Closed
Bug 289695
Opened 20 years ago
Closed 20 years ago
nsFormHistory.cpp, nsAutoVoidArray should call PR_Free on matchingValues, and not delete it.
Categories
(Toolkit :: Form Manager, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: itay.perl, Assigned: itay.perl)
References
()
Details
Attachments
(2 files, 2 obsolete files)
|
1.45 KB,
patch
|
mconnor
:
first-review+
asa
:
approval-aviary1.1a2+
|
Details | Diff | Splinter Review |
|
763 bytes,
patch
|
benjamin
:
first-review+
benjamin
:
approval-aviary1.1a2+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050409 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050409 Firefox/1.0+
In mozilla\toolkit\components\satchel\src\nsFormHistory.cpp:
Line 790: delete (PRUnichar *) matchingValues[i];
but, while filling matchingValues with values, we actually call:
AppendElement->InsertElementAt:
nsVoidArray.cpp (InsertElementAt):
394 if (oldCount >= GetArraySize())
395 {
396 if (!GrowArrayBy(1))
397 return PR_FALSE;
398 }
Then we go to GrowArrayBy, which calls nsAutoVoidArray::SizeTo, which
calls...nsVoidArray::SizeTo
in nsVoidArray::SizeTo we have:
186 char* bytes = (char *) PR_Realloc(mImpl,SIZEOF_IMPL(aSize));
-or-
214 char* bytes = (char *) PR_Malloc(SIZEOF_IMPL(aSize));
Which uses malloc and realloc, which come from the malloc family after all.
AFAIK, this is a very easy fix: just change delete matchingValues[i];, to
free(matchingValues[i]);
Reproducible: Always
Steps to Reproduce:
Leak detected with BoundsChecker Version 7.2.0A little correction: AFAIK, this is a very easy fix: just change delete (PRUnichar *) matchingValues[i];, to free((PRUnichar *)matchingValues[i]); (CMIIW)
|
||
Comment 2•20 years ago
|
||
[quote]Memory allocated by PR_Malloc, PR_Calloc, or PR_Realloc must be freed by PR_Free.[/quote] (Source: http://www.mozilla.org/projects/nspr/reference/html/prmem2.html) Matching Value's Used at: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/toolkit/components/satchel/src/nsFormHistory.cpp&rev=1.24&mark=755,768,782,783,790#754 And actually the bug is not that the wrong free is called, it is that the free is done here, nsAutoVoidArray Frees its allocated values on destruction. http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/xpcom/ds/nsVoidArray.cpp&rev=3.41&mark=357,361#357 (Note no Allocation in NS_QuickSort)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Memory allocated with PR_Malloc and released with delete: nsFormHistory.cpp → nsFormHistory.cpp, nsAutoVoidArray matchingValues should not manually call free
|
||
Updated•20 years ago
|
Assignee: firefox → nobody
Component: General → Satchel
Product: Firefox → Toolkit
QA Contact: general → nobody
|
|
||
Comment 3•20 years ago
|
||
Fix as I understand it.
Attachment #180351 -
Flags: second-review?(bryner)
Attachment #180351 -
Flags: first-review?(bryner)
I guess you're right, but still I'm kinda sure something is wrong here.
I got my mistake. I looked for the wrong thing. I found the real bug (I hope).
the problematic line, as I said, is: delete (PRUnichar *) matchingValues[i];
which is the variable in the array, not the array itself. See this:
in line 766 (mozilla\toolkit\components\satchel\src\nsFormHistory.cpp):
if (RowMatch(row, aInputName, aInputValue, &value)) {
so I went to nsFormHistory::RowMatch.
Look at line 834 of mozilla/toolkit/components/satchel/src/nsFormHistory.cpp, we
have:
GetRowValue(aRow, kToken_ValueColumn, value);
so I went to nsFormHistory::GetRowValue.
OK?
OK!
now nsFormHistory::GetRowValue's aValue is a nsAString, which is, depends on
I-dunno-what, a nsTAString_CharT or nsTSubstring_CharT
(http://lxr.mozilla.org/seamonkey/source/xpcom/string/public/string-template-def-unichar.h).
now look. in nsFormHistory::GetRowValue, we have this (line 707):
aValue.Assign((const PRUnichar *)yarn.mYarn_Buf,
yarn.mYarn_Fill/sizeof(PRUnichar));
nsTAString_CharT::Assign( const char_type* data, size_type length )
(http://lxr.mozilla.org/seamonkey/source/xpcom/string/src/nsTAString.cpp#257)
Is calling nsTSubstring_CharT::Assign (I'm leaving the Obselete one for now)
nsTSubstring_CharT::Assign((http://lxr.mozilla.org/seamonkey/source/xpcom/string/src/nsTSubstring.cpp#287)
which calls nsTSubstring_CharT::ReplacePrep in line 306.
nsTSubstring_CharT::ReplacePrep is calling nsTSubString_CharT::MutatePrep
(http://lxr.mozilla.org/seamonkey/source/xpcom/string/src/nsTSubstring.cpp#189)
in nsTSubString::MutatePrep we have a few cases, but you can see that for
allocating we are calling nsStringBuffer::Alloc or nsStringBuffer::Realloc.
nsStringBuffer::Alloc calls malloc (btw, Why doesn't it call PR_Malloc?) here:
http://lxr.mozilla.org/seamonkey/source/xpcom/string/src/nsSubstring.cpp#204
and nsStringBuffer::Realloc calls realloc (Why not PR_Realloc?) here:
http://lxr.mozilla.org/seamonkey/source/xpcom/string/src/nsSubstring.cpp#223
that's the right explanation to the bug. sorry for the mistake, and I hope this
one is true.My solution is to change delete (PRUnichar *) matchingValues[i]; to free((PRUnichar *) matchingValues[i]); or something equivalent
It's even shorter than I thought.
