Closed Bug 1065310 Opened 6 years ago Closed 6 years ago

nsHtml5TreeBuilder::contextName is used uninitialised

Categories

(Core :: DOM: HTML Parser, defect)

x86_64
Linux
defect
Not set


RESOLVED FIXED
mozilla35

People

(Reporter: jseward, Assigned: jseward)

Details

Attachments

(1 file)

Test dom/tests/mochitest/webcomponents/test_template.html
gives the Valgrind complaints shown in the next comment.

This happens in nsHtml5TreeBuilder::resetTheInsertionMode
here

3355      if (name == contextName) {

and a bit of poking around shows that it is contextName that is
uninitialised.  This contextName comes from a nsHtml5TreeBuilder that
is created by the 2-arg constructor in
nsHtml5TreeBuilderCppSupplement.h.  Neither this nor the 1-arg
constructor gives an initial value for contextName.

Valgrind complaint:

Thread 22 HTML5 Parser:
Conditional jump or move depends on uninitialised value(s)
   at 0x5FC32F8: nsHtml5TreeBuilder::resetTheInsertionMode() (parser/html/nsHtml5TreeBuilder.cpp:3355)
   by 0x5FCAC5C: nsHtml5TreeBuilder::endTagTemplateInHead() (parser/html/nsHtml5TreeBuilder.cpp:3026)
   by 0x5FCD1E3: nsHtml5TreeBuilder::endTag(nsHtml5ElementName*) (parser/html/nsHtml5TreeBuilder.cpp:2748)
   by 0x5FD299F: nsHtml5Tokenizer::emitCurrentTagToken(bool, int) (parser/html/nsHtml5Tokenizer.cpp:303)
   by 0x5FDA0DB: int nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy>(int, char16_t, int, char16_t*, bool, int, int) (parser/html/nsHtml5Tokenizer.cpp:562)
   by 0x5FD2B76: nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer*) (parser/html/nsHtml5Tokenizer.cpp:413)
   by 0x5FD3769: nsHtml5StreamParser::ParseAvailableData() (parser/html/nsHtml5StreamParser.cpp:1378)
   by 0x5FD39BC: nsHtml5StreamParser::DoDataAvailable(unsigned char const*, unsigned int) (parser/html/nsHtml5StreamParser.cpp:1089)
   by 0x5FD3A4B: nsHtml5StreamParser::CopySegmentsToParser(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) (parser/html/nsHtml5StreamParser.cpp:1185)
   by 0x5842A05: nsInputStreamTee::WriteSegmentFun(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) (xpcom/io/nsInputStreamTee.cpp:211)
   by 0x5845309: nsPipeInputStream::ReadSegments(tag_nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) (xpcom/io/nsPipe3.cpp:822)
   by 0x583D380: nsInputStreamTee::ReadSegments(tag_nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) (xpcom/io/nsInputStreamTee.cpp:273)
   by 0x5FC5F9B: nsHtml5StreamParser::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) (parser/html/nsHtml5StreamParser.cpp:1165)
   by 0x5FC6005: nsHtml5StreamListener::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) (parser/html/nsHtml5StreamListener.cpp:80)
   by 0x5F6DC9D: nsDocumentOpenInfo::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) (uriloader/base/nsURILoader.cpp:306)
   by 0x58DAB1F: nsStreamListenerTee::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) (netwerk/base/src/nsStreamListenerTee.cpp:93)

 Uninitialised value was created by a heap allocation
   at 0x4809064: malloc (/home/sewardj/VgTRUNK/mozhx/coregrind/m_replacemalloc/vg_replace_malloc.c:298)
   by 0x482886B: moz_xmalloc (memory/mozalloc/mozalloc.cpp:52)
   by 0x5FC641A: operator new (ff-O-linux64/parser/html/../../dist/include/mozilla/mozalloc.h:201)
   by 0x5FC641A: nsHtml5StreamParser::nsHtml5StreamParser(nsHtml5TreeOpExecutor*, nsHtml5Parser*, eParserMode) (parser/html/nsHtml5StreamParser.cpp:167)
   by 0x5FA502E: nsHtml5Parser::MarkAsNotScriptCreated(char const*) (parser/html/nsHtml5Parser.cpp:587)
   by 0x6C76333: nsHTMLDocument::StartDocumentLoad(char const*, nsIChannel*, nsILoadGroup*, nsISupports*, nsIStreamListener**, bool, nsIContentSink*) (content/html/document/src/nsHTMLDocument.cpp:623)
   by 0x713D0E0: nsContentDLF::CreateDocument(char const*, nsIChannel*, nsILoadGroup*, nsIDocShell*, nsID const&, nsIStreamListener**, nsIContentViewer**) (layout/build/nsContentDLF.cpp:404)
   by 0x713D529: nsContentDLF::CreateInstance(char const*, nsIChannel*, nsILoadGroup*, char const*, nsIDocShell*, nsISupports*, nsIStreamListener**, nsIContentViewer**) (layout/build/nsContentDLF.cpp:205)
   by 0x728F70A: nsDocShell::NewContentViewerObj(char const*, nsIRequest*, nsILoadGroup*, nsIStreamListener**, nsIContentViewer**) (docshell/base/nsDocShell.cpp:8618)
   by 0x72A08C0: nsDocShell::CreateContentViewer(char const*, nsIRequest*, nsIStreamListener**) (docshell/base/nsDocShell.cpp:8413)
   by 0x72B0230: nsDSURIContentListener::DoContent(char const*, bool, nsIRequest*, nsIStreamListener**, bool*) (docshell/base/nsDSURIContentListener.cpp:141)
   by 0x5F6EE80: nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) (uriloader/base/nsURILoader.cpp:730)
   by 0x5F6F065: nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) (uriloader/base/nsURILoader.cpp:401)
   by 0x5F6F8A0: nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) (uriloader/base/nsURILoader.cpp:262)
   by 0x59B5ABF: mozilla::net::nsHttpChannel::CallOnStartRequest() (netwerk/protocol/http/nsHttpChannel.cpp:913)
   by 0x59B6104: mozilla::net::nsHttpChannel::ContinueProcessNormal(tag_nsresult) (netwerk/protocol/http/nsHttpChannel.cpp:1516)
   by 0x59B61E5: mozilla::net::nsHttpChannel::ProcessNormal() (netwerk/protocol/http/nsHttpChannel.cpp:1451)

Attached patch: A possible fix
Initialises contextName in both nsHtml5TreeBuilder constructors.
Attachment #8487110 - Flags: review?(hsivonen)

Comment on attachment 8487110
A possible fix

Please also initialize contextNamespace to kNameSpaceID_None.
Attachment #8487110 - Flags: review?(hsivonen) → review+
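Added illustration of the defect class and the fix discussed above (this is example code written for this page, not Gecko's nsHtml5TreeBuilder or the attached patch). A cut-down TreeBuilder stand-in has the same two constructors and a loop loosely modelled on resetTheInsertionMode(): the bottom of the open-element stack is replaced by the fragment context element, so contextName is compared on every reset, fragment parse or not. The class below already carries the fix (member initialisers for contextName and contextNamespace); the pre-fix state is described in comments only, since running it is undefined behaviour. The kNameSpaceID_None value, the InsertionMode enum, the interned-string "atoms" and all names are constructed for the example.

```cpp
#include <cassert>
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for Gecko's "no namespace" id. Only its role as a
// sentinel matters here; it is not the real value.
const int kNameSpaceID_None = 0;

enum InsertionMode { IN_BODY, IN_TABLE, IN_SELECT, IN_TEMPLATE };

// Minimal stand-in for nsHtml5TreeBuilder, written for this example and not
// taken from Gecko. Element names are pointers to interned std::string
// objects so that, as with Gecko atoms, "name == contextName" is a raw
// pointer comparison: an uninitialised contextName would be compared
// byte-for-byte against a live pointer, which is what Valgrind flagged.
class TreeBuilder {
public:
  // Interned "atoms" (constructed for this example).
  static const std::string kHtml, kBody, kTable, kSelect, kTemplate;

  // The 1-arg and 2-arg constructors the report talks about. Before the fix
  // neither constructor mentioned contextName or contextNamespace, so a
  // heap-allocated builder kept whatever bytes malloc handed back. The fix
  // is the member-initialiser list: a null context name and
  // kNameSpaceID_None, meaning "no fragment context".
  explicit TreeBuilder(bool fragmentMode)
      : fragment(fragmentMode),
        contextName(nullptr),
        contextNamespace(kNameSpaceID_None) {}

  TreeBuilder(bool fragmentMode, const std::string* ctxName, int ctxNs)
      : fragment(fragmentMode),
        contextName(ctxName),
        contextNamespace(ctxNs) {}

  // Loosely modelled on resetTheInsertionMode(): walk the stack of open
  // elements from the top down. At the bottom of the stack the fragment
  // context element stands in for the node, which is why contextName is
  // read on every reset that reaches the bottom, including ordinary
  // (non-fragment) parses where it should simply be null.
  InsertionMode resetInsertionMode(
      const std::vector<const std::string*>& stack) const {
    for (size_t i = stack.size(); i-- > 0;) {
      const std::string* name = stack[i];
      bool last = false;
      if (i == 0) {
        name = contextName;  // null when no fragment context was set
        last = true;
      }
      if (name == &kSelect) return IN_SELECT;
      if (name == &kTable) return IN_TABLE;
      if (name == &kTemplate) return IN_TEMPLATE;
      if (last) return IN_BODY;  // plain document, or context not special
    }
    return IN_BODY;
  }

  bool isFragment() const { return fragment; }
  const std::string* contextElementName() const { return contextName; }
  int contextElementNamespace() const { return contextNamespace; }

private:
  bool fragment;
  const std::string* contextName;
  int contextNamespace;
};

const std::string TreeBuilder::kHtml = "html";
const std::string TreeBuilder::kBody = "body";
const std::string TreeBuilder::kTable = "table";
const std::string TreeBuilder::kSelect = "select";
const std::string TreeBuilder::kTemplate = "template";

// Stand-alone demo. With the pre-fix constructors, any scenario that walks
// down to the bottom of the stack (the second one here) is the conditional
// jump on an uninitialised value that Valgrind or MemorySanitizer reports;
// with the initialisers in place the comparison is well defined and clean.
int main() {
  TreeBuilder doc(false);  // 1-arg constructor, whole-document parse
  std::printf("document, stack html>body>table: mode %d\n",
              doc.resetInsertionMode({&TreeBuilder::kHtml, &TreeBuilder::kBody,
                                      &TreeBuilder::kTable}));
  std::printf("document, stack html: mode %d\n",
              doc.resetInsertionMode({&TreeBuilder::kHtml}));
  TreeBuilder frag(true, &TreeBuilder::kSelect, kNameSpaceID_None);
  std::printf("fragment in <select>, stack html: mode %d\n",
              frag.resetInsertionMode({&TreeBuilder::kHtml}));
  return 0;
}
```

The point the example makes is the one the reviewer raised: a pointer member read by a comparison must have a defined value in every constructor, not only in the constructor that happens to receive it, and the companion namespace field needs the same treatment so the pair always describes a consistent "no context" state.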

https://hg.mozilla.org/mozilla-central/rev/5172971f07dc
Assignee: nobody → jseward
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
Flags: qe-verify-