Closed Bug 1278201 Opened 4 years ago Closed 4 years ago

[Static Analysis][Write to pointer after free] In function Release()

Categories

(Core :: MFBT, defect)

defect
Not set

Tracking


RESOLVED FIXED
mozilla50
Tracking Status
firefox49 --- affected
firefox50 --- fixed

People

(Reporter: andi, Assigned: andi)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: CID 1362553)

Attachments

(1 file)

The Static Analysis tool Coverity added that |mRefCnt| is written after it is freed:

>>    if (mRefCnt == 1) {
>>      delete this;
>>    }
>>    mRefCnt--;

I think the correct approach is:

>>    mRefCnt--;
>>    if (mRefCnt == 0) {
>>      delete this;
>>    }
>>    return mRefCnt;
https://reviewboard.mozilla.org/r/57870/#review54752

::: mfbt/tests/TestNotNull.cpp:74
(Diff revision 1)
> -    if (mRefCnt == 1) {
> +    mRefCnt--;
> +    if (mRefCnt == 0) {
>        delete this;
>      }
> -    mRefCnt--;
>      return mRefCnt;
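Review bot: `return mRefCnt;` at the end of this hunk still reads the member after `delete this;` has run on the zero path, so the patch turns the write-after-free into a read-after-free. Copy the decremented value into a local before the check and return that local instead, e.g. `auto count = --mRefCnt;` / `if (count == 0) { delete this; }` / `return count;`.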

This still sounds like a bad idea.
Comment on attachment 8760183 [details]
Bug 1278201 - prevent writing |mRefCnt| after it's freed.

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/57870/diff/1-2/
Attachment #8760183 - Flags: review?(jwalden+bmo) → review?(Ms2ger)
Comment on attachment 8760183 [details]
Bug 1278201 - prevent writing |mRefCnt| after it's freed.

https://reviewboard.mozilla.org/r/57870/#review54788
Attachment #8760183 - Flags: review?(Ms2ger) → review+
Pushed by Bogdan.Postelnicu@softvision.ro:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0773860ce60c
prevent writing |mRefCnt| after it's freed. r=Ms2ger
https://hg.mozilla.org/mozilla-central/rev/0773860ce60c
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50