236647 2022-02-15 06:56:56 -0800 valgrind claim: Source and destination overlap in memcpy_chk(0x1ffeff9c77, 0x1ffeff9c76, 8) from CSSPropertyParser.cpp:158 2022-05-16 09:08:48 -0700 1 1 1 Unclassified WebKit CSS WebKit Nightly Build Unspecified Unspecified NEW InRadar P2 Normal --- 1 mcrha webkit-unassigned bugs-noreply koivisto mcatanzaro sam webkit-bug-importer oldest_to_newest 1841686 0 mcrha 2022-02-15 06:56:56 -0800 This is with webkit2gtk3-2.34.5-1.fc35.x86_64. While testing [1], valgrind showed (I also used `--undef-value-errors=no` to avoid flood of errors from the JavaScriptCore) the below warning: ==10894== Source and destination overlap in memcpy_chk(0x1ffeff9c77, 0x1ffeff9c76, 8) ==10894== at 0x10084F292: __memcpy_chk (vg_replace_strmem.c:1723) ==10894== by 0x1029115AD: UnknownInlinedFun (string_fortified.h:36) ==10894== by 0x1029115AD: UnknownInlinedFun (CSSPropertyParser.cpp:158) ==10894== by 0x1029115AD: WebCore::cssValueKeywordID(WTF::StringView) [clone .isra.0] (CSSPropertyParser.cpp:176) ==10894== by 0x101B3741D: UnknownInlinedFun (CSSParserToken.cpp:346) ==10894== by 0x101B3741D: WebCore::CSSParserToken::id() const (CSSParserToken.cpp:341) ==10894== by 0x101B38D63: WebCore::maybeConsumeCSSWideKeyword(WebCore::CSSParserTokenRange&) [clone .lto_priv.0] (CSSPropertyParser.cpp:250) ==10894== by 0x101B612F8: UnknownInlinedFun (CSSPropertyParser.cpp:338) ==10894== by 0x101B612F8: WebCore::CSSPropertyParser::parseValueStart(WebCore::CSSPropertyID, bool) (CSSPropertyParser.cpp:305) ==10894== by 0x101B62269: UnknownInlinedFun (CSSPropertyParser.cpp:239) ==10894== by 0x101B62269: UnknownInlinedFun (CSSParserImpl.cpp:962) ==10894== by 0x101B62269: WebCore::CSSParserImpl::consumeDeclaration(WebCore::CSSParserTokenRange, WebCore::StyleRuleType) (CSSParserImpl.cpp:943) ==10894== by 0x101B62605: WebCore::CSSParserImpl::consumeDeclarationList(WebCore::CSSParserTokenRange, WebCore::StyleRuleType) (CSSParserImpl.cpp:866) ==10894== by 0x101B63E96: UnknownInlinedFun (CSSParserImpl.cpp:837) ==10894== by 0x101B63E96: WebCore::CSSParserImpl::consumeQualifiedRule(WebCore::CSSParserTokenRange&, WebCore::CSSParserImpl::AllowedRulesType) (CSSParserImpl.cpp:476) ==10894== by 0x101B682D6: UnknownInlinedFun (CSSParserImpl.cpp:388) ==10894== by 0x101B682D6: WebCore::CSSParserImpl::parseStyleSheet(WTF::String const&, WebCore::CSSParserContext const&, WebCore::StyleSheetContents&, WebCore::CSSParser::RuleParsing) (CSSParserImpl.cpp:249) ==10894== by 0x101B68419: UnknownInlinedFun (CSSParser.cpp:70) ==10894== by 0x101B68419: WebCore::StyleSheetContents::parseString(WTF::String const&) (StyleSheetContents.cpp:349) ==10894== by 0x102376AD7: WebCore::Style::parseUASheet(WTF::String const&) (UserAgentStyle.cpp:104) ==10894== by 0x10237C984: UnknownInlinedFun (UserAgentStyle.cpp:142) ==10894== by 0x10237C984: UnknownInlinedFun (UserAgentStyle.cpp:130) ==10894== by 0x10237C984: WebCore::Style::Resolver::Resolver(WebCore::Document&) (StyleResolver.cpp:100) ==10894== by 0x10237CE83: UnknownInlinedFun (StyleResolver.cpp:92) ==10894== by 0x10237CE83: UnknownInlinedFun (StyleScope.cpp:98) ==10894== by 0x10237CE83: WebCore::Style::Scope::resolver() (StyleScope.cpp:86) ==10894== by 0x101BBD3D2: UnknownInlinedFun (StyleTreeResolver.cpp:602) ==10894== by 0x101BBD3D2: WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (Document.cpp:2100) ==10894== by 0x101FE553F: UnknownInlinedFun (Document.cpp:2459) ==10894== by 0x101FE553F: UnknownInlinedFun (Document.cpp:2444) ==10894== by 0x101FE553F: UnknownInlinedFun (Document.cpp:2471) ==10894== by 0x101FE553F: UnknownInlinedFun (Document.cpp:2462) ==10894== by 0x101FE553F: WebCore::Frame::setDocument(WTF::RefPtr<WebCore::Document, WTF::RawPtrTraits<WebCore::Document>, WTF::DefaultRefDerefTraits<WebCore::Document> >&&) [clone .part.0] (Frame.cpp:306) ==10894== by 0x101F0A541: UnknownInlinedFun (Frame.cpp:273) ==10894== by 0x101F0A541: WebCore::DocumentWriter::begin(WTF::URL const&, bool, WebCore::Document*) (DocumentWriter.cpp:176) ==10894== by 0x101EE5233: WebCore::DocumentLoader::commitData(unsigned char const*, unsigned long) (DocumentLoader.cpp:1288) ==10894== by 0x101EE5FCB: WebCore::DocumentLoader::finishedLoading() (DocumentLoader.cpp:482) ==10894== by 0x101EFFB7F: WebCore::DocumentLoader::maybeLoadEmpty() (DocumentLoader.cpp:2040) ==10894== by 0x101F00013: WebCore::DocumentLoader::startLoadingMainResource() (DocumentLoader.cpp:2054) ==10894== by 0x101F00426: WebCore::FrameLoader::init() (FrameLoader.cpp:345) ==10894== by 0x1013450D6: WebKit::WebPage::WebPage(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&) (WebPage.cpp:692) ==10894== by 0x101219A65: UnknownInlinedFun (WebPage.cpp:444) ==10894== by 0x101219A65: WebKit::WebProcess::createWebPage(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&) (WebProcess.cpp:798) ==10894== by 0x102841D65: UnknownInlinedFun (HandleMessage.h:43) ==10894== by 0x102841D65: UnknownInlinedFun (HandleMessage.h:49) ==10894== by 0x102841D65: void IPC::handleMessage<Messages::WebProcess::CreateWebPage, WebKit::WebProcess, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&)>(IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&)) [clone .constprop.0] (HandleMessage.h:119) ==10894== by 0x10107435E: UnknownInlinedFun (Connection.cpp:1058) ==10894== by 0x10107435E: IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (Connection.cpp:1103) ==10894== by 0x1010762C2: UnknownInlinedFun (Connection.cpp:1172) ==10894== by 0x1010762C2: UnknownInlinedFun (Connection.cpp:1027) ==10894== by 0x1010762C2: WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}, void>::call() (Function.h:53) ==10894== by 0x104B036FC: WTF::RunLoop::performWork() (in /usr/lib64/libjavascriptcoregtk-4.0.so.18.19.10) ==10894== by 0x104B535EC: ??? (in /usr/lib64/libjavascriptcoregtk-4.0.so.18.19.10) ==10894== by 0x104B4D362: ??? (in /usr/lib64/libjavascriptcoregtk-4.0.so.18.19.10) ==10894== by 0x1039C805E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7000.4) The memcpy() documentation claims to use memmove() in case the buffers overlap. [1] https://gitlab.gnome.org/GNOME/evolution/-/issues/1804#note_1385346 1841688 1 mcrha 2022-02-15 06:57:49 -0800 This is a different place than bug #204107. 1844680 2 webkit-bug-importer 2022-02-22 06:57:17 -0800 <rdar://problem/89291141> 1869249 3 gsnedders 2022-05-16 09:08:48 -0700 This is presumably, given I can't find any other usage of them around here: // FIXME: Remove this mangling without breaking the web. if (isAppleLegacyCssValueKeyword(buffer, length)) { memmove(buffer + 7, buffer + 6, length + 1 - 6); memcpy(buffer, "-webkit", 7); ++length; } Which is… odd. (i.e., https://github.com/WebKit/WebKit/blob/0e58ce7c537aafbff6e7ce0fa4e579d1889b0ee6/Source/WebCore/css/parser/CSSPropertyParser.cpp#L157)