[Webkit-unassigned] [Bug 25123] New: Uninitialized memory read in ScrollView
bugzilla-daemon at webkit.org
Thu Apr 9 15:08:17 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=25123
Summary: Uninitialized memory read in ScrollView
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P1
Component: Layout and Rendering
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: brettw at chromium.org
CC: hyatt at apple.com
This change
http://trac.webkit.org/changeset?new=42297@trunk/WebCore/platform/ScrollView.cpp&old=42002@trunk/WebCore/platform/ScrollView.cpp
introduced a call to minimumContentsSize in ScrollView::updateScrollbars. For
some code paths, this value is uninitialized. My guess is that this happens during
the first layout.
Stack from Purify on Windows:
Uninitialized memory read in WebCore::RenderView::docHeight(void)const
Error Location
third_party/webkit/webcore/rendering/renderview.h:59
WebCore::RenderView::docHeight(void)const
third_party/webkit/webcore/page/frameview.cpp:1456
WebCore::FrameView::minimumContentsSize(void)const
third_party/webkit/webcore/platform/scrollview.cpp:342
WebCore::ScrollView::updateScrollbars(IntSize::WebCore const&)
third_party/webkit/webcore/platform/scrollview.cpp:642
WebCore::ScrollView::setFrameRect(IntRect::WebCore const&)
third_party/webkit/webcore/rendering/renderwidget.cpp:250
WebCore::RenderWidget::updateWidgetPosition(void)
third_party/webkit/webcore/rendering/renderview.cpp:530
WebCore::RenderView::updateWidgetPositions(void)
third_party/webkit/webcore/page/frameview.cpp:1097
WebCore::FrameView::performPostLayoutTasks(void)
third_party/webkit/webcore/page/frameview.cpp:624
WebCore::FrameView::layout(bool)
third_party/webkit/webcore/page/frameview.h:209
WebCore::FrameView::visibleContentsResized(void)
third_party/webkit/webcore/platform/scrollview.cpp:340
WebCore::ScrollView::updateScrollbars(IntSize::WebCore const&)
third_party/webkit/webcore/platform/scrollview.cpp:225
WebCore::ScrollView::setContentsSize(IntSize::WebCore const&)
third_party/webkit/webcore/page/frameview.cpp:338
WebCore::FrameView::setContentsSize(IntSize::WebCore const&)
third_party/webkit/webcore/page/frameview.cpp:353
WebCore::FrameView::adjustViewSize(void)
third_party/webkit/webcore/page/frameview.cpp:593
WebCore::FrameView::layout(bool)
third_party/webkit/webcore/page/frameview.cpp:866
WebCore::FrameView::layoutTimerFired(Timer::WebCore *)
third_party/webkit/webcore/platform/timer.h:93
WebCore::Timer::fired(void)
third_party/webkit/webcore/platform/threadtimers.cpp:111
WebCore::ThreadTimers::fireTimers(double,Vector::WTF const&)
third_party/webkit/webcore/platform/threadtimers.cpp:141
WebCore::ThreadTimers::sharedTimerFiredInternal(void)
third_party/webkit/webcore/platform/threadtimers.cpp:122
WebCore::ThreadTimers::sharedTimerFired(void)
Stack from Valgrind on Linux:
WebCore::ScrollView::setFrameRect(WebCore::IntRect const&)
(third_party/WebKit/WebCore/platform/ScrollView.cpp:642)
WebCore::RenderWidget::updateWidgetPosition()
(third_party/WebKit/WebCore/rendering/RenderWidget.cpp:250)
WebCore::RenderView::updateWidgetPositions()
(third_party/WebKit/WebCore/rendering/RenderView.cpp:530)
WebCore::FrameView::performPostLayoutTasks()
(third_party/WebKit/WebCore/page/FrameView.cpp:1097)
WebCore::FrameView::layout(bool)
(third_party/WebKit/WebCore/page/FrameView.cpp:624)
WebCore::FrameView::visibleContentsResized()
(third_party/WebKit/WebCore/page/FrameView.h:209)
WebCore::ScrollView::updateScrollbars(WebCore::IntSize const&)
(third_party/WebKit/WebCore/platform/ScrollView.cpp:340)
WebCore::ScrollView::setContentsSize(WebCore::IntSize const&)
(third_party/WebKit/WebCore/platform/ScrollView.cpp:225)
WebCore::FrameView::setContentsSize(WebCore::IntSize const&)
(third_party/WebKit/WebCore/page/FrameView.cpp:338)
WebCore::FrameView::adjustViewSize()
(third_party/WebKit/WebCore/page/FrameView.cpp:353)
WebCore::FrameView::layout(bool)
(third_party/WebKit/WebCore/page/FrameView.cpp:593)
WebCore::Document::implicitClose()
(third_party/WebKit/WebCore/dom/Document.cpp:1628)
WebCore::FrameLoader::checkCallImplicitClose()
(third_party/WebKit/WebCore/loader/FrameLoader.cpp:1321)
WebCore::FrameLoader::checkCompleted()
(third_party/WebKit/WebCore/loader/FrameLoader.cpp:1274)
WebCore::FrameLoader::finishedParsing()
(third_party/WebKit/WebCore/loader/FrameLoader.cpp:1231)
WebCore::Document::finishedParsing()
(third_party/WebKit/WebCore/dom/Document.cpp:3885)
WebCore::HTMLParser::finished()
(third_party/WebKit/WebCore/html/HTMLParser.cpp:1580)
WebCore::HTMLTokenizer::end()
(third_party/WebKit/WebCore/html/HTMLTokenizer.cpp:1815)
WebCore::HTMLTokenizer::finish()
(third_party/WebKit/WebCore/html/HTMLTokenizer.cpp:1855)
WebCore::Document::finishParsing()
(third_party/WebKit/WebCore/dom/Document.cpp:1739)
WebCore::FrameLoader::endIfNotLoadingMainResource()
(third_party/WebKit/WebCore/loader/FrameLoader.cpp:1082)
WebCore::FrameLoader::end()
(third_party/WebKit/WebCore/loader/FrameLoader.cpp:1067)
WebCore::DocumentLoader::finishedLoading()
(third_party/WebKit/WebCore/loader/DocumentLoader.cpp:349)
WebCore::FrameLoader::finishedLoading()
(third_party/WebKit/WebCore/loader/FrameLoader.cpp:3089)
WebCore::MainResourceLoader::didFinishLoading()
(third_party/WebKit/WebCore/loader/MainResourceLoader.cpp:369)
WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction,
WebCore::ResourceResponse const&)
(third_party/WebKit/WebCore/loader/MainResourceLoader.cpp:262)
WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction)
(third_party/WebKit/WebCore/loader/MainResourceLoader.cpp:278)
WebCore::MainResourceLoader::callContinueAfterContentPolicy(void*,
WebCore::PolicyAction)
(third_party/WebKit/WebCore/loader/MainResourceLoader.cpp:270)
WebCore::FrameLoader::checkContentPolicy(WebCore::String const&, void
(*)(void*, WebCore::PolicyAction), void*)
(third_party/WebKit/WebCore/loader/FrameLoader.cpp:2462)
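An added example, not code from the WebKit tree, modelling the bug class in the traces above: a render view whose document height only exists after layout(), read through a FrameView's minimumContentsSize() from updateScrollbars() before the first layout has run. The type and function names mirror the report; their bodies, the IntSize struct and the laidOut flag are hypothetical.

```cpp
// Added example (not WebKit code): minimal model of an uninitialized-member read
// on the pre-layout path, with the buggy shape beside a hardened one.
#include <algorithm>

struct IntSize { int width; int height; };

// Buggy shape: m_docHeight is never set by the constructor, so a docHeight() call
// before layout() returns indeterminate memory (what Purify and Valgrind flagged).
// Shown for contrast only; nothing below exercises it.
struct RenderViewBuggy {
    int m_docHeight;                               // uninitialized until layout()
    void layout(int h) { m_docHeight = h; }
    int docHeight() const { return m_docHeight; }  // undefined before layout()
};

// Hardened shape: every member is value-initialized, and the first-layout state is
// tracked so callers can tell "not laid out yet" apart from "height is 0".
struct RenderView {
    int m_docHeight = 0;     // deterministic even when read early
    bool m_laidOut = false;  // set once layout() has produced a real height
    void layout(int h) { m_docHeight = h; m_laidOut = true; }
    int docHeight() const { return m_docHeight; }
    bool laidOut() const { return m_laidOut; }
};

struct FrameView {
    RenderView m_root;
    // Until the first layout, report no minimum so updateScrollbars() never sizes
    // scrollbars from a document height that does not exist yet.
    IntSize minimumContentsSize() const {
        if (!m_root.laidOut())
            return IntSize{0, 0};
        return IntSize{0, m_root.docHeight()};
    }
    void layout(int h) { m_root.layout(h); }
};

// Model of ScrollView::updateScrollbars: the contents size is clamped to at least
// the view's minimum, which is now well-defined on every code path.
IntSize updateScrollbars(const FrameView& view, IntSize docSize) {
    IntSize min = view.minimumContentsSize();
    return IntSize{std::max(docSize.width, min.width),
                   std::max(docSize.height, min.height)};
}
```

Building the buggy shape with clang's `-fsanitize=memory`, or running it under `valgrind --track-origins=yes`, reports the first use of the indeterminate value, which is the same kind of finding the two traces above record.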