10606 - Uninitialized memory error caused by nsMargin

Status: RESOLVED FIXED

(Core :: Layout: Block and Inline, defect)

Description

[Eric Vaughan]

Is there a reason why nsMargin's default constructor does not initialize its
members to 0?

struct nsMargin {
  nscoord left, top, right, bottom;

  // Constructors
  nsMargin() {}
  nsMargin(const nsMargin& aMargin) {*this = aMargin;}
  nsMargin(nscoord aLeft,  nscoord aTop,
           nscoord aRight, nscoord aBottom) {left = aLeft; top = aTop;
      ...

I have found numerous places in gecko where margins are constructed and then:

nsMargin margin;
spacing->GetMargin(margin);

is done. But if you look as nsStyleContext GetMargin can fail and just not set
the margin.

PRBool nsStyleSpacing::GetPadding(nsMargin& aPadding) const
{
  if (mHasCachedPadding) {
    aPadding = mCachedPadding;
    return PR_TRUE;
  }

 return PR_FALSE;
}

This is causing some nasty uninitialized memory bugs.

It seems most people expect this:

nsMargin margin;
spacing->GetMargin(margin);

to just work. Is there a reason nsMargin does not initialize is children in the
default constructor? And is there a reason
nsStyleContext does not set the margin's values to 0 if GetPadding fails?

I would be happy to fix this I just want to make sure there isn't a reason for
it.

-E

Comment 1

[troy]

nsMargin's constructor does not initialize the memory to 0 for performance
reasons. I would prefer that we do not change this

Comment 2

[Peter Linss]

Anyone expecting nsStyleSpacing's GetMargin (& GetPadding, GetBorder,
GetOutline) to always work is flat out wrong.

If that method returns PR_FALSE it does not mean the the margin is 0, it means
that the margin could not be computed by the style code. The raw margin
nsStyleCoords need to then be evaluated and "inherit" and/or percentage values
must be computed by the consumer.

Please file bugs for any call sites that do not repect the return status of
GetMargin (et al). Having the nsMargin uninitialized just helps catch these
errors, so I second the motion to leave it alone.

Comment 3

[Eric Vaughan]

Agreed here are the files that I found doing a grep for GetBorder. But that
doesn't include GetBorderPadding, GetMargin or any others. I fixed the ones on
boxes and it fixed a lot of the strange behavior going on there. This may be
causing strange things to happen in layout as well.

nsAbsoluteContainingBlock
RootFrame
nsHTMLReflowState
nsScrollFrame
nsFieldSetFrame
nsCSSRendering
nsTableFrame

This should probably be fixed ASAP.

Comment 4

[troy]

The discussion was about GetMargin() and not about GetBorder().

Peter, at least in CSS border values can't be percentage based and so if we're
sticking with that model then GetBorder() should never fail and we should
probably make it return "void" instead of "PRBool"

I know Kipp and I have been counting on that behavior and that's why we
intentionally ignore the return from GetBorder().

Ignoring the return from GetMargin() is bad, of course

Comment 5

[Peter Linss]

I left GetBorder returning a PRBool because percentage values may become legal
there in the future, we should at least test for it and assert on the PR_FALSE
return, something like:

nsMargin border;
if (! spacing->GetBorder(border)) {
  NS_NOTYETIMPLEMENTED("percentage border");
}

Note that GetBorderPadding can return PR_FALSE now (due to percentage padding).

Fixing this is also a good time to expunge the use of the deprecated
CalcMargin/Border/Padding/BorderPaddingFor methods, this should all be
calculated in the reflow state...

Comment 6

[troy]

Yes I know GetBorderPadding() can return PR_FALSE. That's never called outside
of the HTML reflow state code. And we don't usually check the return there
because we've already pre-initialized the value to {0, 0, 0, 0}

Comment 7

[troy]

I'm accepting this bug mostly to fix any remaining calls to the
CalcMargin/Border/Padding/BorderPaddingFor methods which as Peter indicated need
to be eliminated.

Comment 8

[Christopher Hoess (gone)]

REMIND is deprecated per bug 35839.

Comment 9

[Christopher Hoess (gone)]

->default

Comment 10

[Boris Zbarsky [:bzbarsky]]

dbaron, roc, what do we want to do here?  I just took a look at some callers
(see http://lxr.mozilla.org/seamonkey/search?string=GetMargin\( ) and
nsImageDocument, nsGfxScrollFrame (and maybe others; I only looked at the first
5-6 items) seem to break on percent margins....

Comment 11

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Not sure ... can we pass in a frame to be used as the base for the %
calculation, and then always return a valid margin?

Comment 12

[Boris Zbarsky [:bzbarsky]]

Some places that are calling GetMargin() don't have a frame to pass in
(nsImageDocument in particular).

Comment 13

[Christopher Hoess (gone)]

->B&I

Comment 14

[Boris Zbarsky [:bzbarsky]]

If you reassign, please remove obsolete priorities and milestones, ok?

Comment 15

[Peter Kroll]

requested in 1999. Please see if this can be fixed for 2003. Thanks.

Comment 16

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

While some further analysis should be done here, there are no known symptoms, so
it's not exactly high priority, and certainly not a release blocker.  Priority
of bugs should be evaluated independently of when they were filed -- there's no
reason to assume that the bugs filed earliest are the most important.

Comment 17

[Mats Palmgren (inactive)]

Attachment: GetMargin() fixes, rev. 1

Comment 18

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Comment on attachment 194911 [details] [diff] [review]
GetMargin() fixes, rev. 1

In nsImageDocument, you should use the if() pattern because there are multiple
calls, and there could still be a bug if one of the later ones returns false.

With that, r+sr=dbaron.  Sorry for the delay.

Comment 19

[Mats Palmgren (inactive)]

Taking bug, I completely forgot about this one, sorry.
I'll try to make an updated patch when time allows.

Comment 20

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Are you planning to land this?

Comment 21

[Ryan VanderMeulen [:RyanVM]]

Mats, is this still on the radar for 1.9?

Comment 22

[nidaisfree]

Happy birthday, bug 10606!

Happy 11 years!

Happy 11 years with importance = CRITICAL, affecting ALL operating systems on ALL platforms!

Comment 23

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

While we might want to change the code design here, I don't think there are any real bugs caused by this problem, so it doesn't block.

Comment 24

[Mats Palmgren (inactive)]

This was fixed some time ago by making the ctor initialize all the fields to zero.