Closed Bug 203505 Opened 21 years ago Closed 21 years ago

[FIX]UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent

Categories

(Core :: DOM: Events, defect, P2)

x86
Windows 2000
defect

VERIFIED FIXED
mozilla1.5alpha

People

(Reporter: stephend, Assigned: bzbarsky)

Attachments

(1 file)

With the trunk build on Windows 2000, loading:

http://people.netscape.com/stephend/contact.html, and selecting from right to left the partial text in 'technutz@netscape.net', I get the following UMR.

    [W] UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) {6 occurrences}
        Reading 4 bytes from 0x0013aae8 (4 bytes at 0x0013aae8 uninitialized)
        Address 0x0013aae8 points into a thread's stack
        Address 0x0013aae8 is 12 bytes past the start of local variable 'event' in nsXULCommandDispatcher::UpdateCommands(nsAString const&)
        Thread ID: 0x568
        Error location
        nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) [nsDOMEvent.cpp:221]
            mScreenPoint.x = aEvent->refPoint.x;
            mScreenPoint.y = aEvent->refPoint.y;
            mClientPoint.x = aEvent->point.x;
     =>     mClientPoint.y = aEvent->point.y;
          } else
            mScreenPoint.x = mScreenPoint.y = mClientPoint.x = mClientPoint.y = 0;
        
        NS_NewDOMUIEvent(nsIDOMEvent * *,nsIPresContext *,nsAString const&,nsEvent *) [nsDOMEvent.cpp:1633]
                         nsIPresContext* aPresContext, const nsAString& aEventType,
                         nsEvent *aEvent)
        {
     =>   nsDOMEvent* it = new nsDOMEvent(aPresContext, aEvent, aEventType);
        
          if (nsnull == it) {
            return NS_ERROR_OUT_OF_MEMORY;
        nsEventListenerManager::CreateEvent(nsIPresContext *,nsEvent *,nsAString const&,nsIDOMEvent * *) [nsEventListenerManager.cpp:2343]
          if ((aEvent && aEvent->eventStructType == NS_MUTATION_EVENT) ||
              (!aEvent && str.EqualsIgnoreCase("MutationEvents")))
            return NS_NewDOMMutationEvent(aDOMEvent, aPresContext, aEvent);
     =>   return NS_NewDOMUIEvent(aDOMEvent, aPresContext, aEventType, aEvent);
        }
        
        /**
        nsXULElement::HandleDOMEvent(nsIPresContext *,nsEvent *,nsIDOMEvent * *,UINT,nsEventStatus *) [nsXULElement.cpp:3173]
                            return ret;
                        }
                        nsAutoString empty;
     =>                 if (NS_FAILED(ret = listenerManager->CreateEvent(aPresContext, aEvent, empty, aDOMEvent))) {
                            NS_ERROR("This event will fail without the ability to create the event early.");
                            return ret;
                        }
        nsXULCommandDispatcher::UpdateCommands(nsAString const&) [nsXULCommandDispatcher.cpp:389]
              nsEvent event;
              event.eventStructType = NS_EVENT;
              event.message = NS_XUL_COMMAND_UPDATE;
     =>       content->HandleDOMEvent(context, &event, nsnull, NS_EVENT_FLAG_INIT, &status);
            }
          }
          return NS_OK;
        GlobalWindowImpl::UpdateCommands(nsAString const&) [nsGlobalWindow.cpp:3427]
              // Retrieve the command dispatcher and call updateCommands on it.
              nsCOMPtr<nsIDOMXULCommandDispatcher> xulCommandDispatcher;
              xulDoc->GetCommandDispatcher(getter_AddRefs(xulCommandDispatcher));
     =>       xulCommandDispatcher->UpdateCommands(anAction);
            }
          }
        
        nsFocusController::UpdateCommands(nsAString const&) [nsFocusController.cpp:162]
        nsFocusController::UpdateCommands(const nsAString& aEventName)
        {
          if (mCurrentWindow) {
     =>     mCurrentWindow->UpdateCommands(aEventName);
          }
          else if (mCurrentElement) {
            nsCOMPtr<nsIDOMDocument> domDoc;
    nsFocusController::Focus(nsIDOMEvent *) [nsFocusController.cpp:316]
                }
        
                if (!mCurrentElement)
     =>           UpdateCommands(NS_LITERAL_STRING("focus"));
              }
            }
          }
    nsEventListenerManager::HandleEvent(nsIPresContext *,nsEvent *,nsIDOMEvent * *,nsIDOMEventTarget *,UINT,nsEventStatus *) [nsEventListenerManager.cpp:1688]
                      if (focusListener) {
                        switch(aEvent->message) {
                          case NS_FOCUS_CONTENT:
     =>                     ret = focusListener->Focus(*aDOMEvent);
                            break;
                          case NS_BLUR_CONTENT:
                            ret = focusListener->Blur(*aDOMEvent);
    nsWindowRoot::HandleChromeEvent(nsIPresContext *,nsEvent *,nsIDOMEvent * *,UINT,nsEventStatus *) [nsWindowRoot.cpp:214]
          //Local handling stage
          if (mListenerManager && !(aEvent->flags & NS_EVENT_FLAG_STOP_DISPATCH)) {
            aEvent->flags |= aFlags;
     =>     mListenerManager->HandleEvent(aPresContext, aEvent, aDOMEvent, this, aFlags, aEventStatus);
            aEvent->flags &= ~aFlags;
reassigning to boris
Assignee: saari → bzbarsky
Summary: [W] UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) {6 occurrences} → UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) {6 occurrences}
This is probably the same underlying problem as bug 20953
Blocks: 20953
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → mozilla1.5alpha
Attachment #121833 - Flags: superreview?(jst)
Attachment #121833 - Flags: review?(bryner)
I tested with the patch in attachment 121833 and ran it under Purify, and the UMRs are fixed.
Comment on attachment 121833
I bet this fixes it...

sr=jst
Attachment #121833 - Flags: superreview?(jst) → superreview+
Summary: UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) {6 occurrences} → [FIX]UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) {6 occurrences}
Attachment #121833 - Flags: review?(bryner) → review+
Comment on attachment 121833
I bet this fixes it...

Could this be approved for 1.4b please?  This just makes sure to initialize the
point and refPoint member vars of nsEvent to sane values in the constructor.
Attachment #121833 - Flags: approval1.4b?
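A reduced model of the defect the Purify trace shows and of the fix described in the comment above, as an added example that is not Mozilla's code and not the attached patch. The types EventNoCtor, EventWithCtor and DomEventView and the two dispatch functions are hypothetical stand-ins for nsEvent, nsDOMEvent and nsXULCommandDispatcher::UpdateCommands; the field values 1 and 2 are constructed placeholders for NS_EVENT and NS_XUL_COMMAND_UPDATE.

```cpp
// Added example (not Mozilla's code): a reduced model of the UMR in this bug
// and of the fix, which initializes point and refPoint in the event constructor.
#include <cstdint>

struct Point { int32_t x; int32_t y; };

// Before the fix: a plain struct with no constructor. A caller that writes
//   EventNoCtor event; event.eventStructType = ...; event.message = ...;
// leaves point and refPoint holding whatever bytes were on the stack, and the
// consumer below copies those indeterminate values. That copy is exactly the
// read Purify flagged, and it is undefined behaviour, so no function in this
// example exercises that path: a test could not assert anything stable about it.
struct EventNoCtor {
  uint32_t eventStructType;
  uint32_t message;
  Point point;
  Point refPoint;
};

// After the fix: the constructor initializes every member, point and refPoint
// included, so a partially populated stack declaration is safe to dispatch.
struct EventWithCtor {
  uint32_t eventStructType;
  uint32_t message;
  Point point;
  Point refPoint;
  EventWithCtor() : eventStructType(0), message(0), point{0, 0}, refPoint{0, 0} {}
};

// Stand-in for the nsDOMEvent constructor's copy of refPoint/point into
// screen and client coordinates (the four assignments in the trace).
struct DomEventView {
  Point screen;
  Point client;
  template <typename Ev>
  explicit DomEventView(const Ev* ev)
      : screen{ev->refPoint.x, ev->refPoint.y}, client{ev->point.x, ev->point.y} {}
};

// Mirrors the UpdateCommands pattern from the trace: only two fields are set
// before the event is handed to the DOM layer. With the constructor in place
// the coordinates the DOM event receives are a sane, deterministic zero.
inline DomEventView dispatchCommandUpdate() {
  EventWithCtor event;
  event.eventStructType = 1;  // constructed placeholder for NS_EVENT
  event.message = 2;          // constructed placeholder for NS_XUL_COMMAND_UPDATE
  return DomEventView(&event);
}

// Call-site alternative when the struct cannot be given a constructor:
// value-initialize it so every member starts out zero. This fixes one
// caller; the constructor fix above covers every caller at once.
inline DomEventView dispatchValueInitialized() {
  EventNoCtor event{};
  event.eventStructType = 1;
  event.message = 2;
  return DomEventView(&event);
}

// True when neither coordinate pair carries anything but the initialized zero.
inline bool coordinatesInitialized(const DomEventView& v) {
  return v.screen.x == 0 && v.screen.y == 0 && v.client.x == 0 && v.client.y == 0;
}
```

The constructor fix is the one the attached patch takes: it makes the event type safe regardless of how many fields a given dispatcher bothers to set, which is why a single change fixed all six occurrences Purify reported across the call chain.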
Comment on attachment 121833
I bet this fixes it...

a=sspitzer
Attachment #121833 - Flags: approval1.4b? → approval1.4b+
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Verified FIXED under Purify, debug Win2k build.

Thanks Boris!
Status: RESOLVED → VERIFIED
Summary: [FIX]UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) {6 occurrences} → [FIX]UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent