[Webkit-unassigned] [Bug 224157] New: UBSan: RenderView.cpp:831:9: runtime error: load of value nnn, which is not a valid value for type 'bool'

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Apr 3 12:07:25 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=224157

            Bug ID: 224157
           Summary: UBSan: RenderView.cpp:831:9: runtime error: load of
                    value nnn, which is not a valid value for type 'bool'
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ddkilzer at webkit.org
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

UBSan: RenderView.cpp:831:9: runtime error: load of value nnn, which is not a valid value for type 'bool'

Occurs here:

    RenderView::RepaintRegionAccumulator::~RepaintRegionAccumulator()
    {
        if (m_wasAccumulatingRepaintRegion)  // UBSan warning/
            return;
        if (!m_rootView)
            return;
        m_rootView.get()->flushAccumulatedRepaintRegion();
    }

Caused by the m_wasAccumulatingRepaintRegion instance variable not being initialized:

    class RepaintRegionAccumulator {
        WTF_MAKE_NONCOPYABLE(RepaintRegionAccumulator);
    public:
        RepaintRegionAccumulator(RenderView*);
        ~RepaintRegionAccumulator();

    private:
        WeakPtr<RenderView> m_rootView;
        bool m_wasAccumulatingRepaintRegion;  // BUG: No default initialization.
    };

Affects the following tests:

editing/inserting/insert-list-user-select-none-crash.html
fast/dom/clientWidthAfterDocumentIsRemoved.html
fast/scrolling/iframe-scrollable-after-back.html
fast/text/crash-font-family-parsed.html
html5lib/generated/run-template-write.html
imported/blink/plugins/renderless-plugin-creation-doesnt-crash-without-frame.html
imported/w3c/web-platform-tests/css/cssom-view/scrolling-no-browsing-context.html
imported/w3c/web-platform-tests/dom/ranges/Range-mutations-appendChild.html
imported/w3c/web-platform-tests/html/browsers/the-window-object/named-access-on-the-window-object/navigated-named-objects.window.html
imported/w3c/web-platform-tests/html/semantics/forms/the-label-element/clicking-interactive-content.html
imported/w3c/web-platform-tests/html/syntax/parsing/html5lib_template.html
imported/w3c/web-platform-tests/html/syntax/parsing/template/creating-an-element-for-the-token/template-owner-document.html
imported/w3c/web-platform-tests/selection/addRange-12.html
imported/w3c/web-platform-tests/shadow-dom/untriaged/html-elements-in-shadow-trees/html-forms/test-001.html
media/track/track-remove-crash.html
svg/custom/animate-reference-crash.html

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210403/5fe1139f/attachment.htm>

More information about the webkit-unassigned mailing list