| Summary: | feMerge crahses if feMergeNodes attribute in is empty | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Dirk Schulze <krit> | ||||||
| Component: | SVG | Assignee: | Nobody <webkit-unassigned> | ||||||
| Status: | RESOLVED FIXED | ||||||||
| Severity: | Normal | CC: | commit-queue, webkit.review.bot, zimmermann | ||||||
| Priority: | P2 | ||||||||
| Version: | 525.x (Safari 3.1) | ||||||||
| Hardware: | PC | ||||||||
| OS: | OS X 10.5 | ||||||||
| Bug Depends on: | |||||||||
| Bug Blocks: | 68469, 26389 | ||||||||
| Attachments: |
|
||||||||
Created attachment 45010 [details]
fix of feMerge
Take the reference of the effect not just the pointer. This fixes the crash.
Comment on attachment 45010 [details]
fix of feMerge
sorry, wrong flag.
style-queue ran check-webkit-style on attachment 45010 [details] without any errors.
Comment on attachment 45010 [details]
fix of feMerge
LGTM, r=me.
Comment on attachment 45010 [details] fix of feMerge Clearing flags on attachment: 45010 Committed r52219: <http://trac.webkit.org/changeset/52219> All reviewed patches have been landed. Closing bug. |
Created attachment 44757 [details] feMergeNode empty -- crash If one of the feMergeNodes attribute 'in' is empty and the related feMerge element is not the first effect of the filter, webkit crashes. If the 'in' attribute is empty, SVGFilterBuilder::getElementById gives either one of the predefined SourceGraphics back or the last effect that was added. This works if there is no last effect. The SourceGraphic is given back and no crash appears. We have a test for this: svg/custom/emty-merge.svg. In the case of a lastEffect, getElementId also gives the right effect back. But WebKit crashes during WebCore::FilterEffect::calculateEffectRect in FEMerge. I don't have a debug build atm, but I guess that the reference to the last effect is bogus. I attached an example. Everything works, if feOffset gets an result="" and the mergeNode adresses this result.