228901 2021-08-07 18:47:06 -0700 UBSan: KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value nnn, which is not a valid value for type 'bool' 2021-08-07 21:18:07 -0700 1 1 1 Unclassified WebKit WebCore Misc. WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=176131 InRadar P2 Normal --- 228009 1 ddkilzer ddkilzer dana.estra thorton webkit-bug-importer oldest_to_newest 1782745 0 ddkilzer 2021-08-07 18:47:06 -0700 UBSan: KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value nnn, which is not a valid value for type 'bool' Occurs here: void KeyboardScrollingAnimator::handleKeyUpEvent() { if (!m_scrollTriggeringKeyIsPressed) // UBSan warning return; stopKeyboardScrollAnimation(); m_scrollTriggeringKeyIsPressed = false; } Caused by the m_wasAccumulatingRepaintRegion instance variable not being initialized: class KeyboardScrollingAnimator { [...] private: [...] bool m_scrollTriggeringKeyIsPressed; // BUG: No default initialization. [...] }; Affects the following 78 layout tests: accessibility/aria-slider-value-change.html accessibility/insert-children-assert.html accessibility/mac/focus-moves-cursor.html accessibility/mac/input-type-change-crash-2.html accessibility/mac/input-type-change-crash.html accessibility/mac/selection-initial.html accessibility/mac/text-marker-line-boundary.html accessibility/spinbutton-crash.html editing/caret/emoji.html editing/deleting/5729680.html editing/input/caret-at-the-edge-of-input.html editing/input/cocoa/autocorrect-off.html editing/inserting/typing-tab-designmode-forms.html editing/mac/deleting/backward-delete.html editing/mac/spelling/autocorrection-blockquote-crash.html editing/pasteboard/emacs-ctrl-a-k-y.html editing/selection/context-menu-text-selection-lookup.html editing/selection/move-begin-end.html editing/selection/verify-editing-behavior-for-line-granularity.html fast/dom/MutationObserver/inline-event-listener.html fast/dom/access-key-iframe.html fast/dom/fragment-activation-focuses-target.html fast/dom/hidden-iframe-no-focus.html fast/dom/mutation-details-focus.html fast/events/autoscroll-should-not-stop-on-keypress.html fast/events/beforeunload-alert-handled-keydown.html fast/events/event-input-contentEditable.html fast/events/focus-label-legend-elements-with-tab.html fast/events/select-element.html fast/events/tab-focus-anchor.html fast/forms/access-key-case-insensitive.html fast/forms/call-text-did-change-in-text-field-when-typing.html fast/forms/datalist/datalist-option-labels.html fast/forms/datetimelocal/datetimelocal-editable-components/datetimelocal-editable-components-keyboard-events.html fast/forms/disabled-search-input.html fast/forms/input-first-letter-edit.html fast/forms/legend-access-key.html fast/forms/month/month-editable-components/month-editable-components-focus-and-blur-events.html fast/forms/onchange-enter-submit.html fast/forms/radio/input-radio-checked-tab.html fast/forms/range/range-keyboard-oninput-event.html fast/forms/search-event-delay.html fast/forms/tabbing-input-iframe.html fast/forms/time/time-editable-components/time-editable-components-focus-and-blur-events.html fast/forms/validation-message-maxLength.html fast/frames/focus-controller-crash-change-event.html fast/frames/iframe-window-focus.html fast/html/details-keyboard-show-hide.html fast/html/progress-user-modify.html fast/repaint/fixed-move-after-keyboard-scroll.html fast/scrolling/arrow-key-scroll-in-rtl-document.html fast/text/scroll-text-overflow-ellipsis.html fullscreen/full-screen-crash-custom-scrollbars.html fullscreen/full-screen-iframe-allowed-prefixed.html fullscreen/full-screen-table-section.html http/tests/fullscreen/fullscreenelement-different-origin.html http/tests/navigation/keyboard-events-during-provisional-subframe-navigation.html http/tests/pointer-lock/iframe-sandboxed-nested-allow-pointer-lock.html http/tests/storageAccess/aggregate-sorted-data-with-storage-access.html