[Webkit-unassigned] [Bug 176151] Crash in WebCore::CalculationValue::evaluate

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Oct 19 05:03:50 PDT 2018 

https://bugs.webkit.org/show_bug.cgi?id=176151

Bastien Nocera <bugzilla at hadess.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla at hadess.net

--- Comment #2 from Bastien Nocera <bugzilla at hadess.net> ---
(In reply to Michael Catanzaro from comment #1)
> I found a second reporter, who says "I was listening to music at the website
> rcnmundo.com/lafm"

I reproduced this in an online course, epiphany crashed multiple times trying to finish that course.

Truncated backtrace (gdb crashes with OOM when I try to print a backtrace):
#0  0x00007f6801abfa38 in std::__uniq_ptr_impl<WebCore::CalcExpressionNode, std::default_delete<WebCore::CalcExpressionNode> >::_M_ptr() const (this=0x8)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/CalculationValue.cpp:63
#1  0x00007f6801abfa38 in std::unique_ptr<WebCore::CalcExpressionNode, std::default_delete<WebCore::CalcExpressionNode> >::get() const (this=0x8) at /usr/include/c++/8/bits/unique_ptr.h:343
#2  0x00007f6801abfa38 in std::unique_ptr<WebCore::CalcExpressionNode, std::default_delete<WebCore::CalcExpressionNode> >::operator->() const (this=0x8) at /usr/include/c++/8/bits/unique_ptr.h:337
#3  0x00007f6801abfa38 in WebCore::CalculationValue::evaluate(float) const (this=0x0, maxValue=356) at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/CalculationValue.cpp:63
#4  0x00007f6801accd30 in WebCore::Length::nonNanCalculatedValue(int) const (this=<optimized out>, maxValue=356) at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/Length.cpp:277


The "this" pointer in #2 looks suspiciously like a NULL pointer dereference.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20181019/bc364854/attachment.html>

More information about the webkit-unassigned mailing list