That's the last time I'll nag.
That's how it happens:
toolkit/components/satchel/src/nsFormHistory.cpp#766: RowMatch(row, aInputName,
aInputValue, &value)
[Same file]#827, in RowMatch: *aValue = ToNewUnicode(value).
This means our Value (which his freeing is the matter of this bug), will be
ToNewUnicode(value)'s return value. simple.
xpcom/string/src/nsReadableUtils.cpp#375: PRUnichar* result =
AllocateStringCopy(asource, (PRUnichar*)0);
xpcom/string/src/nsReadableUtils.cpp#310: we allocate memory using
nsMemory::Alloc
nsMemory::Alloc in
xpcom\glue\nsmemory.h#68: { return NS_Alloc(size); }
xpcom/base/nsMemoryImpl.cpp#363:
NS_Alloc calls MALLOC1 which is a macro that calls (directly or through
mallocator) to PR_Malloc.
http://lxr.mozilla.org/seamonkey/source/toolkit/components/satchel/src/nsFormHistory.cpp#790:
here we delete it instead of PR_Freeing it.
Attachment #182271 -
Flags: second-review?
Attachment #182271 -
Flags: first-review?
Attachment #182271 -
Flags: approval1.8b2?
|
|
||
Comment 7•20 years ago
|
||
Comment on attachment 180351 [details] [diff] [review] remove free I think I was wrong.
Attachment #180351 -
Attachment is obsolete: true
Attachment #180351 -
Flags: second-review?(bryner)
Attachment #180351 -
Flags: first-review?(bryner)
|
||
Comment 8•20 years ago
|
||
Comment on attachment 182271 [details] [diff] [review] Delete to PR_Free [checked in] Please hold off on requesting approval until you've got the required reviews and can provide a specific request to drivers that includes justification for taking the patch during the freeze. Thanks.
Attachment #182271 -
Flags: approval1.8b2?
Attachment #182271 -
Flags: second-review?
Attachment #182271 -
Flags: first-review?(bryner)
Attachment #182271 -
Flags: first-review?
Summary: nsFormHistory.cpp, nsAutoVoidArray matchingValues should not manually call free → nsFormHistory.cpp, nsAutoVoidArray should call PR_Free on matchingValues, and not delete it.
|
|
||
Updated•20 years ago
|
Attachment #182271 -
Flags: first-review?(bryner) → first-review+
Attachment #182271 -
Flags: approval-aviary1.1a2?
|
|
||
Updated•20 years ago
|
Attachment #182271 -
Flags: approval-aviary1.1a2? → approval-aviary1.1a2+
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
|
||
Comment 9•20 years ago
|
||
The patch is wrong. ToNewUnicode uses nsMemory as allocator, so it must be freed using nsMemory too (or NS_Free, which is the same).
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
||
Comment 10•20 years ago
|
||
Comment on attachment 182271 [details] [diff] [review] Delete to PR_Free [checked in] This patch was checked in by Daniel Brooks.
Attachment #182271 -
Attachment description: Delete to PR_Free → Delete to PR_Free [checked in]
|
Assignee | |
Comment 11•20 years ago
|
||
Well...if it's important...
Attachment #186304 -
Flags: first-review?
Attachment #186304 -
Flags: first-review? → first-review?(mconnor)
|
|
||
Comment 12•20 years ago
|
||
is the cast required?
|
|
||
Comment 13•20 years ago
|
||
Comment on attachment 186304 [details] [diff] [review] Patch 2 flipping to bsmedberg, since my C++ mojo is obviously not strong enough in this case.
Attachment #186304 -
Flags: first-review?(mconnor) → first-review?(benjamin)
|
|
Assignee | |
Comment 14•20 years ago
|
||
well, it compiles without the cast, but I don't know, it may change something...reviewer (benjamin?), please tell me if it's needed. thanks
|
||
Comment 15•20 years ago
|
||
Comment on attachment 186304 [details] [diff] [review] Patch 2 1) please use NS_Free in all new code and 2) the cast is unneeded, please remove
Attachment #186304 -
Flags: first-review?(benjamin) → first-review-
|
|
Assignee | |
Comment 16•20 years ago
|
||
Attachment #186304 -
Attachment is obsolete: true
Attachment #186473 -
Flags: first-review?
Attachment #186473 -
Flags: first-review? → first-review?(benjamin)
|
|
||
Comment 17•20 years ago
|
||
Comment on attachment 186473 [details] [diff] [review] Patch 2b [checked in] r=me, but please make sure to use spaces instead of a tab before getting this checked in
Attachment #186473 -
Flags: first-review?(benjamin)
Attachment #186473 -
Flags: first-review+
Attachment #186473 -
Flags: approval-aviary1.1a2+
|
|
||
Updated•20 years ago
|
Assignee: nobody → itay.perl
Status: REOPENED → NEW
|
|
||
Comment 18•20 years ago
|
||
Checking in toolkit/components/satchel/src/nsFormHistory.cpp; /cvsroot/mozilla/toolkit/components/satchel/src/nsFormHistory.cpp,v <-- nsFormHistory.cpp new revision: 1.26; previous revision: 1.25 done
Status: NEW → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → FIXED
Attachment #186473 -
Attachment description: Patch 2b → Patch 2b [checked in]
|
||
Updated•16 years ago
|
Component: Satchel → Form Manager
You need to log in
before you can comment on or make changes to this bug.
Description
•