http/tests/storageAccess/deny-without-prompt-preserves-gesture.html http/tests/storageAccess/request-and-grant-access-cross-origin-non-sandboxed-iframe-ephemeral.html http/tests/storageAccess/request-and-grant-access-cross-origin-non-sandboxed-iframe.html http/tests/storageAccess/request-and-grant-access-then-navigate-same-site-should-have-access.html http/tests/storageAccess/request-and-grant-access-with-per-page-scope-access-from-another-frame.html imported/blink/fast/events/click-focus-keydown-no-ring.html imported/w3c/web-platform-tests/css/css-contain/content-visibility/content-visibility-047.html imported/w3c/web-platform-tests/css/css-scroll-snap/input/keyboard.html imported/w3c/web-platform-tests/css/selectors/focus-visible-008.html imported/w3c/web-platform-tests/html/interaction/focus/focus-keyboard-js.html imported/w3c/web-platform-tests/html/semantics/forms/the-input-element/maxlength-number.html imported/w3c/web-platform-tests/shadow-dom/focus/focus-tabindex-order-shadow-negative-delegatesFocus.html imported/w3c/web-platform-tests/shadow-dom/focus/focus-tabindex-order-shadow-negative.html platform/mac/fast/events/non-roman-key-code.html pointer-lock/lock-element-not-in-dom.html scrollbars/scrollbar-miss-mousemove-disabled.html svg/custom/focus-event-handling-keyboard.xhtml tiled-drawing/scrolling/scroll-snap/scroll-snap-mandatory-mainframe-horizontal-with-keyboard-scaled.html webaudio/audiocontext-restriction-audiobuffersourcenode-start.html How to find list of tests: $ cd OpenSource/LayoutTests $ $ for F in `grep -l -r 'KeyboardScrollingAnimator.cpp:303:10' ../WebKitBuild/layout-test-results/ | sed -e 's#^.*//##' -e 's/-stderr.txt/*/'`; do ls $F | grep -v 'expected'; done | sort | pbcopy 1782746 1 ddkilzer 2021-08-07 18:48:33 -0700 Regressed in r280492 for Bug 228009. 1782747 2 435140 ddkilzer 2021-08-07 18:54:03 -0700 Created attachment 435140 Patch v1 1782748 3 webkit-bug-importer 2021-08-07 18:55:16 -0700 <rdar://problem/81660796> 1782751 4 435140 ap 2021-08-07 20:28:32 -0700 Comment on attachment 435140 Patch v1 View in context: https://bugs.webkit.org/attachment.cgi?id=435140&action=review > Source/WebCore/platform/KeyboardScrollingAnimator.h:54 > + bool m_scrollTriggeringKeyIsPressed { false }; Is there a bug here, or just another false positive that we trade a little bit of perf for? 1782752 5 435140 thorton 2021-08-07 20:37:43 -0700 Comment on attachment 435140 Patch v1 View in context: https://bugs.webkit.org/attachment.cgi?id=435140&action=review >> Source/WebCore/platform/KeyboardScrollingAnimator.h:54 >> + bool m_scrollTriggeringKeyIsPressed { false }; > > Is there a bug here, or just another false positive that we trade a little bit of perf for? I think this one is legit; we read the bit in beginKeyboardScrollGesture, which is before it's set for the first time 1782753 6 thorton 2021-08-07 20:38:46 -0700 (also this is all really really new and off-by default code, so it's not super surprising that there are bugs) 1782755 7 ddkilzer 2021-08-07 20:51:00 -0700 (In reply to Tim Horton from comment #5) > Comment on attachment 435140 [details] > Patch v1 > > View in context: > https://bugs.webkit.org/attachment.cgi?id=435140&action=review > > >> Source/WebCore/platform/KeyboardScrollingAnimator.h:54 > >> + bool m_scrollTriggeringKeyIsPressed { false }; > > > > Is there a bug here, or just another false positive that we trade a little bit of perf for? > > I think this one is legit; we read the bit in beginKeyboardScrollGesture, > which is before it's set for the first time What Tim said. Here are a list of invalid values when I ran layout tests locally: 6 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 115, which is not a valid value for type 'bool' 4 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 32, which is not a valid value for type 'bool' 3 