Closed
Bug 304444
Opened 19 years ago
Closed 19 years ago
[W] UMR: Uninitialized memory read in nsDiskCacheEntry::Swap(void) {1 occurrence}
Categories
(Core :: Networking: Cache, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.8beta4
People
(Reporter: timeless, Assigned: darin.moz)
Details
(Keywords: fixed1.8)
Attachments
(1 file)
811 bytes,
patch
|
timeless
:
review+
darin.moz
:
superreview+
dbaron
:
approval1.8b4+
|
[W] UMR: Uninitialized memory read in nsDiskCacheEntry::Swap(void) {1
occurrence}
Reading 4 bytes from 0x14bc2e90 (4 bytes at 0x14bc2e90 uninitialized)
Address 0x14bc2e90 is 16 bytes into a 256 byte block at 0x14bc2e80
Address 0x14bc2e90 points to a C++ new block in heap 0x01c30000
Thread ID: 0x38c
Error location
nsDiskCacheEntry::Swap(void)
[r:\mozilla\netwerk\cache\src\nsdiskcacheentry.h:88]
// Returns the byte offset of mKeyStart within nsDiskCacheEntry plus the stored
// key and metadata sizes.
// NOTE(review): Swap() below rewrites mKeySize and mMetaDataSize in place on
// little-endian builds, so this sum is only meaningful while those fields are
// in host byte order. Confirm callers use Size() before Swap() or after Unswap().
PRUint32 Size() { return offsetof(nsDiskCacheEntry,mKeyStart)
+
mKeySize + mMetaDataSize;
}
nsCacheEntry * CreateCacheEntry(nsCacheDevice * device);
PRBool CheckConsistency(PRUint32 size);
void Swap() // host to network (memory to disk)
{
// Converts each 32-bit header field in place with PR_htonl. The body is compiled
// in only when IS_LITTLE_ENDIAN is defined; otherwise the function does nothing.
#if defined(IS_LITTLE_ENDIAN)
mHeaderVersion = ::PR_htonl(mHeaderVersion);
mMetaLocation = ::PR_htonl(mMetaLocation);
mFetchCount = ::PR_htonl(mFetchCount);
mLastFetched = ::PR_htonl(mLastFetched);
// NOTE(review): the "=>" on the next line is Purify's marker for the faulting
// statement, not source text. The reported 4-byte read at offset 16 of the
// 256-byte block corresponds to mLastModified (+0x010 in the dt dump in this
// report). Swap() only reads what the field already holds: the allocation-site
// listing shows it was copied from entry->LastModified(), so the missing
// initialization is upstream of this function. The caller listing passes the
// swapped block to WriteBlocks() right after this call, so the stale value is
// also persisted to the cache block file.
=> mLastModified = ::PR_htonl(mLastModified);
mExpirationTime = ::PR_htonl(mExpirationTime);
mDataSize = ::PR_htonl(mDataSize);
mKeySize = ::PR_htonl(mKeySize);
mMetaDataSize = ::PR_htonl(mMetaDataSize);
#endif
}
void Unswap() // network to host (disk to memory)
