Crashed at ImageEventListener::cast & ConditionEventListener::cast.

Add null checking in EventTarget::removeEventListener, because we shouldn't be passing in a null listener reference to the ==()operator. BUG=377425 R=sigbjornf@opera.com Review URL: https://codereview.chromium.org/539453002 git-svn-id: svn://svn.chromium.org/blink/trunk@181514 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Crashed at ImageEventListener::cast & ConditionEventListener::cast.
Add null checking in EventTarget::removeEventListener, because we shouldn't be passing in a null listener reference to the ==()operator. BUG=377425 R=sigbjornf@opera.com Review URL: https://codereview.chromium.org/539453002 git-svn-id: svn://svn.chromium.org/blink/trunk@181514 bbb929c8-8fbe-4397-9dbb-9b2b20218538
c10a8f04 · myid.o.shin@gmail.com · f1a40023 · c10a8f04 · c10a8f04 · c10a8f04
Commit c10a8f04 authored Sep 07, 2014 by myid.o.shin@gmail.com
4 changed files
--- a/third_party/WebKit/LayoutTests/fast/images/image-document-remove-listener-expected.txt
+++ b/third_party/WebKit/LayoutTests/fast/images/image-document-remove-listener-expected.txt
+Test that removing invalid event listeners from image documents doesn't crash.
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+PASS No crash.
+PASS successfullyParsed is true
+TEST COMPLETE
--- a/third_party/WebKit/LayoutTests/fast/images/image-document-remove-listener.html
+++ b/third_party/WebKit/LayoutTests/fast/images/image-document-remove-listener.html
+<!DOCTYPE html>
+<html>
+<script src="../../resources/js-test.js"></script>
+<body>
+<script>
+description("Test that removing invalid event listeners from image documents doesn't crash.");
+window.jsTestIsAsync = true;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.waitUntilDone();
+}
+function runTest()
+{
+    var newWindow = window.open("resources/dice.png");
+    newWindow.onload = function() {
+        newWindow.addEventListener("resize", function () {;});
+        newWindow.removeEventListener("resize", 2);
+        testPassed("No crash.");
+        finishJSTest();
+    };
+}
+runTest();
+</script>
+</body>
+</html>
--- a/third_party/WebKit/Source/core/events/EventTarget.cpp
+++ b/third_party/WebKit/Source/core/events/EventTarget.cpp
@@ -107,6 +107,11 @@ bool EventTarget::addEventListener(const AtomicString& eventType, PassRefPtr<Eve
 bool EventTarget::removeEventListener(const AtomicString& eventType, PassRefPtr<EventListener> listener, bool useCapture)
 {
+    // FIXME: listener null check should throw TypeError (and be done in
+    // generated bindings), but breaks legacy content. http://crbug.com/249598
+    if (!listener)
+        return false;
    EventTargetData* d = eventTargetData();
    if (!d)
        return false;

--- a/third_party/WebKit/Source/core/events/RegisteredEventListener.h
+++ b/third_party/WebKit/Source/core/events/RegisteredEventListener.h
@@ -43,6 +43,8 @@ namespace blink {
    inline bool operator==(const RegisteredEventListener& a, const RegisteredEventListener& b)
    {
+        ASSERT(a.listener);
+        ASSERT(b.listener);
        return *a.listener == *b.listener && a.useCapture == b.useCapture;
    }