541013 - UMR [@ nsRange::SetEnd] from alloc [@ nsHTMLEditor::SplitStyleAbovePoint]

Status: RESOLVED FIXED

(Core :: DOM: Editor, defect)

Description

[Jesse Ruderman]

Attachment: testcase

To reproduce:

valgrind --dsymutil=yes --track-origins=yes ~/central/debug-obj/dist/MinefieldDebug.app/Contents/MacOS/firefox-bin f.html

Result:

==967== Conditional jump or move depends on uninitialised value(s)
==967==    at 0x3619DC2: nsRange::SetEnd(nsINode*, int) (nsRange.cpp:699)
==967==    by 0x33AE70D: nsTypedSelection::Collapse(nsINode*, int) (nsSelection.cpp:4864)
==967==    by 0x33AE9B9: nsTypedSelection::Collapse(nsIDOMNode*, int) (nsSelection.cpp:4837)
==967==    by 0x3C83D95: nsHTMLEditRules::CreateStyleForInsertText(nsISelection*, nsIDOMDocument*) (nsHTMLEditRules.cpp:4564)
==967==    by 0x3C88F58: nsHTMLEditRules::WillInsert(nsISelection*, int*) (nsHTMLEditRules.cpp:1333)
==967==    by 0x3C946CD: nsHTMLEditRules::WillDoAction(nsISelection*, nsRulesInfo*, int*, int*) (nsHTMLEditRules.cpp:686)
==967==    by 0x3C46F1A: nsHTMLEditor::InsertHTMLWithContext(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, nsIDOMDocument*, nsIDOMNode*, int, int) (nsHTMLDataTransfer.cpp:417)
==967==    by 0x3C3F83E: nsHTMLEditor::InsertHTML(nsAString_internal const&) (nsHTMLDataTransfer.cpp:256)
==967==    by 0x3EF5176: nsInsertHTMLCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) (nsComposerCommands.cpp:1472)
==967==    by 0x3D6F2D0: nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) (nsControllerCommandTable.cpp:208)
==967==    by 0x3D696FC: nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) (nsBaseCommandController.cpp:185)
==967==    by 0x3D6C781: nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) (nsCommandManager.cpp:271)
==967==  Uninitialised value was created by a stack allocation
==967==    at 0x3C6CD7A: nsHTMLEditor::SplitStyleAbovePoint(nsCOMPtr<nsIDOMNode>*, int*, nsIAtom*, nsAString_internal const*, nsCOMPtr<nsIDOMNode>*, nsCOMPtr<nsIDOMNode>*) (nsHTMLEditorStyle.cpp:583)

Comment 2

[Jesse Ruderman]

SplitStyleAbovePoint calls SplitNodeDeep without checking rv.  SplitNodeDeep fails and doesn't set its out-param, but SplitStyleAbovePoint assumes it set its out-param.

Comment 3

[Jesse Ruderman]

Attachment: possible fix

This quiets Valgrind (tested with the dup's testcase).  I didn't even try to understand the surrounding code enough to tell whether adding an early return here can create new problems.

Comment 4

[Mats Palmgren (inactive)]

Attachment: fix 2

Jesse's patch makes sense since SplitNodeDeep() could fail for any
number of reasons (so I included it here).
For the testcase though, I don't think it makes sense to call
SplitStyleAbovePoint() on the root node.  This patch gives the
resulting DOM <html>foo<head>...

Comment 5

[Peter Van der Beken [:peterv]]

Comment on attachment 428121 [details] [diff] [review]
fix 2

>diff --git a/editor/libeditor/html/nsHTMLEditorStyle.cpp b/editor/libeditor/html/nsHTMLEditorStyle.cpp

>+      nsresult rv = SplitNodeDeep(tmp, *aNode, *aOffset, &offset, PR_FALSE, outLeftNode, outRightNode);

Long line.
We probably also have a bug where SplitStyleAbovePoint might split nodes that are not editable? :-/

Comment 6

[Mats Palmgren (inactive)]

Attachment: mochitest.diff

Comment 7

[Mats Palmgren (inactive)]

Landed with nit fixed, but without the mochitest for now:
http://hg.mozilla.org/mozilla-central/rev/a20ed5e85c3d

Comment 8

[Mats Palmgren (inactive)]

(In reply to comment #5)
> We probably also have a bug where SplitStyleAbovePoint might split nodes that
> are not editable? :-/

I couldn't find a bug, so I filed bug 552610.