[Webkit-unassigned] [Bug 118686] New: Dereference null pointer crash in Length::decrementCalculatedRef()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 15 14:33:50 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=118686

           Summary: Dereference null pointer crash in
                    Length::decrementCalculatedRef()
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jkjiang at webkit.org
                CC: rwlbuis at gmail.com, simon.fraser at apple.com,
                    tonikitoo at webkit.org


I got this crash once and do not know how to make a test case here so far.

Program terminated with signal 11, Segmentation fault. 
#0  hasOneRef (this=0x0) at /home/jacky/dev/webkit/Source/WTF/wtf/RefCounted.h:75 
75            return m_refCount == 1; 
(gdb) bt 
#0  hasOneRef (this=0x0) at /home/jacky/dev/webkit/Source/WTF/wtf/RefCounted.h:75 
#1  WebCore::Length::decrementCalculatedRef (this=0x77eba4d0) at /home/jacky/dev/webkit/Source/WebCore/platform/Length.cpp:234 
#2  0x7bdd9166 in ~Length (this=0x77eba4d0, __in_chrg=<optimized out>) at /home/jacky/dev/webkit/Source/WebCore/platform/Length.h:101 
#3  WebCore::TranslateTransformOperation::blend (this=<optimized out>, from=<optimized out>, progress=0, blendToIdentity=true) 
    at /home/jacky/dev/webkit/Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.cpp:36 
#4  0x7bdd4d80 in WebCore::TransformOperations::blendByMatchingOperations (this=0x79d9bb7c, from=..., progress=@0x77eba608: 0) 
    at /home/jacky/dev/webkit/Source/WebCore/platform/graphics/transforms/TransformOperations.cpp:78 
#5  0x7bd6e76e in blendFunc (progress=0, to=..., from=..., anim=<optimized out>) at /home/jacky/dev/webkit/Source/WebCore/page/animation/CSSPropertyAnimation.cpp:127 
#6  WebCore::PropertyWrapperAcceleratedTransform::blend (this=<optimized out>, anim=<optimized out>, dst=0x7ccdecb0, a=<optimized out>, b=0x7c870c20, progress=0) 
    at /home/jacky/dev/webkit/Source/WebCore/page/animation/CSSPropertyAnimation.cpp:493 
#7  0x7bd665de in WebCore::CSSPropertyAnimation::blendProperties (anim=0x7ae7de20, prop=<optimized out>, dst=0x7ccdecb0, a=<optimized out>, b=0x7c870c20, progress=0) 
    at /home/jacky/dev/webkit/Source/WebCore/page/animation/CSSPropertyAnimation.cpp:1268 
#8  0x7bd6f212 in WebCore::ImplicitAnimation::animate (this=0x7ae7de20, targetStyle=0x7c870c20, animatedStyle=...) 
    at /home/jacky/dev/webkit/Source/WebCore/page/animation/ImplicitAnimation.cpp:81 
#9  0x7bd6101c in WebCore::CompositeAnimation::animate (this=0x7d2bc9e0, renderer=0x7d46c708, currentStyle=0x7cd19710, targetStyle=0x7c870c20) 
    at /home/jacky/dev/webkit/Source/WebCore/page/animation/CompositeAnimation.cpp:292 
#10 0x7bd5e398 in WebCore::AnimationController::updateAnimations (this=0x79d8ef20, renderer=0x7d46c708, newStyle=0x7c870c20) 
    at /home/jacky/dev/webkit/Source/WebCore/page/animation/AnimationController.cpp:523 
#11 0x7bed86b8 in WebCore::RenderObject::setAnimatableStyle (this=0x7d46c708, style=...) at /home/jacky/dev/webkit/Source/WebCore/rendering/RenderObject.cpp:1710 
#12 0x7ba69844 in WebCore::Element::recalcStyle (this=0x7c872958, change=WebCore::Node::NoChange) at /home/jacky/dev/webkit/Source/WebCore/dom/Element.cpp:1395 
#13 0x7ba69914 in WebCore::Element::recalcStyle (this=0x7acaa710, change=<optimized out>) at /home/jacky/dev/webkit/Source/WebCore/dom/Element.cpp:1448 
#14 0x7ba69914 in WebCore::Element::recalcStyle (this=0x7aa55bd8, change=<optimized out>) at /home/jacky/dev/webkit/Source/WebCore/dom/Element.cpp:1448 
#15 0x7ba69914 in WebCore::Element::recalcStyle (this=0x7aa55b90, change=<optimized out>) at /home/jacky/dev/webkit/Source/WebCore/dom/Element.cpp:1448 
#16 0x7ba69914 in WebCore::Element::recalcStyle (this=0x7aa55998, change=<optimized out>) at /home/jacky/dev/webkit/Source/WebCore/dom/Element.cpp:1448 
#17 0x7ba69914 in WebCore::Element::recalcStyle (this=0x7aa524d0, change=<optimized out>) at /home/jacky/dev/webkit/Source/WebCore/dom/Element.cpp:1448 
#18 0x7ba69914 in WebCore::Element::recalcStyle (this=0x7aa50a70, change=<optimized out>) at /home/jacky/dev/webkit/Source/WebCore/dom/Element.cpp:1448 
#19 0x7ba69914 in WebCore::Element::recalcStyle (this=0x7a123b00, change=<optimized out>) at /home/jacky/dev/webkit/Source/WebCore/dom/Element.cpp:1448 
#20 0x7ba69914 in WebCore::Element::recalcStyle (this=0x79dbde60, change=<optimized out>) at /home/jacky/dev/webkit/Source/WebCore/dom/Element.cpp:1448 
#21 0x7ba4e950 in recalcStyle (change=<optimized out>, this=0x79f9c8a0) at /home/jacky/dev/webkit/Source/WebCore/dom/Document.cpp:1840 
#22 WebCore::Document::recalcStyle (this=0x79f9c8a0, change=<optimized out>) at /home/jacky/dev/webkit/Source/WebCore/dom/Document.cpp:1777 
#23 0x7ba4eba6 in updateStyleIfNeeded (this=0x79f9c8a0) at /home/jacky/dev/webkit/Source/WebCore/dom/Document.cpp:1885 
#24 WebCore::Document::updateStyleIfNeeded (this=0x79f9c8a0) at /home/jacky/dev/webkit/Source/WebCore/dom/Document.cpp:1874 
#25 0x7ba4f5b2 in WebCore::Document::updateLayout (this=0x79f9c8a0) at /home/jacky/dev/webkit/Source/WebCore/dom/Document.cpp:1916 
#26 0x7ba50e6c in WebCore::Document::updateLayoutIgnorePendingStylesheets (this=0x79f9c8a0) at /home/jacky/dev/webkit/Source/WebCore/dom/Document.cpp:1954 
#27 0x7ba64974 in WebCore::Element::offsetWidth (this=0x7c872958) at /home/jacky/dev/webkit/Source/WebCore/dom/Element.cpp:517

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list