Closed
Bug 1232635
Opened 10 years ago
Closed 10 years ago
[Static Analysis][Dereference before null check] In function FrameLayerBuilder::DrawPaintedLayer from FrameLayerBuilder.cpp
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla47
People
(Reporter: andi, Assigned: andi)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, Whiteboard: CID 1338377 )
Attachments
(1 file, 1 obsolete file)
|
1.06 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
The Static Analysis tool Coverity added that presContext is dereferenced before being null checked.
dereference:
>> // PaintedLayers. If aDirtyRegion has not changed since the previous call
>> // then we can skip this.
>> int32_t appUnitsPerDevPixel = presContext->AppUnitsPerDevPixel();
>> RecomputeVisibilityForItems(entry->mItems, builder, aDirtyRegion,
>> offset, appUnitsPerDevPixel,
>> userData->mXScale, userData->mYScale);
>> userData->mVisibilityComputedRegion = aDirtyRegion;
null check:
>> if (presContext && presContext->GetDocShell() && isActiveLayerManager) {
>> nsDocShell* docShell = static_cast<nsDocShell*>(presContext->GetDocShell());
>> RefPtr<TimelineConsumers> timelines = TimelineConsumers::Get();
The null check is done after the dereference was made.
if we expect that the normal behavior of this functios is to always have a valid presContext we should add an assert checking it's validity thus letting know Coverity that this is the intended behavior.
|
Assignee | |
Comment 1•10 years ago
|
||
Attachment #8698411 -
Flags: review?(dbaron)
Comment on attachment 8698411 [details] [diff] [review]
Bug 1232635.diff
Coverity should know that PresContext() never returns a null pointer without this. We should fix that problem rather than adding this assertion.
Attachment #8698411 -
Flags: review?(dbaron) → review-
|
|
Assignee | |
Comment 3•10 years ago
|
||
What actually confused Coveirty was this check:
>> if (presContext && presContext->GetDocShell() && isActiveLayerManager) {
>> nsDocShell* docShell = static_cast<nsDocShell*>(presContext->GetDocShell());
>> RefPtr<TimelineConsumers> timelines = TimelineConsumers::Get();
Testing the validity of presContext determined Coverity to assume that it could also be NULL so that's why it triggered dereference before null check.
So should this be treated as not a bug?
Flags: needinfo?(dbaron)
|
||
Comment 4•10 years ago
|
||
I think the correct fix here is to remove the useless null check here:
> if (presContext && presContext->GetDocShell() && isActiveLayerManager) {
We always promise the return value of PresContext() is not null, but Coverity deduces that presContext could be null from this line.
|
|
Assignee | |
Comment 5•10 years ago
|
||
yes this is what i was thinking as well.
|
|
Assignee | |
Comment 6•10 years ago
|
||
Attachment #8698411 -
Attachment is obsolete: true
Attachment #8699376 -
Flags: review?(dbaron)
|
|
Assignee | |
Comment 7•10 years ago
|
||
Comment on attachment 8699376 [details] [diff] [review]
Bug 1232635.diff
Review of attachment 8699376 [details] [diff] [review]:
-----------------------------------------------------------------
As David is probably very busy
Attachment #8699376 -
Flags: review?(dbaron) → review?(bzbarsky)
|
|
Assignee | |
Updated•10 years ago
|
Flags: needinfo?(dbaron)
|
||
Comment 8•10 years ago
|
||
Comment on attachment 8699376 [details] [diff] [review]
Bug 1232635.diff
r=me, but Xidorn could totally have reviewed this.
Attachment #8699376 -
Flags: review?(bzbarsky) → review+
|
|
||
Comment 9•10 years ago
|
||
But I'm totally not a peer :/
|
|
||
Comment 10•10 years ago
|
||
OK, but I am, and I just totally delegated you to review patches like that if you're comfortable with them. ;)
|
|
||
Comment 11•10 years ago
|
||
OK, hopefully I won't ruin the code :)
|
|
Assignee | |
Updated•10 years ago
|
Keywords: checkin-needed
|
||
Comment 12•10 years ago
|
||
Keywords: checkin-needed
|
||
Comment 13•10 years ago
|
||
backout for test failures like https://hg.mozilla.org/integration/mozilla-inbound/rev/b6ac829c36bb
Flags: needinfo?(bogdan.postelnicu)
|
|
Assignee | |
Comment 14•10 years ago
|
||
This is only a null check and should't this be the issue.
Flags: needinfo?(bogdan.postelnicu)
|
|
Assignee | |
Updated•10 years ago
|
Keywords: checkin-needed
|
|
||
Comment 15•10 years ago
|
||
> backout for test failures like https://hg.mozilla.org/integration/mozilla-inbound/rev/b6ac829c36bb
That's not a link to a test failure... what were the actual failures? I'm not seeing them on https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=88e44bfba483 but maybe they only showed up later?
Flags: needinfo?(cbook)
|
|
||
Comment 16•10 years ago
|
||
Hi Boris, it was for failures like https://treeherder.mozilla.org/logviewer.html#?job_id=21413336&repo=mozilla-inbound
see https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&filter-searchStr=Linux%20opt%20Reftest%20e10s%20Crashtest%20e10s%20R-e10s%28C%29&fromchange=99bef2f7a333&tochange=88e44bfba483&selectedJob=21413336
Flags: needinfo?(cbook)
|
|
Assignee | |
Comment 17•10 years ago
|
||
I think the crash is associated with this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1247122
|
|
||
Comment 18•10 years ago
|
||
Keywords: checkin-needed
|
|
||
Comment 19•10 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox47:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
You need to log in
before you can comment on or make changes to this bug.
Description
•