Closed Bug 1300518 Opened 8 years ago Closed 8 years ago

[Static Analysis][Dereference after null check] In function nsCSSFrameConstructor::IsValidSibling

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla51

Tracking Flags:

Tracking

Status

firefox51

---

fixed

People

(Reporter: andi, Assigned: andi)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: CID 1372468)

Attachments

(1 file)

Bug 1300518 - removed nullcheck for parentFrame in nsCSSFrameConstructor::IsValidSibling. 8 years ago Andi [:andi] (deleted), text/x-review-board-request	xidorn : review+	Details

Andi [:andi]

Assignee

Description

•

8 years ago

The Static Analysis tool Coverity detected that a null pointer dereference may happen in the following context for |parentFrame|: >> if (IsFrameForFieldSet(parentFrame, parentType)) { >> // Legends can be sibling of legends but not of other content in the fieldset >> if (nsContainerFrame* cif = aSibling->GetContentInsertionFrame()) { >> aSibling = cif; >> } |parentFrame| is null checked but dereference occurs outside of the null check scope: >> if (parentFrame) { >> parentType = parentFrame->GetType(); >> }

Comment hidden (mozreview-request)

Xidorn Quan [:xidorn] UTC+11

Comment 2

•

8 years ago

mozreview-review

Comment on attachment 8788144 [details] Bug 1300518 - removed nullcheck for parentFrame in nsCSSFrameConstructor::IsValidSibling. https://reviewboard.mozilla.org/r/76740/#review74844 Viewing the only callsite of this function, I believe parentFrame would never be nullptr... The code checking parentFrame was introduced in bug 403733, while parentFrame->GetType() preexists that check, and the check was added there without any justification. I guess we can try removing the check of parentFrame directly rather than adding more check.

Attachment #8788144 - Flags: review?(xidorn+moz)

Comment hidden (mozreview-request)

Xidorn Quan [:xidorn] UTC+11

Comment 4

•

8 years ago

mozreview-review

Comment on attachment 8788144 [details] Bug 1300518 - removed nullcheck for parentFrame in nsCSSFrameConstructor::IsValidSibling. https://reviewboard.mozilla.org/r/76740/#review74848

Attachment #8788144 - Flags: review?(xidorn+moz) → review+

Pulsebot

Comment 5

•

8 years ago

Pushed by xquan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6e805e28151d removed nullcheck for parentFrame in nsCSSFrameConstructor::IsValidSibling. r=xidorn

Phil Ringnalda (:philor)

Comment 6

•

8 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/6e805e28151d

Status: NEW → RESOLVED

Closed: 8 years ago

status-firefox51: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla51

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

[Static Analysis][Dereference after null check] In function nsCSSFrameConstructor::IsValidSibling

Categories

(Core :: Layout, defect)

Tracking

()

People

(Reporter: andi, Assigned: andi)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: CID 1372468)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6

Attachment

General

Description

File Name

Content Type