Closed
Bug 1361612
Opened 7 years ago
Closed 7 years ago
Coverity report: nsPlaceholderFrame::mOutOfFlowFrame isn't initialized in the ctor
Categories: Core :: Layout, defect, P3
Tracking: RESOLVED FIXED (target milestone mozilla55)

Flag | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox53 | --- | wontfix
firefox54 | --- | wontfix
firefox55 | --- | fixed
People
(Reporter: MatsPalmgren_bugz, Assigned: emilio)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, good-first-bug, regression, Whiteboard: [CID 1221326])
Description (Reporter):

Coverity CID 1221326: Uninitialized pointer field

The pointer field will point to an arbitrary memory location, any attempt to write may cause corruption.

In nsPlaceholderFrame::nsPlaceholderFrame(nsStyleContext *, nsFrameState): A pointer field is not initialized in the constructor

```text
70 nsPlaceholderFrame(nsStyleContext* aContext, nsFrameState aTypeBit)
71   : nsFrame(aContext, mozilla::FrameType::Placeholder)
72 {
     1. Condition aTypeBit == PLACEHOLDER_FOR_FLOAT, taking false branch.
     2. Condition aTypeBit == PLACEHOLDER_FOR_ABSPOS, taking false branch.
     3. Condition aTypeBit == PLACEHOLDER_FOR_FIXEDPOS, taking false branch.
     4. Condition aTypeBit == PLACEHOLDER_FOR_POPUP, taking false branch.
     5. Condition aTypeBit == PLACEHOLDER_FOR_TOPLAYER, taking false branch.
73   NS_PRECONDITION(aTypeBit == PLACEHOLDER_FOR_FLOAT ||
74                   aTypeBit == PLACEHOLDER_FOR_ABSPOS ||
75                   aTypeBit == PLACEHOLDER_FOR_FIXEDPOS ||
76                   aTypeBit == PLACEHOLDER_FOR_POPUP ||
77                   aTypeBit == PLACEHOLDER_FOR_TOPLAYER,
78                   "Unexpected type bit");
79   AddStateBits(aTypeBit);
     CID 1221326 (#1 of 1): Uninitialized pointer field (UNINIT_CTOR)
     7. uninit_member: Non-static class member mOutOfFlowFrame is not initialized in this constructor nor in any functions that it calls.
80 }
```
Comment 1•7 years ago
We only create an nsPlaceholderFrame in one place currently: http://searchfox.org/mozilla-central/rev/abe68d5dad139e376d5521ca1d4b7892e1e7f1ba/layout/base/nsCSSFrameConstructor.cpp#3051,3057 and it unconditionally calls SetOutOfFlowFrame() which sets this member. Still seems worth fixing by adding "mOutOfFlowFrame(nullptr)" to the ctor...
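The one-line fix suggested in comment 1, shown on a minimal mock of the classes (an added example, not Gecko's code; the nsFrame base, the state-bit values and HasOutOfFlowFrame() are assumptions): with mOutOfFlowFrame initialized to nullptr, a placeholder that never had SetOutOfFlowFrame() called on it yields a deterministic null instead of an arbitrary pointer, so the invariant comment 1 relies on becomes checkable.

```cpp
#include <cassert>
#include <cstdint>

// Hypothetical stand-ins for nsFrame / nsPlaceholderFrame; the bit values
// are constructed for this example and are not Gecko's real constants.
using nsFrameState = uint64_t;
constexpr nsFrameState PLACEHOLDER_FOR_FLOAT    = 1u << 0;
constexpr nsFrameState PLACEHOLDER_FOR_ABSPOS   = 1u << 1;
constexpr nsFrameState PLACEHOLDER_FOR_FIXEDPOS = 1u << 2;
constexpr nsFrameState PLACEHOLDER_FOR_POPUP    = 1u << 3;
constexpr nsFrameState PLACEHOLDER_FOR_TOPLAYER = 1u << 4;

class nsFrame {
public:
  void AddStateBits(nsFrameState aBits) { mState |= aBits; }
  nsFrameState GetStateBits() const { return mState; }
private:
  nsFrameState mState = 0;  // in-class initializer: never indeterminate
};

class nsPlaceholderFrame : public nsFrame {
public:
  explicit nsPlaceholderFrame(nsFrameState aTypeBit)
    : mOutOfFlowFrame(nullptr)  // the fix: member initialized in the ctor
  {
    assert(IsValidTypeBit(aTypeBit) && "Unexpected type bit");
    AddStateBits(aTypeBit);
  }
  // Same condition as the NS_PRECONDITION on the page: exactly one of the
  // five placeholder type bits, nothing else.
  static bool IsValidTypeBit(nsFrameState aTypeBit) {
    constexpr nsFrameState kAll = PLACEHOLDER_FOR_FLOAT | PLACEHOLDER_FOR_ABSPOS |
        PLACEHOLDER_FOR_FIXEDPOS | PLACEHOLDER_FOR_POPUP | PLACEHOLDER_FOR_TOPLAYER;
    return aTypeBit != 0 && (aTypeBit & kAll) == aTypeBit &&
           (aTypeBit & (aTypeBit - 1)) == 0;
  }
  nsFrame* GetOutOfFlowFrame() const { return mOutOfFlowFrame; }
  void SetOutOfFlowFrame(nsFrame* aFrame) { mOutOfFlowFrame = aFrame; }
private:
  nsFrame* mOutOfFlowFrame;
};

// Before the fix a creation path that skipped SetOutOfFlowFrame() would hand
// out whatever bytes the allocation held; after it, the missing frame is an
// observable nullptr that callers and assertions can reject.
bool HasOutOfFlowFrame(const nsPlaceholderFrame& aPlaceholder) {
  return aPlaceholder.GetOutOfFlowFrame() != nullptr;
}
```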
Comment 2•7 years ago

Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/120285c6daa0
Initialize nsPlaceholderFrame::mOutOfFlowFrame. r=mats
Comment 3•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/120285c6daa0
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated•7 years ago
Assignee: nobody → emilio+bugs
status-firefox53:
--- → wontfix
status-firefox54:
--- → affected
status-firefox-esr52:
--- → unaffected
Updated•7 years ago
Blocks: coverity-analysis
Updated•7 years ago
Whiteboard: [CID 1221326]
Updated•7 years ago