Closed Bug 1361612 Opened 7 years ago Closed 7 years ago

Coverity report: nsPlaceholderFrame::mOutOfFlowFrame isn't initialized in the ctor

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla55

Tracking Flags:

Tracking

Status

firefox-esr52

---

unaffected

firefox53

---

wontfix

firefox54

---

wontfix

firefox55

---

fixed

People

(Reporter: MatsPalmgren_bugz, Assigned: emilio)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: coverity, good-first-bug, regression, Whiteboard: [CID 1221326])

Mats Palmgren (inactive)

Reporter

Description

•

7 years ago

Coverity CID 1221326 Uninitialized pointer field

The pointer field will point to an arbitrary memory location, any attempt to write may cause corruption.

In nsPlaceholderFrame::nsPlaceholderFrame(nsStyleContext *, nsFrameState): A pointer field is not initialized in the constructor


 70  nsPlaceholderFrame(nsStyleContext* aContext, nsFrameState aTypeBit)
 71    : nsFrame(aContext, mozilla::FrameType::Placeholder)
 72  {
   1. Condition aTypeBit == PLACEHOLDER_FOR_FLOAT, taking false branch.
   2. Condition aTypeBit == PLACEHOLDER_FOR_ABSPOS, taking false branch.
   3. Condition aTypeBit == PLACEHOLDER_FOR_FIXEDPOS, taking false branch.
   4. Condition aTypeBit == PLACEHOLDER_FOR_POPUP, taking false branch.
   5. Condition aTypeBit == PLACEHOLDER_FOR_TOPLAYER, taking false branch.
 73    NS_PRECONDITION(aTypeBit == PLACEHOLDER_FOR_FLOAT ||
 74                    aTypeBit == PLACEHOLDER_FOR_ABSPOS ||
 75                    aTypeBit == PLACEHOLDER_FOR_FIXEDPOS ||
 76                    aTypeBit == PLACEHOLDER_FOR_POPUP ||
 77                    aTypeBit == PLACEHOLDER_FOR_TOPLAYER,
 78                    "Unexpected type bit");
 79    AddStateBits(aTypeBit);
   CID 1221326 (#1 of 1): Uninitialized pointer field (UNINIT_CTOR)7. uninit_member: Non-static class member mOutOfFlowFrame is not initialized in this constructor nor in any functions that it calls.
 80  }

Mats Palmgren (inactive)

Reporter

Comment 1

•

7 years ago

We only create an nsPlaceholderFrame in one place currently:
http://searchfox.org/mozilla-central/rev/abe68d5dad139e376d5521ca1d4b7892e1e7f1ba/layout/base/nsCSSFrameConstructor.cpp#3051,3057
and it unconditionally calls SetOutOfFlowFrame() which sets this member.

Still seems worth fixing by adding "mOutOfFlowFrame(nullptr)" to the ctor...

Pulsebot

Comment 2

•

7 years ago

Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/120285c6daa0
Initialize nsPlaceholderFrame::mOutOfFlowFrame. r=mats

Iris Hsiao [:ihsiao]

Comment 3

•

7 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/120285c6daa0

Status: NEW → RESOLVED

Closed: 7 years ago

status-firefox55: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla55

Ryan VanderMeulen [:RyanVM]

Updated

•

7 years ago

Assignee: nobody → emilio+bugs

status-firefox53: --- → wontfix

status-firefox54: --- → affected

status-firefox-esr52: --- → unaffected

Sylvestre Ledru [:Sylvestre]

Updated

•

7 years ago

Blocks: coverity-analysis

Sylvestre Ledru [:Sylvestre]

Updated

•

7 years ago

Whiteboard: [CID 1221326]

Ryan VanderMeulen [:RyanVM]

Updated

•

7 years ago

status-firefox54: affected → wontfix

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Coverity report: nsPlaceholderFrame::mOutOfFlowFrame isn't initialized in the ctor

Categories

(Core :: Layout, defect, P3)

Tracking

()

People

(Reporter: MatsPalmgren_bugz, Assigned: emilio)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: coverity, good-first-bug, regression, Whiteboard: [CID 1221326])

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2

Comment 3

Updated

Updated

Updated

Updated