Closed
Bug 1345352
Opened 8 years ago
Closed 8 years ago
Use of iterator past end of container in nsTableFrame::AddDeletedRowIndex()
Categories
(Core :: Layout: Tables, defect)
Tracking
()
RESOLVED
INVALID
Tracking | Status | |
---|---|---|
firefox52 | --- | unaffected |
firefox-esr52 | --- | unaffected |
firefox53 | --- | unaffected |
firefox54 | + | wontfix |
firefox55 | + | wontfix |
People
(Reporter: jesup, Assigned: neerja)
References
Details
(Keywords: regression)
** CID 1401685: API usage errors (INVALIDATE_ITERATOR)
/layout/tables/nsTableFrame.cpp: 1017 in nsTableFrame::AddDeletedRowIndex(int)()
________________________________________________________________________________________________________
*** CID 1401685: API usage errors (INVALIDATE_ITERATOR)
/layout/tables/nsTableFrame.cpp: 1017 in nsTableFrame::AddDeletedRowIndex(int)()
1011 // merge current index with smaller and greater range as they are consecutive
1012 smallerIter->second = greaterIter->second;
1013 mDeletedRowIndexRanges.erase(greaterIter);
1014 }
1015 else {
1016 // add aDeletedRowStoredIndex in the smaller range as it is consecutive
>>> CID 1401685: API usage errors (INVALIDATE_ITERATOR)
>>> Dereferencing iterator "smallerIter" though it is already past the end of its container.
1017 smallerIter->second = aDeletedRowStoredIndex;
1018 }
1019 } else if (greaterIter != mDeletedRowIndexRanges.end() &&
1020 greaterIter->first == aDeletedRowStoredIndex + 1) {
1021 // add aDeletedRowStoredIndex in the greater range as it is consecutive
1022 mDeletedRowIndexRanges.insert(std::pair<int32_t, int32_t>
Comment 1•8 years ago
|
||
Looks like this code was added in bug 1285874.
Blocks: 1285874
Flags: needinfo?(npancholi)
Keywords: regression
OS: Unspecified → All
Hardware: Unspecified → All
Version: 52 Branch → 54 Branch
Assignee | ||
Comment 2•8 years ago
|
||
(In reply to Mats Palmgren (:mats) from comment #1)
> Looks like this code was added in bug 1285874.
Thanks Mats, I'll take a look.
:jesup, can you please tell me how you were able to reproduce this? Thanks!
Flags: needinfo?(npancholi) → needinfo?(rjesup)
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → npancholi
Updated•8 years ago
|
status-firefox52:
--- → affected
status-firefox53:
--- → affected
status-firefox54:
--- → affected
status-firefox55:
--- → affected
Reporter | ||
Comment 3•8 years ago
|
||
> :jesup, can you please tell me how you were able to reproduce this? Thanks!
This is from static analysis - Coverity looked at the code and says this will (or may) happen.
Flags: needinfo?(rjesup)
Assignee | ||
Comment 4•8 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #3)
> > :jesup, can you please tell me how you were able to reproduce this? Thanks!
>
> This is from static analysis - Coverity looked at the code and says this
> will (or may) happen.
Cool, thanks :jesup.
Updated•8 years ago
|
Comment 5•8 years ago
|
||
[Tracking Requested - why for this release]: misusing APIs can have serious consequences.
tracking-firefox54:
--- → ?
tracking-firefox55:
--- → ?
Comment 6•8 years ago
|
||
Neerja, do you have an estimate of when this will be done?
Flags: needinfo?(npancholi)
Assignee | ||
Comment 7•8 years ago
|
||
(In reply to Nathan Froyd [:froydnj] from comment #6)
> Neerja, do you have an estimate of when this will be done?
Hi Nathan, I'll fix it this week.
Thanks!
Flags: needinfo?(npancholi)
Comment 9•8 years ago
|
||
(In reply to Neerja Pancholi[:neerja] from comment #7)
> (In reply to Nathan Froyd [:froydnj] from comment #6)
> > Neerja, do you have an estimate of when this will be done?
>
> Hi Nathan, I'll fix it this week.
> Thanks!
Gentle ping on this bug, since we've now moved 54 to Beta.
Flags: needinfo?(npancholi)
Assignee | ||
Comment 10•8 years ago
|
||
(In reply to Nathan Froyd [:froydnj] from comment #9)
> (In reply to Neerja Pancholi[:neerja] from comment #7)
> > (In reply to Nathan Froyd [:froydnj] from comment #6)
> > > Neerja, do you have an estimate of when this will be done?
> >
> > Hi Nathan, I'll fix it this week.
> > Thanks!
>
> Gentle ping on this bug, since we've now moved 54 to Beta.
Hi Nathan,
Sorry, I got distracted with something else. I'm keeping your needinfo as a reminder and I'll clear it when I'm finished fixing this which will be this week.
Thanks!
Assignee | ||
Comment 11•8 years ago
|
||
After looking at this I can't see a way in which "smallerItr" could ever be out of bounds because of this check: https://dxr.mozilla.org/mozilla-central/source/layout/tables/nsTableFrame.cpp#1006 and also that the list can never be empty because of: https://dxr.mozilla.org/mozilla-central/source/layout/tables/nsTableFrame.cpp#982
(:dholbert helped me cross check this in case I was missing something so thank you!)
I would suggest that this be closed as invalid. Or if someone could point me to what might be making Coverity flag this then I might be able to refactor it to remove the error? What do you think :froydnj and :jesup?
Some possible suggestions by dholbert as to why Coverity might be complaining -
1. It doesn't know that the list can never be empty because of: https://dxr.mozilla.org/mozilla-central/source/layout/tables/nsTableFrame.cpp#982
2. The equality for greaterItr and smallerItr (https://dxr.mozilla.org/mozilla-central/source/layout/tables/nsTableFrame.cpp#1005) and then a check on greaterItr to not be end of list (https://dxr.mozilla.org/mozilla-central/source/layout/tables/nsTableFrame.cpp#1011) might make Coverity think that smallerIter here could be end of list?
Flags: needinfo?(rjesup)
Flags: needinfo?(npancholi)
Flags: needinfo?(nfroyd)
Reporter | ||
Comment 12•8 years ago
|
||
If you're certain it's invalid, go ahead. (or mark it invalid and add a comment about it in the code -- "smallerItr can't be out of bounds because XXXX" and/or add a debug assertion if it's not a hot path
Flags: needinfo?(rjesup)
Comment 13•8 years ago
|
||
Yeah, after staring at this, I'm not sure why Coverity thinks it can be beyond the *end* of the container--unless the error message is bad, and they meant before the *start* of the container. If the access being flagged is beyond the end, then surely the access to smallerIter that dominates this use is *also* beyond the end...
Debug assertions might encourage Coverity to understand the code better, but flagging it in Coverity's database itself is also a reasonable option.
Flags: needinfo?(nfroyd)
Comment 14•8 years ago
|
||
Thanks for looking at this!
Assignee | ||
Comment 15•8 years ago
|
||
Thanks jesup and froydnj!
I'm closing this bug as invalid and I've created another bug to add a comment and an assertion to further clarify why smallerItr cannot be out of bounds here.
Assignee | ||
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Comment 16•8 years ago
|
||
Per comment #15, mark 54/55 won't fix.
You need to log in
before you can comment on or make changes to this bug.
Description
•