Closed Bug 18622 Opened 20 years ago Closed 20 years ago

UMR in nsLineLayout::CanPlaceFrame

Categories

(Core :: Layout, defect, P3)

x86
Windows NT
defect

Tracking


VERIFIED FIXED

People

(Reporter: norrisboyd, Assigned: kinmoz)

References

Details

Saw this in Purify:

[W] UMR: Uninitialized memory read in nsLineLayout::CanPlaceFrame(PerFrameData::nsLineLayout *,nsHTMLReflowState const&,int,nsHTMLReflowMetrics&,UINT&) {18 occurrences}
    Reading 4 bytes from 0x08f2dfc4 (4 bytes at 0x08f2dfc4 uninitialized)
    Address 0x08f2dfc4 is 420 bytes into a 1964 byte block at 0x08f2de20
    Address 0x08f2dfc4 points to a C++ new block in heap 0x03c10000
    Thread ID: 0xf0
    Error location
        nsLineLayout::CanPlaceFrame(PerFrameData::nsLineLayout *,nsHTMLReflowState const&,int,nsHTMLReflowMetrics&,UINT&) [nsLineLayout.cpp:1330]

                  // If this is a piece of text inside a letter frame...
                  if (pfd->mIsNonEmptyTextFrame) {
             =>     if (psd->mFrame && psd->mFrame->mIsLetterFrame) {
                      nsIFrame* prevInFlow;
                      psd->mFrame->mFrame->GetPrevInFlow(&prevInFlow);
                      if (prevInFlow) {
        nsLineLayout::ReflowFrame(nsIFrame *,nsIFrame * *,UINT&,nsHTMLReflowMetrics *) [nsLineLayout.cpp:1107]
        nsInlineFrame::ReflowInlineFrame(nsIPresContext *,nsHTMLReflowState const&,InlineReflowState::nsInlineFrame&,nsIFrame *,UINT&) [nsInlineFrame.cpp:489]
        nsInlineFrame::ReflowFrames(nsIPresContext *,nsHTMLReflowState const&,InlineReflowState::nsInlineFrame&,nsHTMLReflowMetrics&,UINT&) [nsInlineFrame.cpp:347]
        nsInlineFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,nsHTMLReflowState const&,UINT&) [nsInlineFrame.cpp:274]
        nsLineLayout::ReflowFrame(nsIFrame *,nsIFrame * *,UINT&,nsHTMLReflowMetrics *) [nsLineLayout.cpp:951]
        nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&,nsLineLayout&,nsLineBox *,nsIFrame *,BYTE *) [nsBlockFrame.cpp:3654]
        nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&,nsLineLayout&,nsLineBox *,int *,BYTE *) [nsBlockFrame.cpp:3578]
        nsBlockFrame::DoReflowInlineFramesMalloc(nsBlockReflowState&,nsLineBox *,int *,BYTE *) [nsBlockFrame.cpp:3471]
        nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&,nsLineBox *,int *) [nsBlockFrame.cpp:3434]
    Allocation location
        new(UINT)      [new.cpp:23]
        nsBlockFrame::DoReflowInlineFramesMalloc(nsBlockReflowState&,nsLineBox *,int *,BYTE *) [nsBlockFrame.cpp:3464]
        nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&,nsLineBox *,int *) [nsBlockFrame.cpp:3434]
        nsBlockFrame::ReflowLine(nsBlockReflowState&,nsLineBox *,int *,int) [nsBlockFrame.cpp:2665]
        nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) [nsBlockFrame.cpp:2425]
        nsBlockFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,nsHTMLReflowState const&,UINT&) [nsBlockFrame.cpp:1489]
        nsContainerFrame::ReflowChild(nsIFrame *,nsIPresContext&,nsHTMLReflowMetrics&,nsHTMLReflowState const&,UINT&) [nsContainerFrame.cpp:405]
        nsTableCellFrame::Reflow(nsIPresContext&,nsHTMLReflowMetrics&,nsHTMLReflowState const&,UINT&) [nsTableCellFrame.cpp:653]
        nsContainerFrame::ReflowChild(nsIFrame *,nsIPresContext&,nsHTMLReflowMetrics&,nsHTMLReflowState const&,UINT&) [nsContainerFrame.cpp:405]
        nsTableRowFrame::ResizeReflow(nsIPresContext&,nsHTMLReflowMetrics&,RowReflowState&,UINT&,int) [nsTableRowFrame.cpp:890]
Assignee: troy → kipp
Assignee: kipp → kin
The problem is that psd->mFrame (PerFrameData) is allocated in
nsLineLayout::ReflowFrame(), but its mIsLetterFrame, and other flags, are not
initialized until after aFrame->Reflow() is called. aFrame->Reflow() ends up
calling CanPlaceFrame(), which triggers the UMR.

Here's a patch that seems to fix the problem. I can check it in if someone code
reviews it.

Index: nsLineLayout.cpp
===================================================================
RCS file: /cvsroot/mozilla/layout/html/base/src/nsLineLayout.cpp,v
retrieving revision 3.57
diff -c -r3.57 nsLineLayout.cpp
*** nsLineLayout.cpp	1999/12/06 15:49:49	3.57
--- nsLineLayout.cpp	1999/12/10 18:01:38
***************
*** 952,967 ****
    nscoord tx = x - psd->mReflowState->mComputedBorderPadding.left;
    nscoord ty = y - psd->mReflowState->mComputedBorderPadding.top;
    mSpaceManager->Translate(tx, ty);
    aFrame->Reflow(mPresContext, metrics, reflowState, aReflowStatus);

    // XXX See if the frame is a placeholderFrame and if it is process
    // the floater.
    nsIAtom* frameType;
    aFrame->GetFrameType(&frameType);
-   pfd->mIsTextFrame = PR_FALSE;
-   pfd->mIsLetterFrame = PR_FALSE;
-   pfd->mIsNonEmptyTextFrame = PR_FALSE;
-   pfd->mIsSticky = PR_FALSE;
    if (frameType) {
      if (frameType == nsLayoutAtoms::placeholderFrame) {
        nsIFrame* outOfFlowFrame =
((nsPlaceholderFrame*)aFrame)->GetOutOfFlowFrame();
--- 952,969 ----
    nscoord tx = x - psd->mReflowState->mComputedBorderPadding.left;
    nscoord ty = y - psd->mReflowState->mComputedBorderPadding.top;
    mSpaceManager->Translate(tx, ty);
+
+   pfd->mIsTextFrame = PR_FALSE;
+   pfd->mIsLetterFrame = PR_FALSE;
+   pfd->mIsNonEmptyTextFrame = PR_FALSE;
+   pfd->mIsSticky = PR_FALSE;
+
    aFrame->Reflow(mPresContext, metrics, reflowState, aReflowStatus);

    // XXX See if the frame is a placeholderFrame and if it is process
    // the floater.
    nsIAtom* frameType;
    aFrame->GetFrameType(&frameType);
    if (frameType) {
      if (frameType == nsLayoutAtoms::placeholderFrame) {
        nsIFrame* outOfFlowFrame =
((nsPlaceholderFrame*)aFrame)->GetOutOfFlowFrame();
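Review bot: moving the four PR_FALSE stores ahead of aFrame->Reflow() fixes the path in the Purify trace, but they are still made in ReflowFrame rather than where the PerFrameData is handed out, and the record lives in a block that came from plain operator new (the Purify allocation location is new(UINT) under DoReflowInlineFramesMalloc), so nothing zeroes it; any other pfd field that CanPlaceFrame or another callee reads during the nested reflow is the same class of bug. Consider clearing the whole record at the point it is allocated (or in a PerFrameData constructor) and keeping these four stores only as the per-reflow reset, and add a one-line comment above the added block saying they must precede Reflow(), since a later tidy-up could easily move them back beside the frameType handling they logically belong with.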
Status: NEW → ASSIGNED
Target Milestone: M13
Accepting bug. Marking M13, should this fix go in for M12 if someone code
reviews it?
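As an added example, not code from this bug or from the Mozilla tree, the C++ below models the ordering described in the comment above: a per-frame record sitting inside a block obtained with operator new, a nested call that consults the record's flags before the caller has assigned them, and the revision 3.58 ordering that clears them first. PerFrameData, LineLayout, CanPlaceFrame, NewLayoutWithStaleHeap, ReflowFrameBuggy and ReflowFrameFixed are stand-in names; the real check reads pfd and the enclosing span's psd->mFrame, which are collapsed here into one record; mPrevInFlow is an int standing in for the pointer the real code dereferences; and the stale byte is constructed input that plays the part of whatever the heap held before.

```cpp
// Added example (hypothetical names): the ordering bug behind bug 18622,
// reproduced deterministically by poisoning the storage a record lives in.
#include <cstring>
#include <new>

typedef int PRBool;                  // NSPR's PRBool is an int: PR_FALSE 0, PR_TRUE 1
static const PRBool PR_FALSE = 0;

struct PerFrameData {                // stand-in for nsLineLayout::PerFrameData
  PRBool mIsLetterFrame;
  PRBool mIsNonEmptyTextFrame;
  int    mPrevInFlow;                // stands in for the pointer CanPlaceFrame() follows
};

struct LineLayout {                  // trivial aggregate: stand-in for the heap block
  PerFrameData mPool[8];             // that holds the per-frame records
  int mNext;
};

// Constructed input: fill the raw storage with a chosen byte, standing in for
// what the previous owner of that memory left behind. Nothing in the real
// allocation path zeroes the block, so the records start out with that byte.
static LineLayout* NewLayoutWithStaleHeap(unsigned char stale) {
  void* raw = ::operator new(sizeof(LineLayout));
  std::memset(raw, stale, sizeof(LineLayout));
  LineLayout* ll = static_cast<LineLayout*>(raw);
  ll->mNext = 0;                     // the only field set up; mPool stays stale
  return ll;
}

static void DeleteLayout(LineLayout* ll) { ::operator delete(ll); }

static PerFrameData* NewPerFrameData(LineLayout* ll) {
  return &ll->mPool[ll->mNext++];    // hands out a record without clearing it
}

// Stand-in for the check at nsLineLayout.cpp:1330: only a non-empty text
// frame inside a letter frame looks at prev-in-flow. In the real code that is
// a pointer dereference, so a stale PR_TRUE steers the walk into garbage.
static bool CanPlaceFrame(const PerFrameData* pfd) {
  if (pfd->mIsNonEmptyTextFrame) {
    if (pfd->mIsLetterFrame) {
      return pfd->mPrevInFlow == 0;
    }
  }
  return true;
}

// Ordering of revision 3.57: the nested call runs first and the flags are
// cleared afterwards, so the result depends on the stale byte.
static bool ReflowFrameBuggy(unsigned char stale) {
  LineLayout* ll = NewLayoutWithStaleHeap(stale);
  PerFrameData* pfd = NewPerFrameData(ll);
  bool placed = CanPlaceFrame(pfd);  // UMR: flags read before any assignment
  pfd->mIsLetterFrame = PR_FALSE;    // too late to matter
  pfd->mIsNonEmptyTextFrame = PR_FALSE;
  DeleteLayout(ll);
  return placed;
}

// Ordering of revision 3.58: clear the flags before the nested call. With the
// flags false, mPrevInFlow is never consulted, which is why clearing only the
// flags was enough for this path.
static bool ReflowFrameFixed(unsigned char stale) {
  LineLayout* ll = NewLayoutWithStaleHeap(stale);
  PerFrameData* pfd = NewPerFrameData(ll);
  pfd->mIsLetterFrame = PR_FALSE;
  pfd->mIsNonEmptyTextFrame = PR_FALSE;
  bool placed = CanPlaceFrame(pfd);
  DeleteLayout(ll);
  return placed;
}
```

With a stale byte of 0x00 the buggy ordering happens to return the same answer as the fixed one, which is why a bug like this survives ordinary testing; with 0xFF both flags read as non-zero and the buggy path goes on to consult mPrevInFlow, which in the real code means following whatever pointer the previous heap contents left there. Flipping the poison byte between runs is a cheap regression test where Purify is not available; MemorySanitizer or Valgrind memcheck would report the read itself.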
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Target Milestone: M13 → M12
Fix checked in:

    mozilla/layout/html/base/src/nsLineLayout.cpp    revision 3.58

r=troy@netscape.com,norris@netscape.com  a=chofmann@netscape.com
*** Bug 20105 has been marked as a duplicate of this bug. ***
Marking verified per last comments.
Status: RESOLVED → VERIFIED