<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:mcrha@redhat.com" title="Milan Crha <mcrha@redhat.com>"> <span class="fn">Milan Crha</span></a>
</span> changed
<a class="bz_bug_link
bz_status_NEW "
title="NEW - Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s) in IPC::Connection::sendOutgoingMessage"
href="https://bugs.webkit.org/show_bug.cgi?id=146729">bug 146729</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">CC</td>
<td>
</td>
<td>mcrha@redhat.com
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s) in IPC::Connection::sendOutgoingMessage"
href="https://bugs.webkit.org/show_bug.cgi?id=146729#c6">Comment # 6</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s) in IPC::Connection::sendOutgoingMessage"
href="https://bugs.webkit.org/show_bug.cgi?id=146729">bug 146729</a>
from <span class="vcard"><a class="email" href="mailto:mcrha@redhat.com" title="Milan Crha <mcrha@redhat.com>"> <span class="fn">Milan Crha</span></a>
</span></b>
<pre>The 2.13.90 gives me these:
==17692== Warning: set address range perms: large range [0x395d9000, 0x795db000) (noaccess)
==17692== Thread 4:
==17692== Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s)
==17692== at 0x772166D: ??? (in /usr/lib64/libc-2.23.so)
==17692== by 0x559B881: IPC::Connection::sendOutgoingMessage(std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x535316B: IPC::Connection::sendOutgoingMessages() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0xA8F780A: WTF::RunLoop::performWork() (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA92C258: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0x977E802: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0x977EBAF: ??? (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0x977EED1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0xA92CB3F: WTF::RunLoop::run() (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA92B867: std::_Function_handler<void (), WTF::WorkQueue::platformInitialize(char const*, WTF::WorkQueue::Type, WTF::WorkQueue::QOS)::{lambda()#1}>::_M_invoke(std::_Any_data const&) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA8F86E7: WTF::threadEntryPoint(void*) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA929CAC: WTF::wtfThreadEntryPoint(void*) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xB19F589: start_thread (in /usr/lib64/libpthread-2.23.so)
==17692== by 0x77205CC: clone (in /usr/lib64/libc-2.23.so)
==17692== Address 0x23ba8871 is on thread 4's stack
==17692== in frame #1, created by IPC::Connection::sendOutgoingMessage(std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >) (???:)
==17692==
==17692== Syscall param sendmsg(msg.msg_iov[1]) points to uninitialised byte(s)
==17692== at 0x772166D: ??? (in /usr/lib64/libc-2.23.so)
==17692== by 0x559B881: IPC::Connection::sendOutgoingMessage(std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x535316B: IPC::Connection::sendOutgoingMessages() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0xA8F780A: WTF::RunLoop::performWork() (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA92C258: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0x977E802: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0x977EBAF: ??? (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0x977EED1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0xA92CB3F: WTF::RunLoop::run() (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA92B867: std::_Function_handler<void (), WTF::WorkQueue::platformInitialize(char const*, WTF::WorkQueue::Type, WTF::WorkQueue::QOS)::{lambda()#1}>::_M_invoke(std::_Any_data const&) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA8F86E7: WTF::threadEntryPoint(void*) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA929CAC: WTF::wtfThreadEntryPoint(void*) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xB19F589: start_thread (in /usr/lib64/libpthread-2.23.so)
==17692== by 0x77205CC: clone (in /usr/lib64/libc-2.23.so)
==17692== Address 0x1b3d3ab9 is 41 bytes inside a block of size 600 alloc'd
==17692== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==17692== by 0xA8EB868: WTF::fastMalloc(unsigned long) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0x535254B: IPC::Connection::createSyncMessageEncoder(IPC::StringReference, IPC::StringReference, unsigned long, unsigned long&) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5484622: WebKit::WebProcess::ensureNetworkProcessConnection() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x54875A8: WebKit::WebProcess::initializeWebProcess(WebKit::WebProcessCreationParameters&&) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5673259: void IPC::handleMessage<Messages::WebProcess::InitializeWebProcess, WebKit::WebProcess, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&)>(IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&)) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5672033: WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5355595: IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5356547: IPC::Connection::dispatchOneMessage() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0xA8F780A: WTF::RunLoop::performWork() (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA92C258: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0x977E802: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0x977EBAF: ??? (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0x977EED1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0xA92CB3F: WTF::RunLoop::run() (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0x5620541: int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x7635720: (below main) (in /usr/lib64/libc-2.23.so)
==17692==
==17692== Thread 1:
==17692== Conditional jump or move depends on uninitialised value(s)
==17692== at 0x552F05E: WebKit::WebPage::setPageActivityState(unsigned int) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5EDBE21: WebCore::Page::setPageActivityState(unsigned int) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5EEAE41: WebCore::PageThrottler::pageLoadActivityCounterChanged() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5EEACCD: WebCore::PageThrottler::pageLoadActivityToken() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5DB5A39: WebCore::FrameLoader::started() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5DB5BC2: WebCore::FrameLoader::didOpenURL() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5DBF57F: WebCore::FrameLoader::commitProvisionalLoad() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5DA4215: WebCore::DocumentLoader::finishedLoading(double) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5DA4B17: WebCore::DocumentLoader::maybeLoadEmpty() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5DA4EA2: WebCore::DocumentLoader::startLoadingMainResource() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5DB8DDA: WebCore::FrameLoader::init() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x551FDE2: WebKit::WebFrame::createWithCoreMainFrame(WebKit::WebPage*, WebCore::Frame*) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x553E08B: WebKit::WebPage::WebPage(unsigned long, WebKit::WebPageCreationParameters const&) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x553E66D: WebKit::WebPage::create(unsigned long, WebKit::WebPageCreationParameters const&) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5487B07: WebKit::WebProcess::createWebPage(unsigned long, WebKit::WebPageCreationParameters const&) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5673C35: void IPC::handleMessage<Messages::WebProcess::CreateWebPage, WebKit::WebProcess, void (WebKit::WebProcess::*)(unsigned long, WebKit::WebPageCreationParameters const&)>(IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(unsigned long, WebKit::WebPageCreationParameters const&)) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x56720B3: WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5355595: IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5356547: IPC::Connection::dispatchOneMessage() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0xA8F78D2: WTF::RunLoop::performWork() (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA92C258: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0x977E802: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0x977EBAF: ??? (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0x977EED1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0xA92CB3F: WTF::RunLoop::run() (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0x5620541: int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x7635720: (below main) (in /usr/lib64/libc-2.23.so)
==17692==
==17692== Thread 4:
==17692== Syscall param sendmsg(msg.msg_iov[2]) points to uninitialised byte(s)
==17692== at 0x772166D: ??? (in /usr/lib64/libc-2.23.so)
==17692== by 0x559B881: IPC::Connection::sendOutgoingMessage(std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x535316B: IPC::Connection::sendOutgoingMessages() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0xA8F780A: WTF::RunLoop::performWork() (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA92C258: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0x977E802: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0x977EBAF: ??? (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0x977EED1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0xA92CB3F: WTF::RunLoop::run() (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA92B867: std::_Function_handler<void (), WTF::WorkQueue::platformInitialize(char const*, WTF::WorkQueue::Type, WTF::WorkQueue::QOS)::{lambda()#1}>::_M_invoke(std::_Any_data const&) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA8F86E7: WTF::threadEntryPoint(void*) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA929CAC: WTF::wtfThreadEntryPoint(void*) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xB19F589: start_thread (in /usr/lib64/libpthread-2.23.so)
==17692== by 0x77205CC: clone (in /usr/lib64/libc-2.23.so)
==17692== Address 0x32e2c309 is 41 bytes inside a block of size 600 alloc'd
==17692== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==17692== by 0xA8EB868: WTF::fastMalloc(unsigned long) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0x5617D1F: WebKit::AcceleratedDrawingArea::sendDidUpdateBackingStoreState() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x561A298: WebKit::DrawingAreaImpl::sendDidUpdateBackingStoreState() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x561825B: WebKit::AcceleratedDrawingArea::updateBackingStoreState(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x561AEEA: WebKit::DrawingAreaImpl::updateBackingStoreState(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5683491: void IPC::handleMessage<Messages::DrawingArea::UpdateBackingStoreState, WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&)>(IPC::Decoder&, WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&)) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x56833A1: WebKit::DrawingArea::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x535965B: IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x548ACA5: WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5355595: IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x5356547: IPC::Connection::dispatchOneMessage() (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0xA8F78D2: WTF::RunLoop::performWork() (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0xA92C258: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0x977E802: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0x977EBAF: ??? (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0x977EED1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4800.0)
==17692== by 0xA92CB3F: WTF::RunLoop::run() (in /build/local/lib/libjavascriptcoregtk-4.0.so.18.4.4)
==17692== by 0x5620541: int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (in /build/local/lib/libwebkit2gtk-4.0.so.37.14.4)
==17692== by 0x7635720: (below main) (in /usr/lib64/libc-2.23.so)</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>