Bug 242516
| Summary: | WebCore::ScrollingStateScrollingNode::setSnapOffsetsInfo Conditional jump or move depends on uninitialised value(s) | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | James Hilliard <james.hilliard1> |
| Component: | WebCore Misc. | Assignee: | Simon Fraser (smfr) <simon.fraser> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | nmouchtaris, simon.fraser, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | PC | ||
| OS: | Linux | ||
James Hilliard
I'm seeing this get flagged by valgrind
==137== Conditional jump or move depends on uninitialised value(s)
==137== at 0x14695DA8: WebCore::ScrollSnapOffsetsInfo<float, WebCore::FloatRect>::isEqual(WebCore::ScrollSnapOffsetsInfo<float, WebCore::FloatRect> const&) const (ScrollSnapOffsetsInfo.h:60)
==137== by 0x14691CA3: WebCore::ScrollingStateScrollingNode::setSnapOffsetsInfo(WebCore::ScrollSnapOffsetsInfo<float, WebCore::FloatRect> const&) (ScrollingStateScrollingNode.cpp:157)
==137== by 0x1466D722: WebCore::setStateScrollingNodeSnapOffsetsAsFloat(WebCore::ScrollingStateScrollingNode&, WebCore::ScrollSnapOffsetsInfo<WebCore::LayoutUnit, WebCore::LayoutRect> const*, float) (AsyncScrollingCoordinator.cpp:102)
==137== by 0x14671AC3: WebCore::AsyncScrollingCoordinator::setScrollingNodeScrollableAreaGeometry(unsigned long, WebCore::ScrollableArea&) (AsyncScrollingCoordinator.cpp:803)
==137== by 0x14E0E522: WebCore::RenderLayerCompositor::updateScrollingNodeForScrollingRole(WebCore::RenderLayer&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>) (RenderLayerCompositor.cpp:4830)
==137== by 0x14E0D972: WebCore::RenderLayerCompositor::updateScrollCoordinationForLayer(WebCore::RenderLayer&, WebCore::RenderLayer const*, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>) (RenderLayerCompositor.cpp:4722)
==137== by 0x14E008CF: WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) (RenderLayerCompositor.cpp:1380)
==137== by 0x14DFD86D: WebCore::RenderLayerCompositor::updateCompositingLayers(WebCore::CompositingUpdateType, WebCore::RenderLayer*) (RenderLayerCompositor.cpp:917)
==137== by 0x144E5DBE: WebCore::FrameView::updateCompositingLayersAfterLayout() (FrameView.cpp:843)
==137== by 0x144E7798: WebCore::FrameView::didLayout(WTF::WeakPtr<WebCore::RenderElement, WTF::EmptyCounter>) (FrameView.cpp:1323)
==137== by 0x14529A94: WebCore::FrameViewLayoutContext::performLayout() (FrameViewLayoutContext.cpp:277)
==137== by 0x14528FCD: WebCore::FrameViewLayoutContext::layout() (FrameViewLayoutContext.cpp:172)
==137== by 0x138F42D9: WebCore::Document::updateLayout() (Document.cpp:2270)
==137== by 0x138F4387: WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (Document.cpp:2284)
==137== by 0x13BC5578: WebCore::FrameSelection::updateSelectionAppearanceNow() (FrameSelection.cpp:477)
==137== by 0x13BCEEBB: WebCore::FrameSelection::setCaretVisibility(WebCore::CaretBase::CaretVisibility, WebCore::FrameSelection::ShouldUpdateAppearance) (FrameSelection.cpp:2271)
==137== by 0x13BCE477: WebCore::FrameSelection::focusedOrActiveStateChanged() (FrameSelection.cpp:2144)
==137== by 0x13BCE5FA: WebCore::FrameSelection::setFocused(bool) (FrameSelection.cpp:2168)
==137== by 0x144D7BD1: WebCore::FocusController::setFocusedFrame(WebCore::Frame*) (FocusController.cpp:377)
==137== by 0x144D7E39: WebCore::FocusController::setFocusedInternal(bool) (FocusController.cpp:411)
==137== by 0x144D9F28: WebCore::FocusController::setActivityState(WTF::OptionSet<WebCore::ActivityState::Flag>) (FocusController.cpp:912)
==137== by 0x145648D8: WebCore::Page::setActivityState(WTF::OptionSet<WebCore::ActivityState::Flag>) (Page.cpp:2461)
==137== by 0xEF7D3C3: WebKit::WebPage::WebPage(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&) (WebPage.cpp:786)
==137== by 0xEF7B307: WebKit::WebPage::create(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&) (WebPage.cpp:461)
==137== by 0xECA85C2: WebKit::WebProcess::createWebPage(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&) (WebProcess.cpp:837)
==137== by 0xDEB4991: void IPC::callMemberFunctionImpl<WebKit::WebProcess, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters>, 0ul, 1ul>(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters>&&, std::integer_sequence<unsigned long, 0ul, 1ul>) (HandleMessage.h:131)
==137== by 0xDEB1B6F: void IPC::callMemberFunction<WebKit::WebProcess, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters>, std::integer_sequence<unsigned long, 0ul, 1ul> >(std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters>&&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&)) (HandleMessage.h:137)
==137== by 0xDEACC26: void IPC::handleMessage<Messages::WebProcess::CreateWebPage, WebKit::WebProcess, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&)) (HandleMessage.h:259)
==137== by 0xDEAA311: WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&) (WebProcessMessageReceiver.cpp:280)
==137== by 0xECA8AA3: WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebProcess.cpp:916)
==137== by 0xE58AFE3: IPC::Connection::dispatchMessage(IPC::Decoder&) (Connection.cpp:1108)
==137== by 0xE58B27A: IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (Connection.cpp:1153)
==137== by 0xE58B821: IPC::Connection::dispatchOneIncomingMessage() (Connection.cpp:1222)
==137== by 0xE58ACF3: IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}::operator()() (Connection.cpp:1072)
==137== by 0xE591DD7: WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}, void>::call() (Function.h:53)
==137== by 0xD9D5E94: WTF::Function<void ()>::operator()() const (Function.h:82)
==137== by 0x10FD4BEE: WTF::RunLoop::performWork() (RunLoop.cpp:133)
==137== by 0x110803FD: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::operator()(void*) const (RunLoopGLib.cpp:80)
==137== by 0x11080421: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (RunLoopGLib.cpp:82)
==137== by 0x11080390: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const (RunLoopGLib.cpp:53)
==137== by 0x110803DE: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (RunLoopGLib.cpp:56)
==137== by 0x15FB4293: g_main_dispatch (gmain.c:3381)
==137== by 0x15FB4293: g_main_context_dispatch (gmain.c:4099)
==137== by 0x15FB4637: g_main_context_iterate.constprop.0 (gmain.c:4175)
==137== by 0x15FB4942: g_main_loop_run (gmain.c:4373)
==137== by 0x11080A49: WTF::RunLoop::run() (RunLoopGLib.cpp:108)
==137== by 0xF022010: WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (AuxiliaryProcessMain.h:70)
==137== by 0xF01F6C2: int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWPE>(int, char**) (AuxiliaryProcessMain.h:96)
==137== by 0xF01BC1A: WebKit::WebProcessMain(int, char**) (WebProcessMainWPE.cpp:75)
==137== by 0x109918: main (WebProcessMain.cpp:31)
==137== Uninitialised value was created by a heap allocation
==137== at 0x4840899: malloc (vg_replace_malloc.c:381)
==137== by 0x10F9144F: WTF::fastMalloc(unsigned long) (FastMalloc.cpp:232)
==137== by 0x1467EAF6: WebCore::ScrollingStateNode::operator new(unsigned long) (ScrollingStateNode.h:201)
==137== by 0x1468E1CC: WebCore::ScrollingStateFrameScrollingNode::create(WebCore::ScrollingStateTree&, WebCore::ScrollingNodeType, unsigned long) (ScrollingStateFrameScrollingNode.cpp:38)
==137== by 0x1469AD79: WebCore::ScrollingStateTree::insertNode(WebCore::ScrollingNodeType, unsigned long, unsigned long, unsigned long) (ScrollingStateTree.cpp:175)
==137== by 0x14670A7F: WebCore::AsyncScrollingCoordinator::insertNode(WebCore::ScrollingNodeType, unsigned long, unsigned long, unsigned long) (AsyncScrollingCoordinator.cpp:638)
==137== by 0x14E0D0A8: WebCore::RenderLayerCompositor::registerScrollingNodeID(WebCore::ScrollingCoordinator&, unsigned long, WebCore::ScrollingNodeType, WebCore::ScrollingTreeState&) (RenderLayerCompositor.cpp:4570)
==137== by 0x14E0CD69: WebCore::RenderLayerCompositor::attachScrollingNode(WebCore::RenderLayer&, WebCore::ScrollingNodeType, WebCore::ScrollingTreeState&) (RenderLayerCompositor.cpp:4543)
==137== by 0x14E0E41C: WebCore::RenderLayerCompositor::updateScrollingNodeForScrollingRole(WebCore::RenderLayer&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>) (RenderLayerCompositor.cpp:4819)
==137== by 0x14E0D972: WebCore::RenderLayerCompositor::updateScrollCoordinationForLayer(WebCore::RenderLayer&, WebCore::RenderLayer const*, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>) (RenderLayerCompositor.cpp:4722)
==137== by 0x14E008CF: WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) (RenderLayerCompositor.cpp:1380)
==137== by 0x14DFD86D: WebCore::RenderLayerCompositor::updateCompositingLayers(WebCore::CompositingUpdateType, WebCore::RenderLayer*) (RenderLayerCompositor.cpp:917)
==137== by 0x144E5DBE: WebCore::FrameView::updateCompositingLayersAfterLayout() (FrameView.cpp:843)
==137== by 0x144E7798: WebCore::FrameView::didLayout(WTF::WeakPtr<WebCore::RenderElement, WTF::EmptyCounter>) (FrameView.cpp:1323)
==137== by 0x14529A94: WebCore::FrameViewLayoutContext::performLayout() (FrameViewLayoutContext.cpp:277)
==137== by 0x14528FCD: WebCore::FrameViewLayoutContext::layout() (FrameViewLayoutContext.cpp:172)
==137== by 0x138F42D9: WebCore::Document::updateLayout() (Document.cpp:2270)
==137== by 0x138F4387: WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (Document.cpp:2284)
==137== by 0x13BC5578: WebCore::FrameSelection::updateSelectionAppearanceNow() (FrameSelection.cpp:477)
==137== by 0x13BCEEBB: WebCore::FrameSelection::setCaretVisibility(WebCore::CaretBase::CaretVisibility, WebCore::FrameSelection::ShouldUpdateAppearance) (FrameSelection.cpp:2271)
==137== by 0x13BCE477: WebCore::FrameSelection::focusedOrActiveStateChanged() (FrameSelection.cpp:2144)
==137== by 0x13BCE5FA: WebCore::FrameSelection::setFocused(bool) (FrameSelection.cpp:2168)
==137== by 0x144D7BD1: WebCore::FocusController::setFocusedFrame(WebCore::Frame*) (FocusController.cpp:377)
==137== by 0x144D7E39: WebCore::FocusController::setFocusedInternal(bool) (FocusController.cpp:411)
==137== by 0x144D9F28: WebCore::FocusController::setActivityState(WTF::OptionSet<WebCore::ActivityState::Flag>) (FocusController.cpp:912)
==137== by 0x145648D8: WebCore::Page::setActivityState(WTF::OptionSet<WebCore::ActivityState::Flag>) (Page.cpp:2461)
==137== by 0xEF7D3C3: WebKit::WebPage::WebPage(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&) (WebPage.cpp:786)
==137== by 0xEF7B307: WebKit::WebPage::create(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&) (WebPage.cpp:461)
==137== by 0xECA85C2: WebKit::WebProcess::createWebPage(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&) (WebProcess.cpp:837)
==137== by 0xDEB4991: void IPC::callMemberFunctionImpl<WebKit::WebProcess, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters>, 0ul, 1ul>(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters>&&, std::integer_sequence<unsigned long, 0ul, 1ul>) (HandleMessage.h:131)
==137== by 0xDEB1B6F: void IPC::callMemberFunction<WebKit::WebProcess, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters>, std::integer_sequence<unsigned long, 0ul, 1ul> >(std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters>&&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&)) (HandleMessage.h:137)
==137== by 0xDEACC26: void IPC::handleMessage<Messages::WebProcess::CreateWebPage, WebKit::WebProcess, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&)) (HandleMessage.h:259)
==137== by 0xDEAA311: WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&) (WebProcessMessageReceiver.cpp:280)
==137== by 0xECA8AA3: WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebProcess.cpp:916)
==137== by 0xE58AFE3: IPC::Connection::dispatchMessage(IPC::Decoder&) (Connection.cpp:1108)
==137== by 0xE58B27A: IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (Connection.cpp:1153)
==137== by 0xE58B821: IPC::Connection::dispatchOneIncomingMessage() (Connection.cpp:1222)
==137== by 0xE58ACF3: IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}::operator()() (Connection.cpp:1072)
==137== by 0xE591DD7: WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}, void>::call() (Function.h:53)
==137== by 0xD9D5E94: WTF::Function<void ()>::operator()() const (Function.h:82)
==137== by 0x10FD4BEE: WTF::RunLoop::performWork() (RunLoop.cpp:133)
==137== by 0x110803FD: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::operator()(void*) const (RunLoopGLib.cpp:80)
==137== by 0x11080421: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (RunLoopGLib.cpp:82)
==137== by 0x11080390: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const (RunLoopGLib.cpp:53)
==137== by 0x110803DE: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (RunLoopGLib.cpp:56)
==137== by 0x15FB4293: g_main_dispatch (gmain.c:3381)
==137== by 0x15FB4293: g_main_context_dispatch (gmain.c:4099)
==137== by 0x15FB4637: g_main_context_iterate.constprop.0 (gmain.c:4175)
==137== by 0x15FB4942: g_main_loop_run (gmain.c:4373)
==137== by 0x11080A49: WTF::RunLoop::run() (RunLoopGLib.cpp:108)
==137== by 0xF022010: WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (AuxiliaryProcessMain.h:70)
==137== by 0xF01F6C2: int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWPE>(int, char**) (AuxiliaryProcessMain.h:96)
==137== by 0xF01BC1A: WebKit::WebProcessMain(int, char**) (WebProcessMainWPE.cpp:75)
==137== by 0x109918: main (WebProcessMain.cpp:31)
==137==
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Yusuke Suzuki
ScrollSnapOffsetsInfo in ScrollingStateScrollingNode can be uninitialized.
While setSnapOffsetsInfo only overrides the field if it isn't equal, anyway, making ScrollSnapOffsetsInfo initialized with default value (ScrollSnapStrictness strictness field) is good.
Radar WebKit Bug Importer
<rdar://problem/97078735>
James Hilliard
Pull request: https://github.com/WebKit/WebKit/pull/2495
EWS
Committed 254027@main (5306cdbb0420): <https://commits.webkit.org/254027@main>
Reviewed commits have been landed. Closing PR #2495 and removing active labels.