WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
25123
Uninitialized memory read in ScrollView
https://bugs.webkit.org/show_bug.cgi?id=25123
Summary
Uninitialized memory read in ScrollView
Brett Wilson (Google)
Reported
2009-04-09 15:08:16 PDT
This change
http://trac.webkit.org/changeset?new=0
introduced a call to minimumContentsSize in ScrollView::updateScrollbars. For some code paths, this value is uninitialized. My guess this is during the first layout. Stack from Purify on Windows: Uninitialized memory read in WebCore::RenderView::docHeight(void)const Error Location third_party/webkit/webcore/rendering/renderview.h:59 WebCore::RenderView::docHeight(void)const third_party/webkit/webcore/page/frameview.cpp:1456 WebCore::FrameView::minimumContentsSize(void)const third_party/webkit/webcore/platform/scrollview.cpp:342 WebCore::ScrollView::updateScrollbars(IntSize::WebCore const&) third_party/webkit/webcore/platform/scrollview.cpp:642 WebCore::ScrollView::setFrameRect(IntRect::WebCore const&) third_party/webkit/webcore/rendering/renderwidget.cpp:250 WebCore::RenderWidget::updateWidgetPosition(void) third_party/webkit/webcore/rendering/renderview.cpp:530 WebCore::RenderView::updateWidgetPositions(void) third_party/webkit/webcore/page/frameview.cpp:1097 WebCore::FrameView::performPostLayoutTasks(void) third_party/webkit/webcore/page/frameview.cpp:624 WebCore::FrameView::layout(bool) third_party/webkit/webcore/page/frameview.h:209 WebCore::FrameView::visibleContentsResized(void) third_party/webkit/webcore/platform/scrollview.cpp:340 WebCore::ScrollView::updateScrollbars(IntSize::WebCore const&) third_party/webkit/webcore/platform/scrollview.cpp:225 WebCore::ScrollView::setContentsSize(IntSize::WebCore const&) third_party/webkit/webcore/page/frameview.cpp:338 WebCore::FrameView::setContentsSize(IntSize::WebCore const&) third_party/webkit/webcore/page/frameview.cpp:353 WebCore::FrameView::adjustViewSize(void) third_party/webkit/webcore/page/frameview.cpp:593 WebCore::FrameView::layout(bool) third_party/webkit/webcore/page/frameview.cpp:866 WebCore::FrameView::layoutTimerFired(Timer::WebCore *) third_party/webkit/webcore/platform/timer.h:93 WebCore::Timer::fired(void) third_party/webkit/webcore/platform/threadtimers.cpp:111 WebCore::ThreadTimers::fireTimers(double,Vector::WTF const&) third_party/webkit/webcore/platform/threadtimers.cpp:141 WebCore::ThreadTimers::sharedTimerFiredInternal(void) third_party/webkit/webcore/platform/threadtimers.cpp:122 WebCore::ThreadTimers::sharedTimerFired(void) Stack from Valgrind on Linux: WebCore::ScrollView::setFrameRect(WebCore::IntRect const&) (third_party/WebKit/WebCore/platform/ScrollView.cpp:642) WebCore::RenderWidget::updateWidgetPosition() (third_party/WebKit/WebCore/rendering/RenderWidget.cpp:250) WebCore::RenderView::updateWidgetPositions() (third_party/WebKit/WebCore/rendering/RenderView.cpp:530) WebCore::FrameView::performPostLayoutTasks() (third_party/WebKit/WebCore/page/FrameView.cpp:1097) WebCore::FrameView::layout(bool) (third_party/WebKit/WebCore/page/FrameView.cpp:624) WebCore::FrameView::visibleContentsResized() (third_party/WebKit/WebCore/page/FrameView.h:209) WebCore::ScrollView::updateScrollbars(WebCore::IntSize const&) (third_party/WebKit/WebCore/platform/ScrollView.cpp:340) WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) (third_party/WebKit/WebCore/platform/ScrollView.cpp:225) WebCore::FrameView::setContentsSize(WebCore::IntSize const&) (third_party/WebKit/WebCore/page/FrameView.cpp:338) WebCore::FrameView::adjustViewSize() (third_party/WebKit/WebCore/page/FrameView.cpp:353) WebCore::FrameView::layout(bool) (third_party/WebKit/WebCore/page/FrameView.cpp:593) WebCore::Document::implicitClose() (third_party/WebKit/WebCore/dom/Document.cpp:1628) WebCore::FrameLoader::checkCallImplicitClose() (third_party/WebKit/WebCore/loader/FrameLoader.cpp:1321) WebCore::FrameLoader::checkCompleted() (third_party/WebKit/WebCore/loader/FrameLoader.cpp:1274) WebCore::FrameLoader::finishedParsing() (third_party/WebKit/WebCore/loader/FrameLoader.cpp:1231) WebCore::Document::finishedParsing() (third_party/WebKit/WebCore/dom/Document.cpp:3885) WebCore::HTMLParser::finished() (third_party/WebKit/WebCore/html/HTMLParser.cpp:1580) WebCore::HTMLTokenizer::end() (third_party/WebKit/WebCore/html/HTMLTokenizer.cpp:1815) WebCore::HTMLTokenizer::finish() (third_party/WebKit/WebCore/html/HTMLTokenizer.cpp:1855) WebCore::Document::finishParsing() (third_party/WebKit/WebCore/dom/Document.cpp:1739) WebCore::FrameLoader::endIfNotLoadingMainResource() (third_party/WebKit/WebCore/loader/FrameLoader.cpp:1082) WebCore::FrameLoader::end() (third_party/WebKit/WebCore/loader/FrameLoader.cpp:1067) WebCore::DocumentLoader::finishedLoading() (third_party/WebKit/WebCore/loader/DocumentLoader.cpp:349) WebCore::FrameLoader::finishedLoading() (third_party/WebKit/WebCore/loader/FrameLoader.cpp:3089) WebCore::MainResourceLoader::didFinishLoading() (third_party/WebKit/WebCore/loader/MainResourceLoader.cpp:369) WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction, WebCore::ResourceResponse const&) (third_party/WebKit/WebCore/loader/MainResourceLoader.cpp:262) WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction) (third_party/WebKit/WebCore/loader/MainResourceLoader.cpp:278) WebCore::MainResourceLoader::callContinueAfterContentPolicy(void*, WebCore::PolicyAction) (third_party/WebKit/WebCore/loader/MainResourceLoader.cpp:270) WebCore::FrameLoader::checkContentPolicy(WebCore::String const&, void (*)(void*, WebCore::PolicyAction), void*) (third_party/WebKit/WebCore/loader/FrameLoader.cpp:2462)
Attachments
Add attachment
proposed patch, testcase, etc.
Brett Wilson (Google)
Comment 1
2009-04-09 15:33:12 PDT
Hyatt said this was fixed in
http://trac.webkit.org/changeset/42334
and
http://trac.webkit.org/changeset/42336
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug