Null dereference loading Blink layout test svg/filters/feImage-failed-load-crash...
author: dino@apple.com <dino@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 19 Sep 2015 09:59:47 +0000 (09:59 +0000)
committer: dino@apple.com <dino@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 19 Sep 2015 09:59:47 +0000 (09:59 +0000)
https://bugs.webkit.org/show_bug.cgi?id=149316
<rdar://problem/22749532>

Reviewed by Tim Horton.

Source/WebCore:

If an feImage triggered loading a resource, and then was removed from the document,
we'd still try to notify its parent when the resource arrived (or failed).

Merge Blink commit:
https://chromium.googlesource.com/chromium/blink/+/9cbcfd7866bbaff0c4b3c4c8508b7c97b46d6e6a

Test: svg/filters/feImage-failed-load-crash.html

* svg/SVGFEImageElement.cpp:
(WebCore::SVGFEImageElement::notifyFinished): Add a null check to the parent element
before sending the notification.

LayoutTests:

Merge Blink commit:
https://chromium.googlesource.com/chromium/blink/+/9cbcfd7866bbaff0c4b3c4c8508b7c97b46d6e6a

* svg/filters/feImage-failed-load-crash-expected.txt: Added.
* svg/filters/feImage-failed-load-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@190013 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/svg/filters/feImage-failed-load-crash-expected.txt [new file with mode: 0644]
LayoutTests/svg/filters/feImage-failed-load-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/svg/SVGFEImageElement.cpp

index f299697..1e9f336 100644 (file)
@@ -1,5 +1,19 @@
 2015-09-18  Dean Jackson  <dino@apple.com>
 
+        Null dereference loading Blink layout test svg/filters/feImage-failed-load-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=149316
+        <rdar://problem/22749532>
+
+        Reviewed by Tim Horton.
+
+        Merge Blink commit:
+        https://chromium.googlesource.com/chromium/blink/+/9cbcfd7866bbaff0c4b3c4c8508b7c97b46d6e6a
+
+        * svg/filters/feImage-failed-load-crash-expected.txt: Added.
+        * svg/filters/feImage-failed-load-crash.html: Added.
+
+2015-09-18  Dean Jackson  <dino@apple.com>
+
         Null dereference loading Blink layout test svg/custom/use-href-attr-removal-crash.html
         https://bugs.webkit.org/show_bug.cgi?id=149315
         <rdar://problem/22749358>
diff --git a/LayoutTests/svg/filters/feImage-failed-load-crash-expected.txt b/LayoutTests/svg/filters/feImage-failed-load-crash-expected.txt
new file mode 100644 (file)
index 0000000..8b13789
--- /dev/null
@@ -0,0 +1 @@
+
diff --git a/LayoutTests/svg/filters/feImage-failed-load-crash.html b/LayoutTests/svg/filters/feImage-failed-load-crash.html
new file mode 100644 (file)
index 0000000..3fd1414
--- /dev/null
@@ -0,0 +1,19 @@
+<!DOCTYPE HTML>
+<html>
+<body>
+    <p id="a">This test passes if it does not crash.</p>
+    <svg>
+        <feImage id="feImage"></feImage>
+    </svg>
+    <script>
+        onload = function() {
+            if (window.testRunner)
+                testRunner.dumpAsText();
+            var feImage = document.getElementById("feImage");
+            feImage.setAttributeNS("http://www.w3.org/1999/xlink", "xlink:href", "#doesnotexist");
+            document.replaceChild(feImage, document.documentElement);
+            feImage.setAttribute("xlink:href", "doesnotexist.svg");
+        }
+    </script>
+</body>
+</html>
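Review bot: the test depends on two DOM subtleties that deserve a comment in the file, since neither is obvious from the three statements in onload. `document.replaceChild(feImage, document.documentElement)` first removes the already-inserted feImage from its <svg> parent and then makes it the document element, so `parentElement()` in `SVGFEImageElement::notifyFinished` is null by the time the failed load of `doesnotexist.svg` reports back; and the second href assignment uses `setAttribute("xlink:href", ...)` rather than `setAttributeNS`, which only reaches the namespaced attribute because setAttribute updates the existing attribute whose qualified name is `xlink:href` (the one created by the preceding setAttributeNS call). Suggest using setAttributeNS for both calls, or adding a one-line comment above each step explaining what it sets up. It is also worth stating in the file that the expected output is empty because the replaceChild discards the <p> carrying "This test passes if it does not crash.", so `dumpAsText()` produces nothing and the -expected.txt is a single empty line.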
index 3c2f95a..d65fdcf 100644 (file)
@@ -1,5 +1,25 @@
 2015-09-18  Dean Jackson  <dino@apple.com>
 
+        Null dereference loading Blink layout test svg/filters/feImage-failed-load-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=149316
+        <rdar://problem/22749532>
+
+        Reviewed by Tim Horton.
+
+        If an feImage triggered loading a resource, and then was removed from the document,
+        we'd still try to notify its parent when the resource arrived (or failed).
+
+        Merge Blink commit:
+        https://chromium.googlesource.com/chromium/blink/+/9cbcfd7866bbaff0c4b3c4c8508b7c97b46d6e6a
+
+        Test: svg/filters/feImage-failed-load-crash.html
+
+        * svg/SVGFEImageElement.cpp:
+        (WebCore::SVGFEImageElement::notifyFinished): Add a null check to the parent element
+        before sending the notification.
+
+2015-09-18  Dean Jackson  <dino@apple.com>
+
         Null dereference loading Blink layout test svg/custom/use-href-attr-removal-crash.html
         https://bugs.webkit.org/show_bug.cgi?id=149315
         <rdar://problem/22749358>
index fffc3d8..592dcb6 100644 (file)
@@ -167,9 +167,8 @@ void SVGFEImageElement::notifyFinished(CachedResource*)
         return;
 
     Element* parent = parentElement();
-    ASSERT(parent);
 
-    if (!parent->hasTagName(SVGNames::filterTag))
+    if (!parent || !parent->hasTagName(SVGNames::filterTag))
         return;
 
     RenderElement* parentRenderer = parent->renderer();
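Review bot: replacing the ASSERT with a null check turns a late notification on a detached element from an asserted invariant into a handled case, which is right for a state the test shows is reachable, but it addresses the symptom rather than the cause: per the ChangeLog text above, the element stays registered for the resource after it is removed from the document, so `notifyFinished` can still be entered on an element with no parent. Consider also dropping the resource subscription when the element leaves the document, so the callback cannot reach a detached element at all, and keep the null check as defense in depth. The ordering in the hunk itself is correct: the combined `if (!parent || !parent->hasTagName(SVGNames::filterTag))` returns before `parent->renderer()` on the following line is evaluated.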