Abort the SVG filter content recording if the FilterData was dropped

In the (rare) case of a recording being started and the FilterData structure being yanked away (and destroyed) from under SVGFilterPainter's feet, we need to put the PaintController in a consistent state before destroying it. Add a new method SVGFilterRecordingContext::Abort() and call that when SVGFilterPainter::FinishEffect encounters a null FilterData for the LayoutObject. BUG=713024 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2 Review-Url: https://codereview.chromium.org/2847133002 Cr-Commit-Position: refs/heads/master@{#468092}

Abort the SVG filter content recording if the FilterData was dropped
In the (rare) case of a recording being started and the FilterData structure being yanked away (and destroyed) from under SVGFilterPainter's feet, we need to put the PaintController in a consistent state before destroying it. Add a new method SVGFilterRecordingContext::Abort() and call that when SVGFilterPainter::FinishEffect encounters a null FilterData for the LayoutObject. BUG=713024 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2 Review-Url: https://codereview.chromium.org/2847133002 Cr-Commit-Position: refs/heads/master@{#468092}
b599adbf · fs · Commit bot · 160584b5 · b599adbf · b599adbf
Commit b599adbf authored Apr 28, 2017 by fs Committed by Commit bot Apr 28, 2017
2 changed files
--- a/third_party/WebKit/Source/core/paint/SVGFilterPainter.cpp
+++ b/third_party/WebKit/Source/core/paint/SVGFilterPainter.cpp
@@ -47,6 +47,12 @@ sk_sp<PaintRecord> SVGFilterRecordingContext::EndContent(
  return content;
 }
+void SVGFilterRecordingContext::Abort() {
+  if (!paint_controller_)
+    return;
+  EndContent(FloatRect());
+}
 static void PaintFilteredContent(GraphicsContext& context,
                                 const LayoutObject& object,
                                 const FloatRect& bounds,
@@ -115,8 +121,14 @@ void SVGFilterPainter::FinishEffect(
    const LayoutObject& object,
    SVGFilterRecordingContext& recording_context) {
  FilterData* filter_data = filter_.GetFilterDataForLayoutObject(&object);
-  if (!filter_data)
+  if (!filter_data) {
+    // Our state was torn down while we were being painted (selection style for
+    // <text> can have this effect), or it was never created (invalid filter.)
+    // In the former case we may have been in the process of recording content,
+    // so make sure we put recording state into a consistent state.
+    recording_context.Abort();
    return;
+  }
  // A painting cycle can occur when an FeImage references a source that
  // makes use of the FeImage itself. This is the first place we would hit

--- a/third_party/WebKit/Source/core/paint/SVGFilterPainter.h
+++ b/third_party/WebKit/Source/core/paint/SVGFilterPainter.h
@@ -25,6 +25,7 @@ class SVGFilterRecordingContext {
  GraphicsContext* BeginContent();
  sk_sp<PaintRecord> EndContent(const FloatRect&);
+  void Abort();
  GraphicsContext& PaintingContext() const { return initial_context_; }