
[FIX]UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent

VERIFIED FIXED in mozilla1.5alpha

Status: VERIFIED FIXED
Product: Core
Component: DOM: Events
Priority: P2
Severity: major

People

Reporter: stephend@netscape.com (gone - use stephen.donner@gmail.com instead)
Assigned: bz

Tracking

Version: Trunk
Target Milestone: mozilla1.5alpha
Hardware: x86
OS: Windows 2000
Points: ---
Firefox Tracking Flags: (Not tracked)

Attachments (1 attachment)

716 bytes, patch
Brian Ryner (not reading): review+
(not reading, please use seth@sspitzer.org instead): approval1.4b+
With the trunk build on Windows 2000, loading:

http://people.netscape.com/stephend/contact.html, and selecting from right to left the partial text in 'technutz@netscape.net', I get the following UMR.

    [W] UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) {6 occurrences}
        Reading 4 bytes from 0x0013aae8 (4 bytes at 0x0013aae8 uninitialized)
        Address 0x0013aae8 points into a thread's stack
        Address 0x0013aae8 is 12 bytes past the start of local variable 'event' in nsXULCommandDispatcher::UpdateCommands(nsAString const&)
        Thread ID: 0x568
        Error location
        nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) [nsDOMEvent.cpp:221]
            mScreenPoint.x = aEvent->refPoint.x;
            mScreenPoint.y = aEvent->refPoint.y;
            mClientPoint.x = aEvent->point.x;
     =>     mClientPoint.y = aEvent->point.y;
          } else
            mScreenPoint.x = mScreenPoint.y = mClientPoint.x = mClientPoint.y = 0;

        NS_NewDOMUIEvent(nsIDOMEvent * *,nsIPresContext *,nsAString const&,nsEvent *) [nsDOMEvent.cpp:1633]
                         nsIPresContext* aPresContext, const nsAString& aEventType,
                         nsEvent *aEvent)
        {
     =>   nsDOMEvent* it = new nsDOMEvent(aPresContext, aEvent, aEventType);

          if (nsnull == it) {
            return NS_ERROR_OUT_OF_MEMORY;
        nsEventListenerManager::CreateEvent(nsIPresContext *,nsEvent *,nsAString const&,nsIDOMEvent * *) [nsEventListenerManager.cpp:2343]
          if ((aEvent && aEvent->eventStructType == NS_MUTATION_EVENT) ||
              (!aEvent && str.EqualsIgnoreCase("MutationEvents")))
            return NS_NewDOMMutationEvent(aDOMEvent, aPresContext, aEvent);
     =>   return NS_NewDOMUIEvent(aDOMEvent, aPresContext, aEventType, aEvent);
        }

        /**
        nsXULElement::HandleDOMEvent(nsIPresContext *,nsEvent *,nsIDOMEvent * *,UINT,nsEventStatus *) [nsXULElement.cpp:3173]
                            return ret;
                        }
                        nsAutoString empty;
     =>                 if (NS_FAILED(ret = listenerManager->CreateEvent(aPresContext, aEvent, empty, aDOMEvent))) {
                            NS_ERROR("This event will fail without the ability to create the event early.");
                            return ret;
                        }
        nsXULCommandDispatcher::UpdateCommands(nsAString const&) [nsXULCommandDispatcher.cpp:389]
              nsEvent event;
              event.eventStructType = NS_EVENT;
              event.message = NS_XUL_COMMAND_UPDATE;
     =>       content->HandleDOMEvent(context, &event, nsnull, NS_EVENT_FLAG_INIT, &status);
            }
          }
          return NS_OK;
        GlobalWindowImpl::UpdateCommands(nsAString const&) [nsGlobalWindow.cpp:3427]
              // Retrieve the command dispatcher and call updateCommands on it.
              nsCOMPtr<nsIDOMXULCommandDispatcher> xulCommandDispatcher;
              xulDoc->GetCommandDispatcher(getter_AddRefs(xulCommandDispatcher));
     =>       xulCommandDispatcher->UpdateCommands(anAction);
            }
          }

        nsFocusController::UpdateCommands(nsAString const&) [nsFocusController.cpp:162]
        nsFocusController::UpdateCommands(const nsAString& aEventName)
        {
          if (mCurrentWindow) {
     =>     mCurrentWindow->UpdateCommands(aEventName);
          }
          else if (mCurrentElement) {
            nsCOMPtr<nsIDOMDocument> domDoc;
        nsFocusController::Focus(nsIDOMEvent *) [nsFocusController.cpp:316]
                }

                if (!mCurrentElement)
     =>           UpdateCommands(NS_LITERAL_STRING("focus"));
              }
            }
          }
        nsEventListenerManager::HandleEvent(nsIPresContext *,nsEvent *,nsIDOMEvent * *,nsIDOMEventTarget *,UINT,nsEventStatus *) [nsEventListenerManager.cpp:1688]
                      if (focusListener) {
                        switch(aEvent->message) {
                          case NS_FOCUS_CONTENT:
     =>                     ret = focusListener->Focus(*aDOMEvent);
                            break;
                          case NS_BLUR_CONTENT:
                            ret = focusListener->Blur(*aDOMEvent);
        nsWindowRoot::HandleChromeEvent(nsIPresContext *,nsEvent *,nsIDOMEvent * *,UINT,nsEventStatus *) [nsWindowRoot.cpp:214]
          //Local handling stage
          if (mListenerManager && !(aEvent->flags & NS_EVENT_FLAG_STOP_DISPATCH)) {
            aEvent->flags |= aFlags;
     =>     mListenerManager->HandleEvent(aPresContext, aEvent, aDOMEvent, this, aFlags, aEventStatus);
            aEvent->flags &= ~aFlags;
reassigning to boris

Assignee: saari → bzbarsky
Summary: [W] UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) {6 occurrences} → UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) {6 occurrences}

This is probably the same underlying problem as bug 20953

Blocks: 20953
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → mozilla1.5alpha

Created attachment 121833 [details] [diff] [review]
I bet this fixes it...

Attachment #121833 - Flags: superreview?(jst)
Attachment #121833 - Flags: review?(bryner)

I tested with the patch in attachment 121833 [details] [diff] [review] and ran it under Purify, and the UMRs are fixed.

Comment on attachment 121833 [details] [diff] [review]
I bet this fixes it...

sr=jst

Attachment #121833 - Flags: superreview?(jst) → superreview+
Summary: UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) {6 occurrences} → [FIX]UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) {6 occurrences}
Attachment #121833 - Flags: review?(bryner) → review+

Comment on attachment 121833 [details] [diff] [review]
I bet this fixes it...

Could this be approved for 1.4b please?  This just makes sure to initialize the point and refPoint member vars of nsEvent to sane values in the constructor.

Attachment #121833 - Flags: approval1.4b?
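The patch itself (attachment 121833) is not reproduced on this page, so the following is an added C++ illustration of the pattern the comment above describes, not Mozilla's code: a stack-allocated event struct whose caller sets only two fields (as UpdateCommands does in the Purify trace), a consumer that copies point and refPoint out of it (as nsDOMEvent::nsDOMEvent does at the reported line), and the hardened variant whose constructor initializes those members so stale stack contents can never reach the consumer. Point, EventUninit, EventInit, DomEventSnapshot, snapshot and constructOverStaleStack are constructed stand-ins for nsPoint, nsEvent and nsDOMEvent; the 0xAA poison value simulates leftover bytes in a reused stack frame.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>
#include <type_traits>

// Constructed stand-in for nsPoint (hypothetical name, not Mozilla's type).
struct Point {
  int32_t x;
  int32_t y;
};

// "Before" shape: a plain struct with no constructor. A caller like
// UpdateCommands that only sets eventStructType and message leaves point
// and refPoint holding whatever the stack held before, which is exactly
// what Purify reported when nsDOMEvent copied them.
struct EventUninit {
  uint8_t eventStructType;
  uint32_t message;
  Point point;
  Point refPoint;
};
// Documents the contract this shape silently imposes: every caller must
// initialize every field. A reviewer can grep for such structs.
static_assert(std::is_trivially_default_constructible<EventUninit>::value,
              "EventUninit relies on its callers to initialize every field");

// "After" shape: the same fields, but the constructor sets point and
// refPoint (and the scalars) to sane values, the approach the approval
// request above describes for nsEvent.
struct EventInit {
  uint8_t eventStructType;
  uint32_t message;
  Point point;
  Point refPoint;
  EventInit() : eventStructType(0), message(0), point{0, 0}, refPoint{0, 0} {}
};
static_assert(!std::is_trivially_default_constructible<EventInit>::value,
              "EventInit must initialize its own members");

// Consumer mirroring the read at nsDOMEvent.cpp:221 in the trace: the DOM
// event copies both coordinate pairs out of the raw event.
struct DomEventSnapshot {
  Point screen;
  Point client;
};

DomEventSnapshot snapshot(const EventInit* aEvent) {
  DomEventSnapshot s;
  s.screen.x = aEvent->refPoint.x;
  s.screen.y = aEvent->refPoint.y;
  s.client.x = aEvent->point.x;
  s.client.y = aEvent->point.y;
  return s;
}

// Stack frames are reused, so a fresh local often sits on top of stale
// bytes. Simulate that by filling the storage with 0xAA before constructing
// the event in place; the constructor must overwrite every coordinate.
constexpr unsigned char kPoison = 0xAA;

struct ConstructedResult {
  size_t poisonedBytesBefore;  // bytes equal to kPoison before construction
  DomEventSnapshot snap;       // what the consumer sees afterwards
};

ConstructedResult constructOverStaleStack() {
  alignas(EventInit) unsigned char storage[sizeof(EventInit)];
  std::memset(storage, kPoison, sizeof storage);

  size_t poisoned = 0;
  for (unsigned char b : storage) poisoned += (b == kPoison);

  // Same two fields UpdateCommands sets in the trace; nothing else touched.
  EventInit* ev = new (storage) EventInit();
  ev->eventStructType = 1;
  ev->message = 42;

  ConstructedResult r{poisoned, snapshot(ev)};
  ev->~EventInit();
  return r;
}

int main() {
  ConstructedResult r = constructOverStaleStack();
  bool ok = r.poisonedBytesBefore == sizeof(EventInit) &&
            r.snap.screen.x == 0 && r.snap.screen.y == 0 &&
            r.snap.client.x == 0 && r.snap.client.y == 0;
  return ok ? 0 : 1;
}
```

The EventUninit variant is kept only as a definition: reading its coordinates after a partial fill is undefined behaviour, and that is the case Purify caught here; MemorySanitizer (clang's -fsanitize=memory) and Valgrind report the same class of defect on today's toolchains. The constructor approach fixes every call site at once, which is why it was preferred over patching UpdateCommands alone.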
Comment on attachment 121833 [details] [diff] [review]
I bet this fixes it...

a=sspitzer

Attachment #121833 - Flags: approval1.4b? → approval1.4b+

Fixed.

Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED

Verified FIXED under Purify, debug Win2k build.

Thanks Boris!

Status: RESOLVED → VERIFIED
Summary: [FIX]UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent(nsIPresContext *,nsEvent *,nsAString const&) {6 occurrences} → [FIX]UMR: Uninitialized memory read in nsDOMEvent::nsDOMEvent