224157 2021-04-03 12:07:25 -0700 UBSan: RenderView.cpp:831:9: runtime error: load of value nnn, which is not a valid value for type 'bool' 2021-04-06 11:15:41 -0700 1 1 1 Unclassified WebKit Layout and Rendering WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=176131 InRadar P2 Normal --- 1 ddkilzer ddkilzer bfulgham changseok darin esprehn+autocc ews-watchlist glenn kondapallykalyan pdr simon.fraser webkit-bug-importer zalan oldest_to_newest 1746804 0 ddkilzer 2021-04-03 12:07:25 -0700 UBSan: RenderView.cpp:831:9: runtime error: load of value nnn, which is not a valid value for type 'bool' Occurs here: RenderView::RepaintRegionAccumulator::~RepaintRegionAccumulator() { if (m_wasAccumulatingRepaintRegion) // UBSan warning/ return; if (!m_rootView) return; m_rootView.get()->flushAccumulatedRepaintRegion(); } Caused by the m_wasAccumulatingRepaintRegion instance variable not being initialized: class RepaintRegionAccumulator { WTF_MAKE_NONCOPYABLE(RepaintRegionAccumulator); public: RepaintRegionAccumulator(RenderView*); ~RepaintRegionAccumulator(); private: WeakPtr<RenderView> m_rootView; bool m_wasAccumulatingRepaintRegion; // BUG: No default initialization. }; Affects the following tests: editing/inserting/insert-list-user-select-none-crash.html fast/dom/clientWidthAfterDocumentIsRemoved.html fast/scrolling/iframe-scrollable-after-back.html fast/text/crash-font-family-parsed.html html5lib/generated/run-template-write.html imported/blink/plugins/renderless-plugin-creation-doesnt-crash-without-frame.html imported/w3c/web-platform-tests/css/cssom-view/scrolling-no-browsing-context.html imported/w3c/web-platform-tests/dom/ranges/Range-mutations-appendChild.html imported/w3c/web-platform-tests/html/browsers/the-window-object/named-access-on-the-window-object/navigated-named-objects.window.html imported/w3c/web-platform-tests/html/semantics/forms/the-label-element/clicking-interactive-content.html imported/w3c/web-platform-tests/html/syntax/parsing/html5lib_template.html imported/w3c/web-platform-tests/html/syntax/parsing/template/creating-an-element-for-the-token/template-owner-document.html imported/w3c/web-platform-tests/selection/addRange-12.html imported/w3c/web-platform-tests/shadow-dom/untriaged/html-elements-in-shadow-trees/html-forms/test-001.html media/track/track-remove-crash.html svg/custom/animate-reference-crash.html 1746805 1 425106 ddkilzer 2021-04-03 