[Webkit-unassigned] [Bug 32489] New: feMerge crahses if feMergeNodes attribute in is empty

Sun Dec 13 08:43:43 PST 2009

https://bugs.webkit.org/show_bug.cgi?id=32489

           Summary: feMerge crahses if feMergeNodes attribute in is empty
           Product: WebKit
           Version: 525.x (Safari 3.1)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: krit at webkit.org

Created an attachment (id=44757)
 --> (https://bugs.webkit.org/attachment.cgi?id=44757)
feMergeNode empty -- crash

If one of the feMergeNodes attribute 'in' is empty and the related feMerge
element is not the first effect of the filter, webkit crashes.

If the 'in' attribute is empty, SVGFilterBuilder::getElementById gives either
one of the predefined SourceGraphics back or the last effect that was added.
This works if there is no last effect. The SourceGraphic is given back and no
crash appears. We have a test for this: svg/custom/emty-merge.svg.

In the case of a lastEffect, getElementId also gives the right effect back. But
WebKit crashes during WebCore::FilterEffect::calculateEffectRect in FEMerge. I
don't have a debug build atm, but I guess that the reference to the last effect
is bogus.

I attached an example. Everything works, if feOffset gets an result="" and the
mergeNode adresses this result.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.