Bug 74065

Summary: [Chromium] Set empty string makes WebCString::length() returns -1
Product: WebKit
Reporter: yosin
Component: WebKit API
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: fishd, jamesr, kbr
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

yosin
Reported 2011-12-08 01:32:17 PST
WebCString::assign is called with data of "" (including the NUL) and length = 0. This happened on a Windows/Debug build with WebPreferences::user_style_sheet_location being an empty string.

    if (user_style_sheet_enabled)
        settings->setUserStyleSheetLocation(user_style_sheet_location);
    else
        settings->setUserStyleSheetLocation(WebURL());

Call stack:

 chrome.dll!WebKit::WebCString::assign(const char * data, unsigned int length) Line 70 + 0x1c bytes
>chrome.dll!WebKit::WebCString::WebCString(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & s) Line 103
 chrome.dll!WebKit::WebURL::WebURL(const GURL & g) Line 118 + 0x21 bytes
 chrome.dll!WebPreferences::Apply(WebKit::WebView * web_view) Line 195 + 0x15 bytes
 chrome.dll!RenderViewImpl::RenderViewImpl(int parent_hwnd, int opener_id, const content::RendererPreferences & renderer_prefs, const WebPreferences & webkit_prefs, base::RefCountedData<int> * counter, int routing_id, __int64 session_storage_namespace_id, const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > & frame_name) Line 406
 chrome.dll!RenderViewImpl::Create(int parent_hwnd, int opener_id, const content::RendererPreferences & renderer_prefs, const WebPreferences & webkit_prefs, base::RefCountedData<int> * counter, int routing_id, __int64 session_storage_namespace_id, const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > & frame_name) Line 518 + 0x4d bytes
 chrome.dll!RenderThreadImpl::OnCreateNewView(const ViewMsg_New_Params & params) Line 772 + 0x76 bytes
 chrome.dll!DispatchToMethod<RenderThreadImpl,void (__thiscall RenderThreadImpl::*)(ViewMsg_New_Params const &),ViewMsg_New_Params>(RenderThreadImpl * obj, void (const ViewMsg_New_Params &)* method, const Tuple1<ViewMsg_New_Params> & arg) Line 547 + 0xf bytes
 chrome.dll!ViewMsg_New::Dispatch<RenderThreadImpl,RenderThreadImpl,void (__thiscall RenderThreadImpl::*)(ViewMsg_New_Params const &)>(const IPC::Message * msg, RenderThreadImpl * obj, RenderThreadImpl * sender, void (const ViewMsg_New_Params &)* func) Line 687 + 0x63 bytes
 chrome.dll!RenderThreadImpl::OnControlMessageReceived(const IPC::Message & msg) Line 722 + 0x62 bytes
 chrome.dll!ChildThread::OnMessageReceived(const IPC::Message & msg) Line 201 + 0x13 bytes
 chrome.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message) Line 257 + 0x19 bytes
 chrome.dll!base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>::Run(IPC::ChannelProxy::Context * object, const IPC::Message & a1) Line 189 + 0x18 bytes
 chrome.dll!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context * const &,IPC::Message const &)>::MakeItSo(base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)> runnable, IPC::ChannelProxy::Context * const & a1, const IPC::Message & a2) Line 877
 chrome.dll!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &),void __cdecl(IPC::ChannelProxy::Context *,IPC::Message)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &)>::Run(base::internal::BindStateBase * base) Line 1214 + 0x18 bytes
 chrome.dll!base::Callback<void __cdecl(void)>::Run() Line 274 + 0xe bytes
 chrome.dll!MessageLoop::RunTask(const base::PendingTask & pending_task) Line 502
 chrome.dll!MessageLoop::DeferOrRunPendingTask(const base::PendingTask & pending_task) Line 515
 chrome.dll!MessageLoop::DoWork() Line 702 + 0xc bytes
 chrome.dll!base::MessagePumpForUI::DoRunLoop() Line 203 + 0x1d bytes
 chrome.dll!base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate * delegate, base::MessagePumpWin::Dispatcher * dispatcher) Line 51 + 0xf bytes
 chrome.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate) Line 64 + 0x1c bytes
 chrome.dll!MessageLoop::RunInternal() Line 459 + 0x2a bytes
 chrome.dll!MessageLoop::RunHandler() Line 433
 chrome.dll!MessageLoop::Run() Line 343
 chrome.dll!base::Thread::Run(MessageLoop * message_loop) Line 127
 chrome.dll!base::Thread::ThreadMain() Line 161 + 0x16 bytes
 chrome.dll!base::`anonymous namespace'::ThreadFunc(void * params) Line 58 + 0xf bytes
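The empty-string edge case in this report, as an added example that is not WebKit's WebCString or Chromium's WebPreferences::Apply code. The wrapper below (CheckedCString, lengthIsPlausible, userStyleSheetLocation and asDebuggerInt are all hypothetical names chosen for the example) makes assign("", 0), assign(nullptr, 0) and the "no user style sheet" branch all report length() == 0, and carries the invariant check a debug build would use to tell a genuine length of -1 (which an unsigned length cannot produce) from an object that has been overwritten.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Invariants a well-formed (buffer, length) pair must satisfy. A valid length
// can never be SIZE_MAX: that is the all-ones pattern a debugger shows as -1
// when it views an unsigned length as a signed int. The buffer must hold
// exactly length + 1 bytes and end in NUL.
bool lengthIsPlausible(const char* buffer, size_t bufferSize, size_t length) {
    if (!buffer)
        return bufferSize == 0 && length == 0;
    return length != SIZE_MAX
        && bufferSize == length + 1
        && buffer[length] == '\0';
}

// Minimal stand-in for a WebCString-like value type (hypothetical; not
// WebKit's class). It owns a NUL-terminated buffer plus an explicit length so
// that assign("", 0), assign(nullptr, 0) and a default-constructed object all
// report length() == 0.
class CheckedCString {
public:
    CheckedCString() = default;
    explicit CheckedCString(const std::string& s) { assign(s.data(), s.size()); }

    // Copies `length` bytes from `data` and appends a terminating NUL.
    // A null `data` is treated as the empty string instead of being read.
    void assign(const char* data, size_t length) {
        if (!data)
            length = 0;
        m_buffer.assign(length + 1, '\0');
        if (length)
            std::memcpy(m_buffer.data(), data, length);
        m_length = length;
    }

    // Length excluding the terminator; 0 for an empty or unassigned string.
    size_t length() const { return m_length; }
    const char* data() const { return m_buffer.empty() ? "" : m_buffer.data(); }
    bool isEmpty() const { return m_length == 0; }

    // Debug-build style self-check; false means the object has been overwritten.
    bool isValid() const {
        return lengthIsPlausible(m_buffer.empty() ? nullptr : m_buffer.data(),
                                 m_buffer.size(), m_length);
    }

private:
    std::vector<char> m_buffer;
    size_t m_length = 0;
};

// Mirrors the branch quoted in the report (hypothetical helper, not
// WebPreferences::Apply): a disabled or empty user style sheet location must
// round-trip as an empty string of length 0, never as a sentinel value.
CheckedCString userStyleSheetLocation(bool enabled, const std::string& location) {
    if (enabled)
        return CheckedCString(location);
    return CheckedCString();  // stands in for WebURL()
}

// Reproduces what the reporter saw in the debugger: an unsigned length of
// SIZE_MAX reads as -1 once it is viewed as a signed int.
int asDebuggerInt(size_t length) {
    return static_cast<int>(length);
}

int main() {
    CheckedCString s = userStyleSheetLocation(true, "");
    return (s.length() == 0 && s.isValid()) ? 0 : 1;
}
```

If length() really did read as -1 here, isValid() on the same object would fail, which is the quickest way to separate a logic bug in assign from the memory corruption suspected later in this thread.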
Darin Fisher (:fishd, Google)
Comment 1 2011-12-08 16:27:41 PST
Looking at the implementation, it is not clear how WebCString::length() manages to return -1. Can you provide steps to reproduce this?
yosin
Comment 2 2011-12-11 22:29:45 PST
It seems this is caused by memory corruption or a broken profile. I ran a debug build of chrome with --single-process. My debugging operations might have broken the profile.