Bug 300393

Summary: HTMLMediaElement: Fix two uninitialized member variables
Product: WebKit Reporter: Nikolas Zimmermann <zimmermann>
Component: MediaAssignee: Nikolas Zimmermann <zimmermann>
Status: RESOLVED FIXED    
Severity: Normal CC: webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Nikolas Zimmermann
Reported 2025-10-08 10:09:27 PDT
m_buffering / m_stalled aren't properly initialized, and valgrind warns about that.
Attachments
Add attachment proposed patch, testcase, etc.
Nikolas Zimmermann
Comment 1 2025-10-08 10:11:30 PDT
Pull request: https://github.com/WebKit/WebKit/pull/52014
Nikolas Zimmermann
Comment 2 2025-10-08 12:22:47 PDT
For the m_buffering case: ==348379== Conditional jump or move depends on uninitialised value(s) ==348379== at 0x14D8B5E0: WebCore::HTMLMediaElement::updateBufferingState() (Source/WebCore/html/HTMLMediaElement.cpp:4776) ==348379== by 0x14D8B0F1: WebCore::HTMLMediaElement::setNetworkState(WebCore::MediaPlayerNetworkState) (Source/WebCore/html/HTMLMediaElement.cpp:3088) ==348379== by 0x14D8A99C: WebCore::HTMLMediaElement::mediaPlayerNetworkStateChanged() (Source/WebCore/html/HTMLMediaElement.cpp:2938) ==348379== by 0x15E4350A: WebCore::MediaPlayer::networkStateChanged() (Source/WebCore/platform/graphics/MediaPlayer.cpp:1466) ==348379== by 0x160836A9: WebCore::MediaPlayerPrivateGStreamer::load(WTF::String const&) (Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:387) ==348379== by 0x1611F292: WebCore::MediaPlayerPrivateGStreamerMSE::load(WTF::URL const&, WebCore::MediaPlayerLoadOptions const&, WebCore::MediaSourcePrivateClient&) (Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp:144) ==348379== by 0x15E3FE5A: WebCore::MediaPlayer::loadWithNextMediaEngine(WebCore::MediaPlayerFactory const*) (Source/WebCore/platform/graphics/MediaPlayer.cpp:668) ==348379== by 0x15E4012F: WebCore::MediaPlayer::load(WTF::URL const&, WebCore::MediaPlayerLoadOptions const&, WebCore::MediaSourcePrivateClient&) (Source/WebCore/platform/graphics/MediaPlayer.cpp:547) ==348379== by 0x14D8370C: WebCore::HTMLMediaElement::loadResource(WTF::URL const&, WebCore::ContentType const&)::$_0::operator()(std::experimental::fundamentals_v3::expected<WebCore::ContentType, WebCore::PlatformMediaError>&&) const (Source/WebCore/html/HTMLMediaElement.cpp:1979) ==348379== by 0x14D81E1F: WebCore::HTMLMediaElement::loadResource(WTF::URL const&, WebCore::ContentType const&) (Source/WebCore/html/HTMLMediaElement.cpp:2026) ==348379== by 0x14DD3744: auto WebCore::HTMLMediaElement::selectMediaResource()::$_0::operator()<WebCore::HTMLMediaElement>(WebCore::HTMLMediaElement&) const (Source/WebCore/html/HTMLMediaElement.cpp:1769) ==348379== by 0x14DD28C8: WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#1}::operator()() (ActiveDOMObject.h:123) ==348379== by 0x14DD2898: WTF::Detail::CallableWrapper<WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#1}, void>::call() (Function.h:53) ==348379== by 0xD5D1586: WTF::Function<void ()>::operator()() const (Function.h:82) ==348379== by 0x1359DF50: WTF::CancellableTask::operator()() (CancellableTask.h:100) ==348379== by 0x14DD5F08: WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#2}::operator()() (ActiveDOMObject.h:128) ==348379== by 0x14DD5EE8: WTF::Detail::CallableWrapper<WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#2}, void>::call() (Function.h:53) ==348379== by 