Dereference null pointer crash in Length::decrementCalculatedRef()
author    commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 18 Jul 2013 01:02:56 +0000 (01:02 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 18 Jul 2013 01:02:56 +0000 (01:02 +0000)
commit    6193db2ea6d3d3c2978000a62459d8f4b558dbbd
tree      a2f5bd35d2b9ad5b954e1c800c4b151e6f9025c9
parent    67c193044412b31a55ba9a4b66afd87446dde894
Dereference null pointer crash in Length::decrementCalculatedRef()
https://bugs.webkit.org/show_bug.cgi?id=118686

Patch by Jacky Jiang <zhajiang@blackberry.com> on 2013-07-17
Reviewed by Simon Fraser.

Source/WebCore:

Length(Calculated) won't insert any CalculationValue into CalculationValueHandleMap;
therefore, we dereference a null CalculationValue pointer when the temporary
Length object goes out of scope.
Length(Calculated) is not allowed as it doesn't make sense that we construct
a Calculated Length object with an uninitialized calc expression.
The code just wants to blend with zero. To fix the bug, we can just blend
with Length(0, Fixed) here as we currently can blend different unit types
and zero has the same behavior regardless of unit.

Test: transitions/transition-transform-translate-calculated-length-crash.html

* platform/graphics/transforms/TranslateTransformOperation.cpp:
(WebCore::TranslateTransformOperation::blend):

LayoutTests:

* transitions/transition-transform-translate-calculated-length-crash-expected.txt: Added.
* transitions/transition-transform-translate-calculated-length-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@152825 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/transitions/transition-transform-translate-calculated-length-crash-expected.txt [new file with mode: 0644]
LayoutTests/transitions/transition-transform-translate-calculated-length-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.cpp
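The ownership pattern behind this crash, as an added C++ model that is not WebKit's code: a Length keeps only an integer handle into a process-wide CalculationValueHandleMap, its destructor decrements the refcount of whatever that handle maps to, and a type-only Length(Calculated) registers nothing, so the temporary's destructor looks up a handle that resolves to null. The class and function names mirror the ones in the commit message, but their bodies, the handle-0 sentinel, the calc(percent + pixels) representation, and the nullDerefs counter that stands in for the crash are all assumptions of this model. buggyBlendX blends against the pre-fix temporary, fixedBlendX against Length(0, Fixed) as the patch does.

```cpp
#include <map>
#include <memory>
#include <utility>

// Constructed model (not WebCore's code): a Length stores only an integer handle into a
// process-wide map, and its destructor decrements the refcount of whatever that handle maps to.
enum LengthType { Fixed, Percent, Calculated };

struct CalculationValue {                  // models calc(<percent>% + <pixels>px)
    double percent, pixels;
    int refCount = 0;
    CalculationValue(double p, double px) : percent(p), pixels(px) {}
    double evaluate(double container) const { return percent * container / 100.0 + pixels; }
};

class CalculationValueHandleMap {
public:
    int insert(std::unique_ptr<CalculationValue> v) {
        int handle = m_nextHandle++;       // handle 0 is never issued: it means "nothing registered"
        v->refCount = 1;
        m_map[handle] = std::move(v);
        return handle;
    }
    CalculationValue* get(int h) { auto it = m_map.find(h); return it == m_map.end() ? nullptr : it->second.get(); }
    void decrementRef(int handle) {
        CalculationValue* v = get(handle);
        if (!v) { ++nullDerefs; return; }  // WebCore dereferenced v here; the model counts it instead
        if (--v->refCount == 0) m_map.erase(handle);
    }
    int nullDerefs = 0;                    // observable stand-in for the crash
private:
    std::map<int, std::unique_ptr<CalculationValue>> m_map;
    int m_nextHandle = 1;
};

static CalculationValueHandleMap& calcHandles() { static CalculationValueHandleMap m; return m; }

class Length {
public:
    Length(double value, LengthType type) : m_value(value), m_type(type) {}
    explicit Length(LengthType type) : m_type(type) {}   // type-only constructor: registers nothing
    explicit Length(std::unique_ptr<CalculationValue> calc) : m_type(Calculated) { m_handle = calcHandles().insert(std::move(calc)); }
    Length(const Length& o) : m_value(o.m_value), m_handle(o.m_handle), m_type(o.m_type) {
        if (CalculationValue* v = calculationValue()) v->refCount++;
    }
    Length& operator=(const Length&) = delete;
    ~Length() { if (isCalculated()) decrementCalculatedRef(); }
    bool isCalculated() const { return m_type == Calculated; }
    LengthType type() const { return m_type; }
    double value() const { return m_value; }
    CalculationValue* calculationValue() const { return isCalculated() ? calcHandles().get(m_handle) : nullptr; }
    double valueForContainer(double container) const {
        if (m_type == Fixed) return m_value;
        if (m_type == Percent) return m_value * container / 100.0;
        CalculationValue* v = calculationValue();
        return v ? v->evaluate(container) : 0.0;       // look the handle up; never assume it resolves
    }
private:
    void decrementCalculatedRef() { calcHandles().decrementRef(m_handle); }
    double m_value = 0; int m_handle = 0;
    LengthType m_type;
};

struct CalcParts { double percent, pixels; };
static CalcParts partsOf(const Length& l) {
    if (l.type() == Fixed) return {0.0, l.value()};
    if (l.type() == Percent) return {l.value(), 0.0};
    CalculationValue* v = l.calculationValue();
    return v ? CalcParts{v->percent, v->pixels} : CalcParts{0.0, 0.0};
}

// Mixed-unit blend, which the commit message relies on: equal non-calc units interpolate
// directly; any other pairing becomes a fresh, properly registered calc() expression.
Length blend(const Length& from, const Length& to, double progress) {
    if (from.type() == to.type() && !from.isCalculated())
        return Length(from.value() + (to.value() - from.value()) * progress, from.type());
    CalcParts f = partsOf(from), t = partsOf(to);
    return Length(std::unique_ptr<CalculationValue>(new CalculationValue(
        f.percent + (t.percent - f.percent) * progress, f.pixels + (t.pixels - f.pixels) * progress)));
}

// Translate X blended toward "no translation" with the pre-fix zero (Length(Calculated)) and the
// fixed zero (Length(0, Fixed)). Each returns the resolved pixel value and reports how many
// null-value dereferences the temporary zero caused when it went out of scope at the ';'.
double buggyBlendX(const Length& x, double progress, double container, int& nullDerefs) {
    int before = calcHandles().nullDerefs;
    double resolved = blend(Length(Calculated), x, progress).valueForContainer(container);
    nullDerefs = calcHandles().nullDerefs - before;
    return resolved;
}
double fixedBlendX(const Length& x, double progress, double container, int& nullDerefs) {
    int before = calcHandles().nullDerefs;
    double resolved = blend(Length(0, Fixed), x, progress).valueForContainer(container);
    nullDerefs = calcHandles().nullDerefs - before;
    return resolved;
}
```

Blending translate(calc(50% + 10px)) halfway toward zero against a 200px container resolves to 55px either way; the only difference is that the Length(Calculated) temporary dies at the end of the statement with nothing registered behind its handle, which the model records as one null dereference and the real code turned into a crash. The patch takes the same route as fixedBlendX: it avoids constructing the bad temporary rather than adding a null check in the destructor.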