Check |m_image| before using in |LayoutListMarker::imageChanged()|

This CL fixed crash cause by css: ``` cursor:url('?'),auto; display:list-item; ``` |LayoutObject::imageChanged()| can be shared by multiple image listeners, it could be invoked by other listeners (from base class) before we add our own listeners. We should make sure the object is ready and the image is the expected image. Example Crash Log: #0 0x7f0b7e03def7 base::debug::(anonymous namespace)::StackDumpSignalHandler() #1 0x7f0b7aa78330 <unknown> #2 0x7f0b7d98ae36 blink::LayoutListMarker::imageChanged() #3 0x7f0b7d73002c blink::ImageResource::notifyObservers() #4 0x7f0b7d72fb9e blink::ImageResource::updateImage() #5 0x7f0b7d730240 blink::ImageResource::finish() #6 0x7f0b7d74335c blink::ResourceFetcher::didFinishLoading() #7 0x7f0b7d0426f1 content::WebURLLoaderImpl::Context::OnCompletedRequest() #8 0x7f0b7d029de5 content::ResourceDispatcher::OnRequestComplete() #9 0x7f0b7d02b395 _ZN3IPC8MessageTI32ResourceMsg_RequestComplete_MetaSt5tupleIJiN7content31ResourceRequestCompletionStatusEEEvE8DispatchINS3_18ResourceDispatcherES8_vMS8_FviRKS4_EEEbPKNS_7MessageEPT_PT0_PT1_T2_ #10 0x7f0b7d0283e2 content::ResourceDispatcher::DispatchMessage() #11 0x7f0b7d027cdb content::ResourceDispatcher::OnMessageReceived() #12 0x7f0b7bba92e9 _ZN4base8internal7InvokerINS0_9BindStateIPFvSt10unique_ptrIN6syncer22AttachmentStoreBackendESt14default_deleteIS5_EEEJNS0_13PassedWrapperIS8_EEEEEFvvEE3RunEPNS0_13BindStateBaseE #13 0x7f0b7e0afdd6 base::debug::TaskAnnotator::RunTask() BUG=627811 Review-Url: https://codereview.chromium.org/2152853003 Cr-Commit-Position: refs/heads/master@{#405595}

Check |m_image| before using in |LayoutListMarker::imageChanged()|
This CL fixed crash cause by css: ``` cursor:url('?'),auto; display:list-item; ``` |LayoutObject::imageChanged()| can be shared by multiple image listeners, it could be invoked by other listeners (from base class) before we add our own listeners. We should make sure the object is ready and the image is the expected image. Example Crash Log: #0 0x7f0b7e03def7 base::debug::(anonymous namespace)::StackDumpSignalHandler() #1 0x7f0b7aa78330 <unknown> #2 0x7f0b7d98ae36 blink::LayoutListMarker::imageChanged() #3 0x7f0b7d73002c blink::ImageResource::notifyObservers() #4 0x7f0b7d72fb9e blink::ImageResource::updateImage() #5 0x7f0b7d730240 blink::ImageResource::finish() #6 0x7f0b7d74335c blink::ResourceFetcher::didFinishLoading() #7 0x7f0b7d0426f1 content::WebURLLoaderImpl::Context::OnCompletedRequest() #8 0x7f0b7d029de5 content::ResourceDispatcher::OnRequestComplete() #9 0x7f0b7d02b395 _ZN3IPC8MessageTI32ResourceMsg_RequestComplete_MetaSt5tupleIJiN7content31ResourceRequestCompletionStatusEEEvE8DispatchINS3_18ResourceDispatcherES8_vMS8_FviRKS4_EEEbPKNS_7MessageEPT_PT0_PT1_T2_ #10 0x7f0b7d0283e2 content::ResourceDispatcher::DispatchMessage() #11 0x7f0b7d027cdb content::ResourceDispatcher::OnMessageReceived() #12 0x7f0b7bba92e9 _ZN4base8internal7InvokerINS0_9BindStateIPFvSt10unique_ptrIN6syncer22AttachmentStoreBackendESt14default_deleteIS5_EEEJNS0_13PassedWrapperIS8_EEEEEFvvEE3RunEPNS0_13BindStateBaseE #13 0x7f0b7e0afdd6 base::debug::TaskAnnotator::RunTask() BUG=627811 Review-Url: https://codereview.chromium.org/2152853003 Cr-Commit-Position: refs/heads/master@{#405595}
7f53d505 · chongz · Commit bot · 33375730 · 7f53d505 · 7f53d505
Commit 7f53d505 authored Jul 14, 2016 by chongz Committed by Commit bot Jul 14, 2016
2 changed files
--- a/third_party/WebKit/LayoutTests/fast/css/cursor-image-list-item-crash.html
+++ b/third_party/WebKit/LayoutTests/fast/css/cursor-image-list-item-crash.html
+<!DOCTYPE html>
+<html>
+<head>
+<title>display:list-item shouldn't crash when combined with custom cursor image</title>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+test(function() {
+    // PASS if not crash.
+    // https://crbug.com/627811
+    document.body.style.cursor = "url('?'),auto";
+    document.body.style.display = "list-item";
+}, 'Testing display:list-item wont crash.');
+</script>
+</body>
+</html>
--- a/third_party/WebKit/Source/core/layout/LayoutListMarker.cpp
+++ b/third_party/WebKit/Source/core/layout/LayoutListMarker.cpp
@@ -163,7 +163,7 @@ void LayoutListMarker::layout()
 void LayoutListMarker::imageChanged(WrappedImagePtr o, const IntRect*)
 {
    // A list marker can't have a background or border image, so no need to call the base class method.
-    if (o != m_image->data())
+    if (!m_image || o != m_image->data())
        return;

    LayoutSize imageSize = isImage() ? imageBulletSize() : LayoutSize();