
false positive on many browser_tests and content_browsertests about noninherited_flags #1586

Closed
derekbruening opened this issue Nov 28, 2014 · 11 comments

Comments

@derekbruening
Contributor

From zhao...@google.com on July 08, 2014 16:40:15

http://build.chromium.org/p/chromium.memory.fyi/builders/Windows%20Content%20Browser%20%28DrMemory%20full%29%20%281%29/builds/311
=====================================================
Below is the report for drmemory wrapper PID=2244_14.
It was used while running the OutOfProcessPPAPITest.TraceEvent test.

Suppressions used:
count name
1 http://crbug.com/346842
2 https://code.google.com/p/drmemory/issues/detail?id=18 d
3 bug_347967_all_osmesa
3 https://code.google.com/p/drmemory/issues/detail?id=113 rpcrt4.dll wildcard
3 https://code.google.com/p/drmemory/issues/detail?id=412 h
3 https://code.google.com/p/drmemory/issues/detail?id=513 d
3 https://code.google.com/p/drmemory/issues/detail?id=68 a
4 http://crbug.com/346993
15 http://crbug.com/371348
15 http://crbug.com/371942
21 http://crbug.com/371357
-----------------------------------------------------
11:00:09 drmemory_analyze.py [INFO] Found 3 error reports
11:00:09 drmemory_analyze.py [INFO] Report #1
UNINITIALIZED READ: reading register eax
#0 blink_web.dll!WebCore::RenderStyle::NonInheritedFlags::operator== [third_party\webkit\source\core\rendering\style\renderstyle.h:233]
#1 blink_web.dll!WebCore::RenderStyle::operator== [third_party\webkit\source\core\rendering\style\renderstyle.cpp:252]
#2 blink_web.dll!WebCore::RenderStyle::stylePropagationDiff [third_party\webkit\source\core\rendering\style\renderstyle.cpp:185]
#3 blink_web.dll!WebCore::Document::updateStyle [third_party\webkit\source\core\dom\document.cpp:1869]
#4 blink_web.dll!WebCore::Document::updateRenderTree [third_party\webkit\source\core\dom\document.cpp:1828]
#5 blink_web.dll!WebCore::FrameSelection::focusedOrActiveStateChanged [third_party\webkit\source\core\editing\frameselection.cpp:1457]
#6 blink_web.dll!WebCore::FrameSelection::setFocused [third_party\webkit\source\core\editing\frameselection.cpp:1510]
#7 blink_web.dll!WebCore::FocusController::setFocusedFrame [third_party\webkit\source\core\page\focuscontroller.cpp:257]
#8 blink_web.dll!WebCore::FocusController::setFocused [third_party\webkit\source\core\page\focuscontroller.cpp:321]
#9 blink_web.dll!blink::WebViewImpl::setFocus [third_party\webkit\source\web\webviewimpl.cpp:1970]
#10 content.dll!InputMsg_SetFocus::Dispatch<> [content\common\input_messages.h:168]
#11 content.dll!content::RenderWidget::OnMessageReceived [content\renderer\render_widget.cc:587]
#12 content.dll!content::RenderViewImpl::OnMessageReceived [content\renderer\render_view_impl.cc:1140]
#13 content.dll!content::MessageRouter::RouteMessage [content\common\message_router.cc:54]
#14 content.dll!content::MessageRouter::OnMessageReceived [content\common\message_router.cc:46]
#15 content.dll!content::ChildThread::OnMessageReceived [content\child\child_thread.cc:467]
#16 ipc.dll!IPC::ChannelProxy::Context::OnDispatchMessage [ipc\ipc_channel_proxy.cc:273]
#17 ipc.dll!base::internal::Invoker<>::Run [base\bind_internal.h:1253]
#18 base.dll!base::MessageLoop::RunTask [base\message_loop\message_loop.cc:458]
#19 base.dll!base::MessageLoop::DeferOrRunPendingTask [base\message_loop\message_loop.cc:470]
#20 base.dll!base::MessageLoop::DoWork [base\message_loop\message_loop.cc:584]
#21 base.dll!base::MessagePumpDefault::Run [base\message_loop\message_pump_default.cc:32]
#22 base.dll!base::MessageLoop::RunHandler [base\message_loop\message_loop.cc:408]
#23 content.dll!content::RendererMain [content\renderer\renderer_main.cc:250]
#24 content.dll!content::RunNamedProcessTypeMain [content\app\content_main_runner.cc:417]
#25 content.dll!content::ContentMainRunnerImpl::Run [content\app\content_main_runner.cc:763]
#26 content.dll!content::ContentMain [content\app\content_main.cc:19]
#27 content::LaunchTests [content\public\test\test_launcher.cc:474]
#28 main [content\test\content_test_launcher.cc:123]

