
nsAttrAndChildArray::AddAttrSlot() sets the new (empty) Attr slot to two nullptrs rather than zeroing the size of the structure that will go there

RESOLVED FIXED in Firefox 55

Status: RESOLVED FIXED
Product: Core
Component: DOM
Reported: 3 months ago
Modified: 3 months ago

People

(Reporter: bytesized, Assigned: bytesized)

Tracking

(Blocks: 1 bug)

Version: unspecified
Target Milestone: mozilla55
Points: ---

Firefox Tracking Flags

(firefox55 fixed)


Attachments

(1 attachment)

(Assignee)

Description

3 months ago
The implementation of nsAttrAndChildArray::AddAttrSlot sets the new Attribute slot using two nullptr assignments [1]. The rest of the code properly determines the size of the structure using the sizeof operator, but this line makes the assumption that the structure will be the size of two pointers.

This should be fixed such that the memory in a region the size of the structure that will be stored there (nsAttrAndChildArray::InternalAttr) is zeroed instead of assuming that the structure will be a specific size.

The memory should be zeroed rather than an InternalAttr being constructed there in order to guarantee that nsAttrAndChildArray::AttrSlotIsTaken [2] continues to work correctly.

[1] http://searchfox.org/mozilla-central/rev/4bd7a206dea5382c97a8a0c30beef668cc449f5b/dom/base/nsAttrAndChildArray.cpp#883-884
[2] http://searchfox.org/mozilla-central/rev/4bd7a206dea5382c97a8a0c30beef668cc449f5b/dom/base/nsAttrAndChildArray.h#173-177
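The hazard described above, illustrated with a mock that is an added example and not Gecko code: slots live in a flat array of pointer-sized words, a hypothetical InternalAttr is deliberately wider than two pointers, and a slot-is-taken check that looks only at the first word reports the slot free after the two-nullptr pattern even though stale bytes remain. All type and function names here (MockAttrName, MockAttrValue, SlotArray, ATTRSIZE rounding) are stand-ins, not the real nsAttrAndChildArray members.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical stand-ins for Gecko's nsAttrName / nsAttrValue (not the real types).
// MockAttrValue is deliberately wider than a pointer, so InternalAttr is NOT two
// pointers in size: exactly the assumption the bug report describes.
struct MockAttrName  { void* mBits; };
struct MockAttrValue { uintptr_t mBits; uint32_t mExtra; };
struct InternalAttr  { MockAttrName mName; MockAttrValue mValue; };

// Slot storage is a flat array of pointer-sized words; ATTRSIZE is the number of
// words one InternalAttr occupies (rounded up; an assumption of this mock).
constexpr size_t ATTRSIZE = (sizeof(InternalAttr) + sizeof(void*) - 1) / sizeof(void*);

struct SlotArray {
  std::vector<void*> buffer;
  // Pre-fill every word with a non-null pattern to stand in for stale heap contents.
  explicit SlotArray(size_t slots)
    : buffer(slots * ATTRSIZE, reinterpret_cast<void*>(~uintptr_t(0))) {}
  // Same idea as AttrSlotIsTaken: a slot counts as taken iff its first word is non-null.
  bool slotIsTaken(size_t slot) const { return buffer[slot * ATTRSIZE] != nullptr; }
  // Is every byte of the slot zero? In-place construction of an attribute relies on it.
  bool slotFullyZeroed(size_t slot) const {
    auto* p = reinterpret_cast<const unsigned char*>(&buffer[slot * ATTRSIZE]);
    for (size_t i = 0; i < sizeof(InternalAttr); ++i) { if (p[i] != 0) return false; }
    return true;
  }
  // Pre-fix pattern: assumes InternalAttr is exactly two pointers wide.
  void addSlotTwoNullptrs(size_t slot) {
    buffer[slot * ATTRSIZE] = nullptr;
    buffer[slot * ATTRSIZE + 1] = nullptr;
  }
  // Fixed pattern: zero sizeof(InternalAttr) bytes, whatever that size turns out to be.
  void addSlotZeroed(size_t slot) {
    std::memset(&buffer[slot * ATTRSIZE], 0, sizeof(InternalAttr));
  }
};

// True when the two-nullptr pattern reports the slot as free yet leaves stale bytes in it.
bool twoNullptrsLeaveStaleBytes() {
  SlotArray a(1); a.addSlotTwoNullptrs(0);
  return !a.slotIsTaken(0) && !a.slotFullyZeroed(0);
}
// True when sizeof-based zeroing reports the slot free and leaves no stale bytes.
bool zeroingCoversWholeSlot() {
  SlotArray a(1); a.addSlotZeroed(0);
  return !a.slotIsTaken(0) && a.slotFullyZeroed(0);
}
```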
(Assignee)

Updated

3 months ago
Component: DOM: Core & HTML → DOM
(Assignee)

Updated

3 months ago
Attachment #8859701 - Flags: review?(bzbarsky)
(Assignee)

Comment 2

3 months ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=866de54cc546f5edbf7a941f6f748c7553bf2262

Comment 3

3 months ago
mozreview-review
Comment on attachment 8859701 [details]
Bug 1357865 - Correctly zero the size of an InternalAttr in nsAttrAndChildArray::AddAttrSlot

https://reviewboard.mozilla.org/r/131708/#review134514

r=me
Attachment #8859701 - Flags: review?(bzbarsky) → review+

Comment 4

3 months ago
Pushed by ksteuber@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b31ecedca670
Correctly zero the size of an InternalAttr in nsAttrAndChildArray::AddAttrSlot r=bz

Comment 5

3 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/b31ecedca670
Status: ASSIGNED → RESOLVED
Last Resolved: 3 months ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55