Bug 74065 - [Chromium] Set empty string makes WebCString::length() returns -1
Summary: [Chromium] Set empty string makes WebCString::length() returns -1
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit API
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-08 01:32 PST by yosin
Modified: 2011-12-11 22:29 PST

See Also:

Description yosin 2011-12-08 01:32:17 PST
WebCString::assign is called with data of "" (including NUL) and length = 0.

This happens on a Windows/Debug build when WebPreferences::user_style_sheet_location is an empty string.

  if (user_style_sheet_enabled)
    settings->setUserStyleSheetLocation(user_style_sheet_location);
  else
    settings->setUserStyleSheetLocation(WebURL());

chrome.dll!WebKit::WebCString::assign(const char * data, unsigned int length)  Line 70 + 0x1c bytesC++
>chrome.dll!WebKit::WebCString::WebCString(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & s)  Line 103C++
chrome.dll!WebKit::WebURL::WebURL(const GURL & g)  Line 118 + 0x21 bytesC++
chrome.dll!WebPreferences::Apply(WebKit::WebView * web_view)  Line 195 + 0x15 bytesC++
chrome.dll!RenderViewImpl::RenderViewImpl(int parent_hwnd, int opener_id, const content::RendererPreferences & renderer_prefs, const WebPreferences & webkit_prefs, base::RefCountedData<int> * counter, int routing_id, __int64 session_storage_namespace_id, const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > & frame_name)  Line 406C++
chrome.dll!RenderViewImpl::Create(int parent_hwnd, int opener_id, const content::RendererPreferences & renderer_prefs, const WebPreferences & webkit_prefs, base::RefCountedData<int> * counter, int routing_id, __int64 session_storage_namespace_id, const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > & frame_name)  Line 518 + 0x4d bytesC++
chrome.dll!RenderThreadImpl::OnCreateNewView(const ViewMsg_New_Params & params)  Line 772 + 0x76 bytesC++
chrome.dll!DispatchToMethod<RenderThreadImpl,void (__thiscall RenderThreadImpl::*)(ViewMsg_New_Params const &),ViewMsg_New_Params>(RenderThreadImpl * obj, void (const ViewMsg_New_Params &)* method, const Tuple1<ViewMsg_New_Params> & arg)  Line 547 + 0xf bytesC++
chrome.dll!ViewMsg_New::Dispatch<RenderThreadImpl,RenderThreadImpl,void (__thiscall RenderThreadImpl::*)(ViewMsg_New_Params const &)>(const IPC::Message * msg, RenderThreadImpl * obj, RenderThreadImpl * sender, void (const ViewMsg_New_Params &)* func)  Line 687 + 0x63 bytesC++
chrome.dll!RenderThreadImpl::OnControlMessageReceived(const IPC::Message & msg)  Line 722 + 0x62 bytesC++
chrome.dll!ChildThread::OnMessageReceived(const IPC::Message & msg)  Line 201 + 0x13 bytesC++
chrome.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message)  Line 257 + 0x19 bytesC++
chrome.dll!base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>::Run(IPC::ChannelProxy::Context * object, const IPC::Message & a1)  Line 189 + 0x18 bytesC++
chrome.dll!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context * const &,IPC::Message const &)>::MakeItSo(base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)> runnable, IPC::ChannelProxy::Context * const & a1, const IPC::Message & a2)  Line 877C++
chrome.dll!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &),void __cdecl(IPC::ChannelProxy::Context *,IPC::Message)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &)>::Run(base::internal::BindStateBase * base)  Line 1214 + 0x18 bytesC++
chrome.dll!base::Callback<void __cdecl(void)>::Run()  Line 274 + 0xe bytesC++
chrome.dll!MessageLoop::RunTask(const base::PendingTask & pending_task)  Line 502C++
chrome.dll!MessageLoop::DeferOrRunPendingTask(const base::PendingTask & pending_task)  Line 515C++
chrome.dll!MessageLoop::DoWork()  Line 702 + 0xc bytesC++
chrome.dll!base::MessagePumpForUI::DoRunLoop()  Line 203 + 0x1d bytesC++
chrome.dll!base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate * delegate, base::MessagePumpWin::Dispatcher * dispatcher)  Line 51 + 0xf bytesC++
chrome.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate)  Line 64 + 0x1c bytesC++
chrome.dll!MessageLoop::RunInternal()  Line 459 + 0x2a bytesC++
chrome.dll!MessageLoop::RunHandler()  Line 433C++
chrome.dll!MessageLoop::Run()  Line 343C++
chrome.dll!base::Thread::Run(MessageLoop * message_loop)  Line 127C++
chrome.dll!base::Thread::ThreadMain()  Line 161 + 0x16 bytesC++
chrome.dll!base::`anonymous namespace'::ThreadFunc(void * params)  Line 58 + 0xf bytesC++
Comment 1 Darin Fisher (:fishd, Google) 2011-12-08 16:27:41 PST
Looking at the implementation, it is not clear how WebCString::length() manages to return -1.  Can you provide steps to reproduce this?
Comment 2 yosin 2011-12-11 22:29:45 PST
It seems this is caused by memory corruption or broken profile.
I ran a debug build of chrome with --single-process. My debugging operations might have broken the profile.