UMR in GetNumericSubstring()

RESOLVED FIXED in M14

Status


P3
normal
RESOLVED FIXED
19 years ago
19 years ago

People

(Reporter: kinmoz, Assigned: rickg)

Tracking

Trunk
x86
Other
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

19 years ago
Just starting up the browser while under purify, I see several hundred
Uninitialized Memory Reads being thrown from GetNumericSubstring().

This could probably be fixed by just checking to see if aString.mLength was
greater than zero before looping through the characters.

Here are the purify warnings:

[W] UMR: Uninitialized memory read in GetNumericSubstring {126 occurrences}
        Reading 1 byte from 0x0013f251 (1 byte at 0x0013f251 uninitialized)
        Address 0x0013f251 points into a thread's stack
        Address 0x0013f251 is 25 bytes past the start of local variable
'theString' in nsString::ToInteger(int *,UINT)const
        Thread ID: 0x111
        Error location
            GetNumericSubstring [nsString2.cpp:887]
            nsString::ToInteger(int *,UINT)const [nsString2.cpp:980]
            nsWebShellWindow::SetBoundsFromXUL(int,int) [nsWebShellWindow.cpp:2171]
            nsWebShellWindow::OnEndDocumentLoad(nsIDocumentLoader *,nsIChannel
*,UINT) [nsWebShellWindow.cpp:1941]
            nsWebShell::OnEndDocumentLoad(nsIDocumentLoader *,nsIChannel *,UINT)
[nsWebShell.cpp:3188]
            nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl *,nsIChannel
*,UINT) [nsDocLoader.cpp:833]
            nsDocLoaderImpl::DocLoaderIsEmpty(UINT) [nsDocLoader.cpp:723]
            nsDocLoaderImpl::OnStopRequest(nsIChannel *,nsISupports *,UINT,WORD
const*) [nsDocLoader.cpp:668]
            nsLoadGroup::RemoveChannel(nsIChannel *,nsISupports *,UINT,WORD
const*) [nsLoadGroup.cpp:535]
            nsFileChannel::OnStopRequest(nsIChannel *,nsISupports *,UINT,WORD
const*) [nsFileChannel.cpp:450]
[W] UMR: Uninitialized memory read in GetNumericSubstring {126 occurrences}
        Reading 1 byte from 0x0013f251 (1 byte at 0x0013f251 uninitialized)
        Address 0x0013f251 points into a thread's stack
        Address 0x0013f251 is 25 bytes past the start of local variable
'theString' in nsString::ToInteger(int *,UINT)const
        Thread ID: 0x111
        Error location
            GetNumericSubstring [nsString2.cpp:887]
            nsString::ToInteger(int *,UINT)const [nsString2.cpp:980]
            nsWebShellWindow::SetBoundsFromXUL(int,int) [nsWebShellWindow.cpp:2176]
            nsWebShellWindow::OnEndDocumentLoad(nsIDocumentLoader *,nsIChannel
*,UINT) [nsWebShellWindow.cpp:1941]
            nsWebShell::OnEndDocumentLoad(nsIDocumentLoader *,nsIChannel *,UINT)
[nsWebShell.cpp:3188]
            nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl *,nsIChannel
*,UINT) [nsDocLoader.cpp:833]
            nsDocLoaderImpl::DocLoaderIsEmpty(UINT) [nsDocLoader.cpp:723]
            nsDocLoaderImpl::OnStopRequest(nsIChannel *,nsISupports *,UINT,WORD
const*) [nsDocLoader.cpp:668]
            nsLoadGroup::RemoveChannel(nsIChannel *,nsISupports *,UINT,WORD
const*) [nsLoadGroup.cpp:535]
            nsFileChannel::OnStopRequest(nsIChannel *,nsISupports *,UINT,WORD
const*) [nsFileChannel.cpp:450]
[W] UMR: Uninitialized memory read in GetNumericSubstring {63 occurrences}
        Reading 1 byte from 0x0013f20d (1 byte at 0x0013f20d uninitialized)
        Address 0x0013f20d points into a thread's stack
        Address 0x0013f20d is 25 bytes past the start of local variable
'theString' in nsString::ToInteger(int *,UINT)const
        Thread ID: 0x111
        Error location
            GetNumericSubstring [nsString2.cpp:887]
            nsString::ToInteger(int *,UINT)const [nsString2.cpp:980]
            nsEventStateManager::SendFocusBlur(nsIPresContext *,nsIContent *)
[nsEventStateManager.cpp:2212]
            nsEventStateManager::SetContentState(nsIContent *,int)
[nsEventStateManager.cpp:2024]
            nsXULElement::SetFocus(nsIPresContext *) [nsXULElement.cpp:3712]
            nsEventStateManager::ChangeFocus(nsIContent *,nsIFrame *,int)
[nsEventStateManager.cpp:1603]
            nsEventStateManager::PostHandleEvent(nsIPresContext *,nsGUIEvent
*,nsIFrame *,nsEventStatus *,nsIView *) [nsEventStateManager.cpp:773]
            PresShell::HandleEvent(nsIView *,nsGUIEvent *,nsEventStatus *)
[nsPresShell.cpp:2822]
            nsView::HandleEvent(nsGUIEvent *,UINT,nsEventStatus *,int&)
[nsView.cpp:796]
            nsView::HandleEvent(nsGUIEvent *,UINT,nsEventStatus *,int&)
[nsView.cpp:780]
[W] UMR: Uninitialized memory read in GetNumericSubstring {63 occurrences}
        Reading 1 byte from 0x0013f255 (1 byte at 0x0013f255 uninitialized)
        Address 0x0013f255 points into a thread's stack
        Address 0x0013f255 is 25 bytes past the start of local variable
'theString' in nsString::ToInteger(int *,UINT)const
        Thread ID: 0x111
        Error location
            GetNumericSubstring [nsString2.cpp:887]
            nsString::ToInteger(int *,UINT)const [nsString2.cpp:980]
            nsEventStateManager::SendFocusBlur(nsIPresContext *,nsIContent *)
[nsEventStateManager.cpp:2212]
            nsEventStateManager::SetContentState(nsIContent *,int)
[nsEventStateManager.cpp:2024]
            nsXULElement::SetFocus(nsIPresContext *) [nsXULElement.cpp:3712]
            nsEventStateManager::ChangeFocus(nsIContent *,nsIFrame *,int)
[nsEventStateManager.cpp:1603]
            nsEventStateManager::PostHandleEvent(nsIPresContext *,nsGUIEvent
*,nsIFrame *,nsEventStatus *,nsIView *) [nsEventStateManager.cpp:773]
            PresShell::HandleEvent(nsIView *,nsGUIEvent *,nsEventStatus *)
[nsPresShell.cpp:2822]
            nsView::HandleEvent(nsGUIEvent *,UINT,nsEventStatus *,int&)
[nsView.cpp:796]
            nsViewManager::DispatchEvent(nsGUIEvent *,nsEventStatus *)
[nsViewManager.cpp:1684]
[W] UMR: Uninitialized memory read in GetNumericSubstring {63 occurrences}
        Reading 1 byte from 0x0013f349 (1 byte at 0x0013f349 uninitialized)
        Address 0x0013f349 points into a thread's stack
        Address 0x0013f349 is 25 bytes past the start of local variable
'theString' in nsString::ToInteger(int *,UINT)const
        Thread ID: 0x111
        Error location
            GetNumericSubstring [nsString2.cpp:887]
            nsString::ToInteger(int *,UINT)const [nsString2.cpp:980]
            nsWebShellWindow::SetBoundsFromXUL(int,int) [nsWebShellWindow.cpp:2202]
            nsWebShellWindow::OnEndDocumentLoad(nsIDocumentLoader *,nsIChannel
*,UINT) [nsWebShellWindow.cpp:1941]
            nsWebShell::OnEndDocumentLoad(nsIDocumentLoader *,nsIChannel *,UINT)
[nsWebShell.cpp:3188]
            nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl *,nsIChannel
*,UINT) [nsDocLoader.cpp:833]
            nsDocLoaderImpl::DocLoaderIsEmpty(UINT) [nsDocLoader.cpp:723]
            nsDocLoaderImpl::OnStopRequest(nsIChannel *,nsISupports *,UINT,WORD
const*) [nsDocLoader.cpp:668]
            nsLoadGroup::RemoveChannel(nsIChannel *,nsISupports *,UINT,WORD
const*) [nsLoadGroup.cpp:535]
            nsFileChannel::OnStopRequest(nsIChannel *,nsISupports *,UINT,WORD
const*) [nsFileChannel.cpp:450]
[W] UMR: Uninitialized memory read in GetNumericSubstring {63 occurrences}
        Reading 1 byte from 0x0013ec45 (1 byte at 0x0013ec45 uninitialized)
        Address 0x0013ec45 is argument #4 of GetNumericSubstring
        Address 0x0013ec45 points into a thread's stack
        Address 0x0013ec45 is 25 bytes past the start of local variable
'theString' in nsString::ToInteger(int *,UINT)const
        Thread ID: 0x111
        Error location
            GetNumericSubstring [nsString2.cpp:887]
            nsString::ToInteger(int *,UINT)const [nsString2.cpp:980]
            nsEventStateManager::SendFocusBlur(nsIPresContext *,nsIContent *)
[nsEventStateManager.cpp:2212]
            nsEventStateManager::SetContentState(nsIContent *,int)
[nsEventStateManager.cpp:2024]
            nsHTMLInputElement::SetFocus(nsIPresContext *)
[nsHTMLInputElement.cpp:615]
            nsEventStateManager::ChangeFocus(nsIContent *,nsIFrame *,int)
[nsEventStateManager.cpp:1603]
            nsEventStateManager::PostHandleEvent(nsIPresContext *,nsGUIEvent
*,nsIFrame *,nsEventStatus *,nsIView *) [nsEventStateManager.cpp:773]
            nsEnderEventListener::DispatchMouseEvent(nsIDOMMouseEvent *,int)
[nsGfxTextControlFrame.cpp:3623]
            nsEnderEventListener::MouseDown(nsIDOMEvent *)
[nsGfxTextControlFrame.cpp:3690]
            nsEventListenerManager::HandleEvent(nsIPresContext *,nsEvent
*,nsIDOMEvent * *,UINT,nsEventStatus *) [nsEventListenerManager.cpp:740]
[I] Program terminated at 01/26/00 11:37:26
(Reporter)

Comment 1

19 years ago
Accepting bug. Marking M14. Currently trying out the fix I proposed above.
Status: NEW → ASSIGNED
Target Milestone: M14
(Reporter)

Comment 2

19 years ago
Created attachment 4583 [details] [diff] [review]
Proposed fix.
(Reporter)

Comment 3

19 years ago
I can check in the fix if someone code reviews it for me.
(Assignee)

Comment 4

19 years ago
I'll take it, since I caused it.
Assignee: kin → rickg
Status: ASSIGNED → NEW
(Assignee)

Comment 5

19 years ago
Fixed in my tree awaiting chance to land.
Status: NEW → ASSIGNED

Comment 6

19 years ago
It seems to me that this logic in the first loop is backwards...
        default:
          cp++;
          done=cp<endcp;
          break;

Isn't "cp<endcp" the case that should make it keep looping?

Also, the function doc header's @param list is out of sync.
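Added example, not the Mozilla nsString code and not the attachment on this bug: it models the two defects the thread identifies, the missing aString.mLength == 0 guard from the description (an empty string must never read mBuffer, which for a stack-local like 'theString' is still uninitialized) and the inverted done=cp<endcp test from comment 6, and shows both written the right way round. The Str and NumericSpan structs and the names SkipToNumber, GetNumericSubstringChecked, ToIntegerChecked and ParseInt are assumed here for illustration; the sample inputs are constructed.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <string>

// Stand-in for the two nsStr fields the Purify output refers to. Constructed
// for this example; it is not the Mozilla nsStr/nsString type.
struct Str {
  const char* mBuffer;
  std::size_t mLength;
};

// [begin, end) of the numeric run inside mBuffer (sign included), or ok == false.
struct NumericSpan {
  bool ok;
  std::size_t begin;
  std::size_t end;
};

// The first loop in the switch/`done` style quoted in comment 6, with the
// termination test the right way round: the scan is done when cp has reached
// endcp, not while cp is still inside the buffer. Hypothetical helper name.
static const char* SkipToNumber(const char* cp, const char* endcp) {
  bool done = !(cp < endcp);       // an empty range has nothing to scan
  while (!done) {
    switch (*cp) {
      case '+': case '-':
      case '0': case '1': case '2': case '3': case '4':
      case '5': case '6': case '7': case '8': case '9':
        done = true;               // start of a number found; do not advance
        break;
      default:
        cp++;
        done = !(cp < endcp);      // keep looping only while cp < endcp
        break;
    }
  }
  return cp;
}

// Bounds-checked scanner (hypothetical name). The mLength == 0 guard is the
// check proposed in the description: an empty string never touches mBuffer.
NumericSpan GetNumericSubstringChecked(const Str& aString) {
  NumericSpan r = {false, 0, 0};
  if (aString.mLength == 0 || aString.mBuffer == nullptr) return r;
  const char* begin = aString.mBuffer;
  const char* endcp = begin + aString.mLength;
  const char* cp = SkipToNumber(begin, endcp);
  if (cp == endcp) return r;       // no digit or sign anywhere in the string
  const char* start = cp;
  if (*cp == '+' || *cp == '-') cp++;
  const char* digits = cp;
  while (cp < endcp && *cp >= '0' && *cp <= '9') cp++;
  if (cp == digits) return r;      // a bare sign is not a number
  r.ok = true;
  r.begin = static_cast<std::size_t>(start - begin);
  r.end = static_cast<std::size_t>(cp - begin);
  return r;
}

// Decimal conversion on top of the scanner, with overflow detection.
bool ToIntegerChecked(const Str& aString, int* aResult) {
  NumericSpan span = GetNumericSubstringChecked(aString);
  if (!span.ok) return false;
  const char* p = aString.mBuffer + span.begin;
  const char* end = aString.mBuffer + span.end;
  bool negative = false;
  if (*p == '-') { negative = true; p++; } else if (*p == '+') { p++; }
  long long value = 0;
  for (; p < end; p++) {
    value = value * 10 + (*p - '0');
    // One more than INT_MAX is allowed so that INT_MIN can still be parsed.
    if (value > static_cast<long long>(INT_MAX) + 1) return false;
  }
  if (negative) value = -value;
  if (value < INT_MIN || value > INT_MAX) return false;
  *aResult = static_cast<int>(value);
  return true;
}

// Convenience wrapper so callers can pass a std::string.
bool ParseInt(const std::string& s, int* out) {
  Str str = {s.data(), s.size()};
  return ToIntegerChecked(str, out);
}

int main() {
  char scratch[32];                // deliberately uninitialized stack buffer,
  Str empty = {scratch, 0};        // like 'theString' before any content is set
  int v = 0;
  std::printf("empty -> %s\n", ToIntegerChecked(empty, &v) ? "number" : "no number");
  std::printf("\"width=-42px\" -> %d\n", ParseInt("width=-42px", &v) ? v : -1);
  return 0;
}
```

The empty-string case is the one Purify was flagging: with mLength == 0 the scanner returns before dereferencing mBuffer, so nothing in the uninitialized local is ever read, and every later read is guarded by cp < endcp rather than by the inverted test.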
(Assignee)

Comment 7

19 years ago
Jband is right: the first loop was wrong. It's been fixed in my tree for a while,
awaiting an opportunity to land a largish change.
(Assignee)

Comment 8

19 years ago
Fixed by improvement to nsString.
Status: ASSIGNED → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → FIXED