{
#if defined(IS_LITTLE_ENDIAN)
mHeaderVersion = ::PR_ntohl(mHeaderVersion);
mMetaLocation = ::PR_ntohl(mMetaLocation);
mFetchCount = ::PR_ntohl(mFetchCount);
mLastFetched = ::PR_ntohl(mLastFetched);
mLastModified = ::PR_ntohl(mLastModified);
nsDiskCacheMap::WriteDiskCacheEntry(nsDiskCacheBinding *)
[r:\mozilla\netwerk\cache\src\nsdiskcachemap.cpp:796]
// write entry data to disk cache block file
PRInt32 startBlock = mBlockFile[fileIndex - 1].AllocateBlocks
(blocks);
if (startBlock < 0) {
rv = NS_ERROR_UNEXPECTED;
goto exit;
}
// update binding and cache map record
binding->mRecord.SetMetaBlocks(fileIndex, startBlock, blocks);
rv = UpdateRecord(&binding->mRecord);
if (NS_FAILED(rv)) goto exit;
// XXX we should probably write out bucket ourselves
// write data
=> diskEntry->Swap();
rv = mBlockFile[fileIndex - 1].WriteBlocks(diskEntry, startBlock,
blocks);
if (NS_FAILED(rv)) goto exit;
IncrementTotalSize(blocks * blockSize);
}
exit:
delete [] (char *)diskEntry;
return rv;
}
nsresult
nsDiskCacheMap::ReadDataCacheBlocks(nsDiskCacheBinding * binding, char *
buffer, PRUint32 size)
{
nsDiskCacheDevice::DeactivateEntry(nsCacheEntry *)
[r:\mozilla\netwerk\cache\src\nsdiskcachedevice.cpp:489]
nsCacheService::DeactivateEntry(nsCacheEntry *)
[r:\mozilla\netwerk\cache\src\nscacheservice.cpp:1462]
nsCacheService::CloseDescriptor(nsCacheEntryDescriptor *)
[r:\mozilla\netwerk\cache\src\nscacheservice.cpp:1342]
nsCacheEntryDescriptor::Close(void)
[r:\mozilla\netwerk\cache\src\nscacheentrydescriptor.cpp:420]
nsCacheEntryDescriptor::~nsCacheEntryDescriptor(void)
[r:\mozilla\netwerk\cache\src\nscacheentrydescriptor.cpp:73]
nsCacheEntryDescriptor::`vector deleting destructor'(UINT)
[R:\mozilla\opt71-i686-pc-cygwin\dist\bin\components\necko.dll]
nsCacheEntryDescriptor::Release(void)
[r:\mozilla\netwerk\cache\src\nscacheentrydescriptor.cpp:53]
nsCOMPtr_base::assign_assuming_AddRef(nsISupports *)
[r:\mozilla\xpcom\glue\nscomptr.h:531]
Allocation location
CreateDiskCacheEntry(nsDiskCacheBinding *)
[r:\mozilla\netwerk\cache\src\nsdiskcacheentry.cpp:129]
{
nsCacheEntry * entry = binding->mCacheEntry;
if (!entry) return nsnull;
PRUint32 keySize = entry->Key()->Length() + 1;
PRUint32 metaSize = entry->MetaDataSize();
PRUint32 size = sizeof(nsDiskCacheEntry) + keySize + metaSize;
// pad size so we can write to block files without overrunning buffer
PRInt32 pad;
if (size <= 1024) pad = (((size-1)/ 256) + 1) * 256;
else if (size <= 4096) pad = (((size-1)/1024) + 1) * 1024;
else if (size <= 16384) pad = (((size-1)/4096) + 1) * 4096;
else return nsnull; // unexpected size!