12:08:59 -0700 Created attachment 425106 Patch v1 1746806 2 425106 ddkilzer 2021-04-03 12:09:38 -0700 Comment on attachment 425106 Patch v1 View in context: https://bugs.webkit.org/attachment.cgi?id=425106&action=review > Source/WebCore/rendering/RenderView.h:186 > + bool m_wasAccumulatingRepaintRegion { false }; I used { false } here instead of { } since it matches the style of other default initializers in the file. 1746896 3 webkit-bug-importer 2021-04-04 21:47:42 -0700 <rdar://problem/76205483> 1747532 4 ddkilzer 2021-04-06 11:08:43 -0700 mac-AS-debug-wk2 failure is unrelated to this patch (NSException thrown from Photos in GPU process): media/media-fragments/TC0051.html This test has a history of flakiness: <https://results.webkit.org/?suite=layout-tests&test=media%2Fmedia-fragments%2FTC0051.html> Filed radar 76275085 to cover this crash. 1747538 5 ews-feeder 2021-04-06 11:15:39 -0700 Committed r275536: <https://commits.webkit.org/r275536> All reviewed patches have been landed. Closing bug and clearing flags on attachment 425106. 425106 2021-04-03 12:08:59 -0700 2021-04-06 11:15:40 -0700 Patch v1 bug-224157-20210403120858.patch text/plain 2731 ddkilzer U3VidmVyc2lvbiBSZXZpc2lvbjogMjc1NDUwCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggYWIyZDAwZDIxMjA2Zjg1 NDc2Y2I0MzlkNmUxMTJiNmJhZWQzOWY2Yi4uMWQ2NGE5ZjliYTg3ZDFjY2Y0OGJhODkxNDA1Nzk5 NjNmNjIzNmFjYiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDMxIEBACisyMDIxLTA0LTAzICBEYXZp ZCBLaWx6ZXIgIDxkZGtpbHplckBhcHBsZS5jb20+CisKKyAgICAgICAgVUJTYW46IFJlbmRlclZp ZXcuY3BwOjgzMTo5OiBydW50aW1lIGVycm9yOiBsb2FkIG9mIHZhbHVlIG5ubiwgd2hpY2ggaXMg bm90IGEgdmFsaWQgdmFsdWUgZm9yIHR5cGUgJ2Jvb2wnCisgICAgICAgIDxodHRwczovL3dlYmtp dC5vcmcvYi8yMjQxNTc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisK KyAgICAgICAgVGVzdHM6IGVkaXRpbmcvaW5zZXJ0aW5nL2luc2VydC1saXN0LXVzZXItc2VsZWN0 LW5vbmUtY3Jhc2guaHRtbAorICAgICAgICAgICAgICAgZmFzdC9kb20vY2xpZW50V2lkdGhBZnRl ckRvY3VtZW50SXNSZW1vdmVkLmh0bWwKKyAgICAgICAgICAgICAgIGZhc3Qvc2Nyb2xsaW5nL2lm cmFtZS1zY3JvbGxhYmxlLWFmdGVyLWJhY2suaHRtbAorICAgICAgICAgICAgICAgZmFzdC90ZXh0 L2NyYXNoLWZvbnQtZmFtaWx5LXBhcnNlZC5odG1sCisgICAgICAgICAgICAgICBodG1sNWxpYi9n ZW5lcmF0ZWQvcnVuLXRlbXBsYXRlLXdyaXRlLmh0bWwKKyAgICAgICAgICAgICAgIGltcG9ydGVk L2JsaW5rL3BsdWdpbnMvcmVuZGVybGVzcy1wbHVnaW4tY3JlYXRpb24tZG9lc250LWNyYXNoLXdp dGhvdXQtZnJhbWUuaHRtbAorICAgICAgICAgICAgICAgaW1wb3J0ZWQvdzNjL3dlYi1wbGF0Zm9y