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1586

@derekbruening
Contributor Author

From zhao...@google.com on July 08, 2014 13:49:27

The code is
bool operator==(const NonInheritedFlags& other) const
{
    return _effectiveDisplay == other._effectiveDisplay
        && _originalDisplay == other._originalDisplay
        && _overflowX == other._overflowX
        && _overflowY == other._overflowY
        && _vertical_align == other._vertical_align
        && _clear == other._clear
        && _position == other._position
        && _floating == other._floating
        && _table_layout == other._table_layout
        && _page_break_before == other._page_break_before
        && _page_break_after == other._page_break_after
        && _page_break_inside == other._page_break_inside
        && _styleType == other._styleType
        && _affectedByFocus == other._affectedByFocus
        && _affectedByHover == other._affectedByHover
        && _affectedByActive == other._affectedByActive
        && _affectedByDrag == other._affectedByDrag
        && _pseudoBits == other._pseudoBits
        && _unicodeBidi == other._unicodeBidi
        && explicitInheritance == other.explicitInheritance
        && currentColor == other.currentColor
        && unique == other.unique
        && emptyState == other.emptyState
        && firstChildState == other.firstChildState
        && lastChildState == other.lastChildState
        && _isLink == other._isLink;
}

The corresponding asm:
blink_web!WebCore::RenderStyle::NonInheritedFlags::operator==+0x90 [d:\src\chrome-int\src\third_party\webkit\source\core\rendering\style\renderstyle.h @ 233]:
233 5613e630 8b4904 mov ecx,[ecx+0x4]
233 5613e633 8bc1 mov eax,ecx
233 5613e635 8b5204 mov edx,[edx+0x4]
233 5613e638 33c2 xor eax,edx
233 5613e63a a803 test al,0x3
233 5613e63c 0f85c0000000 jne blink_web!WebCore::RenderStyle::NonInheritedFlags::operator==+0x162 (5613e702)

blink_web!WebCore::RenderStyle::NonInheritedFlags::operator==+0xa2 [d:\src\chrome-int\src\third_party\webkit\source\core\rendering\style\renderstyle.h @ 233]:
233 5613e642 8bc1 mov eax,ecx
233 5613e644 33c2 xor eax,edx
233 5613e646 a80c test al,0xc
233 5613e648 0f85b4000000 jne blink_web!WebCore::RenderStyle::NonInheritedFlags::operator==+0x162 (5613e702)

...

blink_web!WebCore::RenderStyle::NonInheritedFlags::operator==+0xc9 [d:\src\chrome-int\src\third_party\webkit\source\core\rendering\style\renderstyle.h @ 233]:
233 5613e669 8bc1 mov eax,ecx
233 5613e66b 33c2 xor eax,edx
233 5613e66d a900000004 test eax,0x4000000
233 5613e672 0f858a000000 jne blink_web!WebCore::RenderStyle::NonInheritedFlags::operator==+0x162 (5613e702)

From caller:
if (oldStyle == *newStyle)
return diffPseudoStyles(oldStyle, newStyle);
0:000> dv
oldStyle = 0x030c2ba0
newStyle = 0x030ba178
0:000> dt -r oldStyle
Local var @ 0x2aeb58 Type WebCore::RenderStyle

