uninit in blink::WebURLResponse::isNull #1530

Closed
derekbruening opened this issue Nov 28, 2014 · 1 comment
Comments

@derekbruening

From bruen...@google.com on April 23, 2014 19:25:22

In renderer, so not in stdout, so don't know which test it's from --
though on my own machine I later saw it in LazyBackgroundPageApiTest.BroadcastEvent:

UNINITIALIZED READ: reading 0x0b6e008c-0x0b6e008d 1 byte(s)
#0 blink_platform.dll!blink::WebURLResponse::isNull [third_party\webkit\source\platform\exported\weburlresponse.cpp:110]
#1 content.dll!content::MultiResolutionImageResourceFetcher::OnURLFetchComplete [content\renderer\fetchers\multi_resolution_image_resource_fetcher.cc:46]
#2 content.dll!base::internal::Invoker<>::Run [base\bind_internal.h:1316]
#3 content.dll!content::ResourceFetcherImpl::RunCallback [content\renderer\fetchers\resource_fetcher_impl.cc:121]
#4 content.dll!content::ResourceFetcherImpl::didFinishLoading [content\renderer\fetchers\resource_fetcher_impl.cc:171]
#5 content.dll!content::WebURLLoaderImpl::Context::OnCompletedRequest [content\child\web_url_loader_impl.cc:636]
#6 content.dll!content::ResourceDispatcher::OnRequestComplete [content\child\resource_dispatcher.cc:557]
#7 content.dll!ResourceMsg_RequestComplete::Dispatch<> [content\common\resource_messages.h:300]
#8 content.dll!content::ResourceDispatcher::DispatchMessageW [content\child\resource_dispatcher.cc:662]
#9 content.dll!content::ResourceDispatcher::OnMessageReceived [content\child\resource_dispatcher.cc:317]
#10 content.dll!content::ChildThread::OnMessageReceived [content\child\child_thread.cc:413]
#11 ipc.dll!IPC::ChannelProxy::Context::OnDispatchMessage [ipc\ipc_channel_proxy.cc:384]
#12 ipc.dll!base::internal::Invoker<>::Run [base\bind_internal.h:1253]
#13 base.dll!base::MessageLoop::RunTask [base\message_loop\message_loop.cc:443]
#14 base.dll!base::MessageLoop::DeferOrRunPendingTask [base\message_loop\message_loop.cc:455]
#15 base.dll!base::MessageLoop::DoWork [base\message_loop\message_loop.cc:569]
#16 base.dll!base::MessagePumpDefault::Run [base\message_loop\message_pump_default.cc:32]
#17 base.dll!base::MessageLoop::RunHandler [base\message_loop\message_loop.cc:393]
#18 content.dll!content::RendererMain [content\renderer\renderer_main.cc:252]
#19 content.dll!content::RunNamedProcessTypeMain [content\app\content_main_runner.cc:411]
#20 content.dll!content::ContentMainRunnerImpl::Run [content\app\content_main_runner.cc:735]
#21 content.dll!content::ContentMain [content\app\content_main.cc:19]
#22 browser_tests.exe!? +0x0 (0x027dca03 <browser_tests.exe+0x189ca03>)
#23 browser_tests.exe!? +0x0 (0x01c93fcc <browser_tests.exe+0xd53fcc>)
#24 browser_tests.exe!? +0x0 (0x0161bcb1 <browser_tests.exe+0x6dbcb1>)
#25 browser_tests.exe!? +0x0 (0x028c1546 <browser_tests.exe+0x1981546>)
#26 KERNEL32.dll!BaseThreadInitThunk +0x11 (0x7694336a <KERNEL32.dll+0x1336a>)
Note: @0:04:54.825 in thread 2488
Note: instruction: test 0x000000a4(%eax) $0x01

Error #1: UNINITIALIZED READ: reading 0x05ad6de4-0x05ad6de5 1 byte(s)
#0 blink_platform.dll!blink::WebURLResponse::isNull [e:\derek\chromium\src\third_party\webkit\source\platform\exported\weburlresponse.cpp:110](0x67d93119 <blink_platform.dll+0x63119) modid:39

bool WebURLResponse::isNull() const
{
    return !m_private || m_private->m_resourceResponse->isNull();
}

blink_platform!blink::WebURLResponse::isNull:
679d3110 8b01 mov eax,dword ptr [ecx]
679d3112 85c0 test eax,eax
679d3114 740f je blink_platform!blink::WebURLResponse::isNull+0x15 (679d3125)
679d3116 8b4004 mov eax,dword ptr [eax+4]
679d3119 f680a400000001 test byte ptr [eax+0A4h],1 <---
679d3120 7503 jne blink_platform!blink::WebURLResponse::isNull+0x15 (679d3125)
679d3122 32c0 xor al,al
679d3124 c3 ret
679d3125 b001 mov al,1
679d3127 c3 ret

+0x000 m_private : Ptr32 to class blink::WebURLResponsePrivate, 6 elements, 0x8 bytes
class blink::WebURLResponsePrivate, 6 elements, 0x8 bytes
+0x000 __VFN_table : Ptr32 to 1 entries
+0x004 m_resourceResponse : Ptr32 to class WebCore::ResourceResponse, 133 elements, 0x168 bytes
class WebCore::ResourceResponse, 133 elements, 0x168 bytes
+0x0a4 m_isNull : Bitfield Pos 0, 1 Bit

ResourceResponse::ResourceResponse()
...
, m_isNull(true)

3 constructors:

  1. blink_platform!WebCore::ResourceResponse::ResourceResponse (void)
     Sets to true:

     60 67a6323c 808ba400000001 or byte ptr [ebx+0A4h],1

     That should hit issue #849 and mark it defined.

  2. blink_platform!WebCore::ResourceResponse::ResourceResponse (class WebCore::KURL *, class WTF::AtomicString *, int64, class WTF::AtomicString *, class WTF::String *)
     Sets to false:

     92 678e3051 80a7a4000000fe and byte ptr [edi+0A4h],0FEh

     That should also match issue #849.

  3. blink_platform!WebCore::ResourceResponse::ResourceResponse (class WebCore::ResourceResponse *)
     Default copy constructor. Note how it has an unrelated store sitting in
     the typical xor;and;xor pattern:

     678076ce 0fb687a4000000 movzx eax,byte ptr [edi+0A4h]
     678076d5 3286a4000000 xor al,byte ptr [esi+0A4h]
     678076db 2401 and al,1
     678076dd c645fc07 mov byte ptr [ebp-4],7
     678076e1 3086a4000000 xor byte ptr [esi+0A4h],al

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1530
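The following is an added illustration, not code from Dr. Memory, Blink or Chromium, of why the `test byte ptr [eax+0A4h],1` read in the report is a false positive. It models the three instruction patterns listed in the comment above (the `or ...,1` and `and ...,0FEh` bitfield stores and the copy constructor's xor;and;xor idiom) against a shadow byte whose definedness is tracked per bit, and contrasts that with a byte-granular view in which a one-byte load must have all eight bits initialized. The `shadow_byte_t` type, the per-bit `defined` mask and the constructed garbage values `0x5A`/`0xA2` are assumptions made for the example; Dr. Memory's own handling is the issue #849 pattern matching the comment refers to, which this model does not reproduce.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Shadow-tracked byte: `value` is the application byte (m_isNull lives in
 * bit 0, mirroring ResourceResponse+0xa4); `defined` is a shadow mask in
 * which bit i set means bit i of `value` has been initialized.
 * Illustrative model only, not Dr. Memory's shadow implementation. */
typedef struct {
    uint8_t value;
    uint8_t defined;
} shadow_byte_t;

/* Fresh heap byte: arbitrary contents (constructed garbage), nothing defined. */
static shadow_byte_t shadow_alloc(uint8_t garbage)
{
    shadow_byte_t b = { garbage, 0x00 };
    return b;
}

/* "or byte ptr [ebx+0A4h],1" from the default constructor, m_isNull(true):
 * a read-modify-write that initializes only bit 0. */
static void bitfield_set(shadow_byte_t *b)
{
    b->value |= 1;
    b->defined |= 1;
}

/* "and byte ptr [edi+0A4h],0FEh" from the five-argument constructor,
 * m_isNull(false): likewise initializes only bit 0. */
static void bitfield_clear(shadow_byte_t *b)
{
    b->value &= 0xFE;
    b->defined |= 1;
}

/* The copy constructor's xor;and;xor idiom:
 *     al = dst ^ src;  al &= 1;  dst ^= al;
 * copies bit 0 of src into dst and leaves bits 1-7 of dst untouched, so
 * bit 0 of dst becomes exactly as defined as bit 0 of src. The unrelated
 * "mov byte ptr [ebp-4],7" the compiler interleaved is simply omitted. */
static void bitfield_copy(shadow_byte_t *dst, const shadow_byte_t *src)
{
    uint8_t al = (uint8_t)(dst->value ^ src->value);
    al &= 1;
    dst->value ^= al;
    dst->defined = (uint8_t)((dst->defined & 0xFE) | (src->defined & 1));
}

/* "test byte ptr [eax+0A4h],1" in isNull(): only bit 0 is consumed, so a
 * bit-granular check passes as soon as bit 0 alone is defined. */
static int isnull_read_ok_bitwise(const shadow_byte_t *b)
{
    return (b->defined & 1) == 1;
}

/* The same read judged at byte granularity, where a one-byte load must have
 * all eight bits defined: this is the view that yields the report above. */
static int isnull_read_ok_bytewise(const shadow_byte_t *b)
{
    return b->defined == 0xFF;
}

/* Replays the flow behind the report: default-construct one object, copy it
 * into a second freshly allocated one, then evaluate isNull() on the copy.
 * Returns 1 when the copy's bit 0 matches the source and its other seven
 * bits are still the copy's original garbage; the out-params report how each
 * shadow model judges the final test instruction. */
static int replay_copy_then_isnull(int *bitwise_ok, int *bytewise_ok)
{
    shadow_byte_t orig = shadow_alloc(0x5A); /* constructed garbage, bit 0 clear */
    shadow_byte_t copy = shadow_alloc(0xA2); /* constructed garbage, bit 0 clear */

    bitfield_set(&orig);          /* orig.value == 0x5B, only bit 0 defined */
    bitfield_copy(&copy, &orig);  /* copy.value == 0xA3, only bit 0 defined */

    *bitwise_ok = isnull_read_ok_bitwise(&copy);
    *bytewise_ok = isnull_read_ok_bytewise(&copy);
    return (copy.value & 1) == (orig.value & 1) && (copy.value & 0xFE) == 0xA2;
}

int main(void)
{
    int bitwise = 0, bytewise = 0;
    int copied = replay_copy_then_isnull(&bitwise, &bytewise);
    printf("bit 0 copied correctly: %d\n", copied);
    printf("isNull() read ok, bit-granular shadow:  %d\n", bitwise);
    printf("isNull() read ok, byte-granular shadow: %d\n", bytewise);
    return 0;
}
```

The copy leaves bits 1-7 of the destination exactly as uninitialized as they were, which is harmless because `isNull()` never looks at them; a checker that sizes the read by the instruction's operand width rather than by the bits the `test` actually consumes will report it anyway, which is why the bitfield stores and the xor;and;xor copy need to be recognized as patterns.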

@derekbruening

From derek.br...@gmail.com on April 23, 2014 17:31:48

This issue was closed by revision r1900.

Status: Fixed
