[Static Analysis][Dereference after null check] In Codegen

RESOLVED FIXED in Firefox 51

Status

Core
DOM
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: andi, Assigned: andi)

Tracking

(Blocks: 1 bug, {coverity})

Trunk
mozilla51
coverity
Points:
---

Firefox Tracking Flags

(firefox51 fixed)

Details

(Whiteboard: CID 1365069 - 1365146)

Attachments

(1 attachment)

(Assignee)

Description

2 years ago
The Static Analysis tool Coverity detected that there could be a possible null pointer dereference in this context:

>>                bool isNull = val.isNullOrUndefined();
>>                // We only need these if !isNull, in which case we have |cx|.
>>                Maybe<JS::Rooted<JSObject *> > object;
>>                Maybe<JS::Rooted<JS::Value> > temp;
>>                if (!isNull) {
>>                  object.emplace(cx, &val.toObject());
>>                  temp.emplace(cx);
>>                }

This is triggered because of this check earlier on the code:

>>               if (cx) {
>>                  atomsCache = GetAtomCache<${dictName}Atoms>(cx);
>>                  if (!*reinterpret_cast<jsid**>(atomsCache) && !InitIds(cx, atomsCache)) {
>>                    return false;
>>                  }
>>                }

Even though the comment says that if !isNull then we have |cx|, in order to eliminate the false positives regarding this issue (around 80), we should add a MOZ_ASSERT(cx).
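A stand-alone reconstruction of the pattern described above, added here as an example (this is not Gecko code; JSContext, JSObject, Value, Rooted and InitIds are constructed stand-ins). It shows why the analyser flags `cx`: it is null-checked once, then used on a path guarded by an unrelated condition, and only the assertion ties the two together.

```cpp
#include <cassert>
#include <optional>

// Constructed stand-ins for JSContext, JSObject and JS::Value.
struct JSContext { bool atomsReady = false; int rootCount = 0; };
struct JSObject { int id = 0; };
struct Value {
  JSObject* obj = nullptr;  // nullptr models JS null/undefined
  bool isNullOrUndefined() const { return obj == nullptr; }
  JSObject& toObject() const { return *obj; }
};

// Models JS::Rooted<T>: its constructor dereferences cx, which is the use
// Coverity reports as "dereference after null check".
template <typename T>
struct Rooted {
  Rooted(JSContext* cx, T v) : value(v) { ++cx->rootCount; }
  T value;
};

// Stand-in for InitIds(): marks the atoms cache as initialised.
static bool InitIds(JSContext* cx) { cx->atomsReady = true; return true; }

// Same shape as the generated dictionary conversion: cx is null-checked up
// front (so the analyser learns it may be null), then used on the !isNull
// path. Caller contract: !isNull implies cx != nullptr. The assert (MOZ_ASSERT
// in Gecko; both compile out in non-debug builds) states that link explicitly.
bool ConvertMember(JSContext* cx, const Value& val) {
  if (cx) {
    if (!cx->atomsReady && !InitIds(cx)) return false;
  }
  bool isNull = val.isNullOrUndefined();
  std::optional<Rooted<JSObject*>> object;
  std::optional<Rooted<Value>> temp;
  if (!isNull) {
    assert(cx);  // the fix from the bug, written with plain assert here
    object.emplace(cx, &val.toObject());
    temp.emplace(cx, Value{});
  }
  return true;
}
// Runs one call and reports how many roots were created, so each path can be
// checked. withContext=false with withObject=true breaks the contract and
// trips the assertion in a debug build.
int RootsCreated(bool withContext, bool withObject) {
  JSContext cx;
  JSObject obj;
  Value val{withObject ? &obj : nullptr};
  ConvertMember(withContext ? &cx : nullptr, val);
  return cx.rootCount;
}
```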

Comment 2

2 years ago
mozreview-review
Comment on attachment 8788867 [details]
Bug 1301033 - add assert cx on generated code in order to prevent false-positive from static analysis tools.

https://reviewboard.mozilla.org/r/77204/#review75426

::: dom/bindings/Codegen.py:12324
(Diff revision 1)
>                  bool isNull = val.isNullOrUndefined();
>                  // We only need these if !isNull, in which case we have |cx|.
>                  Maybe<JS::Rooted<JSObject *> > object;
>                  Maybe<JS::Rooted<JS::Value> > temp;
>                  if (!isNull) {
> +                  MOZ_ASSERT(cx);    
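Review bot: Trailing whitespace after `MOZ_ASSERT(cx);` on the added line should be dropped before landing. The placement is right: the assertion sits inside `if (!isNull)`, the branch the comment directly above claims guarantees `cx`, and ahead of the `object.emplace(cx, ...)` call where the analyser saw `cx` dereferenced after the earlier `if (cx)` check, so it states the invariant at exactly the point the tool needs it.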

Remove the extra spaces.
Attachment #8788867 - Flags: review?(amarchesini) → review+

Comment 4

2 years ago
Pushed by bpostelnicu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/22cea8abf7e4
add assert cx on generated code in order to prevent false-positive from static analysis tools. r=baku

Comment 5

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/22cea8abf7e4
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox51: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51