0x030c2ba0
+0x000 m_refCount : 1
+0x004 m_box :
+0x000 m_data :
+0x000 m_ptr : 0x030c2bf8
+0x008 visual :
+0x000 m_data :
+0x000 m_ptr : 0x03272428
+0x00c m_background :
+0x000 m_data :
+0x000 m_ptr : 0x03272478
+0x010 surround :
+0x000 m_data :
+0x000 m_ptr : 0x032724e0
+0x014 rareNonInheritedData :
+0x000 m_data :
+0x000 m_ptr : 0x032726d8
+0x018 rareInheritedData :
+0x000 m_data :
+0x000 m_ptr : 0x03272d10
+0x01c inherited :
+0x000 m_data :
+0x000 m_ptr : 0x030c2ed8
+0x020 m_cachedPseudoStyles :
+0x000 m_ptr : (null)
+0x024 m_svgStyle :
+0x000 m_data :
+0x000 m_ptr : 0x03272e68
+0x028 inherited_flags :
+0x000 _empty_cells : 0y0
+0x000 _caption_side : 0y00
+0x000 _list_style_type : 0y0000000 (0)
+0x000 _list_style_position : 0y0
+0x000 _visibility : 0y00
+0x000 _text_align : 0y0111
+0x000 _text_transform : 0y11
+0x000 m_textUnderline : 0y0
+0x000 _cursor_style : 0y000000 (0)
+0x000 _direction : 0y1
+0x000 _white_space : 0y000
+0x000 _border_collapse : 0y0
+0x000 _box_direction : 0y0
+0x004 m_rtlOrdering : 0y0
+0x004 m_printColorAdjust : 0y0
+0x004 _pointerEvents : 0y0001
+0x004 _insideLink : 0y00
+0x004 m_writingMode : 0y00
+0x030 noninherited_flags :
+0x000 effectiveDisplay : 0y00001 (0x1)
+0x000 originalDisplay : 0y00000 (0)
+0x000 overflowX : 0y000
+0x000 overflowY : 0y000
+0x000 verticalAlign : 0y0000
+0x000 clear : 0y00
+0x000 position : 0y000
+0x000 floating : 0y00
+0x000 tableLayout : 0y0
+0x000 unicodeBidi : 0y000
+0x000 hasViewportUnits : 0y0
+0x004 pageBreakBefore : 0y00
+0x004 pageBreakAfter : 0y00
+0x004 pageBreakInside : 0y00
+0x004 styleType : 0y000000 (0)
+0x004 pseudoBits : 0y00000000 (0)
+0x004 explicitInheritance : 0y0
+0x004 currentColor : 0y0
+0x004 unique : 0y0
+0x004 emptyState : 0y0
+0x004 firstChildState : 0y0
+0x004 lastChildState : 0y0
+0x004 affectedByFocus : 0y0
+0x004 affectedByHover : 0y0
+0x004 affectedByActive : 0y0
+0x004 affectedByDrag : 0y0
+0x004 isLink : 0y0

0:000> dt -r newStyle
Local var @ 0x2aeb5c Type WebCore::RenderStyle*
0x030ba178
+0x000 m_refCount : 1
+0x004 m_box :
+0x000 m_data :
+0x000 m_ptr : 0x03273138
+0x008 visual :
+0x000 m_data :
+0x000 m_ptr : 0x03272428
+0x00c m_background :
+0x000 m_data :
+0x000 m_ptr : 0x03272478
+0x010 surround :
+0x000 m_data :
+0x000 m_ptr : 0x032724e0
+0x014 rareNonInheritedData :
+0x000 m_data :
+0x000 m_ptr : 0x032726d8
+0x018 rareInheritedData :
+0x000 m_data :
+0x000 m_ptr : 0x03272d10
+0x01c inherited :
+0x000 m_data :
+0x000 m_ptr : 0x03277390
+0x020 m_cachedPseudoStyles :
+0x000 m_ptr : (null)
+0x024 m_svgStyle :
+0x000 m_data :
+0x000 m_ptr : 0x03272e68
+0x028 inherited_flags :
+0x000 _empty_cells : 0y0
+0x000 _caption_side : 0y00
+0x000 _list_style_type : 0y0000000 (0)
+0x000 _list_style_position : 0y0
+0x000 _visibility : 0y00
+0x000 _text_align : 0y0111
+0x000 _text_transform : 0y11
+0x000 m_textUnderline : 0y0
+0x000 _cursor_style : 0y000000 (0)
+0x000 _direction : 0y1
+0x000 _white_space : 0y000
+0x000 _border_collapse : 0y0
+0x000 _box_direction : 0y0
+0x004 m_rtlOrdering : 0y0
+0x004 m_printColorAdjust : 0y0
+0x004 _pointerEvents : 0y0001
+0x004 _insideLink : 0y00
+0x004 m_writingMode : 0y00
+0x030 noninherited_flags :
+0x000 effectiveDisplay : 0y00001 (0x1)
+0x000 originalDisplay : 0y00000 (0)
+0x000 overflowX : 0y000
+0x000 overflowY : 0y000
+0x000 verticalAlign : 0y0000
+0x000 clear : 0y00
+0x000 position : 0y000
+0x000 floating : 0y00
+0x000 tableLayout : 0y0
+0x000 unicodeBidi : 0y000
+0x000 hasViewportUnits : 0y0
+0x004 pageBreakBefore : 0y00
+0x004 pageBreakAfter : 0y00
+0x004 pageBreakInside : 0y00
+0x004 styleType : 0y000000 (0)
+0x004 pseudoBits : 0y00000000 (0)
+0x004 explicitInheritance : 0y0
+0x004 currentColor : 0y0
+0x004 unique : 0y0
+0x004 emptyState : 0y0
+0x004 firstChildState : 0y0
+0x004 lastChildState : 0y0
+0x004 affectedByFocus : 0y0
+0x004 affectedByHover : 0y0
+0x004 affectedByActive : 0y0
+0x004 affectedByDrag : 0y0
+0x004 isLink ...