bS10ZXN0cy9jc3MvY3Nzb20tdmlldy9zY3JvbGxpbmctbm8tYnJvd3NpbmctY29udGV4dC5odG1s CisgICAgICAgICAgICAgICBpbXBvcnRlZC93M2Mvd2ViLXBsYXRmb3JtLXRlc3RzL2RvbS9yYW5n ZXMvUmFuZ2UtbXV0YXRpb25zLWFwcGVuZENoaWxkLmh0bWwKKyAgICAgICAgICAgICAgIGltcG9y dGVkL3czYy93ZWItcGxhdGZvcm0tdGVzdHMvaHRtbC9icm93c2Vycy90aGUtd2luZG93LW9iamVj dC9uYW1lZC1hY2Nlc3Mtb24tdGhlLXdpbmRvdy1vYmplY3QvbmF2aWdhdGVkLW5hbWVkLW9iamVj dHMud2luZG93Lmh0bWwKKyAgICAgICAgICAgICAgIGltcG9ydGVkL3czYy93ZWItcGxhdGZvcm0t dGVzdHMvaHRtbC9zZW1hbnRpY3MvZm9ybXMvdGhlLWxhYmVsLWVsZW1lbnQvY2xpY2tpbmctaW50 ZXJhY3RpdmUtY29udGVudC5odG1sCisgICAgICAgICAgICAgICBpbXBvcnRlZC93M2Mvd2ViLXBs YXRmb3JtLXRlc3RzL2h0bWwvc3ludGF4L3BhcnNpbmcvaHRtbDVsaWJfdGVtcGxhdGUuaHRtbAor ICAgICAgICAgICAgICAgaW1wb3J0ZWQvdzNjL3dlYi1wbGF0Zm9ybS10ZXN0cy9odG1sL3N5bnRh eC9wYXJzaW5nL3RlbXBsYXRlL2NyZWF0aW5nLWFuLWVsZW1lbnQtZm9yLXRoZS10b2tlbi90ZW1w bGF0ZS1vd25lci1kb2N1bWVudC5odG1sCisgICAgICAgICAgICAgICBpbXBvcnRlZC93M2Mvd2Vi LXBsYXRmb3JtLXRlc3RzL3NlbGVjdGlvbi9hZGRSYW5nZS0xMi5odG1sCisgICAgICAgICAgICAg ICBpbXBvcnRlZC93M2Mvd2ViLXBsYXRmb3JtLXRlc3RzL3NoYWRvdy1kb20vdW50cmlhZ2VkL2h0 bWwtZWxlbWVudHMtaW4tc2hhZG93LXRyZWVzL2h0bWwtZm9ybXMvdGVzdC0wMDEuaHRtbAorICAg ICAgICAgICAgICAgbWVkaWEvdHJhY2svdHJhY2stcmVtb3ZlLWNyYXNoLmh0bWwKKyAgICAgICAg ICAgICAgIHN2Zy9jdXN0b20vYW5pbWF0ZS1yZWZlcmVuY2UtY3Jhc2guaHRtbAorCisgICAgICAg ICogcmVuZGVyaW5nL1JlbmRlclZpZXcuaDoKKyAgICAgICAgKFdlYkNvcmU6OlJlbmRlclZpZXc6 Om1fd2FzQWNjdW11bGF0aW5nUmVwYWludFJlZ2lvbik6CisgICAgICAgIC0gQWRkIGRlZmF1bHQg aW5pdGlhbGl6YXRpb24uCisKIDIwMjEtMDQtMDMgIERhdmlkIEtpbHplciAgPGRka2lsemVyQGFw cGxlLmNvbT4KIAogICAgICAgICBbQ29yZUlQQ10gRW5jb2RpbmcvZGVjb2Rpbmcgb2YgV2ViQ29y ZTo6Q2FwYWJpbGl0eVZhbHVlT3JSYW5nZSB0cmFuc21pdHMgcGFkZGluZyBieXRlcwpkaWZmIC0t Z2l0IGEvU291cmNlL1dlYkNvcmUvcmVuZGVyaW5nL1JlbmRlclZpZXcuaCBiL1NvdXJjZS9XZWJD b3JlL3JlbmRlcmluZy9SZW5kZXJWaWV3LmgKaW5kZXggNDc4MWU0ZjFkMjRlMDM5MGRlMmJkMTE4 MzE5OWM5ZjI4NWNkOWQ4ZS4uNDE2NzMxYmJkNTZjNDY2MDA4Yzk1MjRhY2EyMzgxZTI3ZTJjZTk4 MiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvcmVuZGVyaW5nL1JlbmRlclZpZXcuaAorKysg Yi9Tb3VyY2UvV2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyVmlldy5oCkBAIC0xODMsNyArMTgzLDcg QEAgcHVibGljOgogCiAgICAgcHJpdmF0ZToKICAgICAgICAgV2Vha1B0cjxSZW5kZXJWaWV3PiBt X3Jvb3RWaWV3OwotICAgICAgICBib29sIG1fd2FzQWNjdW11bGF0aW5nUmVwYWludFJlZ2lvbjsK KyAgICAgICAgYm9vbCBtX3dhc0FjY3VtdWxhdGluZ1JlcGFpbnRSZWdpb24geyBmYWxzZSB9Owog ICAgIH07CiAKICAgICB2b2lkIHNjaGVkdWxlTGF6eVJlcGFpbnQoUmVuZGVyQm94Jik7Cg==