Closed Bug 1275184 Opened 4 years ago Closed 4 years ago

Uninitialised value use in nsDocShellTreeOwner::HandleEvent

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla49

Tracking Flags:

Tracking

Status

firefox49

---

fixed

People

(Reporter: jseward, Unassigned)

Details

Attachments

(2 files, 1 obsolete file)

valgrind complaint 4 years ago Julian Seward [:jseward] 2.51 KB, text/plain		Details
bug1275184-1.cset 4 years ago Julian Seward [:jseward] 1.26 KB, patch		Details \| Diff \| Splinter Review
bug1275184-2.cset 4 years ago Julian Seward [:jseward] 1.08 KB, patch	smaug : review+	Details \| Diff \| Splinter Review

Julian Seward [:jseward]

Reporter

Description

•

4 years ago

Valgrind complains about this fragment in nsDocShellTreeOwner::HandleEvent:

      bool canDropLink;
      handler->CanDropLink(dragEvent, false, &canDropLink);
      if (canDropLink) {
        aEvent->PreventDefault();
      }

It seems that |handler->CanDropLink| can return without writing any value
into |canDropLink|.  A bit of grepping for the possible call target produces
this, in <objdir>/dist/include/nsIDroppedLinkHandler.h as the only call
target, so perhaps this is not surprising:

/* boolean canDropLink (in nsIDOMDragEvent aEvent, in boolean aAllowSameDocument); */
NS_IMETHODIMP nsDroppedLinkHandler::CanDropLink(nsIDOMDragEvent *aEvent,
                                bool aAllowSameDocument, bool *_retval)
{
    return NS_ERROR_NOT_IMPLEMENTED;
}

Maybe the call in nsDocShellTreeOwner::HandleEvent should check the return
value before looking at |canDropLink| ?

STR:

DISPLAY=:1.0 ./mach mochitest -f plain --keep-open=no \
  --valgrind=/home/sewardj/VgTRUNK/asert/Inst/bin/valgrind \
  --valgrind-args=--show-mismatched-frees=no,--track-origins=yes \
  dom/events/test/test_bug1264380.html  2>&1 | tee spew-29-05-mc

Julian Seward [:jseward]

Reporter

Comment 1

•

4 years ago

Attached file valgrind complaint — Details

Julian Seward [:jseward]

Reporter

Comment 2

•

4 years ago

Attached patch bug1275184-1.cset (obsolete) — Details — Splinter Review

A possible fix.

Olli Pettay [:smaug]

Comment 3

•

4 years ago

That code ends up calling JS implemented nsIDroppedLinkHandler.
http://mxr.mozilla.org/mozilla-central/source/dom/base/contentAreaDropListener.js#93

Julian Seward [:jseward]

Reporter

Comment 4

•

4 years ago

Attached patch bug1275184-2.cset — Details — Splinter Review

Attachment #8755728 - Attachment is obsolete: true

Julian Seward [:jseward]

Reporter

Updated

•

4 years ago

Attachment #8755874 - Flags: review?(bugs)

Olli Pettay [:smaug]

Updated

•

4 years ago

Attachment #8755874 - Flags: review?(bugs) → review+

Pulsebot

Comment 5

•

4 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/83a0dff3856c

Ryan VanderMeulen [:RyanVM]

Comment 6

•

4 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/83a0dff3856c

Status: NEW → RESOLVED

Closed: 4 years ago

status-firefox49: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla49

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Uninitialised value use in nsDocShellTreeOwner::HandleEvent

Categories

(Core :: DOM: Navigation, defect)

Tracking

()

People

(Reporter: jseward, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(2 files, 1 obsolete file)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Updated

Updated

Comment 5

Comment 6