@derekbruening
Contributor Author

From zhao...@google.com on July 08, 2014 13:49:27

... : 0y0

Based on the instruction: test eax,0x4000000
The bit should be at pos 26:
0:000> dt WebCore::RenderStyle -r
+0x000 m_refCount : Int4B
+0x004 m_box :
+0x000 m_data :
+0x000 m_ptr : Ptr32 WebCore::StyleBoxData
+0x008 visual :
+0x000 m_data :
+0x000 m_ptr : Ptr32 WebCore::StyleVisualData
+0x00c m_background :
+0x000 m_data :
+0x000 m_ptr : Ptr32 WebCore::StyleBackgroundData
+0x010 surround :
+0x000 m_data :
+0x000 m_ptr : Ptr32 WebCore::StyleSurroundData
+0x014 rareNonInheritedData :
+0x000 m_data :
+0x000 m_ptr : Ptr32 WebCore::StyleRareNonInheritedData
+0x018 rareInheritedData :
+0x000 m_data :
+0x000 m_ptr : Ptr32 WebCore::StyleRareInheritedData
+0x01c inherited :
+0x000 m_data :
+0x000 m_ptr : Ptr32 WebCore::StyleInheritedData
+0x020 m_cachedPseudoStyles :
+0x000 m_ptr : Ptr32
+0x000 m_buffer : Ptr32 WTF::RefPtr<WebCore::RenderStyle>
+0x004 m_capacity : Uint4B
+0x008 m_size : Uint4B
=54680000 m_inlineBufferSize : Uint4B
+0x00c m_inlineBuffer : WTF::AlignedBuffer<16,4>
+0x024 m_svgStyle :
+0x000 m_data :
+0x000 m_ptr : Ptr32 WebCore::SVGRenderStyle
+0x028 inherited_flags :
+0x000 _empty_cells : Pos 0, 1 Bit
+0x000 _caption_side : Pos 1, 2 Bits
+0x000 _list_style_type : Pos 3, 7 Bits
+0x000 _list_style_position : Pos 10, 1 Bit
+0x000 _visibility : Pos 11, 2 Bits
+0x000 _text_align : Pos 13, 4 Bits
+0x000 _text_transform : Pos 17, 2 Bits
+0x000 m_textUnderline : Pos 19, 1 Bit
+0x000 _cursor_style : Pos 20, 6 Bits
+0x000 _direction : Pos 26, 1 Bit
+0x000 _white_space : Pos 27, 3 Bits
+0x000 _border_collapse : Pos 30, 1 Bit
+0x000 _box_direction : Pos 31, 1 Bit
+0x004 m_rtlOrdering : Pos 0, 1 Bit
+0x004 m_printColorAdjust : Pos 1, 1 Bit
+0x004 _pointerEvents : Pos 2, 4 Bits
+0x004 _insideLink : Pos 6, 2 Bits
+0x004 m_writingMode : Pos 8, 2 Bits
+0x030 noninherited_flags :
+0x000 effectiveDisplay : Pos 0, 5 Bits
+0x000 originalDisplay : Pos 5, 5 Bits
+0x000 overflowX : Pos 10, 3 Bits
+0x000 overflowY : Pos 13, 3 Bits
+0x000 verticalAlign : Pos 16, 4 Bits
+0x000 clear : Pos 20, 2 Bits
+0x000 position : Pos 22, 3 Bits
+0x000 floating : Pos 25, 2 Bits
+0x000 tableLayout : Pos 27, 1 Bit
+0x000 unicodeBidi : Pos 28, 3 Bits
+0x000 hasViewportUnits : Pos 31, 1 Bit
+0x004 pageBreakBefore : Pos 0, 2 Bits
+0x004 pageBreakAfter : Pos 2, 2 Bits
+0x004 pageBreakInside : Pos 4, 2 Bits
+0x004 styleType : Pos 6, 6 Bits
+0x004 pseudoBits : Pos 12, 8 Bits
+0x004 explicitInheritance : Pos 20, 1 Bit
+0x004 currentColor : Pos 21, 1 Bit
+0x004 unique : Pos 22, 1 Bit
+0x004 emptyState : Pos 23, 1 Bit
+0x004 firstChildState : Pos 24, 1 Bit
+0x004 lastChildState : Pos 25, 1 Bit
+0x004 affectedByFocus : Pos 26, 1 Bit
+0x004 affectedByHover : Pos 27, 1 Bit
+0x004 affectedByActive : Pos 28, 1 Bit
+0x004 affectedByDrag : Pos 29, 1 Bit
+0x004 isLink : Pos 30, 1 Bit
So it should be affectedByFocus

