Closed Bug 1074697 Opened 10 years ago Closed 10 years ago

nsDisplaymtdBorder::GetBounds does not set out parameter *aSnap

Categories

(Core :: MathML, defect)

Product:
Core
Component:
MathML
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla36

People

(Reporter: jseward, Assigned: jseward)

Details

Attachments

(1 file)

bug1074697-1.diff
844 bytes, patch
roc
: review+
Details | Diff | Splinter Review 
This eventually leads to branches on uninitialised data, as shown in the
next comment.  Test case is layout/mathml/tests/test_bug330964.html.  I
inspected all other implementations of GetBounds(nsDisplayListBuilder*, bool*)
that I could find, and they all write to *aSnap.

Possibly related to bug 330964.
Conditional jump or move depends on uninitialised value(s)
  at 0x81EA903: ScaleToOutsidePixels (layout/base/FrameLayerBuilder.cpp:651)
  by 0x81EA903: mozilla::ThebesLayerData::Accumulate(mozilla::ContainerState*, nsDisplayItem*, nsIntRegion const&, nsIntRect const&, nsIntRect const&, mozilla::DisplayItemClip const&) (layout/base/FrameLayerBuilder.cpp:2339)
  by 0x81F2466: mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) (layout/base/FrameLayerBuilder.cpp:3052)
  by 0x81F3AF8: mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4 const*, unsigned int) (layout/base/FrameLayerBuilder.cpp:3999)
  by 0x8215680: nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) (layout/base/nsDisplayList.cpp:3672)
  by 0x821B0D6: nsDisplaySubDocument::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) (layout/base/nsDisplayList.cpp:3714)
  by 0x81F1D2A: mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) (layout/base/FrameLayerBuilder.cpp:2892)
  by 0x81F3AF8: mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4 const*, unsigned int) (layout/base/FrameLayerBuilder.cpp:3999)
  by 0x824E640: nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) (layout/base/nsDisplayList.cpp:1317)
  by 0x824F19A: nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) (layout/base/nsDisplayList.cpp:1235)
  by 0x824FEB9: nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) (layout/base/nsLayoutUtils.cpp:3064)
  by 0x81C9290: PresShell::Paint(nsView*, nsRegion const&, unsigned int) (layout/base/nsPresShell.cpp:6231)
  by 0x7D280DB: nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) (view/nsViewManager.cpp:443)
  by 0x7D284E1: nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) (view/nsViewManager.cpp:384)
  by 0x7D28651: nsViewManager::ProcessPendingUpdates() (view/nsViewManager.cpp:1075)
  by 0x81D48E2: nsRefreshDriver::Tick(long, mozilla::TimeStamp) (layout/base/nsRefreshDriver.cpp:1341)
  by 0x81D650D: TickDriver (layout/base/nsRefreshDriver.cpp:173)
  by 0x81D650D: Tick (layout/base/nsRefreshDriver.cpp:164)
  by 0x81D650D: mozilla::RefreshDriverTimer::TimerTick(nsITimer*, void*) (layout/base/nsRefreshDriver.cpp:190)
The obvious fix -- set *aSnap to false.  Note that I have no
idea whether 'false' is the correct value here.  It does stop
Valgrind complaining, though.
Stupid, stupid me.

The parent class uses true, but false looks to be acceptable if in doubt.  Do not take my word for it however.

https://hg.mozilla.org/mozilla-central/annotate/7c24470b6b3a/layout/base/nsDisplayList.h#l921
(In reply to James Kitchener from comment #3)
> The parent class uses true, but false looks to be acceptable if in doubt. 
> Do not take my word for it however.

Who would be able to tell us for sure?
My first guess would be Robert O'Callahan (robert@ocallahan.org)
Robert, can we get your opinion on this?  In short:
nsDisplaymtdBorder::GetBounds needs to set its out-param *aSnap to
something, but it is unclear whether it should be to false or true.
Attachment #8497368 - Flags: review?(roc)
Comment on attachment 8497368 [details] [diff] [review]
bug1074697-1.diff

Review of attachment 8497368 [details] [diff] [review]:
-----------------------------------------------------------------

False is always safe.

::: layout/mathml/nsMathMLmtableFrame.cpp
@@ +274,5 @@
>    }
>  
>    virtual nsRect GetBounds(nsDisplayListBuilder* aBuilder, bool* aSnap) MOZ_OVERRIDE
>    {
> +    *aSnap = false;

Make it true; nsCSSRendering::PaintBorderWithStyleBorder snaps.
Attachment #8497368 - Flags: review?(roc) → review+
https://hg.mozilla.org/mozilla-central/rev/d85ad6786d38
Assignee: nobody → jseward
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: