Closed Bug 1551166 Opened 5 years ago Closed 5 years ago

[Automated review] Coverity thinks a pointer is potentially null if after a null-check that breaks a loop

Categories

(Developer Infrastructure :: Source Code Analysis, defect, P2)

Product:
Developer Infrastructure
Component:
Source Code Analysis
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: hsivonen, Assigned: andi)

References

(Blocks 1 open bug)

Details

https://phabricator.services.mozilla.com/D30873

Unrelated to the changes in the patch, the file being patched, nsFocusManager.cpp has code like this

  while (1) {
    nsIFrame* frame = iterStartContent->GetPrimaryFrame();
    // if there is no frame, look for another content node that has a frame
    while (!frame) {
      // if the root content doesn't have a frame, just return
      if (iterStartContent == aRootContent) {
        return NS_OK;
      }

      // look for the next or previous content node in tree order
      iterStartContent = aForward ? iterStartContent->GetNextNode()
                                  : iterStartContent->GetPreviousContent();
      if (!iterStartContent) {
        break;
      }

      frame = iterStartContent->GetPrimaryFrame();

Coverity thinks that iterStartContent may be null on the last line quoted above despite the break immediately above in the null case.

Andi, what do you think?

Flags: needinfo?(bpostelnicu)
Assignee: nobody → bpostelnicu
Flags: needinfo?(bpostelnicu)

Obviously this is a serious problem with the way how the analyzer looks at iterStartContent, it's like it doesn't understand how container nsCOMPtr behaves. Here we can find more details about the issue in order to understand why the analyzer disregard the logic block where we break from the while loop.

From the above mention artifact we can see the last 2 stack events:

19	
line_number	3330
description	"Member function call \"iterStartContent\" returns field \"mRawPtr\"."
file_path	"/builds/worker/checkouts…base/nsFocusManager.cpp"
path_type	"identity_transfer"
20	
line_number	3330
description	"Dereferencing a pointer that might be \"nullptr\" \"iterStartContent\" when calling \"GetPrimaryFrame\"."
file_path	"/builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp"
path_type	"dereference"

This definitely looks like a bug in Coverity, but I think we have two solutions for this:

Blocks: coverity-analysis
No longer regressed by: coverity-analysis

The priority flag is not set for this bug.
:sylvestre, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sledru)
Flags: needinfo?(sledru)
Priority: -- → P2

This has been fixed in the latest reviewbot updates for the coverity try job.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: Firefox Build System → Developer Infrastructure
You need to log in before you can comment on or make changes to this bug.