Created attachment 31830 [details] Hover over the item in the center

Crash stack: #0 0x0000000100cbb6e8 in WTF::RefPtr<WebCore::StyleRareInheritedData>::get (this=0x38) at RefPtr.h:55 #1 0x0000000100d26b51 in WebCore::DataRef<WebCore::StyleRareInheritedData>::get (this=0x38) at DataRef.h:33 #2 0x0000000100d26b69 in WebCore::DataRef<WebCore::StyleRareInheritedData>::operator-> (this=0x38) at DataRef.h:36 #3 0x0000000100d26c0d in WebCore::RenderStyle::textShadow (this=0x0) at RenderStyle.h:592 #4 0x0000000100cbff58 in WebCore::PropertyWrapperShadow::equals (this=0x11a6a2200, a=0x0, b=0x11a61aa70) at /Volumes/WebKit/WebKit.git/WebCore/page/animation/AnimationBase.cpp:289 #5 0x0000000100cb9f39 in WebCore::AnimationBase::propertiesEqual (prop=1109, a=0x0, b=0x11a61aa70) at /Volumes/WebKit/WebKit.git/WebCore/page/animation/AnimationBase.cpp:613 #6 0x00000001010d197b in WebCore::ImplicitAnimation::isTargetPropertyEqual (this=0x11a740620, prop=1109, targetStyle=0x11a61aa70) at /Volumes/WebKit/WebKit.git/WebCore/page/animation/ImplicitAnimation.cpp:215 #7 0x0000000100dfc107 in WebCore::CompositeAnimation::updateTransitions (this=0x11a0b0cc0, renderer=0x11a0b0c48, currentStyle=0x11a0a4190, targetStyle=0x11a61aa70) at /Volumes/WebKit/WebKit.git/WebCore/page/animation/CompositeAnimation.cpp:131 #8 0x0000000100dfcb09 in WebCore::CompositeAnimation::animate (this=0x11a0b0cc0, renderer=0x11a0b0c48, currentStyle=0x11a0a4190, targetStyle=0x11a61aa70) at /Volumes/WebKit/WebKit.git/WebCore/page/animation/CompositeAnimation.cpp:253 #9 0x0000000100cc498c in WebCore::AnimationController::updateAnimations (this=0x10503c660, renderer=0x11a0b0c48, newStyle=0x11a61aa70) at /Volumes/WebKit/WebKit.git/WebCore/page/animation/AnimationController.cpp:481 #10 0x00000001013d2e4b in WebCore::RenderObject::setAnimatableStyle (this=0x11a0b0c48, style=@0x7fff5fbfdf50) at /Volumes/WebKit/WebKit.git/WebCore/rendering/RenderObject.cpp:1427 #11 0x00000001012fad87 in WebCore::Node::setRenderStyle (this=0x11a0a40f0, s=@0x7fff5fbfdfd0) at /Volumes/WebKit/WebKit.git/WebCore/dom/Node.cpp:1342 #12 0x0000000100f8f636 in WebCore::Element::recalcStyle (this=0x11a0a40f0, change=WebCore::Node::Force) at /Volumes/WebKit/WebKit.git/WebCore/dom/Element.cpp:815 #13 0x0000000100f8f931 in WebCore::Element::recalcStyle (this=0x11a05e320, change=WebCore::Node::Force) at /Volumes/WebKit/WebKit.git/WebCore/dom/Element.cpp:845 #14 0x0000000100f8f931 in WebCore::Element::recalcStyle (this=0x11a075920, change=WebCore::Node::NoChange) at /Volumes/WebKit/WebKit.git/WebCore/dom/Element.cpp:845 #15 0x0000000100f8f931 in WebCore::Element::recalcStyle (this=0x11a080680, change=WebCore::Node::NoChange) at /Volumes/WebKit/WebKit.git/WebCore/dom/Element.cpp:845 #16 0x0000000100f41a96 in WebCore::Document::recalcStyle (this=0x11818d400, change=WebCore::Node::NoChange) at /Volumes/WebKit/WebKit.git/WebCore/dom/Document.cpp:1192 #17 0x0000000100f36b00 in WebCore::Document::updateStyleIfNeeded (this=0x11818d400) at /Volumes/WebKit/WebKit.git/WebCore/dom/Document.cpp:1228 #18 0x0000000100f36055 in WebCore::Document::prepareMouseEvent (this=0x11818d400, request=@0x7fff5fbfe620, documentPoint=@0x7fff5fbfe470, event=@0x7fff5fbfe710) at /Volumes/WebKit/WebKit.git/WebCore/dom/Document.cpp:2072 #19 0x0000000100f936ef in WebCore::EventHandler::prepareMouseEvent (this=0x10503c4e0, request=@0x7fff5fbfe620, mev=@0x7fff5fbfe710) at /Volumes/WebKit/WebKit.git/WebCore/page/EventHandler.cpp:1526 #20 0x0000000100f99e02 in WebCore::EventHandler::handleMouseMoveEvent (this=0x10503c4e0, mouseEvent=@0x7fff5fbfe710, hoveredNode=0x7fff5fbfe670) at /Volumes/WebKit/WebKit.git/WebCore/page/EventHandler.cpp:1289 #21 0x0000000100f9a34a in WebCore::EventHandler::mouseMoved (this=0x10503c4e0, event=@0x7fff5fbfe710) at /Volumes/WebKit/WebKit.git/WebCore/page/EventHandler.cpp:1237 #22 0x0000000100f9eaa6 in WebCore::EventHandler::mouseMoved (this=0x10503c4e0, event=0x11a837760) at /Volumes/WebKit/WebKit.git/WebCore/page/mac/EventHandlerMac.mm:670 #23 0x0000000100352be0 in -[WebHTMLView(WebPrivate) _updateMouseoverWithEvent:] (self=0x11a0430a0, _cmd=0x7fff88b06489, event=0x11a837760) at /Volumes/WebKit/WebKit.git/WebKit/mac/WebView/WebHTMLView.mm:1584 #24 0x0000000100342462 in -[WebHTMLView mouseMovedNotification:] (self=0x11a0430a0, _cmd=0x7fff88b054be, notification=0x11a7ee600) at /Volumes/WebKit/WebKit.git/WebKit/mac/WebView/WebHTMLView.mm:3540

<rdar://problem/7005665>

m_toStyle is null in ImplicitAnimation::isTargetPropertyEqual()

This is not text-shadow specific. The problem is that the transition looks like: -webkit-transition: color, text-shadow 1s, 1s ease-out; The third transition in the list if on the 'all' property, which overrides the previous text-shadow transition. The bug is that this looks like it might be an override of an earlier fired transition. So I test to see if the properties are equal. But since this property has not yet fired at all, m_toStyle is not yet set and is null. I'm not doing the null check

Created attachment 32015 [details] Patch with updated test

Sending LayoutTests/ChangeLog Sending LayoutTests/transitions/override-transition-crash-expected.txt Sending LayoutTests/transitions/override-transition-crash.html Sending WebCore/ChangeLog Sending WebCore/page/animation/ImplicitAnimation.cpp Transmitting file data ..... Committed revision 45350.