-
commit-queue@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=118686 Patch by Jacky Jiang <zhajiang@blackberry.com> on 2013-07-17 Reviewed by Simon Fraser. Source/WebCore: Length(Calculated) won't insert any CalculationValue to CalculationValueHandleMap; therefore, we dereference null CalculationValue pointer when the temporary Length object goes out of the scope. Length(Calculated) is not allowed as it doesn't make sense that we construct a Calculated Length object with uninitialized calc expression. The code just wants to blend with zero. To fix the bug, we can just blend with Length(0, Fixed) here as we currently can blend different type units and zero has the same behavior regardless of unit. Test: transitions/transition-transform-translate-calculated-length-crash.html * platform/graphics/transforms/TranslateTransformOperation.cpp: (WebCore::TranslateTransformOperation::blend): LayoutTests: * transitions/transition-transform-translate-calculated-length-crash-expected.txt: Added. * transitions/transition-transform-translate-calculated-length-crash.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@152825 268f45cc-cd09-0410-ab3c-d52691b4dbfc
e7c6768d