[Webkit-unassigned] [Bug 242518] New: IPC::Connection::sendOutputMessage(IPC::UnixMessage&) Syscall param sendmsg(msg.msg_iov[2]) points to uninitialised byte(s)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 8 09:38:38 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=242518

            Bug ID: 242518
           Summary: IPC::Connection::sendOutputMessage(IPC::UnixMessage&)
                    Syscall param sendmsg(msg.msg_iov[2]) points to
                    uninitialised byte(s)
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: james.hilliard1 at gmail.com
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

I'm seeing this get flagged by valgrind

==137== Thread 4 ReceiveQueue:
==137== Syscall param sendmsg(msg.msg_iov[2]) points to uninitialised byte(s)
==137==    at 0x1678009B: __libc_sendmsg (sendmsg.c:28)
==137==    by 0x1678009B: sendmsg (sendmsg.c:25)
==137==    by 0xE5DA819: IPC::Connection::sendOutputMessage(IPC::UnixMessage&) (ConnectionUnix.cpp:548)
==137==    by 0xE5D9D97: IPC::Connection::sendOutgoingMessage(WTF::UniqueRef<IPC::Encoder>&&) (ConnectionUnix.cpp:462)
==137==    by 0xE58A6CF: IPC::Connection::sendOutgoingMessages() (Connection.cpp:975)
==137==    by 0xE587F8D: IPC::Connection::sendMessage(WTF::UniqueRef<IPC::Encoder>&&, WTF::OptionSet<IPC::SendOption>, std::optional<WTF::Thread::QOS>)::{lambda()#1}::operator()() (Connection.cpp:511)
==137==    by 0xE591F2D: WTF::Detail::CallableWrapper<IPC::Connection::sendMessage(WTF::UniqueRef<IPC::Encoder>&&, WTF::OptionSet<IPC::SendOption>, std::optional<WTF::Thread::QOS>)::{lambda()#1}, void>::call() (Function.h:53)
==137==    by 0xD9D5E94: WTF::Function<void ()>::operator()() const (Function.h:82)
==137==    by 0x1107B42F: WTF::WorkQueueBase::dispatch(WTF::Function<void ()>&&)::{lambda()#1}::operator()() const (WorkQueueGeneric.cpp:70)
==137==    by 0x1107D3DF: WTF::Detail::CallableWrapper<WTF::WorkQueueBase::dispatch(WTF::Function<void ()>&&)::{lambda()#1}, void>::call() (Function.h:53)
==137==    by 0xD9D5E94: WTF::Function<void ()>::operator()() const (Function.h:82)
==137==    by 0x10FD4BEE: WTF::RunLoop::performWork() (RunLoop.cpp:133)
==137==    by 0x110803FD: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::operator()(void*) const (RunLoopGLib.cpp:80)
==137==    by 0x11080421: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (RunLoopGLib.cpp:82)
==137==    by 0x11080390: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const (RunLoopGLib.cpp:53)
==137==    by 0x110803DE: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (RunLoopGLib.cpp:56)
==137==    by 0x15FB4293: g_main_dispatch (gmain.c:3381)
==137==    by 0x15FB4293: g_main_context_dispatch (gmain.c:4099)
==137==    by 0x15FB4637: g_main_context_iterate.constprop.0 (gmain.c:4175)
==137==    by 0x15FB4942: g_main_loop_run (gmain.c:4373)
==137==    by 0x11080A49: WTF::RunLoop::run() (RunLoopGLib.cpp:108)
==137==    by 0x1107B273: WTF::WorkQueueBase::platformInitialize(char const*, WTF::WorkQueueBase::Type, WTF::Thread::QOS)::{lambda()#1}::operator()() const (WorkQueueGeneric.cpp:51)
==137==    by 0x1107D41F: WTF::Detail::CallableWrapper<WTF::WorkQueueBase::platformInitialize(char const*, WTF::WorkQueueBase::Type, WTF::Thread::QOS)::{lambda()#1}, void>::call() (Function.h:53)
==137==    by 0xD9D5E94: WTF::Function<void ()>::operator()() const (Function.h:82)
==137==    by 0x10FDD522: WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (Threading.cpp:236)
==137==    by 0x1108D690: WTF::wtfThreadEntryPoint(void*) (ThreadingPOSIX.cpp:242)
==137==    by 0x18A423B9: start_thread (pthread_create.c:481)
==137==    by 0x1677E952: clone (clone.S:95)
==137==  Address 0x3bd51d18 is 104 bytes inside a block of size 576 alloc'd
==137==    at 0x4840899: malloc (vg_replace_malloc.c:381)
==137==    by 0x10F9144F: WTF::fastMalloc(unsigned long) (FastMalloc.cpp:232)
==137==    by 0xD95B551: IPC::Encoder::operator new(unsigned long) (Encoder.h:44)
==137==    by 0xD960F15: WTF::UniqueRef<IPC::Encoder> WTF::makeUniqueRefWithoutFastMallocCheck<IPC::Encoder, IPC::MessageName, unsigned long&>(IPC::MessageName&&, unsigned long&) (UniqueRef.h:40)
==137==    by 0xD95FD21: WTF::UniqueRef<IPC::Encoder> WTF::makeUniqueRef<IPC::Encoder, IPC::MessageName, unsigned long&>(IPC::MessageName&&, unsigned long&) (UniqueRef.h:47)
==137==    by 0xF00D1A6: bool IPC::MessageSender::send<Messages::DrawingAreaProxy::DidUpdateBackingStoreState>(Messages::DrawingAreaProxy::DidUpdateBackingStoreState&&, unsigned long, WTF::OptionSet<IPC::SendOption>) (MessageSender.h:47)
==137==    by 0xF009B04: bool WebKit::DrawingArea::send<Messages::DrawingAreaProxy::DidUpdateBackingStoreState>(Messages::DrawingAreaProxy::DidUpdateBackingStoreState&&) (DrawingArea.h:162)
==137==    by 0xEFF8248: WebKit::DrawingAreaCoordinatedGraphics::sendDidUpdateBackingStoreState() (DrawingAreaCoordinatedGraphics.cpp:565)
==137==    by 0xEFF7DAC: WebKit::DrawingAreaCoordinatedGraphics::updateBackingStoreState(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&) (DrawingAreaCoordinatedGraphics.cpp:453)
==137==    by 0xDFB2DDB: void IPC::callMemberFunctionImpl<WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&), std::tuple<unsigned long, bool, float, WebCore::IntSize, WebCore::IntSize>, 0ul, 1ul, 2ul, 3ul, 4ul>(WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&), std::tuple<unsigned long, bool, float, WebCore::IntSize, WebCore::IntSize>&&, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul>) (HandleMessage.h:131)
==137==    by 0xDFB2877: void IPC::callMemberFunction<WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&), std::tuple<unsigned long, bool, float, WebCore::IntSize, WebCore::IntSize>, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul> >(std::tuple<unsigned long, bool, float, WebCore::IntSize, WebCore::IntSize>&&, WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&)) (HandleMessage.h:137)
==137==    by 0xDFB2552: void IPC::handleMessage<Messages::DrawingArea::UpdateBackingStoreState, WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&)>(IPC::Connection&, IPC::Decoder&, WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&)) (HandleMessage.h:259)
==137==    by 0xDFB217B: WebKit::DrawingArea::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (DrawingAreaMessageReceiver.cpp:75)
==137==    by 0xE5B3897: IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (MessageReceiverMap.cpp:129)
==137==    by 0xECA8A68: WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebProcess.cpp:912)
==137==    by 0xE58AFE3: IPC::Connection::dispatchMessage(IPC::Decoder&) (Connection.cpp:1108)
==137==    by 0xE58B27A: IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (Connection.cpp:1153)
==137==    by 0xE58B821: IPC::Connection::dispatchOneIncomingMessage() (Connection.cpp:1222)
==137==    by 0xE58ACF3: IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}::operator()() (Connection.cpp:1072)
==137==    by 0xE591DD7: WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}, void>::call() (Function.h:53)
==137==    by 0xD9D5E94: WTF::Function<void ()>::operator()() const (Function.h:82)
==137==    by 0x10FD4BEE: WTF::RunLoop::performWork() (RunLoop.cpp:133)
==137==    by 0x110803FD: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::operator()(void*) const (RunLoopGLib.cpp:80)
==137==    by 0x11080421: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (RunLoopGLib.cpp:82)
==137==    by 0x11080390: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const (RunLoopGLib.cpp:53)
==137==    by 0x110803DE: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (RunLoopGLib.cpp:56)
==137==    by 0x15FB4293: g_main_dispatch (gmain.c:3381)
==137==    by 0x15FB4293: g_main_context_dispatch (gmain.c:4099)
==137==    by 0x15FB4637: g_main_context_iterate.constprop.0 (gmain.c:4175)
==137==    by 0x15FB4942: g_main_loop_run (gmain.c:4373)
==137==    by 0x11080A49: WTF::RunLoop::run() (RunLoopGLib.cpp:108)
==137==    by 0xF022010: WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (AuxiliaryProcessMain.h:70)
==137==    by 0xF01F6C2: int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWPE>(int, char**) (AuxiliaryProcessMain.h:96)
==137==    by 0xF01BC1A: WebKit::WebProcessMain(int, char**) (WebProcessMainWPE.cpp:75)
==137==    by 0x109918: main (WebProcessMain.cpp:31)
==137==  Uninitialised value was created by a stack allocation
==137==    at 0xEFF7EA8: WebKit::DrawingAreaCoordinatedGraphics::sendDidUpdateBackingStoreState() (DrawingAreaCoordinatedGraphics.cpp:529)
==137==