0xD5D1586: WTF::Function<void ()>::operator()() const (Function.h:82) ==348379== by 0x148EE868: WebCore::EventLoopFunctionDispatchTask::execute() (Source/WebCore/dom/EventLoop.cpp:518) ==348379== by 0x148E1EC4: WebCore::EventLoop::run(std::optional<WTF::ApproximateTime>) (Source/WebCore/dom/EventLoop.cpp:336) For the m_stalled case: ==348379== Conditional jump or move depends on uninitialised value(s) ==348379== at 0x14D8B71B: WebCore::HTMLMediaElement::updateStalledState() (Source/WebCore/html/HTMLMediaElement.cpp:4801) ==348379== by 0x14D8B0FD: WebCore::HTMLMediaElement::setNetworkState(WebCore::MediaPlayerNetworkState) (Source/WebCore/html/HTMLMediaElement.cpp:3089) ==348379== by 0x14D8A99C: WebCore::HTMLMediaElement::mediaPlayerNetworkStateChanged() (Source/WebCore/html/HTMLMediaElement.cpp:2938) ==348379== by 0x15E4350A: WebCore::MediaPlayer::networkStateChanged() (Source/WebCore/platform/graphics/MediaPlayer.cpp:1466) ==348379== by 0x160836A9: WebCore::MediaPlayerPrivateGStreamer::load(WTF::String const&) (Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:387) ==348379== by 0x1611F292: WebCore::MediaPlayerPrivateGStreamerMSE::load(WTF::URL const&, WebCore::MediaPlayerLoadOptions const&, WebCore::MediaSourcePrivateClient&) (Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp:144) ==348379== by 0x15E3FE5A: WebCore::MediaPlayer::loadWithNextMediaEngine(WebCore::MediaPlayerFactory const*) (Source/WebCore/platform/graphics/MediaPlayer.cpp:668) ==348379== by 0x15E4012F: WebCore::MediaPlayer::load(WTF::URL const&, WebCore::MediaPlayerLoadOptions const&, WebCore::MediaSourcePrivateClient&) (Source/WebCore/platform/graphics/MediaPlayer.cpp:547) ==348379== by 0x14D8370C: WebCore::HTMLMediaElement::loadResource(WTF::URL const&, WebCore::ContentType const&)::$_0::operator()(std::experimental::fundamentals_v3::expected<WebCore::ContentType, WebCore::PlatformMediaError>&&) const (Source/WebCore/html/HTMLMediaElement.cpp:1979) ==348379== by 0x14D81E1F: WebCore::HTMLMediaElement::loadResource(WTF::URL const&, WebCore::ContentType const&) (Source/WebCore/html/HTMLMediaElement.cpp:2026) ==348379== by 0x14DD3744: auto WebCore::HTMLMediaElement::selectMediaResource()::$_0::operator()<WebCore::HTMLMediaElement>(WebCore::HTMLMediaElement&) const (Source/WebCore/html/HTMLMediaElement.cpp:1769) ==348379== by 0x14DD28C8: WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#1}::operator()() (ActiveDOMObject.h:123) ==348379== by 0x14DD2898: WTF::Detail::CallableWrapper<WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#1}, void>::call() (Function.h:53) ==348379== by 0xD5D1586: WTF::Function<void ()>::operator()() const (Function.h:82) ==348379== by 0x1359DF50: WTF::CancellableTask::operator()() (CancellableTask.h:100) ==348379== by 0x14DD5F08: WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#2}::operator()() (ActiveDOMObject.h:128) ==348379== by 0x14DD5EE8: WTF::Detail::CallableWrapper<WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#2}, void>::call() (Function.h:53) ==348379== by 0xD5D1586: WTF::Function<void ()>::operator()() const (Function.h:82) ==348379== by 0x148EE868: WebCore::EventLoopFunctionDispatchTask::execute() (Source/WebCore/dom/EventLoop.cpp:518) ==348379== by 0x148E1EC4: WebCore::EventLoop::run(std::optional<WTF::ApproximateTime>) (Source/WebCore/dom/EventLoop.cpp:336)
