Closed Bug 166360 Opened 23 years ago Closed 22 years ago

Incorrect comparison in nsListBoxObject.cpp

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: tenthumbs, Assigned: timeless)

References

Details

Attachments

(1 file, 1 obsolete file)

change the logic
1.15 KB, patch
axel
: review+
dbaron
: superreview+
Details | Diff | Splinter Review
In layout/xul/base/src/nsListBoxObject.cpp, gcc3.1.1 says: nsListBoxObject.cpp: In function `void FindBodyContent(nsIContent*, nsIContent**)': nsListBoxObject.cpp:201: warning: comparison of unsigned expression >= 0 is always true The code is: PRUint32 count; kids->GetLength(&count); // start from the end, cuz we're smart and we know the listboxbody is probably at the end for (PRUint32 i = count-1; i >= 0; --i) { <<<=========== nsCOMPtr<nsIDOMNode> childNode; kids->Item(i, getter_AddRefs(childNode)); nsCOMPtr<nsIContent> childContent(do_QueryInterface(childNode)); FindBodyContent(childContent, aResult); if (*aResult) break; } so i>=0 is always true and the for loop has no termination test. You better hope you can always break out of the loop.
Sorry about the spam but I have to correct a typo in the summary.
Summary: Incorrecto comparison in nsListBoxObject.cpp → Incorrect comparison in nsListBoxObject.cpp
Attached patch signed! Signed! (obsolete) — Splinter Review
jag? hewitt? reviews?
Attachment #97747 - Flags: review+
Comment on attachment 97747 [details] [diff] [review] signed! Signed! Shouldn't you change kids->Item(i, ...) to kids->Item(PRUint32(i), ...) ? sr=jag if you fix it so you don't get a signed/unsigned warning there.
Attachment #97747 - Flags: superreview+
-> XPToolkit/Widgets
Assignee: attinasi → jaggernaut
Component: Layout → XP Toolkit/Widgets
QA Contact: petersen → jrgm
*** Bug 157155 has been marked as a duplicate of this bug. ***
.
Assignee: jaggernaut → bzbarsky
If I wanted this bug, I would have taken it.
Assignee: bzbarsky → jaggernaut
mine
Assignee: jaggernaut → timeless
Attached patch change the logicSplinter Review
Attachment #97747 - Attachment is obsolete: true
Comment on attachment 115319 [details] [diff] [review] change the logic r=axel@pike.org
Attachment #115319 - Flags: review+
Seems rather ugly to me. The original for loop expressed the functioning rather clearly but the patch obscures it. Furthermore it is possible you'll confuse the compiler into generating less optimal code because you're taking the address if "i" which is obviously just a temporary. What's wrong with for (PRInt32 i = PRInt(count - 1); i >= 0; --i) ?
Actually I think there's another problem. If kids->GetLength returns an unsigned quantity then you should check that it's < INT_MAX before converting to a signed quantity. Alternatively, run the loop from count-1 to 1 and test 0 separately.
BTW, the simplest fix is for (PRUIint32 i = count - 1; i < count; --i) which works for twos-complement arithmetic.
Sorry about all the comments but let me be very clear. If GetLength operates on a PRUInt32 then the i<count method is the simplest solution. If GetLength operates on a PRInt32 (which I now think it does) then just s/PRUInt32/PRInt32/ will be better. Is there a spec on what GetLength is supposed to do, as opposed to reading the source?
Comment on attachment 115319 [details] [diff] [review] change the logic both interface methods GetLength/Item are unsigned <http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/dom/public/idl/core/nsIDOM NodeList.idl&rev=1.4&mark=58-59#55>, all of the casts make me queezy. Note that my change really isn't that big. old flow: i (count) := kids->GetLength loop: if i < 1 goto done i (count-1|--i) := i - 1 Item(i) goto loop done: new flow: i := kids->GetLength loop: if i <= 0 goto done i := i - 1 Item(i) goto loop done:
Attachment #115319 - Flags: superreview?(jaggernaut)
Since GetLength is unsigned I object strongly to using signed quantities. A valid unsigned number can be equivalent a negative signed one. The loop would never run in this case. You are implicitly asserting a range constraint on count, namely that half the range of a uint is disallowed. If this is the place to make such an assertion then you should do it explicitly with suitable testing to catch errors. I have no doubt that such a case would be a bug but I doubt greatly that this is the place to handle it.
eh? i'm using prUint32 ...
Status: NEW → ASSIGNED
Yes, you're right. I looked at the patch a number of times and saw PRInt32. Sorry about that.
Attachment #115319 - Flags: superreview?(jaggernaut) → superreview?(dbaron)
Attachment #115319 - Flags: superreview?(dbaron) → superreview+
checked in
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: