RESOLVED FIXED 27453
Uninitialized variable in WebCore::CSSFunctionValue::parserValue 
https://bugs.webkit.org/show_bug.cgi?id=27453
Summary Uninitialized variable in WebCore::CSSFunctionValue::parserValue
James Hawkins
Reported Monday, July 20, 2009 7:59:41 PM UTC
WebCore::CSSFunctionValue::parserValue creates a CSSParserValue for a function, but doesn't initialize isInt (which obviously should be false). I will attach a patch shortly.
Attachments
Patch which initializes a variable (1.09 KB, patch)
2009-07-20 12:02 PDT, James Hawkins 		no flags
DetailsFormatted DiffDiff
removed tabs from Changelog (1.11 KB, patch)
2009-07-20 12:16 PDT, James Hawkins 		hyatt: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
James Hawkins
Comment 1 Monday, July 20, 2009 8:02:40 PM UTC
Created attachment 33097 [details] Patch which initializes a variable
James Hawkins
Comment 2 Monday, July 20, 2009 8:16:03 PM UTC
Created attachment 33099 [details] removed tabs from Changelog
Dave Hyatt
Comment 3 Monday, July 20, 2009 9:53:49 PM UTC
Comment on attachment 33099 [details] removed tabs from Changelog Test case?
James Hawkins
Comment 4 Monday, July 20, 2009 10:31:39 PM UTC
Currently the only code that checks isInt will short-circuit on a check for CSSPrimitiveValue::CSS_NUMBER or (unitFlags & FInteger). CSSParser.cpp 419: if (!b && (unitflags & FInteger) && value->isInt) CSSParserValues.cpp 64: else if (unit == CSSPrimitiveValue::CSS_NUMBER && isInt) With that being said, I don't think I can write a test case that will fail before the change and succeed with the patch applied. Regardless, code added in the future could depend on the value of isInt alone, which could be set to garbage if left uninitialized.
Dave Hyatt
Comment 5 Monday, July 20, 2009 11:30:09 PM UTC
Comment on attachment 33099 [details] removed tabs from Changelog Ok, sounds fine.
David Levin
Comment 6 Tuesday, July 21, 2009 7:23:48 PM UTC
Assigned to levin for landing
David Levin
Comment 7 Tuesday, July 21, 2009 8:20:36 PM UTC
Committed as http://trac.webkit.org/changeset/46186
Note You need to log in before you can comment on or make changes to this bug.