Nikolas Zimmermann
Comment 3 2025-10-08 12:22:47 PDT
For the m_buffering case: ==348379== Conditional jump or move depends on uninitialised value(s) ==348379== at 0x14D8B5E0: WebCore::HTMLMediaElement::updateBufferingState() (Source/WebCore/html/HTMLMediaElement.cpp:4776) ==348379== by 0x14D8B0F1: WebCore::HTMLMediaElement::setNetworkState(WebCore::MediaPlayerNetworkState) (Source/WebCore/html/HTMLMediaElement.cpp:3088) ==348379== by 0x14D8A99C: WebCore::HTMLMediaElement::mediaPlayerNetworkStateChanged() (Source/WebCore/html/HTMLMediaElement.cpp:2938) ==348379== by 0x15E4350A: WebCore::MediaPlayer::networkStateChanged() (Source/WebCore/platform/graphics/MediaPlayer.cpp:1466) ==348379== by 0x160836A9: WebCore::MediaPlayerPrivateGStreamer::load(WTF::String const&) (Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:387) ==348379== by 0x1611F292: WebCore::MediaPlayerPrivateGStreamerMSE::load(WTF::URL const&, WebCore::MediaPlayerLoadOptions const&, WebCore::MediaSourcePrivateClient&) (Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp:144) ==348379== by 0x15E3FE5A: WebCore::MediaPlayer::loadWithNextMediaEngine(WebCore::MediaPlayerFactory const*) (Source/WebCore/platform/graphics/MediaPlayer.cpp:668) ==348379== by 0x15E4012F: WebCore::MediaPlayer::load(WTF::URL const&, WebCore::MediaPlayerLoadOptions const&, WebCore::MediaSourcePrivateClient&) (Source/WebCore/platform/graphics/MediaPlayer.cpp:547) ==348379== by 0x14D8370C: WebCore::HTMLMediaElement::loadResource(WTF::URL const&, WebCore::ContentType const&)::$_0::operator()(std::experimental::fundamentals_v3::expected<WebCore::ContentType, WebCore::PlatformMediaError>&&) const (Source/WebCore/html/HTMLMediaElement.cpp:1979) ==348379== by 0x14D81E1F: WebCore::HTMLMediaElement::loadResource(WTF::URL const&, WebCore::ContentType const&) (Source/WebCore/html/HTMLMediaElement.cpp:2026) ==348379== by 0x14DD3744: auto WebCore::HTMLMediaElement::selectMediaResource()::$_0::operator()<WebCore::HTMLMediaElement>(WebCore::HTMLMediaElement&) const (Source/WebCore/html/HTMLMediaElement.cpp:1769) ==348379== by 0x14DD28C8: WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#1}::operator()() (ActiveDOMObject.h:123) ==348379== by 0x14DD2898: WTF::Detail::CallableWrapper<WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#1}, void>::call() (Function.h:53) ==348379== by 0xD5D1586: WTF::Function<void ()>::operator()() const (Function.h:82) ==348379== by 0x1359DF50: WTF::CancellableTask::operator()() (CancellableTask.h:100) ==348379== by 0x14DD5F08: WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#2}::operator()() (ActiveDOMObject.h:128) ==348379== by 0x14DD5EE8: WTF::Detail::CallableWrapper<WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#2}, void>::call() (Function.h:53) ==348379== by 0xD5D1586: WTF::Function<void ()>::operator()() const (Function.h:82) ==348379== by 0x148EE868: WebCore::EventLoopFunctionDispatchTask::execute() (Source/WebCore/dom/EventLoop.cpp:518) ==348379== by 0x148E1EC4: WebCore::EventLoop::run(std::optional<WTF::ApproximateTime>) (Source/WebCore/dom/EventLoop.cpp:336) For the m_stalled case: ==348379== Conditional jump or move depends on uninitialised value(s) ==348379== at 0x14D8B71B: WebCore::HTMLMediaElement::updateStalledState() (Source/WebCore/html/HTMLMediaElement.cpp:4801) ==348379== by 0x14D8B0FD: WebCore::HTMLMediaElement::setNetworkState(WebCore::MediaPlayerNetworkState) (Source/WebCore/html/HTMLMediaElement.cpp:3089) ==348379== by 0x14D8A99C: WebCore::HTMLMediaElement::mediaPlayerNetworkStateChanged() (Source/WebCore/html/HTMLMediaElement.cpp:2938) ==348379== by 0x15E4350A: WebCore::MediaPlayer::networkStateChanged() (Source/WebCore/platform/graphics/MediaPlayer.cpp:1466) ==348379== by 0x160836A9: WebCore::MediaPlayerPrivateGStreamer::load(WTF::String const&) (Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:387) ==348379== by 0x1611F292: WebCore::MediaPlayerPrivateGStreamerMSE::load(WTF::URL const&, WebCore::MediaPlayerLoadOptions const&, WebCore::MediaSourcePrivateClient&) (Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp:144) ==348379== by 0x15E3FE5A: WebCore::MediaPlayer::loadWithNextMediaEngine(WebCore::MediaPlayerFactory const*) (Source/WebCore/platform/graphics/MediaPlayer.cpp:668) ==348379== by 0x15E4012F: WebCore::MediaPlayer::load(WTF::URL const&, WebCore::MediaPlayerLoadOptions const&, WebCore::MediaSourcePrivateClient&) (Source/WebCore/platform/graphics/MediaPlayer.cpp:547) ==348379== by 0x14D8370C: WebCore::HTMLMediaElement::loadResource(WTF::URL const&, WebCore::ContentType const&)::$_0::operator()(std::experimental::fundamentals_v3::expected<WebCore::ContentType, WebCore::PlatformMediaError>&&) const (Source/WebCore/html/HTMLMediaElement.cpp:1979) ==348379== by 0x14D81E1F: WebCore::HTMLMediaElement::loadResource(WTF::URL const&, WebCore::ContentType const&) (Source/WebCore/html/HTMLMediaElement.cpp:2026) ==348379== by 0x14DD3744: auto WebCore::HTMLMediaElement::selectMediaResource()::$_0::operator()<WebCore::HTMLMediaElement>(WebCore::HTMLMediaElement&) const (Source/WebCore/html/HTMLMediaElement.cpp:1769) ==348379== by 0x14DD28C8: WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#1}::operator()() (ActiveDOMObject.h:123) ==348379== by 0x14DD2898: WTF::Detail::CallableWrapper<WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#1}, void>::call() (Function.h:53) ==348379== by 0xD5D1586: WTF::Function<void ()>::operator()() const (Function.h:82) ==348379== by 0x1359DF50: WTF::CancellableTask::operator()() (CancellableTask.h:100) ==348379== by 0x14DD5F08: WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#2}::operator()() (ActiveDOMObject.h:128) ==348379== by 0x14DD5EE8: WTF::Detail::CallableWrapper<WebCore::ActiveDOMObject::queueCancellableTaskKeepingObjectAlive<WebCore::HTMLMediaElement, WebCore::HTMLMediaElement::selectMediaResource()::$_0>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::TaskCancellationGroup&, WebCore::HTMLMediaElement::selectMediaResource()::$_0&&)::{lambda()#2}, void>::call() (Function.h:53) ==348379== by 0xD5D1586: WTF::Function<void ()>::operator()() const (Function.h:82) ==348379== by 0x148EE868: WebCore::EventLoopFunctionDispatchTask::execute() (Source/WebCore/dom/EventLoop.cpp:518) ==348379== by 0x148E1EC4: WebCore::EventLoop::run(std::optional<WTF::ApproximateTime>) (Source/WebCore/dom/EventLoop.cpp:336)
EWS
Comment 4 2025-10-08 12:47:10 PDT
Committed 301219@main (3c79ffefbb7c): <https://commits.webkit.org/301219@main> Reviewed commits have been landed. Closing PR #52014 and removing active labels.
Radar WebKit Bug Importer
Comment 5 2025-10-08 12:48:15 PDT
<rdar://problem/162222904>
Note You need to log in before you can comment on or make changes to this bug.