMAL:
     case DRAW_VARIANT:
       // draw a single glyph (base size or size variant)
-      mGlyphs[0]->Draw(thebesContext, gfxPoint(0.0, mUnscaledAscent),
-                       DrawMode::GLYPH_FILL, 0, mGlyphs[0]->GetLength(),
-                       nullptr, nullptr, nullptr);
+      // XXXfredw verify if mGlyphs[0] is non-null to workaround bug 973322.
+      if (mGlyphs[0]) {
+        mGlyphs[0]->Draw(thebesContext, gfxPoint(0.0, mUnscaledAscent),
+                         DrawMode::GLYPH_FILL, 0, mGlyphs[0]->GetLength(),
+                         nullptr, nullptr, nullptr);
+      }
       break;
     case DRAW_PARTS: {
       // paint by parts
       if (NS_STRETCH_DIRECTION_VERTICAL == mDirection)
         PaintVertically(aPresContext, thebesContext, r);
       else if (NS_STRETCH_DIRECTION_HORIZONTAL == mDirection)
         PaintHorizontally(aPresContext, thebesContext, r);
       break;