Closed Bug 1539013 Opened 7 months ago Closed 7 months ago

Parameters coming from caller aren't allowed to be used as arguments of MOZ_CAN_RUN_SCRIPT methods if they are changed with `&`

Categories: Firefox Build System :: Source Code Analysis, defect
Tracking: firefox68 fixed; RESOLVED FIXED; target milestone mozilla68
People: Reporter: masayuki, Assigned: bzbarsky
References: Blocks 1 open bug
Attachments: 1 file

Example 1:
https://searchfox.org/mozilla-central/rev/2c912888e3b7ae4baf161d98d7a01434f31830aa/editor/libeditor/HTMLStyleEditor.cpp#518,526

nsresult HTMLEditor::SetInlinePropertyOnNode(nsIContent& aNode,
                                             nsAtom& aProperty,
                                             nsAtom* aAttribute,
                                             const nsAString& aValue) {
  nsCOMPtr<nsIContent> previousSibling = aNode.GetPreviousSibling(),
                       nextSibling = aNode.GetNextSibling();
  NS_ENSURE_STATE(aNode.GetParentNode());
  OwningNonNull<nsINode> parent = *aNode.GetParentNode();

  nsresult rv = RemoveStyleInside(aNode, &aProperty, aAttribute);

If RemoveStyleInside() is marked as MOZ_CAN_RUN_SCRIPT, &aProperty becomes an error in this case even though it's a parameter.

Example 2:
https://searchfox.org/mozilla-central/rev/2c912888e3b7ae4baf161d98d7a01434f31830aa/editor/libeditor/HTMLStyleEditor.cpp#509-510

  RefPtr<Element> tmp = InsertContainerWithTransaction(
      aNode, aProperty, aAttribute ? *aAttribute : *nsGkAtoms::_empty, aValue);

aAttribute ? *aAttribute : *nsGkAtoms::_empty becomes an error too.
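An added illustration, not code from this bug or from mozilla-central, of the hazard MOZ_CAN_RUN_SCRIPT guards against and of why `&aParam` on a reference parameter is as safe as `*aParam`. The `Atom`, `RefPtr`, `Document`, `ScriptHook` and `ReadAfterScript` names are invented stand-ins, and the MOZ_CAN_RUN_SCRIPT macro below is an empty placeholder for the clang-plugin annotation (nothing here is statically analysed). Release() poisons the object instead of freeing it so that a use-after-release is observable rather than undefined behaviour.

```cpp
#include <cassert>
#include <functional>

// Empty stand-in for the real annotation, which a clang plugin checks in
// mozilla-central. Here only the runtime behaviour demonstrates the rule.
#define MOZ_CAN_RUN_SCRIPT

// Refcounted object invented for this example. On the last Release() it is
// poisoned instead of freed, so a stale pointer reads alive == false
// instead of triggering undefined behaviour.
struct Atom {
  int mRefCnt = 0;
  bool alive = true;
  int value;
  explicit Atom(int aValue) : value(aValue) {}
  void AddRef() { ++mRefCnt; }
  void Release() {
    if (--mRefCnt == 0) {
      alive = false;
      value = -1;
    }
  }
};

// Minimal strong-reference holder in the spirit of RefPtr/nsCOMPtr.
template <class T>
class RefPtr {
  T* mPtr = nullptr;
 public:
  RefPtr() = default;
  explicit RefPtr(T* aPtr) : mPtr(aPtr) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& aOther) : RefPtr(aOther.mPtr) {}
  RefPtr& operator=(T* aPtr) {
    if (aPtr) aPtr->AddRef();   // addref the new one first: safe on self-assign
    if (mPtr) mPtr->Release();
    mPtr = aPtr;
    return *this;
  }
  RefPtr& operator=(const RefPtr& aOther) { return *this = aOther.mPtr; }
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  T* get() const { return mPtr; }
  T& operator*() const { return *mPtr; }
};

// The only strong owner of the "current" atom; script may swap it.
struct Document {
  RefPtr<Atom> mCurrent;
};

// Stand-in for arbitrary script: event listeners, mutation observers, etc.
using ScriptHook = std::function<void()>;

// Callee that can run script. The script may drop the last reference to
// anything the caller reaches only through a non-owning pointer.
MOZ_CAN_RUN_SCRIPT int ReadAfterScript(Atom* aAtom, const ScriptHook& aScript) {
  aScript();
  return aAtom->alive ? aAtom->value : -1;
}

// What the analyzer rejects: a raw pointer fetched from a member and not
// held strongly across the can-run-script call.
MOZ_CAN_RUN_SCRIPT int UnsafeCaller(Document& aDoc, const ScriptHook& aScript) {
  Atom* raw = aDoc.mCurrent.get();
  return ReadAfterScript(raw, aScript);
}

// What it accepts: a RefPtr on the stack keeps the object alive.
MOZ_CAN_RUN_SCRIPT int SafeCaller(Document& aDoc, const ScriptHook& aScript) {
  RefPtr<Atom> strong = aDoc.mCurrent;
  return ReadAfterScript(strong.get(), aScript);
}

// The case of this bug: aAtom is a reference parameter, so our caller is
// already keeping it alive, and &aAtom is as safe as aAtom or *aAtom.
MOZ_CAN_RUN_SCRIPT int ReferenceParamCaller(Atom& aAtom, const ScriptHook& aScript) {
  return ReadAfterScript(&aAtom, aScript);
}

// Runs aCaller against a document whose "script" replaces the current atom,
// dropping the document's (possibly last) reference to the original.
int RunScenario(int (*aCaller)(Document&, const ScriptHook&)) {
  Atom original(42), replacement(7);  // declared before doc so doc is torn down first
  Document doc;
  doc.mCurrent = &original;
  ScriptHook script = [&doc, &replacement] { doc.mCurrent = &replacement; };
  return aCaller(doc, script);
}

// Same scenario via a reference parameter; the RefPtr in this frame plays
// the outer caller that guarantees the referent stays alive.
int RunReferenceParamScenario() {
  Atom original(42), replacement(7);
  Document doc;
  doc.mCurrent = &original;
  ScriptHook script = [&doc, &replacement] { doc.mCurrent = &replacement; };
  RefPtr<Atom> strong = doc.mCurrent;
  return ReferenceParamCaller(*strong, script);
}

int main() {
  assert(RunScenario(UnsafeCaller) == -1);   // read through a released object
  assert(RunScenario(SafeCaller) == 42);
  assert(RunReferenceParamScenario() == 42);
  return 0;
}
```

The unsafe caller returns -1 because the script dropped the document's only reference while `raw` was still in use; the two accepted forms return 42. The point of the fix on this bug is that `&aAtom` in ReferenceParamCaller belongs to the second group: the liveness guarantee comes from the caller holding the object, not from how the argument is spelled.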

*aParam on its own works fine. The ?: usage is covered by bug 1539016; thank you for filing that.

Resummarizing to focus on the '&' case.

Summary: Parameters coming from caller aren't allowed to be used as arguments of MOZ_CAN_RUN_SCRIPT methods if they are changed with `*` or `&` → Parameters coming from caller aren't allowed to be used as arguments of MOZ_CAN_RUN_SCRIPT methods if they are changed with `&`
Assignee: nobody → bzbarsky
Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/45e9712fb50e
Teach MOZ_CAN_RUN_SCRIPT about taking pointers to live references.  r=andi
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68