nsTHashtable and nsBaseHashtable memory reporter functions crash if given a null sizeOfEntryExcludingThis function

RESOLVED FIXED in mozilla14

Status

()

Core
XPCOM
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: jfkthame, Assigned: njn)

Tracking

Trunk
mozilla14
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 607538 [details] [diff] [review]
patch, check the user function pointer for null

The comments in nsBaseHashtable.h and nsTHashtable.h imply that it would be OK to call SizeOfExcludingThis() with a null sizeOfEntryExcludingThis:

http://mxr.mozilla.org/mozilla-central/source/xpcom/glue/nsBaseHashtable.h#263
263    * Measure the size of the table's entry storage, and if
264    * |sizeOfEntryExcludingThis| is non-nsnull, measure the size of things pointed
265    * to by entries.

and similarly at http://mxr.mozilla.org/mozilla-central/source/xpcom/glue/nsTHashtable.h#277.

However, the s_SizeOfStub functions in those classes actually call the provided sizeOfEntryExcludingThis pointer *without* checking that it is non-null, and will therefore crash.
Attachment #607538 - Flags: review?(n.nethercote)
Attachment #607538 - Attachment is patch: true
(Assignee)

Comment 1

5 years ago
Created attachment 607775 [details] [diff] [review]
alternative patch

Apologies for the false advertising!

Your patch works, but I'd rather handle the NULL case within SizeOfExcludingThis instead of in s_SizeOfStub, as the attached patch does.  IMHO it's easier to understand, and it doesn't result in unnecessary enumeration of the hash table in the NULL case.

(BTW, I've tested this lightly in a trunk build, but not with any code that passes in NULL.  I assume your patch in bug 688125 needs this?  Could you please test this patch with that patch?)
Attachment #607775 - Flags: review?(jfkthame)
(Assignee)

Updated

5 years ago
Attachment #607538 - Flags: review?(n.nethercote) → review-
(Reporter)

Comment 2

5 years ago
Comment on attachment 607775 [details] [diff] [review]
alternative patch

Review of attachment 607775 [details] [diff] [review]:
-----------------------------------------------------------------

Looks fine. The second patch (forthcoming...) in bug 688125 will rely on this behavior, so I'll test it together with that, but I'm confident it'll work as required.
Attachment #607775 - Flags: review?(jfkthame) → review+
(Reporter)

Updated

5 years ago
Blocks: 688125
(Reporter)

Comment 3

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/18c70ab50559
Target Milestone: --- → mozilla14
One of the patches in this push caused winxp debug mochitests to perma-hang in test_memoryReporters.xul. Backed the entire push out.
https://hg.mozilla.org/integration/mozilla-inbound/rev/d0dfb71a2df9
Assignee: nobody → n.nethercote
(Reporter)

Comment 5

5 years ago
I don't think this patch can be the culprit there, so I re-landed it:
https://hg.mozilla.org/integration/mozilla-inbound/rev/220f36e7f9f7

Comment 6

5 years ago
https://hg.mozilla.org/mozilla-central/rev/220f36e7f9f7
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.