We analyzed WebKit (r35407, qt-linux) with Valgrind and found that there is an execution path in RenderText.cpp that use unitilazed variables. If the "(!len || (stripFrontSpaces && m_text->containsOnlyWhitespace()))" condition is true in RenderText::trimmedPrefWidths the function returns without initalizing beginWS and endWS (thes are the names of the formal parameters and the variables that are given to the function too). After calling trimmedPrefWiths in RenderBlock::calcInlinePrefWidths these variables are used to determine a condition in line 3866. Declaration and use of the potentially uninitalized variables: Webkit/WebCore/rendering/RenderBlock.cpp - lines: 3856-3871 ------------------------- bool hasBreakableChar, hasBreak; int beginMin, endMin; bool beginWS, endWS; int beginMax, endMax; t->trimmedPrefWidths(inlineMax, beginMin, beginWS, endMin, endWS, hasBreakableChar, hasBreak, beginMax, endMax, childMin, childMax, stripFrontSpaces); // This text object will not be rendered, but it may still provide a breaking opportunity. if (!hasBreak && childMax == 0) { if (autoWrap && (beginWS || endWS)) { m_minPrefWidth = max(inlineMin, m_minPrefWidth); inlineMin = 0; } continue; } ------------- The called function: Webkit/WebCore/rendering/RenderText.cpp - lines: 399-423 ------------- void RenderText::trimmedPrefWidths(int leadWidth, int& beginMinW, bool& beginWS, int& endMinW, bool& endWS, bool& hasBreakableChar, bool& hasBreak, int& beginMaxW, int& endMaxW, int& minW, int& maxW, bool& stripFrontSpaces) { bool collapseWhiteSpace = style()->collapseWhiteSpace(); if (!collapseWhiteSpace) stripFrontSpaces = false; if (m_hasTab || prefWidthsDirty()) calcPrefWidths(leadWidth); int len = textLength(); if (!len || (stripFrontSpaces && m_text->containsOnlyWhitespace())) { beginMinW = 0; endMinW = 0; beginMaxW = 0; endMaxW = 0; minW = 0; maxW = 0; hasBreak = false; return; } ----------------
*** This bug has been marked as a duplicate of 13864 ***