Closed Bug 1300769 Opened 8 years ago Closed 8 years ago

[Static Analysis][Dereference after null check] In function nsXBLPrototypeHandler::ReportKeyConflict

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla51

Tracking Flags:

Tracking

Status

firefox51

---

fixed

People

(Reporter: andi, Assigned: andi)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: CID 1372412)

Attachments

(1 file)

Bug 1300769 - call ConstructPrototype only if mType is NS_HANDLER_TYPE_XUL. 8 years ago Andi [:andi] 58 bytes, text/x-review-board-request	mrbkap : review+	Details

Andi [:andi]

Assignee

Description

•

8 years ago

The Static Analysis tool Coverity detected that |aKeyElement| is dereferenced after it's null checked but in a different context.

Null check:

>>  } else if (aKeyElement) {
>>    doc = aKeyElement->OwnerDoc();
>>  }

Dereference:

>>  aKeyElement->GetAttr(kNameSpaceID_None, nsGkAtoms::id, id);

I think the correct approach here is to call ReportKeyConflict only if in the callee function (mType & NS_HANDLER_TYPE_XUL) == true

Comment hidden (mozreview-request)

Review commit: https://reviewboard.mozilla.org/r/76950/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/76950/

Andrea Marchesini [:baku]

Comment 2

•

8 years ago

mozreview-review

Comment on attachment 8788449 [details]
Bug 1300769 - call ConstructPrototype only if mType is NS_HANDLER_TYPE_XUL.

https://reviewboard.mozilla.org/r/76950/#review75072

I cannot review XBL code. Ask a XBL peer.

Attachment #8788449 - Flags: review?(amarchesini)

Andi [:andi]

Assignee

Updated

•

8 years ago

Attachment #8788449 - Flags: review?(mrbkap)

Blake Kaplan (:mrbkap) (inactive)

Comment 3

•

8 years ago

mozreview-review

Comment on attachment 8788449 [details]
Bug 1300769 - call ConstructPrototype only if mType is NS_HANDLER_TYPE_XUL.

https://reviewboard.mozilla.org/r/76950/#review75176

r=me with an additional assertion to help clarify the control flow.

::: dom/xbl/nsXBLPrototypeHandler.cpp:739
(Diff revision 1)
>                                            const char16_t* aAllowUntrusted)
>  {
>    mType = 0;
>  
>    if (aKeyElement) {
>      mType |= NS_HANDLER_TYPE_XUL;

Please add MOZ_ASSERT(!mPrototypeBinding) to make the relationship between `mType & NS_HANDLER_TYPE_XUL` and `aKeyElement` more clear.

Attachment #8788449 - Flags: review?(mrbkap) → review+

Comment hidden (mozreview-request)

Comment on attachment 8788449 [details]
Bug 1300769 - call ConstructPrototype only if mType is NS_HANDLER_TYPE_XUL.

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/76950/diff/1-2/

Pulsebot

Comment 5

•

8 years ago

Pushed by bpostelnicu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e6cb70f31562
call ConstructPrototype only if mType is NS_HANDLER_TYPE_XUL. r=mrbkap

Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)

Comment 6

•

8 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/e6cb70f31562

Status: NEW → RESOLVED

Closed: 8 years ago

status-firefox51: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla51

Nobody; OK to take it and work on it

Updated

•

5 years ago

Component: DOM → DOM: Core & HTML

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

[Static Analysis][Dereference after null check] In function nsXBLPrototypeHandler::ReportKeyConflict

Categories

(Core :: DOM: Core & HTML, defect)

Tracking

()

People

(Reporter: andi, Assigned: andi)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: CID 1372412)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Updated

Comment 3

Comment 4

Comment 5

Comment 6

Updated

Attachment

General

Description

File Name

Content Type