[Webkit-unassigned] [Bug 118686] Dereference null pointer crash in Length::decrementCalculatedRef()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 16 20:42:40 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=118686
--- Comment #3 from Jacky Jiang <jkjiang at webkit.org>  2013-07-16 20:42:37 PST ---
(In reply to comment #2)
> Is this repeatable? If so, can you please attach the page source that's causing the crash. It looks like you're blending transforms where one of the transform coeffs is defined using calc?

I only managed to reproduce it once somehow. I am trying to make a test case based on the code path and see if that can reproduce the crash.
Yes, m_x.type(), m_y.type() or m_z.type() must be Calculated, so that it would ASSERT in debug mode and crash in release mode when the temporary object Length(m_x.type()) goes out of scope and dereferences the null CalculationValue pointer. See the code here:
return TranslateTransformOperation::create(Length(m_x.type()).blend(m_x, progress),
                                           Length(m_y.type()).blend(m_y, progress),
                                           Length(m_z.type()).blend(m_z, progress), m_type);

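The failure mode described in the comment, as an added illustration that is not WebKit's code: a minimal Length-like type whose type-only constructor leaves the CalculationValue pointer null, so a Calculated temporary's destructor would dereference null. The class names mirror the report; the guard in decrementCalculatedRef() and the g_nullDerefsAvoided counter are assumptions added for the demonstration.

```cpp
#include <cassert>
#include <cstddef>

enum class LengthType { Fixed, Percent, Calculated };

struct CalculationValue {          // stand-in for WebKit's ref-counted CalculationValue
    int refCount = 0;
    void ref() { ++refCount; }
    void deref() { --refCount; }
};

// Hypothetical counter so a test can observe that the null guard fired.
static int g_nullDerefsAvoided = 0;

class Length {
public:
    // Type-only constructor: the type tag is set but no value is attached.
    explicit Length(LengthType t) : m_type(t), m_calc(nullptr) {}
    Length(LengthType t, CalculationValue* c) : m_type(t), m_calc(c) { if (m_calc) m_calc->ref(); }
    ~Length() { if (m_type == LengthType::Calculated) decrementCalculatedRef(); }
    LengthType type() const { return m_type; }
private:
    void decrementCalculatedRef() {
        // Unguarded, this would be `m_calc->deref();`; with a null m_calc that
        // is the crash the report describes. The guard is the hardening:
        // only drop a reference that actually exists.
        if (!m_calc) { ++g_nullDerefsAvoided; return; }
        m_calc->deref();
    }
    LengthType m_type;
    CalculationValue* m_calc;
};

// Models `Length(m_x.type()).blend(m_x, progress)`: a temporary built from
// the type alone goes out of scope at the end of the block. Returns how many
// null dereferences the guard prevented for this temporary.
int blendTemporaryFromType(LengthType t) {
    int before = g_nullDerefsAvoided;
    { Length temp(t); (void)temp; }   // temp is destroyed here
    return g_nullDerefsAvoided - before;
}

// The intended lifetime: a Length that owns a real CalculationValue balances
// its ref/deref, leaving the value's count where it started.
int refCountAfterScopedLength() {
    CalculationValue cv;
    { Length owned(LengthType::Calculated, &cv); (void)owned; }
    return cv.refCount;
}
```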