235931 2022-01-31 17:26:34 -0800 [libpas] get_num_free_bytes_for_each_heap_callback() is called with `arg` pointing to uninitialized stack memory 2022-01-31 20:34:00 -0800 1 1 1 Unclassified WebKit bmalloc Other Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 ddkilzer ddkilzer fpizlo ggaren webkit-bug-importer ysuzuki oldest_to_newest 1835789 0 ddkilzer 2022-01-31 17:26:34 -0800 In libpas, get_num_free_bytes_for_each_heap_callback() is called with `arg` pointing to uninitialized stack memory. pas_all_heaps_get_num_free_bytes() is called and doesn't initialize `result` on the stack, then calls the following functions with a pointer to `result`: - pas_all_heaps_for_each_heap(), - pas_all_heaps_for_each_static_heap(), - callback() / get_num_free_bytes_for_each_heap_callback(). Found by clang static analyzer. 1835790 1 webkit-bug-importer 2022-01-31 17:26:59 -0800 <rdar://problem/88303899> 1835791 2 450482 ddkilzer 2022-01-31 17:28:47 -0800 Created attachment 450482 Patch v1 1835795 3 450482 ysuzuki 2022-01-31 17:43:08 -0800 Comment on attachment 450482 Patch v1 r=me 1835827 4 ews-feeder 2022-01-31 20:33:58 -0800 Committed r288866 (246618@main): <https://commits.webkit.org/246618@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 450482. 450482 2022-01-31 17:28:47 -0800 2022-01-31 20:33:59 -0800 Patch v1 bug-235931-20220131172846.patch text/plain 1548 ddkilzer U3VidmVyc2lvbiBSZXZpc2lvbjogMjg4NDY0CmRpZmYgLS1naXQgYS9Tb3VyY2UvYm1hbGxvYy9D aGFuZ2VMb2cgYi9Tb3VyY2UvYm1hbGxvYy9DaGFuZ2VMb2cKaW5kZXggNThiNzNlNmZjMzU1MWYw NTlmNTY1NTdmODk4MWQ1MTBiYjk5MWVhYS4uMjdmZTNkOGI0ZmVjZjMxMmMwNmRmMzVmY2RiNTJj MzUyMGRjZjMxYSAxMDA2NDQKLS0tIGEvU291cmNlL2JtYWxsb2MvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9ibWFsbG9jL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBACisyMDIyLTAxLTMxICBEYXZp ZCBLaWx6ZXIgIDxkZGtpbHplckBhcHBsZS5jb20+CisKKyAgICAgICAgW2xpYnBhc10gZ2V0X251 bV9mcmVlX2J5dGVzX2Zvcl9lYWNoX2hlYXBfY2FsbGJhY2soKSBpcyBjYWxsZWQgd2l0aCBgYXJn YCBwb2ludGluZyB0byB1bmluaXRpYWxpemVkIHN0YWNrIG1lbW9yeQorICAgICAgICA8aHR0cHM6 Ly93ZWJraXQub3JnL2IvMjM1OTMxPgorICAgICAgICA8cmRhcjovL3Byb2JsZW0vODgzMDM4OTk+ CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBsaWJw YXMvc3JjL2xpYnBhcy9wYXNfYWxsX2hlYXBzLmM6CisgICAgICAgIChwYXNfYWxsX2hlYXBzX2dl dF9udW1fZnJlZV9ieXRlcyk6CisgICAgICAgIC0gSW5pdGlhbGl6ZSBgcmVzdWx0YCBzdGFjayB2 YXJpYWJsZSB0byB6ZXJvLgorCiAyMDIyLTAxLTIxICBDb21taXQgUXVldWUgIDxjb21taXQtcXVl dWVAd2Via2l0Lm9yZz4KIAogICAgICAgICBVbnJldmlld2VkLCByZXZlcnRpbmcgcjI4ODQwMC4K ZGlmZiAtLWdpdCBhL1NvdXJjZS9ibWFsbG9jL2xpYnBhcy9zcmMvbGlicGFzL3Bhc19hbGxfaGVh cHMuYyBiL1NvdXJjZS9ibWFsbG9jL2xpYnBhcy9zcmMvbGlicGFzL3Bhc19hbGxfaGVhcHMuYwpp bmRleCA4ZDY3NzhjNjk3OTI5NjNlM2EzY2NiMWU3YmJjNTk5MjZkNDZhNmU5Li44ZGQzY2NiMDYz ZjVlMGRlYmEzNzlhYTRhMTZlNDEzZTM0ZDhmOGJmIDEwMDY0NAotLS0gYS9Tb3VyY2UvYm1hbGxv Yy9saWJwYXMvc3JjL2xpYnBhcy9wYXNfYWxsX2hlYXBzLmMKKysrIGIvU291cmNlL2JtYWxsb2Mv bGlicGFzL3NyYy9saWJwYXMvcGFzX2FsbF9oZWFwcy5jCkBAIC0xOTMsNyArMTkzLDcgQEAgc3Rh dGljIGJvb2wgZ2V0X251bV9mcmVlX2J5dGVzX2Zvcl9lYWNoX2hlYXBfY2FsbGJhY2socGFzX2hl YXAqIGhlYXAsIHZvaWQqIGFyZykKIAogc2l6ZV90IHBhc19hbGxfaGVhcHNfZ2V0X251bV9mcmVl X2J5dGVzKHBhc19sb2NrX2hvbGRfbW9kZSBoZWFwX2xvY2tfaG9sZF9tb2RlKQogewotICAgIHNp emVfdCByZXN1bHQ7CisgICAgc2l6ZV90IHJlc3VsdCA9IDA7CiAgICAgcGFzX2hlYXBfbG9ja19s b2NrX2NvbmRpdGlvbmFsbHkoaGVhcF9sb2NrX2hvbGRfbW9kZSk7CiAgICAgcGFzX2FsbF9oZWFw c19mb3JfZWFjaF9oZWFwKGdldF9udW1fZnJlZV9ieXRlc19mb3JfZWFjaF9oZWFwX2NhbGxiYWNr LCAmcmVzdWx0KTsKICAgICByZXN1bHQgKz0gcGFzX3V0aWxpdHlfaGVhcF9nZXRfbnVtX2ZyZWVf Ynl0ZXMoKTsK