Open
Bug 711479
Opened 13 years ago
Updated 2 years ago
potential NULL pointer dereference in content/base/src/nsDocument.cpp
Categories
(Core :: DOM: Core & HTML, defect, P5)
Tracking
()
NEW
People
(Reporter: julia.lawall, Unassigned)
Details
Attachments
(2 files, 1 obsolete file)
|
2.31 KB,
patch
|
cpearce
:
review+
|
Details | Diff | Splinter Review |
|
2.11 KB,
patch
|
cpearce
:
review-
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Ubuntu; X11; Linux i686; rv:8.0) Gecko/20100101 Firefox/8.0 Build ID: 20111115183158 Steps to reproduce: The following potential NULL pointer dereference was found by Coccinelle (http://coccinelle.lip6.fr) in the file content/base/src/nsDocument.cpp in the function nsDocument::FullScreenStackPop. Element can be NULL in the then branch of the conditional, in which case the dereference is invalid. if (!element || !element->IsInDoc() || element->OwnerDoc() != this) { NS_ASSERTION(!element->IsFullScreenAncestor(), "Should have already removed full-screen styles");
Thanks, the problem looks valid.
Status: UNCONFIRMED → NEW
Component: General → DOM
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
|
||
Comment 2•13 years ago
|
||
In fact, the null-check is redundant. FullScreenStackTop() asserts that it returns non-null if !mFullScreenStack.IsEmpty(), and this check is in a while (!mFullScreenStack.IsEmpty()) loop.
|
||
Comment 3•13 years ago
|
||
Chris, can you take a look?
|
|
||
Comment 4•13 years ago
|
||
Attachment #582760 -
Flags: review?(chris)
|
||
Comment 5•13 years ago
|
||
Comment on attachment 582760 [details] [diff] [review] Assert that FullScreenStackTop() returns a non-null element when mFullScreenStack.IsEmpty() is false; Review of attachment 582760 [details] [diff] [review]: ----------------------------------------------------------------- FullScreenStackTop() can return a null element; it returns the front element in a queue of weak references, the weak references can be annulled if the object they point to are GC'd. We should just change the assertion on line 8777 to: NS_ASSERTION(!element || !element->IsFullScreenAncestor(), "Should have already removed full-screen styles"); Thanks for pointing out this issue!
Attachment #582760 -
Flags: review?(chris) → review-
|
|
||
Comment 6•13 years ago
|
||
So the assertions in <http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsDocument.cpp#8757> are all lies?
|
|
||
Comment 7•13 years ago
|
||
Yes. Oops.
|
|
||
Comment 8•13 years ago
|
||
Actually no, they're not. FullScreenStackTop() will always return non-null, because the only way the full-screen element can be GC'd is if it's removed from the document, and we exit full-screen in that case. The only way the full-screen element can change is when we call FullScreenStackPop() which makes the top-most non-null element as the full-screen element, so then we'd be covered by the former case to ensure it's non-null. So those assertions are still correct, but we could definitely use a comment explaining the above...
|
|
||
Updated•13 years ago
|
Attachment #582760 -
Attachment is obsolete: true
|
|
||
Comment 11•13 years ago
|
||
Comment on attachment 583104 [details] [diff] [review] Correct assertions around FullScreenStackTop(); Review of attachment 583104 [details] [diff] [review]: ----------------------------------------------------------------- r=cpearce with the assertion "NS_ASSERTION(element, "Should have full-screen element!");" put back in. ::: content/base/src/nsDocument.cpp @@ -8760,5 @@ > return nsnull; > } > PRUint32 last = mFullScreenStack.Length() - 1; > nsCOMPtr<Element> element(do_QueryReferent(mFullScreenStack[last])); > - NS_ASSERTION(element, "Should have full-screen element!"); Leave this assertion in; if the full-screen stack non-empty and the top-most element in the stack is null, we're in an incorrect state. @@ -8762,5 @@ > PRUint32 last = mFullScreenStack.Length() - 1; > nsCOMPtr<Element> element(do_QueryReferent(mFullScreenStack[last])); > - NS_ASSERTION(element, "Should have full-screen element!"); > - NS_ASSERTION(element->IsInDoc(), "Full-screen element should be in doc"); > - NS_ASSERTION(element->OwnerDoc() == this, "Full-screen element should be in this doc"); Yup, go ahead and remove these assertions and replace them with your new one.
Attachment #583104 -
Flags: review?(chris) → review+
|
|
||
Comment 12•13 years ago
|
||
Comment on attachment 583109 [details] [diff] [review] Assert that FullScreenStackTop() returns a non-null element when mFullScreenStack.IsEmpty() is false; Review of attachment 583109 [details] [diff] [review]: ----------------------------------------------------------------- Let's take the other patch instead. Thanks! ::: content/base/src/nsDocument.cpp @@ +8753,5 @@ > } > } > } > > +// FullScreenStackTop() will always return non-null, because the only way the Let's move this comment into the other patch, but let's make that "FullScreenStackTop() should always return non-null..."
Attachment #583109 -
Flags: review?(chris) → review-
|
||
Comment 13•6 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046 Move all DOM bugs that haven't been updated in more than 3 years and has no one currently assigned to P5. If you have questions, please contact :mdaly.
Priority: -- → P5
|
Assignee | |
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•