1275184 - Uninitialised value use in nsDocShellTreeOwner::HandleEvent

Status: RESOLVED FIXED

(Core :: DOM: Navigation, defect)

Description

[Julian Seward [:jseward]]

Valgrind complains about this fragment in nsDocShellTreeOwner::HandleEvent:

      bool canDropLink;
      handler->CanDropLink(dragEvent, false, &canDropLink);
      if (canDropLink) {
        aEvent->PreventDefault();
      }

It seems that |handler->CanDropLink| can return without writing any value
into |canDropLink|.  A bit of grepping for the possible call target produces
this, in <objdir>/dist/include/nsIDroppedLinkHandler.h as the only call
target, so perhaps this is not surprising:

/* boolean canDropLink (in nsIDOMDragEvent aEvent, in boolean aAllowSameDocument); */
NS_IMETHODIMP nsDroppedLinkHandler::CanDropLink(nsIDOMDragEvent *aEvent,
                                bool aAllowSameDocument, bool *_retval)
{
    return NS_ERROR_NOT_IMPLEMENTED;
}

Maybe the call in nsDocShellTreeOwner::HandleEvent should check the return
value before looking at |canDropLink| ?

STR:

DISPLAY=:1.0 ./mach mochitest -f plain --keep-open=no \
  --valgrind=/home/sewardj/VgTRUNK/asert/Inst/bin/valgrind \
  --valgrind-args=--show-mismatched-frees=no,--track-origins=yes \
  dom/events/test/test_bug1264380.html  2>&1 | tee spew-29-05-mc

Comment 1

[Julian Seward [:jseward]]

Attachment: valgrind complaint

Comment 2

[Julian Seward [:jseward]]

Attachment: bug1275184-1.cset

A possible fix.

Comment 3

[Olli Pettay [:smaug][bugs@pettay.fi]]

That code ends up calling JS implemented nsIDroppedLinkHandler.
http://mxr.mozilla.org/mozilla-central/source/dom/base/contentAreaDropListener.js#93

Comment 4

[Julian Seward [:jseward]]

Attachment: bug1275184-2.cset

Comment 5

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/83a0dff3856c

Comment 6

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/83a0dff3856c