Bug 25123
| Summary: | Uninitialized memory read in ScrollView | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Brett Wilson (Google) <brettw> |
| Component: | Layout and Rendering | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | hyatt, pam |
| Priority: | P1 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | All | ||
| OS: | All | ||
Brett Wilson (Google)
This change
http://trac.webkit.org/changeset?new=0
introduced a call to minimumContentsSize in ScrollView::updateScrollbars. For some code paths, this value is uninitialized. My guess this is during the first layout.
Stack from Purify on Windows:
Uninitialized memory read in WebCore::RenderView::docHeight(void)const
Error Location
third_party/webkit/webcore/rendering/renderview.h:59 WebCore::RenderView::docHeight(void)const
third_party/webkit/webcore/page/frameview.cpp:1456 WebCore::FrameView::minimumContentsSize(void)const
third_party/webkit/webcore/platform/scrollview.cpp:342 WebCore::ScrollView::updateScrollbars(IntSize::WebCore const&)
third_party/webkit/webcore/platform/scrollview.cpp:642 WebCore::ScrollView::setFrameRect(IntRect::WebCore const&)
third_party/webkit/webcore/rendering/renderwidget.cpp:250 WebCore::RenderWidget::updateWidgetPosition(void)
third_party/webkit/webcore/rendering/renderview.cpp:530 WebCore::RenderView::updateWidgetPositions(void)
third_party/webkit/webcore/page/frameview.cpp:1097 WebCore::FrameView::performPostLayoutTasks(void)
third_party/webkit/webcore/page/frameview.cpp:624 WebCore::FrameView::layout(bool)
third_party/webkit/webcore/page/frameview.h:209 WebCore::FrameView::visibleContentsResized(void)
third_party/webkit/webcore/platform/scrollview.cpp:340 WebCore::ScrollView::updateScrollbars(IntSize::WebCore const&)
third_party/webkit/webcore/platform/scrollview.cpp:225 WebCore::ScrollView::setContentsSize(IntSize::WebCore const&)
third_party/webkit/webcore/page/frameview.cpp:338 WebCore::FrameView::setContentsSize(IntSize::WebCore const&)
third_party/webkit/webcore/page/frameview.cpp:353 WebCore::FrameView::adjustViewSize(void)
third_party/webkit/webcore/page/frameview.cpp:593 WebCore::FrameView::layout(bool)
third_party/webkit/webcore/page/frameview.cpp:866 WebCore::FrameView::layoutTimerFired(Timer::WebCore *)
third_party/webkit/webcore/platform/timer.h:93 WebCore::Timer::fired(void)
third_party/webkit/webcore/platform/threadtimers.cpp:111 WebCore::ThreadTimers::fireTimers(double,Vector::WTF const&)
third_party/webkit/webcore/platform/threadtimers.cpp:141 WebCore::ThreadTimers::sharedTimerFiredInternal(void)
third_party/webkit/webcore/platform/threadtimers.cpp:122 WebCore::ThreadTimers::sharedTimerFired(void)
Stack from Valgrind on Linux:
WebCore::ScrollView::setFrameRect(WebCore::IntRect const&) (third_party/WebKit/WebCore/platform/ScrollView.cpp:642)
WebCore::RenderWidget::updateWidgetPosition() (third_party/WebKit/WebCore/rendering/RenderWidget.cpp:250)
WebCore::RenderView::updateWidgetPositions() (third_party/WebKit/WebCore/rendering/RenderView.cpp:530)
WebCore::FrameView::performPostLayoutTasks() (third_party/WebKit/WebCore/page/FrameView.cpp:1097)
WebCore::FrameView::layout(bool) (third_party/WebKit/WebCore/page/FrameView.cpp:624)
WebCore::FrameView::visibleContentsResized() (third_party/WebKit/WebCore/page/FrameView.h:209)
WebCore::ScrollView::updateScrollbars(WebCore::IntSize const&) (third_party/WebKit/WebCore/platform/ScrollView.cpp:340)
WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) (third_party/WebKit/WebCore/platform/ScrollView.cpp:225)
WebCore::FrameView::setContentsSize(WebCore::IntSize const&) (third_party/WebKit/WebCore/page/FrameView.cpp:338)
WebCore::FrameView::adjustViewSize() (third_party/WebKit/WebCore/page/FrameView.cpp:353)
WebCore::FrameView::layout(bool) (third_party/WebKit/WebCore/page/FrameView.cpp:593)
WebCore::Document::implicitClose() (third_party/WebKit/WebCore/dom/Document.cpp:1628)
WebCore::FrameLoader::checkCallImplicitClose() (third_party/WebKit/WebCore/loader/FrameLoader.cpp:1321)
WebCore::FrameLoader::checkCompleted() (third_party/WebKit/WebCore/loader/FrameLoader.cpp:1274)
WebCore::FrameLoader::finishedParsing() (third_party/WebKit/WebCore/loader/FrameLoader.cpp:1231)
WebCore::Document::finishedParsing() (third_party/WebKit/WebCore/dom/Document.cpp:3885)
WebCore::HTMLParser::finished() (third_party/WebKit/WebCore/html/HTMLParser.cpp:1580)
WebCore::HTMLTokenizer::end() (third_party/WebKit/WebCore/html/HTMLTokenizer.cpp:1815)
WebCore::HTMLTokenizer::finish() (third_party/WebKit/WebCore/html/HTMLTokenizer.cpp:1855)
WebCore::Document::finishParsing() (third_party/WebKit/WebCore/dom/Document.cpp:1739)
WebCore::FrameLoader::endIfNotLoadingMainResource() (third_party/WebKit/WebCore/loader/FrameLoader.cpp:1082)
WebCore::FrameLoader::end() (third_party/WebKit/WebCore/loader/FrameLoader.cpp:1067)
WebCore::DocumentLoader::finishedLoading() (third_party/WebKit/WebCore/loader/DocumentLoader.cpp:349)
WebCore::FrameLoader::finishedLoading() (third_party/WebKit/WebCore/loader/FrameLoader.cpp:3089)
WebCore::MainResourceLoader::didFinishLoading() (third_party/WebKit/WebCore/loader/MainResourceLoader.cpp:369)
WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction, WebCore::ResourceResponse const&) (third_party/WebKit/WebCore/loader/MainResourceLoader.cpp:262)
WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction) (third_party/WebKit/WebCore/loader/MainResourceLoader.cpp:278)
WebCore::MainResourceLoader::callContinueAfterContentPolicy(void*, WebCore::PolicyAction) (third_party/WebKit/WebCore/loader/MainResourceLoader.cpp:270)
WebCore::FrameLoader::checkContentPolicy(WebCore::String const&, void (*)(void*, WebCore::PolicyAction), void*) (third_party/WebKit/WebCore/loader/FrameLoader.cpp:2462)
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Brett Wilson (Google)
Hyatt said this was fixed in
http://trac.webkit.org/changeset/42334 and
http://trac.webkit.org/changeset/42336