@derekbruening
Contributor Author

From zhao...@google.com on July 08, 2014 13:58:44

affectedByFocus can only be affected by the following code in src/third_party/WebKit/Source/core/rendering/style/RenderStyle.h

NonInheritedFlags
void setAffectedByFocus(bool value) { _affectedByFocus = value; }

RenderStyle
void setAffectedByFocus() { noninherited_flags.setAffectedByFocus(true); }

blink_web!WebCore::RenderStyle::setAffectedByFocus:
55bea070 81493400000004 or dword ptr [ecx+0x34],0x4000000
55bea077 c3 ret

void setBitDefaults()
{
    inherited_flags._empty_cells = initialEmptyCells();
    inherited_flags._caption_side = initialCaptionSide();
    inherited_flags._list_style_type = initialListStyleType();
    inherited_flags._list_style_position = initialListStylePosition();
    inherited_flags._visibility = initialVisibility();
    inherited_flags._text_align = initialTextAlign();
    inherited_flags._text_transform = initialTextTransform();
    inherited_flags.m_textUnderline = false;
    inherited_flags._cursor_style = initialCursor();
    inherited_flags._direction = initialDirection();
    inherited_flags._white_space = initialWhiteSpace();
    inherited_flags._border_collapse = initialBorderCollapse();
    inherited_flags.m_rtlOrdering = initialRTLOrdering();
    inherited_flags._box_direction = initialBoxDirection();
    inherited_flags.m_printColorAdjust = initialPrintColorAdjust();
    inherited_flags._pointerEvents = initialPointerEvents();
    inherited_flags._insideLink = NotInsideLink;
    inherited_flags.m_writingMode = initialWritingMode();

    noninherited_flags._effectiveDisplay = noninherited_flags._originalDisplay = initialDisplay();
    noninherited_flags._overflowX = initialOverflowX();
    noninherited_flags._overflowY = initialOverflowY();
    noninherited_flags._vertical_align = initialVerticalAlign();
    noninherited_flags._clear = initialClear();
    noninherited_flags._position = initialPosition();
    noninherited_flags._floating = initialFloating();
    noninherited_flags._table_layout = initialTableLayout();
    noninherited_flags._unicodeBidi = initialUnicodeBidi();
    noninherited_flags._page_break_before = initialPageBreak();
    noninherited_flags._page_break_after = initialPageBreak();
    noninherited_flags._page_break_inside = initialPageBreak();
    noninherited_flags._styleType = NOPSEUDO;
    noninherited_flags._pseudoBits = 0;
    noninherited_flags.explicitInheritance = false;
    noninherited_flags.currentColor = false;
    noninherited_flags.unique = false;
    noninherited_flags.emptyState = false;
    noninherited_flags.firstChildState = false;
    noninherited_flags.lastChildState = false;
    noninherited_flags.hasViewportUnits = false;
    noninherited_flags.setAffectedByFocus(false);
    noninherited_flags.setAffectedByHover(false);
    noninherited_flags.setAffectedByActive(false);
    noninherited_flags.setAffectedByDrag(false);
    noninherited_flags.setIsLink(false);
}

blink_web!WebCore::RenderStyle::setBitDefaults:
56146800 8bd1 mov edx,ecx
56146802 8b422c mov eax,[edx+0x2c]
56146805 8b4a30 mov ecx,[edx+0x30]
56146808 2504fcffff and eax,0xfffffc04
5614680d 81623400000080 and dword ptr [edx+0x34],0x80000000
56146814 83c804 or eax,0x4
56146817 89422c mov [edx+0x2c],eax
5614681a 81e11ffcffff and ecx,0xfffffc1f
56146820 8bc1 mov eax,ecx
56146822 c7422800e00604 mov dword ptr [edx+0x28],0x406e000
56146829 c1e805 shr eax,0x5
5614682c 81e1e0030000 and ecx,0x3e0
56146832 83e01f and eax,0x1f
56146835 0bc1 or eax,ecx
56146837 894230 mov [edx+0x30],eax
5614683a c3 ret

@derekbruening
Contributor Author

From zhao...@google.com on July 08, 2014 14:06:18

From the caller:
void Document::updateStyle(StyleRecalcChange change)

    RefPtr<RenderStyle> documentStyle = StyleResolver::styleForDocument(*this);
    StyleRecalcChange localChange = RenderStyle::stylePropagationDiff(documentStyle.get(), renderView()->style());

And in PassRefPtr<RenderStyle> StyleResolver::styleForDocument(Document& document)
a RenderStyle object is created:
RefPtr<RenderStyle> documentStyle = RenderStyle::create();

PassRefPtr<RenderStyle> RenderStyle::create()
{
    return adoptRef(new RenderStyle());
}

setBitDefaults() is called in the RenderStyle::RenderStyle() constructor.
So it looks like we did not handle setBitDefaults right.

@derekbruening
Contributor Author

From zhao...@google.com on July 08, 2014 14:16:53

Another uninit error:
UNINITIALIZED READ: reading register al
#0 blink_web.dll!WebCore::ContainerNode::setHovered [third_party\webkit\source\core\dom\containernode.cpp:984]
#1 blink_web.dll!WebCore::Document::updateHoverActiveState [third_party\webkit\source\core\dom\document.cpp:5579]
#2 blink_web.dll!WebCore::Document::prepareMouseEvent [third_party\webkit\source\core\dom\document.cpp:3238]

...
Note: instruction: test %al $0x01

It is a similar problem on affectedByHover:

struct NonInheritedFlags {
    ...
    unsigned affectedByFocus : 1;
    unsigned affectedByHover : 1;
    unsigned affectedByActive : 1;
    unsigned affectedByDrag : 1;
}

Another one:
UNINITIALIZED READ: reading register al
#0 blink_web.dll!WebCore::RenderStyle::stylePropagationDiff [third_party\webkit\source\core\rendering\style\renderstyle.cpp:190]
#1 blink_web.dll!WebCore::Document::updateStyle [third_party\webkit\source\core\dom\document.cpp:1869]

test %al $0x01

if (oldStyle->inheritedNotEqual(newStyle)
    || oldStyle->hasExplicitlyInheritedProperties()
    || newStyle->hasExplicitlyInheritedProperties())
    return Inherit;

So the inherited flags might have similar problem.

@derekbruening
Contributor Author

From zhao...@google.com on July 08, 2014 14:57:51

Correction on:
UNINITIALIZED READ: reading register al
#0 blink_web.dll!WebCore::RenderStyle::stylePropagationDiff [third_party\webkit\source\core\rendering\style\renderstyle.cpp:190]

It is uninit for hasExplicitlyInheritedProperties()
bool hasExplicitlyInheritedProperties() const { return noninherited_flags.explicitInheritance; }

