Title: [190931] releases/WebKitGTK/webkit-2.10
Revision: 190931
Author: [email protected]
Date: 2015-10-13 01:53:44 -0700 (Tue, 13 Oct 2015)
Log Message
Merge r190013 - Null dereference loading Blink layout test svg/filters/feImage-failed-load-crash.html
https://bugs.webkit.org/show_bug.cgi?id=149316
<rdar://problem/22749532>
Reviewed by Tim Horton.
Source/WebCore:
If an feImage triggered loading a resource, and then was removed from the document,
we'd still try to notify its parent when the resource arrived (or failed).
Merge Blink commit:
https://chromium.googlesource.com/chromium/blink/+/9cbcfd7866bbaff0c4b3c4c8508b7c97b46d6e6a
Test: svg/filters/feImage-failed-load-crash.html
* svg/SVGFEImageElement.cpp:
(WebCore::SVGFEImageElement::notifyFinished): Add a null check to the parent element
before sending the notification.
LayoutTests:
Merge Blink commit:
https://chromium.googlesource.com/chromium/blink/+/9cbcfd7866bbaff0c4b3c4c8508b7c97b46d6e6a
* svg/filters/feImage-failed-load-crash-expected.txt: Added.
* svg/filters/feImage-failed-load-crash.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog (190930 => 190931)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog 2015-10-13 08:53:21 UTC (rev 190930)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog 2015-10-13 08:53:44 UTC (rev 190931)
@@ -1,5 +1,19 @@
2015-09-18 Dean Jackson <[email protected]>
+ Null dereference loading Blink layout test svg/filters/feImage-failed-load-crash.html
+ https://bugs.webkit.org/show_bug.cgi?id=149316
+ <rdar://problem/22749532>
+
+ Reviewed by Tim Horton.
+
+ Merge Blink commit:
+ https://chromium.googlesource.com/chromium/blink/+/9cbcfd7866bbaff0c4b3c4c8508b7c97b46d6e6a
+
+ * svg/filters/feImage-failed-load-crash-expected.txt: Added.
+ * svg/filters/feImage-failed-load-crash.html: Added.
+
+2015-09-18 Dean Jackson <[email protected]>
+
Null dereference loading Blink layout test svg/custom/use-href-attr-removal-crash.html
https://bugs.webkit.org/show_bug.cgi?id=149315
<rdar://problem/22749358>
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/svg/filters/feImage-failed-load-crash-expected.txt (0 => 190931)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/svg/filters/feImage-failed-load-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/svg/filters/feImage-failed-load-crash-expected.txt 2015-10-13 08:53:44 UTC (rev 190931)
@@ -0,0 +1 @@
+
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/svg/filters/feImage-failed-load-crash.html (0 => 190931)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/svg/filters/feImage-failed-load-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/svg/filters/feImage-failed-load-crash.html 2015-10-13 08:53:44 UTC (rev 190931)
@@ -0,0 +1,19 @@
+<!DOCTYPE HTML>
+<html>
+<body>
+ <p id="a">This test passes if it does not crash.</p>
+ <svg>
+ <feImage id="feImage"></feImage>
+ </svg>
+ <script>
+ _onload_ = function() {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ var feImage = document.getElementById("feImage");
+ feImage.setAttributeNS("http://www.w3.org/1999/xlink", "xlink:href", "#doesnotexist");
+ document.replaceChild(feImage, document.documentElement);
+ feImage.setAttribute("xlink:href", "doesnotexist.svg");
+ }
+ </script>
+</body>
+</html>
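Review bot: the script calls testRunner.dumpAsText() but never testRunner.waitUntilDone() and testRunner.notifyDone(), so the test can be dumped before the failed load of "doesnotexist.svg" is reported back to SVGFEImageElement::notifyFinished, and a crash would then be blamed on whichever test runs next. Calling waitUntilDone() at the top of the handler and notifyDone() from a short timer after the last setAttribute call would keep the failure inside this test. Separately, as the hunk reads, the handler is assigned to `_onload_` rather than `onload`, in which case the body would never run; check that against the committed file.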
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog (190930 => 190931)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog 2015-10-13 08:53:21 UTC (rev 190930)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog 2015-10-13 08:53:44 UTC (rev 190931)
@@ -1,5 +1,25 @@
2015-09-18 Dean Jackson <[email protected]>
+ Null dereference loading Blink layout test svg/filters/feImage-failed-load-crash.html
+ https://bugs.webkit.org/show_bug.cgi?id=149316
+ <rdar://problem/22749532>
+
+ Reviewed by Tim Horton.
+
+ If an feImage triggered loading a resource, and then was removed from the document,
+ we'd still try to notify its parent when the resource arrived (or failed).
+
+ Merge Blink commit:
+ https://chromium.googlesource.com/chromium/blink/+/9cbcfd7866bbaff0c4b3c4c8508b7c97b46d6e6a
+
+ Test: svg/filters/feImage-failed-load-crash.html
+
+ * svg/SVGFEImageElement.cpp:
+ (WebCore::SVGFEImageElement::notifyFinished): Add a null check to the parent element
+ before sending the notification.
+
+2015-09-18 Dean Jackson <[email protected]>
+
Null dereference loading Blink layout test svg/custom/use-href-attr-removal-crash.html
https://bugs.webkit.org/show_bug.cgi?id=149315
<rdar://problem/22749358>
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/svg/SVGFEImageElement.cpp (190930 => 190931)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/svg/SVGFEImageElement.cpp 2015-10-13 08:53:21 UTC (rev 190930)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/svg/SVGFEImageElement.cpp 2015-10-13 08:53:44 UTC (rev 190931)
@@ -167,9 +167,8 @@
return;
Element* parent = parentElement();
- ASSERT(parent);
- if (!parent->hasTagName(SVGNames::filterTag))
+ if (!parent || !parent->hasTagName(SVGNames::filterTag))
return;
RenderElement* parentRenderer = parent->renderer();
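Review bot: the `!parent` test added to the condition in notifyFinished replaces ASSERT(parent) with no comment saying when the parent is legitimately null. The ChangeLog gives the reason (the feImage was removed from the document while its resource load was still pending, and the layout test makes the element the document's only child, so parentElement() returns null); a one-line comment above `if (!parent || !parent->hasTagName(SVGNames::filterTag))` would keep a later reader from restoring the assertion. Since the notification still arrives for a detached element, it is also worth asking whether the pending load should be cancelled when the element leaves the document, with this guard kept as a backstop.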