Closed Bug 1140317 Opened 10 years ago Closed 10 years ago

Coverity: string allocated by DecompileValueGenerator sometimes isn't freed

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla39

Tracking Flags:

Tracking

Status

firefox39

---

fixed

People

(Reporter: bbouvier, Assigned: bbouvier)

References

(Blocks 1 open bug)

Details

(Keywords: coverity)

Attachments

(2 files)

Fix a few resource leaks related to DecompileValueGenerator 10 years ago Benjamin Bouvier [:bbouvier] (inactive) 4.65 KB, patch		Details \| Diff \| Splinter Review
Use uniqueptr 10 years ago Benjamin Bouvier [:bbouvier] (inactive) 19.71 KB, patch	Waldo : review+	Details \| Diff \| Splinter Review

Benjamin Bouvier [:bbouvier] (inactive)

Assignee

Description

•

10 years ago

Found thanks to Coverity (https://scan.coverity.com/projects/56)

Benjamin Bouvier [:bbouvier] (inactive)

Assignee

Comment 1

•

10 years ago

Attached patch Fix a few resource leaks related to DecompileValueGenerator — Details — Splinter Review

Waldo, do you prefer manual js_free, or using a UniquePtr for all these cases where the char* bytes was allocated without being freed? How could we enforce auto-free rather than this? Could DecompileValueGenerator return a UniquePtr instead?

Attachment #8573814 - Flags: review?(jwalden+bmo)

Benjamin Bouvier [:bbouvier] (inactive)

Assignee

Comment 2

•

10 years ago

(this fixes coverity issues with CID 1286715, CID 1286667, CID 1286476 and a few others)

Sylvestre Ledru [:Sylvestre]

Updated

•

10 years ago

Keywords: coverity

Benjamin Bouvier [:bbouvier] (inactive)

Assignee

Comment 3

•

10 years ago

Attached patch Use uniqueptr — Details — Splinter Review

And this does what's asked in the previous comment. Seems to work fine.

Attachment #8573869 - Flags: feedback?(jwalden+bmo)

Jeff Walden [:Waldo]

Comment 4

•

10 years ago

Comment on attachment 8573869 [details] [diff] [review] Use uniqueptr Review of attachment 8573869 [details] [diff] [review]: ----------------------------------------------------------------- Yeah, UniquePtr is better than fixing up raw uses manually, for sure. ::: js/src/builtin/Object.cpp @@ +674,5 @@ > > if (!args[0].isObjectOrNull()) { > RootedValue v(cx, args[0]); > + UniquePtr<char[], JS::FreePolicy> bytes = DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, > + v, NullPtr()); UniquePtr<char[], JS::FreePolicy> bytes = DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, v, NullPtr()); is a more readable way to write this, I think. ::: js/src/jsarray.cpp @@ +3587,5 @@ > for (unsigned i = 0; i < args.length(); i++) { > RootedValue arg(cx, args[i]); > > + UniquePtr<char[], JS::FreePolicy> bytes = DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, > + arg, NullPtr()); Again, UniquePtr... = DecompileValueGenerator(...); ::: js/src/jscntxt.cpp @@ +806,2 @@ > bool ok; > + UniquePtr<char[], JS::FreePolicy> bytes(nullptr); No need for (nullptr) here. I'd do the UP = on one line, DVG(...) on the next if it were me, consistent with the other comments I've made here. @@ +835,5 @@ > void > js::ReportMissingArg(JSContext *cx, HandleValue v, unsigned arg) > { > char argbuf[11]; > + UniquePtr<char[], JS::FreePolicy> bytes(nullptr); Again no need for (nullptr). @@ +855,5 @@ > js::ReportValueErrorFlags(JSContext *cx, unsigned flags, const unsigned errorNumber, > int spindex, HandleValue v, HandleString fallback, > const char *arg1, const char *arg2) > { > + UniquePtr<char[], JS::FreePolicy> bytes(nullptr); . ::: js/src/jsobj.cpp @@ +94,5 @@ > { > if (v.isPrimitive()) { > RootedValue value(cx, v); > + UniquePtr<char[], JS::FreePolicy> bytes = DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, > + value, NullPtr()); Same split-across-lines thing. @@ +250,5 @@ > > HandleValue v = args[0]; > if (!v.isObject()) { > + UniquePtr<char[], JS::FreePolicy> bytes = DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, > + v, NullPtr()); . @@ +286,5 @@ > > /* 8.10.5 step 1 */ > if (v.isPrimitive()) { > + UniquePtr<char[], JS::FreePolicy> bytes = DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, > + v, NullPtr()); . ::: js/src/jsopcode.cpp @@ +1818,5 @@ > > return ed.getOutput(res); > } > > +typedef UniquePtr<char[], JS::FreePolicy> UniquePtrChars; mozilla:: ::: js/src/jsweakmap.cpp @@ +388,5 @@ > MOZ_ASSERT(IsWeakMap(args.thisv())); > > if (!args.get(0).isObject()) { > + UniquePtr<char[], JS::FreePolicy> bytes = DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, > + args.get(0), NullPtr()); Same.

Attachment #8573869 - Flags: feedback?(jwalden+bmo) → review+

Jeff Walden [:Waldo]

Updated

•

10 years ago

Attachment #8573814 - Flags: review?(jwalden+bmo)

Benjamin Bouvier [:bbouvier] (inactive)

Assignee

Comment 5

•

10 years ago

Thanks! https://hg.mozilla.org/integration/mozilla-inbound/rev/f257cfba6686

Benjamin Bouvier [:bbouvier] (inactive)

Assignee

Comment 6

•

10 years ago

Two follow up with more |using mozilla::UniquePtr;| because UNIFIED BUILDS https://hg.mozilla.org/integration/mozilla-inbound/rev/ff5ddf743796 https://hg.mozilla.org/integration/mozilla-inbound/rev/3f28ce99ab61

Carsten Book [:Tomcat]

Comment 7

•

10 years ago

https://hg.mozilla.org/mozilla-central/rev/f257cfba6686 https://hg.mozilla.org/mozilla-central/rev/ff5ddf743796 https://hg.mozilla.org/mozilla-central/rev/3f28ce99ab61

Status: ASSIGNED → RESOLVED

Closed: 10 years ago

status-firefox39: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla39

Sylvestre Ledru [:Sylvestre]

Updated

•

7 years ago

Blocks: coverity-analysis

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Coverity: string allocated by DecompileValueGenerator sometimes isn't freed

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: bbouvier, Assigned: bbouvier)

References

(Blocks 1 open bug)

Details

(Keywords: coverity)

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Comment 2

Updated

Comment 3

Comment 4

Updated

Comment 5

Comment 6

Comment 7

Updated

Attachment

General

Description

File Name

Content Type