Bug 82992

webkit crashes while destructing GraphicsContext3D object when the init failed in GraphicsContext3D constructor. We are trying to access and deallocate member variables which are never been allocated when constructor init failed in Source/WebCore/platform/graphics/qt/GraphicsContext3DQt.cpp Here is the backtrack for the crash #0 0xb62bcc76 in WTF::OwnPtr<WebCore::GraphicsContext3DPrivate>::operator-> (this=0x8e1bad8) at ../../../../Source/WTF/wtf/OwnPtr.h:64 #1 0xb62bc392 in WebCore::GraphicsContext3D::makeContextCurrent (this=0x8e1b9c8) at ../../../../Source/WebCore/platform/graphics/qt/GraphicsContext3DQt.cpp:390 #2 0xb62bc11e in WebCore::GraphicsContext3D::~GraphicsContext3D (this=0x8e1b9c8, __in_chrg=<value optimized out>) at ../../../../Source/WebCore/platform/graphics/qt/GraphicsContext3DQt.cpp:351 #3 0xb62ab55b in WTF::RefCounted<WebCore::GraphicsContext3D>::deref (this=0x8e1b9c8) at ../../../../Source/WTF/wtf/RefCounted.h:190 #4 0xb62a9657 in WTF::derefIfNotNull<WebCore::GraphicsContext3D> (ptr=0x8e1b9c8) at ../../../../Source/WTF/wtf/PassRefPtr.h:52 #5 0xb62a6f21 in WTF::RefPtr<WebCore::GraphicsContext3D>::~RefPtr (this=0xbfffd42c, __in_chrg=<value optimized out>) at ../../../../Source/WTF/wtf/RefPtr.h:58 #6 0xb62bba0e in WebCore::GraphicsContext3D::create (attrs=..., hostWindow=0x82a3d20, renderStyle=WebCore::GraphicsContext3D::RenderOffscreen) at ../../../../Source/WebCore/platform/graphics/qt/GraphicsContext3DQt.cpp:243 #7 0xb629032b in WebCore::WebGLRenderingContext::create (canvas=0x8e1df90, attrs=0x8e1b5a0) at ../../../../Source/WebCore/html/canvas/WebGLRenderingContext.cpp:409 #8 0xb5b5427d in WebCore::HTMLCanvasElement::getContext (this=0x8e1df90, type=..., attrs=0x8e1b5a0) at ../../../../Source/WebCore/html/HTMLCanvasElement.cpp:202 #9 0xb57463ea in WebCore::JSHTMLCanvasElement::getContext (this=0xa7a59e40, exec=0xa88672a8) at ../../../../Source/WebCore/bindings/js/JSHTMLCanvasElementCustom.cpp:75 #10 0xb647cbee in WebCore::jsHTMLCanvasElementPrototypeFunctionGetContext (exec=0xa88672a8) at generated/JSHTMLCanvasElement.cpp:208 #11 0xa7e7b309 in ?? () #12 0xb6789e29 in JSC::JITCode::execute (this=0xa7f210b0, registerFile=0x8497ba4, callFrame=0xa8867038, globalData=0x82f0258) at ../../../../Source/JavaScriptCore/jit/JITCode.h:127 #13 0xb6786a48 in JSC::Interpreter::execute (this=0x8497b98, program=0xa7f210a0, callFrame=0xa7fffcb4, scopeChain=0xa7fdffe0, thisObj=0xa803ffc0) at ../../../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1198 #14 0xb6845f44 in JSC::evaluate (exec=0xa7fffcb4, scopeChain=0xa7fdffe0, source=..., thisValue=..., returnedException=0xbfffe1b4) at ../../../../Source/JavaScriptCore/runtime/Completion.cpp:73 #15 0xb575012e in WebCore::JSMainThreadExecState::evaluate (exec=0xa7fffcb4, chain=0xa7fdffe0, source=..., thisValue=..., exception=0xbfffe1b4) at ../../../../Source/WebCore/bindings/js/JSMainThreadExecState.h:76 #16 0xb577e495 in WebCore::ScriptController::evaluateInWorld (this=0x82ee478, sourceCode=..., world=0x84980c8) at ../../../../Source/WebCore/bindings/js/ScriptController.cpp:145 #17 0xb577e5ca in WebCore::ScriptController::evaluate (this=0x82ee478, sourceCode=...) at ../../../../Source/WebCore/bindings/js/ScriptController.cpp:162 #18 0xb5a32933 in WebCore::ScriptElement::executeScript (this=0x870add8, sourceCode=...) at ../../../../Source/WebCore/dom/ScriptElement.cpp:290 #19 0xb5a322a5 in WebCore::ScriptElement::prepareScript (this=0x870add8, scriptStartPosition=..., supportLegacyTypes=WebCore::ScriptElement::DisallowLegacyTypeInTypeAttribute) at ../../../../Source/WebCore/dom/ScriptElement.cpp:235 #20 0xb5bf026d in WebCore::HTMLScriptRunner::runScript (this=0x82c6468, script=0x870ad98, scriptStartPosition=...) at ../../../../Source/WebCore/html/parser/HTMLScriptRunner.cpp:296