Bug 1502936 - Fix SVGUseElement::GetFrame to not get confused. r=heycam
authorEmilio Cobos Álvarez <emilio@crisal.io>
Mon, 29 Oct 2018 20:30:22 +0100
changeset 499857 8ff29f3d64b79cfe630e5ce302fc2bca7e02f425
parent 499856 ed8ea654ccde9f893d933c88b51d2acd41154ee2
child 499858 3f6e29ae6529c657e027b8d1fd36a7daaf501526
push id10290
push userffxbld-merge
push dateMon, 03 Dec 2018 16:23:23 +0000
treeherdermozilla-beta@700bed2445e6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersheycam
bugs1502936, 1502658
milestone65.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1502936 - Fix SVGUseElement::GetFrame to not get confused. r=heycam Should've noticed in bug 1502658 that GetFrame() was dead, to verify its assumptions... Oh well. Differential Revision: https://phabricator.services.mozilla.com/D10109
dom/svg/SVGUseElement.cpp
layout/svg/crashtests/1502936.html
layout/svg/crashtests/crashtests.list
--- a/dom/svg/SVGUseElement.cpp
+++ b/dom/svg/SVGUseElement.cpp
@@ -558,17 +558,22 @@ SVGUseElement::GetStringInfo()
   return StringAttributesInfo(mStringAttributes, sStringInfo,
                               ArrayLength(sStringInfo));
 }
 
 nsSVGUseFrame*
 SVGUseElement::GetFrame() const
 {
   nsIFrame* frame = GetPrimaryFrame();
-  MOZ_ASSERT_IF(frame, frame->IsSVGUseFrame());
+  // We might be a plain nsSVGContainerFrame if we didn't pass the conditional
+  // processing checks.
+  if (!frame || !frame->IsSVGUseFrame()) {
+    MOZ_ASSERT_IF(frame, frame->Type() == LayoutFrameType::None);
+    return nullptr;
+  }
   return static_cast<nsSVGUseFrame*>(frame);
 }
 
 //----------------------------------------------------------------------
 // nsIContent methods
 
 NS_IMETHODIMP_(bool)
 SVGUseElement::IsAttributeMapped(const nsAtom* name) const
new file mode 100644
--- /dev/null
+++ b/layout/svg/crashtests/1502936.html
@@ -0,0 +1,11 @@
+<script>
+function go() {
+  a.setAttribute("requiredExtensions", "x");
+  b.getBoundingClientRect();
+  a.setAttribute("y", "-1px");
+}
+</script>
+<body onload=go()>
+<svg>
+<use id="a">
+<feGaussianBlur id="b">
--- a/layout/svg/crashtests/crashtests.list
+++ b/layout/svg/crashtests/crashtests.list
@@ -212,8 +212,9 @@ load 1467552-1.html
 load 1474982.html
 load conditional-outer-svg-nondirty-reflow-assert.xhtml
 load extref-test-1.xhtml
 load blob-merging-and-retained-display-list.html
 load empty-blob-merging.html
 load grouping-empty-bounds.html
 load 1480275.html
 load 1480224.html
+load 1502936.html