[Static Analysis][Dereference after null check] In function nsCaseTransformTextRunFactory::TransformString

RESOLVED FIXED in Firefox 51

Status

()

Product:
Core
Component:
Layout
Status:
RESOLVED FIXED
Reported:
2 years ago
Modified:
2 years ago

People

(Reporter: andi, Assigned: andi)

Tracking

(Blocks: 1 bug, {coverity})

Version:
Trunk
Target:
mozilla51
Keywords:
coverity
Points:
---

Firefox Tracking Flags

(firefox51 fixed)

Details

(Whiteboard: CID 1372296)

Attachments

(1 attachment)

Bug 1299102 - swap NS_PRECONDITION with MOZ_ASSERT in TransformString.
58 bytes, text/x-review-board-request
jfkthame
: review+
Details
(Assignee)

Description

2 years ago 
The Static Analysis tool Coverity detected that pointer |aTextRun| is dereferenced after is being null checked witch implies a possible null pointer dereference.

Null check:

>>    if (aTextRun) {
>>      charStyle = aTextRun->mStyles[aOffsetInTextRun];
>>      style = aAllUppercase ? NS_STYLE_TEXT_TRANSFORM_UPPERCASE :
>>        charStyle->mTextTransform;
>>      forceNonFullWidth = charStyle->mForceNonFullWidth;

Dereference:

>>      if (auxiliaryOutputArrays) {
>>        aStyleArray->AppendElement(charStyle);
>>        aCanBreakBeforeArray->AppendElement(
>>          inhibitBreakBefore ? gfxShapedText::CompressedGlyph::FLAG_BREAK_TYPE_NONE
>>                             : aTextRun->CanBreakBefore(aOffsetInTextRun));
>>      }
Comment hidden (mozreview-request)

Comment 2

2 years ago
mozreview-review 
Comment on attachment 8786296 [details]
Bug 1299102 - swap NS_PRECONDITION with MOZ_ASSERT in TransformString.

https://reviewboard.mozilla.org/r/75272/#review73162

Hmmm... actually it isn't needed, given there is a precondition at the beginning of this function which asserts "!auxiliaryOutputArrays || aTextRun", so presumably this wouldn't happen. Probably we can just replace the NS_PRECONDITION to MOZ_ASSERT to be sure.

Comment 3

2 years ago
mozreview-review 
Comment on attachment 8786296 [details]
Bug 1299102 - swap NS_PRECONDITION with MOZ_ASSERT in TransformString.

https://reviewboard.mozilla.org/r/75272/#review73336

As Xidorn noted, the extra test is not needed here; if `auxiliaryOutputArrays` is true, `aTextRun` will always be non-null, as per the precondition at the top of the method. Any violation of this precondition indicates a fundamental coding error in the caller.

If it makes coverity any happier, I will r+ a patch that changes the NS_PRECONDITION there into a MOZ_ASSERT.
Attachment #8786296 - Flags: review?(jfkthame) → review-
Comment hidden (mozreview-request)

Comment 5

2 years ago
mozreview-review 
Comment on attachment 8786296 [details]
Bug 1299102 - swap NS_PRECONDITION with MOZ_ASSERT in TransformString.

https://reviewboard.mozilla.org/r/75272/#review73526

::: layout/generic/nsTextRunTransformations.cpp:289
(Diff revision 2)
> -  NS_PRECONDITION(!auxiliaryOutputArrays || aTextRun,
> +  MOZ_ASSERT(!auxiliaryOutputArrays || aTextRun,
>                    "text run must be provided to use aux output arrays");

Please also adjust the indent of the wrapped line, to maintain the alignment.
Attachment #8786296 - Flags: review?(jfkthame) → review+
Comment hidden (mozreview-request)

Comment 7

2 years ago 
Pushed by bpostelnicu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a4204b1030f2
swap NS_PRECONDITION with MOZ_ASSERT in TransformString. r=jfkthame

Comment 8

2 years ago
bugherder 
https://hg.mozilla.org/mozilla-central/rev/a4204b1030f2
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox51: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in before you can comment on or make changes to this bug.