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 6, which is not a valid value for type 'bool' 3 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 116, which is not a valid value for type 'bool' 2 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 97, which is not a valid value for type 'bool' 2 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 108, which is not a valid value for type 'bool' 1 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 98, which is not a valid value for type 'bool' 1 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 84, which is not a valid value for type 'bool' 1 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 59, which is not a valid value for type 'bool' 1 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 49, which is not a valid value for type 'bool' 1 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 40, which is not a valid value for type 'bool' 1 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 4, which is not a valid value for type 'bool' 1 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 24, which is not a valid value for type 'bool' 1 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 111, which is not a valid value for type 'bool' 1 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 104, which is not a valid value for type 'bool' 1 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 101, which is not a valid value for type 'bool' 1 platform/KeyboardScrollingAnimator.cpp:303:10: runtime error: load of value 100, which is not a valid value for type 'bool' 1782758 8 ews-feeder 2021-08-07 21:18:06 -0700 Committed r280764 (240349@main): <https://commits.webkit.org/240349@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 435140. 435140 2021-08-07 18:54:03 -0700 2021-08-07 21:18:07 -0700 Patch v1 bug-228901-20210807185402.patch text/plain 1530 ddkilzer U3VidmVyc2lvbiBSZXZpc2lvbjogMjgwNzYwCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggOGRiNmE2MWFkZTBlMmZj MDE1ZTY2ZjYwZjlhZDU2N2I4ODlkZjE0Zi4uZjQ5NmYwNWMxNDMwOGViZDAwYzE5Y2Y2YWI1YjM1 YzQ5OWZkZDEyZSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBACisyMDIxLTA4LTA3ICBEYXZp ZCBLaWx6ZXIgIDxkZGtpbHplckBhcHBsZS5jb20+CisKKyAgICAgICAgVUJTYW46IEtleWJvYXJk U2Nyb2xsaW5nQW5pbWF0b3IuY3BwOjMwMzoxMDogcnVudGltZSBlcnJvcjogbG9hZCBvZiB2YWx1 ZSBubm4sIHdoaWNoIGlzIG5vdCBhIHZhbGlkIHZhbHVlIGZvciB0eXBlICdib29sJworICAgICAg ICA8aHR0cHM6Ly93ZWJraXQub3JnL2IvMjI4OTAxPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5P Qk9EWSAoT09QUyEpLgorCisgICAgICAgIENvdmVyZWQgYnkgcnVubmluZyA3OCBsYXlvdXQgdGVz dHMgd2l0aCBVQlNhbiBlbmFibGVkLgorCisgICAgICAgICogcGxhdGZvcm0vS2V5Ym9hcmRTY3Jv bGxpbmdBbmltYXRvci5oOgorICAgICAgICAtIEluaXRpYWxpemUgbV9zY3JvbGxUcmlnZ2VyaW5n S2V5SXNQcmVzc2VkIHRvIGZhbHNlLgorCiAyMDIxLTA4LTA3ICBNeWxlcyBDLiBNYXhmaWVsZCAg PG1tYXhmaWVsZEBhcHBsZS5jb20+CiAKICAgICAgICAgRGVkdXBsaWNhdGUgbG9nZ2luZyBjaGFu bmVsIGFsZ29yaXRobXMKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL0tleWJv YXJkU2Nyb2xsaW5nQW5pbWF0b3IuaCBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL0tleWJvYXJk U2Nyb2xsaW5nQW5pbWF0b3IuaAppbmRleCBmNTc4NDA3M2EyZGQyYTY2ZDVjZTdjNGY1YzFmZmNk ODM2ZTZiMWFkLi44MzJiOTFiYmY5NWFmMjQ4MGIxMDdiN2Q3OGVkZDVlNjI3ZGJlMzI3IDEwMDY0 NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9LZXlib2FyZFNjcm9sbGluZ0FuaW1hdG9y LmgKKysrIGIvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vS2V5Ym9hcmRTY3JvbGxpbmdBbmltYXRv ci5oCkBAIC01MSw3ICs1MSw3IEBAIHByaXZhdGU6CiAgICAgU2Nyb2xsQW5pbWF0b3ImIG1fc2Ny b2xsQW5pbWF0b3I7CiAgICAgU2Nyb2xsQ29udHJvbGxlciYgbV9zY3JvbGxDb250cm9sbGVyOwog ICAgIHN0ZDo6b3B0aW9uYWw8V2ViQ29yZTo6S2V5Ym9hcmRTY3JvbGw+IG1fY3VycmVudEtleWJv YXJkU2Nyb2xsOwotICAgIGJvb2wgbV9zY3JvbGxUcmlnZ2VyaW5nS2V5SXNQcmVzc2VkOworICAg IGJvb2wgbV9zY3JvbGxUcmlnZ2VyaW5nS2V5SXNQcmVzc2VkIHsgZmFsc2UgfTsKICAgICBGbG9h dFNpemUgbV92ZWxvY2l0eTsKICAgICBNb25vdG9uaWNUaW1lIG1fdGltZUF0TGFzdEZyYW1lOwog ICAgIEZsb2F0UG9pbnQgbV9pZGVhbFBvc2l0aW9uRm9yTWluaW11bVRyYXZlbDsK