@derekbruening
Contributor Author

From zhao...@google.com on July 08, 2014 15:30:45

for shadow register:
0:000> dt sr
Local var @ 0x1e1eeb94 Type _shadow_registers_t*
0xfffdded4
+0x000 eax : 0xc0 ''
+0x001 ecx : 0xc0 ''
+0x002 edx : 0xc0 ''
+0x003 ebx : 0 ''
+0x004 esp : 0 ''
+0x005 ebp : 0 ''
+0x006 esi : 0 ''
+0x007 edi : 0 ''
+0x008 eflags : 0xc0 ''
+0x009 in_heap_routine : 0 ''
+0x00a padding : [2] ""
+0x00c aux : 0x1e1f61b8

for code like:
5613e683 8bc1 mov eax,ecx
5613e685 33c2 xor eax,edx
5613e687 a900000010 test eax,0x10000000
5613e68c 7574 jnz blink_web!WebCore::RenderStyle::NonInheritedFlags::operator==+0x162 (5613e702)
5613e68e 8bc1 mov eax,ecx
5613e690 33c2 xor eax,edx
5613e692 a900000020 test eax,0x20000000
5613e697 7569 jnz blink_web!WebCore::RenderStyle::NonInheritedFlags::operator==+0x162 (5613e702)

It shows that eax, ecx, and edx are all partially undefined, i.e., both new_style and old_style.

@derekbruening
Contributor Author

From zhao...@google.com on July 08, 2014 16:07:11

The setBitDefaults is usually inlined, and the style is likely initialized at:
blink_web!WebCore::RenderStyle::createDefaultStyle
and the related code is:

56142575 81623400000080 and dword ptr [edx+0x34],0x80000000
5614257c 894230 mov [edx+0x30],eax
5614257f e8558855fe call blink_web!ILT+105940(?init?$DataRefVStyleBoxDataWebCoreWebCoreQAEXXZ) (5469add9)
56142584 8bcb mov ecx,ebx

@derekbruening
Contributor Author

From zhao...@google.com on July 10, 2014 20:19:39

an old build

blink_web!WebCore::RenderStyle::setBitDefaults:
11aaca60 8bd1 mov edx,ecx
11aaca62 8b422c mov eax,[edx+0x2c]
11aaca65 8b4a30 mov ecx,[edx+0x30]
11aaca68 2504fcffff and eax,0xfffffc04
11aaca6d 816234000000fc and dword ptr [edx+0x34],0xfc000000
11aaca74 83c804 or eax,0x4
11aaca77 89422c mov [edx+0x2c],eax
11aaca7a 81e11ffcffff and ecx,0xfffffc1f
11aaca80 8bc1 mov eax,ecx
11aaca82 c7422800e00604 mov dword ptr [edx+0x28],0x406e000
11aaca89 c1e805 shr eax,0x5
11aaca8c 81e1e0030000 and ecx,0x3e0
11aaca92 83e01f and eax,0x1f
11aaca95 0bc1 or eax,ecx
11aaca97 894230 mov [edx+0x30],eax
11aaca9a 816234ffffff83 and dword ptr [edx+0x34],0x83ffffff
11aacaa1 c3 ret
compare to the recent build:

blink_web!WebCore::RenderStyle::setBitDefaults:
56146800 8bd1 mov edx,ecx
56146802 8b422c mov eax,[edx+0x2c]
56146805 8b4a30 mov ecx,[edx+0x30]
56146808 2504fcffff and eax,0xfffffc04
5614680d 81623400000080 and dword ptr [edx+0x34],0x80000000
56146814 83c804 or eax,0x4
56146817 89422c mov [edx+0x2c],eax
5614681a 81e11ffcffff and ecx,0xfffffc1f
56146820 8bc1 mov eax,ecx
56146822 c7422800e00604 mov dword ptr [edx+0x28],0x406e000
56146829 c1e805 shr eax,0x5
5614682c 81e1e0030000 and ecx,0x3e0
56146832 83e01f and eax,0x1f
56146835 0bc1 or eax,ecx
56146837 894230 mov [edx+0x30],eax
5614683a c3 ret
which should be the cause of the difference.

@derekbruening
Contributor Author

From zhao...@google.com on July 11, 2014 06:37:14

Found the cause:
blink_web!WebCore::RenderStyle::create

5660c4cb 81663400000080 and dword ptr [esi+0x34],0x80000000
5660c4d2 894630 mov [esi+0x30],eax
5660c4d5 eb02 jmp blink_web!WebCore::RenderStyle::create+0x139 (5660c4d9)

@derekbruening
Contributor Author

From zhao...@google.com on July 14, 2014 12:11:34

This issue was closed by revision r1973.

Status: Fixed
