Bug 224157 - RESOLVED FIXED
UBSan: RenderView.cpp:831:9: runtime error: load of value nnn, which is not a valid value for type 'bool'
https://bugs.webkit.org/show_bug.cgi?id=224157
David Kilzer (:ddkilzer)
Reported 2021-04-03 12:07:25 PDT
UBSan: RenderView.cpp:831:9: runtime error: load of value nnn, which is not a valid value for type 'bool'

Occurs here:

    RenderView::RepaintRegionAccumulator::~RepaintRegionAccumulator()
    {
        if (m_wasAccumulatingRepaintRegion) // UBSan warning
            return;
        if (!m_rootView)
            return;
        m_rootView.get()->flushAccumulatedRepaintRegion();
    }

Caused by the m_wasAccumulatingRepaintRegion instance variable not being initialized:

    class RepaintRegionAccumulator {
        WTF_MAKE_NONCOPYABLE(RepaintRegionAccumulator);
    public:
        RepaintRegionAccumulator(RenderView*);
        ~RepaintRegionAccumulator();

    private:
        WeakPtr<RenderView> m_rootView;
        bool m_wasAccumulatingRepaintRegion; // BUG: No default initialization.
    };

Affects the following tests:

    editing/inserting/insert-list-user-select-none-crash.html
    fast/dom/clientWidthAfterDocumentIsRemoved.html
    fast/scrolling/iframe-scrollable-after-back.html
    fast/text/crash-font-family-parsed.html
    html5lib/generated/run-template-write.html
    imported/blink/plugins/renderless-plugin-creation-doesnt-crash-without-frame.html
    imported/w3c/web-platform-tests/css/cssom-view/scrolling-no-browsing-context.html
    imported/w3c/web-platform-tests/dom/ranges/Range-mutations-appendChild.html
    imported/w3c/web-platform-tests/html/browsers/the-window-object/named-access-on-the-window-object/navigated-named-objects.window.html
    imported/w3c/web-platform-tests/html/semantics/forms/the-label-element/clicking-interactive-content.html
    imported/w3c/web-platform-tests/html/syntax/parsing/html5lib_template.html
    imported/w3c/web-platform-tests/html/syntax/parsing/template/creating-an-element-for-the-token/template-owner-document.html
    imported/w3c/web-platform-tests/selection/addRange-12.html
    imported/w3c/web-platform-tests/shadow-dom/untriaged/html-elements-in-shadow-trees/html-forms/test-001.html
    media/track/track-remove-crash.html
    svg/custom/animate-reference-crash.html
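The report describes an RAII accumulator whose destructor reads a bool member that the constructor did not write on every path. The following is an added, self-contained model of that pattern, not WebKit's code: the View type, the constructor body (including the early return on a null view) and the counters are assumptions made to illustrate the defect, and the names are chosen for readability rather than taken from RenderView.cpp. The buggy form is kept beside the fixed form so the difference is visible; only the fixed form is exercised.

```cpp
// Added example (not WebKit's code): a minimal model of the nested
// repaint-region accumulator pattern from the bug report, showing why the
// "was accumulating" flag needs a default member initializer.
#include <cstdio>

// Hypothetical stand-in for RenderView: remembers whether a repaint region
// is currently being accumulated and counts how often it has been flushed.
struct View {
    bool accumulating = false;
    int flushCount = 0;
    void flush() { accumulating = false; ++flushCount; }
};

// Buggy form: no initializer on m_wasAccumulating. The constructor shape is
// assumed; the point is that an early return leaves the flag unwritten, and
// the destructor then performs a load of an indeterminate bool (UBSan's
// "load of value nnn, which is not a valid value for type 'bool'").
struct AccumulatorBuggy {
    explicit AccumulatorBuggy(View* view) : m_view(view) {
        if (!m_view) return;                      // flag never written on this path
        m_wasAccumulating = m_view->accumulating;
        m_view->accumulating = true;
    }
    ~AccumulatorBuggy() {
        if (m_wasAccumulating) return;            // reads uninitialized memory
        if (!m_view) return;
        m_view->flush();
    }
    AccumulatorBuggy(const AccumulatorBuggy&) = delete;
    AccumulatorBuggy& operator=(const AccumulatorBuggy&) = delete;
    View* m_view;
    bool m_wasAccumulating;                       // BUG: no default initialization
};

// Fixed form: the in-class initializer makes the flag well-defined on every
// constructor path, including the early return, so the destructor's first
// test is always a valid load.
struct Accumulator {
    explicit Accumulator(View* view) : m_view(view) {
        if (!m_view) return;
        m_wasAccumulating = m_view->accumulating;
        m_view->accumulating = true;
    }
    ~Accumulator() {
        if (m_wasAccumulating) return;            // inner scope: outermost one flushes
        if (!m_view) return;
        m_view->flush();
    }
    Accumulator(const Accumulator&) = delete;
    Accumulator& operator=(const Accumulator&) = delete;
    View* m_view;
    bool m_wasAccumulating { false };             // FIX: defined on every path
};

// Nested accumulators on one view: only the outermost one flushes.
// Returns the number of flushes observed (expected 1).
int nestedFlushCount() {
    View view;
    {
        Accumulator outer(&view);
        {
            Accumulator inner(&view);
        }  // inner saw accumulating == true, so it does not flush
    }      // outer flushes once
    return view.flushCount;
}

// After the outer scope ends the view is no longer accumulating.
bool accumulatingResetAfterScope() {
    View view;
    {
        Accumulator outer(&view);
    }
    return !view.accumulating;
}

// Null view: the constructor returns early and the destructor reads a defined
// false before bailing on the null check. Returns true if that path ran.
bool nullViewIsSafe() {
    Accumulator a(nullptr);
    return true;
}

int main() {
    std::printf("nested flushes: %d\n", nestedFlushCount());
    std::printf("reset after scope: %d\n", accumulatingResetAfterScope() ? 1 : 0);
    std::printf("null view safe: %d\n", nullViewIsSafe() ? 1 : 0);
    return 0;
}
```

Building the buggy form with `-fsanitize=undefined` and constructing it with a null view reproduces the class of report quoted in the bug title; the fixed form is silent under the same sanitizer because the member is value-initialized before any constructor body runs.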
Attachments
Patch v1 (2.67 KB, patch)
2021-04-03 12:08 PDT, David Kilzer (:ddkilzer)
no flags
David Kilzer (:ddkilzer)
Comment 1 2021-04-03 12:08:59 PDT
Created attachment 425106 [details] Patch v1
David Kilzer (:ddkilzer)
Comment 2 2021-04-03 12:09:38 PDT
Comment on attachment 425106 [details]
Patch v1

View in context: https://bugs.webkit.org/attachment.cgi?id=425106&action=review

> Source/WebCore/rendering/RenderView.h:186
> +    bool m_wasAccumulatingRepaintRegion { false };

I used { false } here instead of { } since it matches the style of other default initializers in the file.
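Review bot: the brace initializer on the quoted line closes the uninitialized read described in the report, since the destructor tests m_wasAccumulatingRepaintRegion before it checks m_rootView and so reaches that load on every destruction; `{ }` would value-initialize the bool to false just as well, so keeping `{ false }` for consistency with the file's other default initializers is fine.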
Radar WebKit Bug Importer
Comment 3 2021-04-04 21:47:42 PDT
David Kilzer (:ddkilzer)
Comment 4 2021-04-06 11:08:43 PDT
mac-AS-debug-wk2 failure is unrelated to this patch (NSException thrown from Photos in GPU process):

    media/media-fragments/TC0051.html

This test has a history of flakiness: <https://results.webkit.org/?suite=layout-tests&test=media%2Fmedia-fragments%2FTC0051.html>

Filed radar 76275085 to cover this crash.
EWS
Comment 5 2021-04-06 11:15:39 PDT
Committed r275536: <https://commits.webkit.org/r275536>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 425106 [details].