RESOLVED FIXED Bug 105408
NULL ptr in WebCore::RefCountedPropertyWrapper<WebCore::ClipPathOperation>::blend
https://bugs.webkit.org/show_bug.cgi?id=105408
Takashi Sakamoto
Reported 2012-12-19 02:54:10 PST
Created attachment 180125 [details]
repro.html

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=149785711

Crash address 0x000000000000
Crash state - crash stack -
    WebCore::RefCountedPropertyWrapper<WebCore::ClipPathOperation>::blend
    WebCore::CSSPropertyAnimation::blendProperties
    WebCore::KeyframeAnimation::getAnimatedStyle
Attachments
repro.html (311 bytes, text/html)
2012-12-19 02:54 PST, Takashi Sakamoto
no flags
Patch (4.95 KB, patch)
2013-09-04 22:44 PDT, Dirk Schulze
no flags
Takashi Sakamoto
Comment 1 2012-12-19 02:58:21 PST
CSSPropertyAnimation.cpp:

    static inline PassRefPtr<ClipPathOperation> blendFunc(const AnimationBase*, ClipPathOperation* from, ClipPathOperation* to, double progress)
    {
        // Other clip-path operations than BasicShapes can not be animated.
        if (from->getOperationType() != ClipPathOperation::SHAPE || to->getOperationType() != ClipPathOperation::SHAPE)
            return to;
        ...

Looking at repro.html,

    0% {
        // no -webkit-clip-path
        ...
    }
    100% {
        ...
        -webkit-clip-path: ...
    }

Since 0% has no -webkit-clip-path, from would be NULL and from->getOperationType() crashes.
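The following is an added illustration of the defect described in comment 1, not code from WebKit or from the patch attached to this bug: a reduced model of the clip-path blend with a null check in front of the dereference that the crash stack shows. `ClipPathOperation`, `ClipPathPtr`, `makeShape`, `makeReference`, `blendClipPath` and `animatedRadius` are constructed stand-ins for the WebCore types and functions, and the choice to return whichever endpoint is present when the other is missing is an assumption made here, not necessarily what the upstream fix does.

```cpp
// Added example, not WebKit's code. Every type and function below is a
// constructed stand-in for the WebCore equivalents named in the bug.
#include <iostream>
#include <memory>

// Stand-in for WebCore::ClipPathOperation: only the pieces the blend touches.
struct ClipPathOperation {
    enum OperationType { REFERENCE, SHAPE };
    OperationType type;
    double radius; // one animatable number, standing in for a basic shape's geometry
};

// Stand-in for PassRefPtr/RefPtr; shared_ptr has the same "may be null" property.
using ClipPathPtr = std::shared_ptr<ClipPathOperation>;

static ClipPathPtr makeShape(double radius) {
    return std::make_shared<ClipPathOperation>(ClipPathOperation{ClipPathOperation::SHAPE, radius});
}

static ClipPathPtr makeReference() {
    return std::make_shared<ClipPathOperation>(ClipPathOperation{ClipPathOperation::REFERENCE, 0.0});
}

// Hardened blend. The function quoted in comment 1 dereferences `from` on its
// first line; when the 0% keyframe declares no -webkit-clip-path, `from` is null
// and that line crashes. Returning the endpoint that is present when the other is
// missing is an assumption of this example, not the upstream policy.
static ClipPathPtr blendClipPath(const ClipPathPtr& from, const ClipPathPtr& to, double progress) {
    if (!from || !to)
        return to ? to : from;
    // Other clip-path operations than basic shapes cannot be animated: snap to `to`.
    if (from->type != ClipPathOperation::SHAPE || to->type != ClipPathOperation::SHAPE)
        return to;
    return makeShape(from->radius + (to->radius - from->radius) * progress);
}

// Drives the blend the way a keyframe animation would: `from` is the 0% value,
// `to` the 100% value, progress runs from 0 to 1. Returns the radius of the
// interpolated shape, or -1 when the result is not a shape at all.
static double animatedRadius(const ClipPathPtr& from, const ClipPathPtr& to, double progress) {
    ClipPathPtr blended = blendClipPath(from, to, progress);
    if (!blended || blended->type != ClipPathOperation::SHAPE)
        return -1.0;
    return blended->radius;
}

int main() {
    // Constructed inputs mirroring the shape of repro.html as described in comment 1:
    // the 0% keyframe sets no -webkit-clip-path (null), the 100% keyframe sets a shape.
    ClipPathPtr missing;                   // null: nothing declared at 0%
    ClipPathPtr target = makeShape(50.0);  // basic shape declared at 100%

    std::cout << "null from, shape to @0.5 -> radius " << animatedRadius(missing, target, 0.5) << "\n";
    std::cout << "shape to shape @0.25     -> radius " << animatedRadius(makeShape(10.0), makeShape(50.0), 0.25) << "\n";
    std::cout << "reference to shape @0.5  -> radius " << animatedRadius(makeReference(), target, 0.5) << "\n";
    return 0;
}
```

The first call is the repro case: with the unchecked version it would read through a null pointer exactly as the crash address 0x000000000000 indicates; with the guard it degrades to the declared endpoint instead. The same guard covers the mirror case of a missing 100% value, which the report does not exercise but which reaches the same dereference.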
Dirk Schulze
Comment 2 2013-09-04 22:44:42 PDT
WebKit Commit Bot
Comment 3 2013-09-05 00:37:46 PDT
Comment on attachment 210547 [details]
Patch

Clearing flags on attachment: 210547

Committed r155105: <http://trac.webkit.org/changeset/155105>
WebKit Commit Bot
Comment 4 2013-09-05 00:37:48 PDT
All reviewed patches have been landed. Closing bug.
Dirk Schulze
Comment 5 2013-09-05 00:40:30 PDT
*** Bug 119579 has been marked as a duplicate of this bug. ***