Closed Bug 1236900 Opened 10 years ago Closed 10 years ago

[Static Analysis][Dereference before null check] In function nsFrameLoader::GetNewTabContext, mOwnerContent is null checked

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla46
Tracking Flags:
Tracking Status
firefox46 --- fixed

People

(Reporter: andi, Assigned: andi)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: CID 1346169)

Attachments

(1 file, 1 obsolete file)

Bug 1236900.diff
1.69 KB, patch
Details | Diff | Splinter Review
The Static Analysis tool Coverity added that variable mOwnerContent is null checked: >>if (mOwnerContent) { >> nsAutoString userContextIdStr; >> if (mOwnerContent->HasAttr(kNameSpaceID_None, nsGkAtoms::usercontextid)) { >> mOwnerContent->GetAttr(kNameSpaceID_None, >> nsGkAtoms::usercontextid, >> userContextIdStr); but earlier on is derefenced in function GetContainingApp that is called: >> nsCOMPtr<mozIApplication> containingApp = GetContainingApp(); In function GetContainingApp we have the dereference here: >> // See if our owner content's principal has an associated app. >> uint32_t appId = mOwnerContent->NodePrincipal()->GetAppId(); mOwnerContent is attributed a value in the constructor nsFrameLoader that is called from nsFrameLoader::Create: >> NS_ENSURE_TRUE(aOwner, nullptr); >> nsIDocument* doc = aOwner->OwnerDoc(); >> NS_ENSURE_TRUE(!doc->IsResourceDoc() && >> ((!doc->IsLoadedAsData() && aOwner->GetComposedDoc()) || >> doc->IsStaticDocument()), >> nullptr); >> >> return new nsFrameLoader(aOwner, aNetworkCreated); Each place whe nsFrameLoader::Create gets called a valid aOwnver will be passed: 1. >> mFrameLoader = nsFrameLoader::Create(thisContent->AsElement(), >> mNetworkCreated); 2. >> nsFrameLoader* fl = nsFrameLoader::Create(content->AsElement(), false); >> if (fl) { 3. >> // frameloader exists. It's more of a best-effort kind of thing. >> mFrameLoader = nsFrameLoader::Create(this, mNetworkCreated); >> if (mIsPrerendered) { 4. >> nsGenericHTMLFrameElement* dest = >> static_cast<nsGenericHTMLFrameElement*>(aDest); >> nsFrameLoader* fl = nsFrameLoader::Create(dest, false); 5. >> slots->mFrameLoader = nsFrameLoader::Create(this, false); >> NS_ENSURE_TRUE(slots->mFrameLoader, NS_OK); Following the above scenarios the check from function GetNewTabContext only confuses the static analyzer. I advise eliminating it.
Attached patch Bug 1236900.diff (obsolete) — Splinter Review
Attachment #8704125 - Flags: review?(jst)
Comment on attachment 8704125 [details] [diff] [review] Bug 1236900.diff I'm fine with this change given the call to GetContainingApp(), but I'm not convinced this code (before your change) is actually safe (though crash-stats tells me it's at least not far off). There's at least one case where we do set mOwnerContent to null (in StartDestroy()), but it's not at all clear how one would get a call in to GetNewTabContext() (or any of the other places where we dereference mOwnerContent w/o null checking it) after StartDestroy() has been called. r=jst
Attachment #8704125 - Flags: review?(jst) → review+
Attached patch Bug 1236900.diffSplinter Review
Thx for the review. I've inly updated the comment of the patch in order to include you as a reviewer.
Attachment #8704125 - Attachment is obsolete: true
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/1d17f829b464
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox46: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: