Bug 224157 - UBSan: RenderView.cpp:831:9: runtime error: load of value nnn, which is not a valid value for type 'bool'
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: David Kilzer (:ddkilzer)
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2021-04-03 12:07 PDT by David Kilzer (:ddkilzer)
Modified: 2021-04-06 11:15 PDT (History)
CC List: 11 users

See Also:


Attachments
Patch v1 (2.67 KB, patch)
2021-04-03 12:08 PDT, David Kilzer (:ddkilzer)
no flags

Description David Kilzer (:ddkilzer) 2021-04-03 12:07:25 PDT
UBSan: RenderView.cpp:831:9: runtime error: load of value nnn, which is not a valid value for type 'bool'

Occurs here:

    RenderView::RepaintRegionAccumulator::~RepaintRegionAccumulator()
    {
        if (m_wasAccumulatingRepaintRegion)  // UBSan warning.
            return;
        if (!m_rootView)
            return;
        m_rootView.get()->flushAccumulatedRepaintRegion();
    }

Caused by the m_wasAccumulatingRepaintRegion instance variable not being initialized:

    class RepaintRegionAccumulator {
        WTF_MAKE_NONCOPYABLE(RepaintRegionAccumulator);
    public:
        RepaintRegionAccumulator(RenderView*);
        ~RepaintRegionAccumulator();

    private:
        WeakPtr<RenderView> m_rootView;
        bool m_wasAccumulatingRepaintRegion;  // BUG: No default initialization.
    };

Affects the following tests:

editing/inserting/insert-list-user-select-none-crash.html
fast/dom/clientWidthAfterDocumentIsRemoved.html
fast/scrolling/iframe-scrollable-after-back.html
fast/text/crash-font-family-parsed.html
html5lib/generated/run-template-write.html
imported/blink/plugins/renderless-plugin-creation-doesnt-crash-without-frame.html
imported/w3c/web-platform-tests/css/cssom-view/scrolling-no-browsing-context.html
imported/w3c/web-platform-tests/dom/ranges/Range-mutations-appendChild.html
imported/w3c/web-platform-tests/html/browsers/the-window-object/named-access-on-the-window-object/navigated-named-objects.window.html
imported/w3c/web-platform-tests/html/semantics/forms/the-label-element/clicking-interactive-content.html
imported/w3c/web-platform-tests/html/syntax/parsing/html5lib_template.html
imported/w3c/web-platform-tests/html/syntax/parsing/template/creating-an-element-for-the-token/template-owner-document.html
imported/w3c/web-platform-tests/selection/addRange-12.html
imported/w3c/web-platform-tests/shadow-dom/untriaged/html-elements-in-shadow-trees/html-forms/test-001.html
media/track/track-remove-crash.html
svg/custom/animate-reference-crash.html
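As an added example (not WebKit's code), a self-contained C++ model of the RAII pattern described above with the fix applied: the `View` and `Region` stand-ins, and the constructor's early return on a null view, are assumptions made here, not details taken from the report.

```cpp
#include <memory>
// Constructed stand-in for RenderView: owns the region being accumulated
// and counts how often it is flushed.
struct Region { };
struct View {
    std::unique_ptr<Region> accumulatedRepaintRegion;
    int flushCount = 0;
    void flushAccumulatedRepaintRegion() { accumulatedRepaintRegion.reset(); ++flushCount; }
};

// RAII guard modelled on RenderView::RepaintRegionAccumulator with the fix applied: the
// default initializer keeps the flag defined even when the constructor returns early
// (that early return is assumed here; the bug page does not show the constructor body).
class RepaintRegionAccumulator {
public:
    explicit RepaintRegionAccumulator(View* view)
    {
        if (!view)
            return;  // flag stays false instead of indeterminate
        m_rootView = view;
        m_wasAccumulatingRepaintRegion = !!m_rootView->accumulatedRepaintRegion;
        if (!m_wasAccumulatingRepaintRegion)
            m_rootView->accumulatedRepaintRegion = std::make_unique<Region>();
    }
    ~RepaintRegionAccumulator()
    {
        if (m_wasAccumulatingRepaintRegion)  // an enclosing accumulator will flush
            return;
        if (!m_rootView)
            return;
        m_rootView->flushAccumulatedRepaintRegion();
    }
private:
    View* m_rootView { nullptr };
    bool m_wasAccumulatingRepaintRegion { false };
};

// Nested guards on one view: inner is destroyed first and returns early, outer flushes once.
int nestedFlushCount()
{
    View view;
    {
        RepaintRegionAccumulator outer(&view);
        RepaintRegionAccumulator inner(&view);  // sees accumulation already in progress
    }
    return view.flushCount;
}

int nullViewFlushCount()
{
    View view;
    { RepaintRegionAccumulator guard(nullptr); }  // before the fix: uninitialized read here
    return view.flushCount;
}
```

Building this with `-fsanitize=undefined` and removing the `{ false }` initializer reproduces the class of report in the title on the null-view path.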
Comment 1 David Kilzer (:ddkilzer) 2021-04-03 12:08:59 PDT
Created attachment 425106 [details]
Patch v1
Comment 2 David Kilzer (:ddkilzer) 2021-04-03 12:09:38 PDT
Comment on attachment 425106 [details]
Patch v1

View in context: https://bugs.webkit.org/attachment.cgi?id=425106&action=review

> Source/WebCore/rendering/RenderView.h:186
> +        bool m_wasAccumulatingRepaintRegion { false };
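Review bot: the initializer makes the read in the destructor's first `if` well-defined, but the hunk does not show why the member was ever left unassigned; since `RepaintRegionAccumulator(RenderView*)` is the only place that sets it, a one-line ChangeLog note naming the construction path that skips the assignment would make the fix reviewable without the UBSan log.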

I used { false } here instead of { } since it matches the style of other default initializers in the file.
Comment 3 Radar WebKit Bug Importer 2021-04-04 21:47:42 PDT
<rdar://problem/76205483>
Comment 4 David Kilzer (:ddkilzer) 2021-04-06 11:08:43 PDT
mac-AS-debug-wk2 failure is unrelated to this patch (NSException thrown from Photos in GPU process):

media/media-fragments/TC0051.html

This test has a history of flakiness:

<https://results.webkit.org/?suite=layout-tests&test=media%2Fmedia-fragments%2FTC0051.html>

Filed radar 76275085 to cover this crash.
Comment 5 EWS 2021-04-06 11:15:39 PDT
Committed r275536: <https://commits.webkit.org/r275536>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 425106 [details].