Bug 105408 - NULL ptr in WebCore::RefCountedPropertyWrapper<WebCore::ClipPathOperation>::blend
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Dirk Schulze
URL:
Keywords:
Duplicates: 119579
Depends on:
Blocks:
 
Reported: 2012-12-19 02:54 PST by Takashi Sakamoto
Modified: 2013-09-05 00:40 PDT (History)
CC: 6 users

See Also:


Attachments
repro.html (311 bytes, text/html), 2012-12-19 02:54 PST, Takashi Sakamoto, no flags
Patch (4.95 KB, patch), 2013-09-04 22:44 PDT, Dirk Schulze, no flags

Description Takashi Sakamoto 2012-12-19 02:54:10 PST
Created attachment 180125
repro.html

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=149785711

Crash address: 0x000000000000
Crash state (crash stack):
WebCore::RefCountedPropertyWrapper<WebCore::ClipPathOperation>::blend
WebCore::CSSPropertyAnimation::blendProperties
WebCore::KeyframeAnimation::getAnimatedStyle
Comment 1 Takashi Sakamoto 2012-12-19 02:58:21 PST
CSSPropertyAnimation.cpp:

static inline PassRefPtr<ClipPathOperation> blendFunc(const AnimationBase*, ClipPathOperation* from, ClipPathOperation* to, double progress)
{
    // Other clip-path operations than BasicShapes can not be animated.
    if (from->getOperationType() != ClipPathOperation::SHAPE || to->getOperationType() != ClipPathOperation::SHAPE)
        return to;
...

Looking at repro.html,

0% {
   // no -webkit-clip-path
   ...
}

100% {
   ...
   -webkit-clip-path: ...
}

Since 0% has no -webkit-clip-path, from would be NULL and from->getOperationType() crashes.
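The failure mode described in the report, as a small self-contained C++ model added for this page (it is not WebKit code and not the contents of the patch attached to this bug). A stand-in ClipPathOperation with a circle radius plays the role of the basic shape; blendFuncUnchecked keeps the control flow of the quoted blendFunc, and blendFuncChecked adds a null guard that treats a keyframe without -webkit-clip-path the same way the existing code treats a non-shape operation. That the landed fix (r155105) takes this exact form is an assumption, not a statement about the patch.

```cpp
#include <iostream>
#include <memory>

// Stand-in for WebCore::ClipPathOperation, constructed for this example (not
// WebKit's class). Only the operation-type tag and one shape parameter are
// modelled; a circle radius plays the role of the basic shape being animated.
struct ClipPathOperation {
    enum OperationType { REFERENCE, SHAPE };

    ClipPathOperation(OperationType type, double radius) : m_type(type), m_radius(radius) {}
    OperationType getOperationType() const { return m_type; }
    double radius() const { return m_radius; }

    OperationType m_type;
    double m_radius;
};

// shared_ptr stands in for the RefPtr/PassRefPtr ownership of the original.
using ClipPathRef = std::shared_ptr<ClipPathOperation>;

ClipPathRef makeCircle(double radius)
{
    return std::make_shared<ClipPathOperation>(ClipPathOperation::SHAPE, radius);
}

ClipPathRef makeReference()
{
    return std::make_shared<ClipPathOperation>(ClipPathOperation::REFERENCE, 0.0);
}

// Same control flow as the blendFunc quoted in Comment 1: both pointers are
// dereferenced before anything checks that the property was present in both
// keyframes, so a null `from` (keyframe without -webkit-clip-path) is a
// null-pointer dereference. Kept for comparison; never call it with a null.
ClipPathRef blendFuncUnchecked(const ClipPathRef& from, const ClipPathRef& to, double progress)
{
    if (from->getOperationType() != ClipPathOperation::SHAPE || to->getOperationType() != ClipPathOperation::SHAPE)
        return to;
    double r = from->radius() + (to->radius() - from->radius()) * progress;
    return makeCircle(r);
}

// Hardened form: a missing operation on either side is treated exactly like a
// non-shape operation, i.e. "not animatable, snap to the target value". That
// the landed patch takes this specific form is an assumption of this example.
ClipPathRef blendFuncChecked(const ClipPathRef& from, const ClipPathRef& to, double progress)
{
    if (!from || !to)
        return to;
    if (from->getOperationType() != ClipPathOperation::SHAPE || to->getOperationType() != ClipPathOperation::SHAPE)
        return to;
    double r = from->radius() + (to->radius() - from->radius()) * progress;
    return makeCircle(r);
}

// Scenario from the report: the 0% keyframe has no -webkit-clip-path (null),
// the 100% keyframe has a basic shape. Returns true when the guarded blend
// hands back the target operation instead of dereferencing null.
bool missingSourceKeyframeFallsBackToTarget()
{
    ClipPathRef from; // property absent from the 0% keyframe
    ClipPathRef to = makeCircle(20.0);
    return blendFuncChecked(from, to, 0.5) == to;
}

// Same guard, other direction: source present, target missing.
bool missingTargetKeyframeReturnsNull()
{
    ClipPathRef from = makeCircle(20.0);
    ClipPathRef to; // property absent from the 100% keyframe
    return blendFuncChecked(from, to, 0.5) == nullptr;
}

// The guard must not change the animatable case: two basic shapes still
// interpolate linearly in `progress`. Returns -1 if no shape came back.
double blendedRadius(double fromRadius, double toRadius, double progress)
{
    ClipPathRef result = blendFuncChecked(makeCircle(fromRadius), makeCircle(toRadius), progress);
    return result ? result->radius() : -1.0;
}

// Nor the non-animatable case: a url() reference on either side snaps to `to`.
bool referenceSnapsToTarget()
{
    ClipPathRef to = makeCircle(20.0);
    return blendFuncChecked(makeReference(), to, 0.5) == to;
}

int main()
{
    // Valid inputs behave identically in both versions; only the null case differs.
    std::cout << "unchecked 10->30 @0.25: " << blendFuncUnchecked(makeCircle(10.0), makeCircle(30.0), 0.25)->radius() << "\n"
              << "checked   10->30 @0.25: " << blendedRadius(10.0, 30.0, 0.25) << "\n"
              << "missing source -> target: " << missingSourceKeyframeFallsBackToTarget() << "\n";
    return 0;
}
```

The point worth taking from the model is that the existing early return for non-shape operations already defines the safe behaviour for "cannot animate this pair"; the null case only needs to be routed into it, before either pointer is touched, so that a keyframe that omits the property is handled like one that specifies an unanimatable value.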
Comment 2 Dirk Schulze 2013-09-04 22:44:42 PDT
Created attachment 210547
Patch
Comment 3 WebKit Commit Bot 2013-09-05 00:37:46 PDT
Comment on attachment 210547
Patch

Clearing flags on attachment: 210547

Committed r155105: <http://trac.webkit.org/changeset/155105>
Comment 4 WebKit Commit Bot 2013-09-05 00:37:48 PDT
All reviewed patches have been landed.  Closing bug.
Comment 5 Dirk Schulze 2013-09-05 00:40:30 PDT
*** Bug 119579 has been marked as a duplicate of this bug. ***