Bug 204107 (status: NEW)
valgrind: Source and destination overlap in memcpy_chk()
https://bugs.webkit.org/show_bug.cgi?id=204107
Milan Crha, reported 2019-11-12 01:24:35 PST
I just noticed this when running the WebKitWebProcess of the 2.26.2 release under valgrind. It showed up when starting evolution.

==9353== Thread 1:
==9353== Source and destination overlap in memcpy_chk(0x1ffeffc117, 0x1ffeffc116, 8)
==9353==    at 0x4840960: __memcpy_chk (vg_replace_strmem.c:1595)
==9353==    by 0x5E18C00: UnknownInlinedFun (string_fortified.h:40)
==9353==    by 0x5E18C00: cssValueKeywordID<char16_t> (CSSPropertyParser.cpp:190)
==9353==    by 0x5E18C00: WebCore::cssValueKeywordID(WTF::StringView) (CSSPropertyParser.cpp:208)
==9353==    by 0x5E18D21: WebCore::CSSParserToken::id() const [clone .part.0] (CSSParserToken.cpp:310)
==9353==    by 0x5E3B6AB: WebCore::CSSPropertyParser::consumeCSSWideKeyword(WebCore::CSSPropertyID, bool) (CSSPropertyParser.cpp:352)
==9353==    by 0x5E471C9: WebCore::CSSPropertyParser::parseValueStart(WebCore::CSSPropertyID, bool) (CSSPropertyParser.cpp:317)
==9353==    by 0x5E4748F: WebCore::CSSPropertyParser::parseValue(WebCore::CSSPropertyID, bool, WebCore::CSSParserTokenRange const&, WebCore::CSSParserContext const&, WTF::Vector<WebCore::CSSProperty, 256ul, WTF::CrashOnOverflow, 16ul>&, WebCore::StyleRuleBase::Type) (CSSPropertyParser.cpp:277)
==9353==    by 0x5E0B390: WebCore::CSSParserImpl::consumeDeclarationValue(WebCore::CSSParserTokenRange, WebCore::CSSPropertyID, bool, WebCore::StyleRuleBase::Type) (CSSParserImpl.cpp:850)
==9353==    by 0x5E0F5E6: WebCore::CSSParserImpl::consumeDeclaration(WebCore::CSSParserTokenRange, WebCore::StyleRuleBase::Type) (CSSParserImpl.cpp:833)
==9353==    by 0x5E0FAA1: WebCore::CSSParserImpl::consumeDeclarationList(WebCore::CSSParserTokenRange, WebCore::StyleRuleBase::Type) (CSSParserImpl.cpp:771)
==9353==    by 0x5E12141: WebCore::CSSParserImpl::consumeStyleRule(WebCore::CSSParserTokenRange, WebCore::CSSParserTokenRange) (CSSParserImpl.cpp:742)
==9353==    by 0x5E124B6: WebCore::CSSParserImpl::consumeQualifiedRule(WebCore::CSSParserTokenRange&, WebCore::CSSParserImpl::AllowedRulesType) (CSSParserImpl.cpp:471)
==9353==    by 0x5E141CE: consumeRuleList<WebCore::CSSParserImpl::parseStyleSheet(const WTF::String&, const WebCore::CSSParserContext&, WebCore::StyleSheetContents*, WebCore::CSSParser::RuleParsing)::<lambda(WTF::RefPtr<WebCore::StyleRuleBase>)> > (CSSParserImpl.cpp:385)
==9353==    by 0x5E141CE: WebCore::CSSParserImpl::parseStyleSheet(WTF::String const&, WebCore::CSSParserContext const&, WebCore::StyleSheetContents*, WebCore::CSSParser::RuleParsing) (CSSParserImpl.cpp:247)
==9353==    by 0x5DFE79E: WebCore::StyleSheetContents::parseString(WTF::String const&) (StyleSheetContents.cpp:347)
==9353==    by 0x5D489B7: WebCore::parseUASheet(WTF::String const&) (CSSDefaultStyleSheets.cpp:114)
==9353==    by 0x5D4D2F1: WebCore::CSSDefaultStyleSheets::loadFullDefaultStyle() (CSSDefaultStyleSheets.cpp:179)
==9353==    by 0x5D4D825: WebCore::CSSDefaultStyleSheets::ensureDefaultStyleSheetsForElement(WebCore::Element const&) (CSSDefaultStyleSheets.cpp:207)
==9353==    by 0x5DF5190: WebCore::StyleResolver::styleForElement(WebCore::Element const&, WebCore::RenderStyle const*, WebCore::RenderStyle const*, WebCore::RuleMatchingBehavior, WebCore::SelectorFilter const*) (StyleResolver.cpp:373)
==9353==    by 0x5EAD978: WebCore::Document::styleForElementIgnoringPendingStylesheets(WebCore::Element&, WebCore::RenderStyle const*, WebCore::PseudoId) (Document.cpp:2120)
==9353==    by 0x5EE7B03: WebCore::Element::resolveComputedStyle() (Element.cpp:3160)
==9353==    by 0x5EE7E87: computedStyle (Element.cpp:3199)
==9353==    by 0x5EE7E87: WebCore::Element::computedStyle(WebCore::PseudoId) (Element.cpp:3189)
==9353==    by 0x6125AEF: WebCore::HTMLTitleElement::computedTextWithDirection() (HTMLTitleElement.cpp:84)
==9353==    by 0x6125C5B: WebCore::HTMLTitleElement::childrenChanged(WebCore::ContainerNode::ChildChange const&) (HTMLTitleElement.cpp:72)
==9353==    by 0x5E7FB13: executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::parserAppendChild(WebCore::Node&)::<lambda()> > (ContainerNode.cpp:204)
==9353==    by 0x5E7FB13: WebCore::ContainerNode::parserAppendChild(WebCore::Node&) (ContainerNode.cpp:746)
==9353==    by 0x61AC2FC: insert (HTMLConstructionSite.cpp:114)
==9353==    by 0x61AC2FC: insert (HTMLConstructionSite.cpp:103)
==9353==    by 0x61AC2FC: executeInsertTask (HTMLConstructionSite.cpp:121)
==9353==    by 0x61AC2FC: executeTask (HTMLConstructionSite.cpp:175)
==9353==    by 0x61AC2FC: WebCore::HTMLConstructionSite::insertTextNode(WTF::String const&, WebCore::WhitespaceMode) (HTMLConstructionSite.cpp:606)
==9353==    by 0x61DDDEF: WebCore::HTMLTreeBuilder::processCharacterBuffer(WebCore::HTMLTreeBuilder::ExternalCharacterTokenBuffer&) (HTMLTreeBuilder.cpp:2421)
==9353==    by 0x61DF50B: WebCore::HTMLTreeBuilder::processCharacter(WebCore::AtomicHTMLToken&&) (HTMLTreeBuilder.cpp:2191)
==9353==    by 0x61DFC54: WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (HTMLTreeBuilder.cpp:350)
==9353==    by 0x61B7190: WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (HTMLDocumentParser.cpp:348)
==9353==    by 0x61B7368: WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (HTMLDocumentParser.cpp:285)
==9353==    by 0x61B769A: WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (HTMLDocumentParser.cpp:303)
==9353==    by 0x61B8436: WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >&&) (HTMLDocumentParser.cpp:417)
==9353==    by 0x5E96198: WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) (DecodedDataDocumentParser.cpp:50)
==9353==    by 0x62C5A96: WebCore::DocumentLoader::commitData(char const*, unsigned long) (DocumentLoader.cpp:1160)
==9353==    by 0x53D5635: WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (WebFrameLoaderClient.cpp:1094)
==9353==    by 0x62C272E: WebCore::DocumentLoader::commitLoad(char const*, int) (DocumentLoader.cpp:1047)
==9353==    by 0x6370304: notifyClientsDataWasReceived (CachedRawResource.cpp:136)
==9353==    by 0x6370304: WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (CachedRawResource.cpp:128)
==9353==    by 0x6370675: updateBuffer (CachedRawResource.cpp:73)
==9353==    by 0x6370675: WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) (CachedRawResource.cpp:57)
==9353==    by 0x633B427: WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::DumbPtrTraits<WebCore::SharedBuffer> >&&, long long, WebCore::DataPayloadType) (SubresourceLoader.cpp:481)
==9353==    by 0x633B596: WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (SubresourceLoader.cpp:449)
==9353==    by 0x4F40B68: callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(const IPC::DataReference&, long int), std::tuple<IPC::DataReference, long int>, 0, 1> (HandleMessage.h:41)
==9353==    by 0x4F40B68: callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(const IPC::DataReference&, long int), std::tuple<IPC::DataReference, long int> > (HandleMessage.h:47)
==9353==    by 0x4F40B68: void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long)) (HandleMessage.h:120)
==9353==    by 0x503E3F3: IPC::Connection::dispatchMessage(IPC::Decoder&) (Connection.cpp:939)
==9353==    by 0x503F66C: IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (Connection.cpp:991)
==9353==    by 0x504073E: IPC::Connection::dispatchOneIncomingMessage() (Connection.cpp:1060)
==9353==    by 0xA01DD24: WTF::RunLoop::performWork() (in /usr/lib64/libjavascriptcoregtk-4.0.so.18.14.7)
==9353==    by 0xA06A88C: ??? (in /usr/lib64/libjavascriptcoregtk-4.0.so.18.14.7)
==9353==    by 0x89AB49F: g_main_dispatch (gmain.c:3179)
==9353==    by 0x89AB49F: g_main_context_dispatch (gmain.c:3844)
==9353==    by 0x89AB82F: g_main_context_iterate.isra.0 (gmain.c:3917)
==9353==    by 0x89ABB22: g_main_loop_run (gmain.c:4111)
==9353==    by 0xA06B2FF: WTF::RunLoop::run() (in /usr/lib64/libjavascriptcoregtk-4.0.so.18.14.7)
==9353==    by 0x543DD29: int WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (AuxiliaryProcessMain.h:66)
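The report shows memcpy_chk called with a destination one byte past its source (0x1ffeffc117 versus 0x1ffeffc116, length 8), i.e. a small buffer shifted right by one through an overlapping memcpy. The following is an added illustration, not code from WebKit or from the reporter: the overlap predicate valgrind is effectively checking, and why an overlapping ascending copy corrupts data where memmove does not. The "inherit" sample buffer is a constructed stand-in chosen to match the 8-byte length; the report only shows that the parse path was consumeCSSWideKeyword, not the actual bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Overlap predicate: true when [dst, dst+n) and [src, src+n) share any byte.
 * This is the condition valgrind's memcpy wrapper checks before reporting
 * "Source and destination overlap". For the reported call, dst = src + 1
 * and n = 8, so the two ranges share 7 bytes. */
bool ranges_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    return n != 0 && d < s + n && s < d + n;
}

/* Plain ascending byte copy: one strategy a memcpy implementation may
 * legitimately use, because its contract forbids overlap. With
 * dst == src + 1 every write clobbers the next byte that will be read. */
static void ascending_byte_copy(char *dst, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Shift the first n bytes of buf one position to the right, the unsafe way. */
void shift_right_unsafe(char *buf, size_t n)
{
    ascending_byte_copy(buf + 1, buf, n);   /* overlapping copy: data loss */
}

/* Same shift done correctly: memmove is specified to handle overlap. */
void shift_right_safe(char *buf, size_t n)
{
    memmove(buf + 1, buf, n);
}

int main(void)
{
    /* Constructed sample buffer: a 7-character keyword plus its NUL, which
     * gives the 8-byte length seen in the report. */
    char safe[16] = "inherit";
    char unsafe[16] = "inherit";
    printf("overlap detected by predicate: %d\n", ranges_overlap(safe + 1, safe, 8));
    shift_right_safe(safe, 8);
    shift_right_unsafe(unsafe, 8);
    printf("memmove result:        \"%s\"\n", safe + 1);    /* "inherit" */
    printf("overlapping copy gave: \"%s\"\n", unsafe + 1);  /* "iiiiiiii" */
    return 0;
}
```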