Closed Bug 109487 Opened 23 years ago Closed 23 years ago

[W] UMR: Uninitialized memory read in nsHTMLInputElement::HandleDOMEvent

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
major

Tracking

VERIFIED FIXED
mozilla1.0

People

(Reporter: stephend, Assigned: jst)

Details

(Whiteboard: [HAVE FIX])

Just saw this on my Win2K box (latest tip) when reading 2 IMAP messages with pictures attached.

    [W] UMR: Uninitialized memory read in nsHTMLInputElement::HandleDOMEvent(nsIPresContext *,nsEvent *,nsIDOMEvent * *,UINT,nsEventStatus *) {1 occurrence}
        Reading 4 bytes from 0x0013f050 (4 bytes at 0x0013f050 uninitialized)
        Address 0x0013f050 points into a thread's stack
        Address 0x0013f050 is 28 bytes past the start of local variable 'blurevent' in nsEventStateManager::PreHandleEvent(nsIPresContext *,nsEvent *,nsIFrame *,nsEventStatus *,nsIView *)
        Thread ID: 0x38c
        Error location
        nsHTMLInputElement::HandleDOMEvent(nsIPresContext *,nsEvent *,nsIDOMEvent * *,UINT,nsEventStatus *) [nsHTMLInputElement.cpp:1134]
          // If NS_EVENT_FLAG_NO_CONTENT_DISPATCH is set we will not allow content to handle
          // this event.  But to allow middle mouse button paste to work we must allow
          // middle clicks to go to text fields anyway.
     =>   PRBool noContentDispatch = aEvent->flags & NS_EVENT_FLAG_NO_CONTENT_DISPATCH;
          if (type == NS_FORM_INPUT_TEXT && aEvent->message == NS_MOUSE_MIDDLE_CLICK) {
            aEvent->flags &= ~NS_EVENT_FLAG_NO_CONTENT_DISPATCH;
          }
        nsEventStateManager::PreHandleEvent(nsIPresContext *,nsEvent *,nsIFrame *,nsEventStatus *,nsIView *) [nsEventStateManager.cpp:674]
                    oldPresContext->GetEventStateManager(getter_AddRefs(esm));
                    esm->SetFocusedContent(gLastFocusedContent);
                    if(focusedContent)
     =>               focusedContent->HandleDOMEvent(oldPresContext, &event, nsnull, NS_EVENT_FLAG_INIT, &status);
                    esm->SetFocusedContent(nsnull);
                    NS_IF_RELEASE(gLastFocusedContent);
                  }
        PresShell::HandleEventInternal(nsEvent *,nsIView *,UINT,nsEventStatus *) [nsPresShell.cpp:5809]
          nsIEventStateManager *manager;
          if (NS_OK == mPresContext->GetEventStateManager(&manager) && GetCurrentEventFrame()) {
            //1. Give event to event manager for pre event state changes and generation of synthetic events.
     =>     rv = manager->PreHandleEvent(mPresContext, aEvent, mCurrentEventFrame, aStatus, aView);

            //2. Give event to the DOM for third party and JS use.
            if ((GetCurrentEventFrame()) && NS_OK == rv) {
        PresShell::HandleEvent(nsIView *,nsGUIEvent *,nsEventStatus *,int,int&) [nsPresShell.cpp:5740]
                }
              }
              if (GetCurrentEventFrame()) {
     =>         rv = HandleEventInternal(aEvent, aView, NS_EVENT_FLAG_INIT, aEventStatus);
              }
              NS_RELEASE(manager);
            }
        nsView::HandleEvent(nsGUIEvent *,UINT,nsEventStatus *,int,int&) [nsView.cpp:362]
            //if no child's bounds matched the event or we consumed but still want
            //default behavior check the view itself. -EDV
            if (nsnull != mClientData && nsnull != obs) {
     =>       obs->HandleEvent((nsIView *)this, event, aStatus, aForceHandle, aHandled);
            }
          }
          /* XXX Just some debug code to see what event are being thrown away because
    nsViewManager::DispatchEvent(nsGUIEvent *,nsEventStatus *) [nsViewManager.cpp:1872]
                                    NS_VIEW_FLAG_CHECK_SIBLINGS,
                                    aStatus,
                                    PR_TRUE,
     =>                             handled);

                  aEvent->point.x -= offset.x;
                  aEvent->point.y -= offset.y;
    HandleEvent    [nsView.cpp:81]
          {
            nsViewManager *vm = view->GetViewManager();

     =>     vm->DispatchEvent(aEvent, &result);
          }

          return result;
    nsWindow::DispatchEvent(nsGUIEvent *,nsEventStatus&) [nsWindow.obj:744]
    nsWindow::DispatchFocus(UINT,int) [nsWindow.cpp:4506]

            event.nativeMsg = (void *)&pluginEvent;

     =>     PRBool result = DispatchWindowEvent(&event);
            NS_RELEASE(event.widget);
            return result;
          }
    nsWindow::ProcessMessage(UINT,UINT,long,long *) [nsWindow.cpp:3409]
                  isMozWindowTakingFocus = PR_FALSE;
                if(gJustGotDeactivate) {
                  gJustGotDeactivate = PR_FALSE;
     =>           result = DispatchFocus(NS_DEACTIVATE, isMozWindowTakingFocus);
                }
                result = DispatchFocus(NS_LOSTFOCUS, isMozWindowTakingFocus);
                break;
I bet there's a ton of these in our code, it's all because our nsEvent structs
don't have constructors that would take care of initializing everything properly.

This patch fixes this particular UMR:

Index: content/events/src/nsEventStateManager.cpp
===================================================================
RCS file: /cvsroot/mozilla/content/events/src/nsEventStateManager.cpp,v
retrieving revision 1.312
diff -u -r1.312 nsEventStateManager.cpp
--- content/events/src/nsEventStateManager.cpp  6 Dec 2001 15:29:01 -00001.312
+++ content/events/src/nsEventStateManager.cpp  14 Dec 2001 07:15:21 -0000
@@ -684,6 +684,7 @@
             nsEvent event;
             event.eventStructType = NS_EVENT;
             event.message = NS_BLUR_CONTENT;
+            event.flags = 0;
             nsCOMPtr<nsIEventStateManager> esm;
             oldPresContext->GetEventStateManager(getter_AddRefs(esm));
             esm->SetFocusedContent(gLastFocusedContent);
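Review bot: the added `event.flags = 0;` initializes only the member Purify happened to flag; the locally declared `nsEvent event` in this hunk still has every other member uninitialized, since the three assignments (`eventStructType`, `message`, `flags`) are the only writes to it before it is handed to `HandleDOMEvent`. The stack trace in the report shows other event members being read further down the dispatch path (`aEvent->point` in nsViewManager::DispatchEvent, `event.widget` and `event.nativeMsg` in nsWindow::DispatchFocus), so a later change to any consumer of the blur event can reintroduce the same class of read. Consider zeroing the whole struct before the assignments (`memset(&event, 0, sizeof(event));`) or, as the comment above suggests, giving nsEvent a constructor that initializes all members, so the fix is not tied to one field at one construction site.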

Peter, would you review this please?
Status: NEW → ASSIGNED
OS: Windows 2000 → All
Hardware: PC → All
Whiteboard: [HAVE FIX]
Target Milestone: --- → mozilla0.9.8
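As an added example (not code from this bug or from Mozilla), the pre-patch and patched initialisers for the local blur event stand side by side on a constructed stand-in for nsEvent, together with a differential-poisoning check that reports any member the initialiser skipped without needing Purify. The struct layout, the constant values and the function names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

// Constructed stand-in for nsEvent: field set and constant values are assumptions.
const uint8_t  NS_EVENT         = 1;
const uint32_t NS_BLUR_CONTENT  = 0x201;
struct Event {
  uint8_t  eventStructType;
  uint32_t message;
  uint32_t flags;
};

// Mirrors the pre-patch PreHandleEvent code path: flags is never written.
void initBlurEventBuggy(Event* e) {
  e->eventStructType = NS_EVENT;
  e->message = NS_BLUR_CONTENT;
}

// Mirrors the patched code path, which adds the flags assignment.
void initBlurEventFixed(Event* e) {
  e->eventStructType = NS_EVENT;
  e->message = NS_BLUR_CONTENT;
  e->flags = 0;
}

// Differential poisoning: run the initialiser over two buffers pre-filled with
// different byte patterns, then compare each field's bytes. A field the
// initialiser wrote is identical in both copies; one it skipped still shows
// the poison and differs. Returns a bitmask of skipped fields:
// bit0 = eventStructType, bit1 = message, bit2 = flags. Padding bytes between
// fields are deliberately not compared, so they cannot cause false alarms.
unsigned uninitializedFields(void (*init)(Event*)) {
  alignas(Event) unsigned char bufA[sizeof(Event)];
  alignas(Event) unsigned char bufB[sizeof(Event)];
  std::memset(bufA, 0xAA, sizeof bufA);
  std::memset(bufB, 0x55, sizeof bufB);
  init(new (bufA) Event);  // trivial type: placement-new itself writes nothing
  init(new (bufB) Event);
  struct Field { std::size_t off, len; };
  const Field fields[] = {
    {offsetof(Event, eventStructType), sizeof(uint8_t)},
    {offsetof(Event, message),         sizeof(uint32_t)},
    {offsetof(Event, flags),           sizeof(uint32_t)},
  };
  unsigned mask = 0;
  for (unsigned i = 0; i < 3; ++i)
    if (std::memcmp(bufA + fields[i].off, bufB + fields[i].off, fields[i].len) != 0)
      mask |= 1u << i;
  return mask;
}
```

The same check can be pointed at any other event construction site the comment above expects to be affected; a non-zero mask names the members that still need an initialiser.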
r=peterv
Target Milestone: mozilla0.9.8 → mozilla0.9.9
Pushing to mozilla1.0
Target Milestone: mozilla0.9.9 → mozilla1.0
Boy, I'd love to see those grow a constructor. But I have no real belief that we'll actually solve this right, so sure: what's another snippet of wallpaper between friends?

sr=shaver.
FIXED.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Verified fixed with the latest win32 tip.
Status: RESOLVED → VERIFIED
QA Contact: stummala → stephend
Component: DOM: HTML → DOM: Core & HTML
QA Contact: stephend → general