=> nsDiskCacheEntry * diskEntry = (nsDiskCacheEntry *)new char[pad];
if (!diskEntry) return nsnull;
diskEntry->mHeaderVersion = nsDiskCache::kCurrentVersion;
diskEntry->mMetaLocation = binding->mRecord.MetaLocation();
diskEntry->mFetchCount = entry->FetchCount();
diskEntry->mLastFetched = entry->LastFetched();
diskEntry->mLastModified = entry->LastModified();
diskEntry->mExpirationTime = entry->ExpirationTime();
diskEntry->mDataSize = entry->DataSize();
diskEntry->mKeySize = keySize;
diskEntry->mMetaDataSize = metaSize;
memcpy(diskEntry->mKeyStart, entry->Key()->get(),keySize);
nsresult rv = entry->FlattenMetaData(&diskEntry->mKeyStart
[keySize], metaSize);
nsDiskCacheMap::WriteDiskCacheEntry(nsDiskCacheBinding *)
[r:\mozilla\netwerk\cache\src\nsdiskcachemap.cpp:719]
nsDiskCacheDevice::DeactivateEntry(nsCacheEntry *)
[r:\mozilla\netwerk\cache\src\nsdiskcachedevice.cpp:489]
nsCacheService::DeactivateEntry(nsCacheEntry *)
[r:\mozilla\netwerk\cache\src\nscacheservice.cpp:1462]
nsCacheService::CloseDescriptor(nsCacheEntryDescriptor *)
[r:\mozilla\netwerk\cache\src\nscacheservice.cpp:1342]
nsCacheEntryDescriptor::Close(void)
[r:\mozilla\netwerk\cache\src\nscacheentrydescriptor.cpp:420]
nsCacheEntryDescriptor::~nsCacheEntryDescriptor(void)
[r:\mozilla\netwerk\cache\src\nscacheentrydescriptor.cpp:73]
nsCacheEntryDescriptor::`vector deleting destructor'(UINT)
[R:\mozilla\opt71-i686-pc-cygwin\dist\bin\components\necko.dll]
nsCacheEntryDescriptor::Release(void)
[r:\mozilla\netwerk\cache\src\nscacheentrydescriptor.cpp:53]
nsCOMPtr_base::assign_assuming_AddRef(nsISupports *)
[r:\mozilla\xpcom\glue\nscomptr.h:531]
0:000> dt diskeNtry
xpcom__core_Purify_R_mozilla_!diskEntry
Local var @ 0x13eed0 Type nsDiskCacheEntry*
0x14bc2e80
+0x000 mHeaderVersion : 0x6000100
+0x004 mMetaLocation : 0
+0x008 mFetchCount : 16777216
+0x00c mLastFetched : 0x42fcc296
+0x010 mLastModified : 0xcdcdcdcd
+0x014 mExpirationTime : 0xffffffff
+0x018 mDataSize : 0
+0x01c mKeySize : 0x31
+0x020 mMetaDataSize : 0
+0x024 mKeyStart : [1] "H"
Assignee | ||
Comment 1•19 years ago
|
||
Alfred: can you take this bug?
Comment 2•19 years ago
|
||
This should fix this uninitialized use of mLastModified.
Attachment #192612 -
Flags: review?(darin)
Updated•19 years ago
|
Attachment #192612 -
Flags: review?(darin) → review?(timeless)
Attachment #192612 -
Flags: review?(timeless) → review+
Updated•19 years ago
|
Attachment #192612 -
Flags: superreview?(darin)
Assignee | ||
Comment 3•19 years ago
|
||
Comment on attachment 192612 [details] [diff] [review]
Quick and simple patch to initialize mLastModified of nsCacheEntry
sr=darin
Attachment #192612 -
Flags: superreview?(darin)
Attachment #192612 -
Flags: superreview+
Attachment #192612 -
Flags: approval1.8b4?
Assignee | ||
Updated•19 years ago
|
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Target Milestone: --- → mozilla1.8beta4
Comment 4•19 years ago
|
||
Comment on attachment 192612 [details] [diff] [review]
Quick and simple patch to initialize mLastModified of nsCacheEntry
please land this on the trunk and re-request review when it's been resolved as
fixed there. thanks.
Attachment #192612 -
Flags: approval1.8b4?
Comment 5•19 years ago
|
||
s/review/approval/
Assignee | ||
Comment 6•19 years ago
|
||
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 7•19 years ago
|
||
Comment on attachment 192612 [details] [diff] [review]
Quick and simple patch to initialize mLastModified of nsCacheEntry
ok, it's checked in on the trunk. seems like a no-brainer for the branch :-)
Attachment #192612 -
Flags: approval1.8b4?
Attachment #192612 -
Flags: approval1.8b4? → approval1.8b4+
Updated•19 years ago
|
Flags: blocking1.8b4+
Comment 8•19 years ago
|
||
time is short for beta so if this is gonna make the branch, it needs to land ASAP.