Closed Bug 334541 Opened 19 years ago Closed 18 years ago

Use after free in XPCOM testcase

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: dveditz, Assigned: dveditz)

References

(Blocks 1 open bug)

Details

(Keywords: coverity)

Attachments

(1 file, 2 obsolete files)

return after delete 19 years ago Daniel Veditz [:dveditz] (deleted), patch		Details \| Diff \| Splinter Review
TestCOMPtr.cpp has the same problem (combined patch) 19 years ago Daniel Veditz [:dveditz] (deleted), patch	benjamin : review-	Details \| Diff \| Splinter Review
Don't drop the wrap message 19 years ago Daniel Veditz [:dveditz] (deleted), patch	benjamin : review+	Details \| Diff \| Splinter Review

Daniel Veditz [:dveditz]

Assignee

Description

•

19 years ago

in TestHashtables.cpp IFoo::Release references its refcount_ member after deleting 'this'. Found by coverity

Daniel Veditz [:dveditz]

Assignee

Comment 1

•

19 years ago

Attached patch return after delete (obsolete) (deleted) — Details — Splinter Review

Looking for trivial r/sr

Attachment #218889 - Flags: superreview?

Attachment #218889 - Flags: review?(benjamin)

Daniel Veditz [:dveditz]

Assignee

Comment 2

•

19 years ago

Attached patch TestCOMPtr.cpp has the same problem (combined patch) (obsolete) (deleted) — Details — Splinter Review

Attachment #218889 - Attachment is obsolete: true

Attachment #218891 - Flags: superreview?

Attachment #218891 - Flags: review?(benjamin)

Attachment #218889 - Flags: superreview?

Attachment #218889 - Flags: review?(benjamin)

Jesse Ruderman

Comment 3

•

19 years ago

I think this patch changes the behavior when wrap_message is true, by making it skip a printf. I don't understand what the code is trying to accomplish or why wrap_message is a different test than !refcount_, though.

Benjamin Smedberg

Comment 4

•

19 years ago

Comment on attachment 218891 [details] [diff] [review] TestCOMPtr.cpp has the same problem (combined patch) You would just be introducing another coverity warning, I think... it seems like if (!refcount_) and if (wrap_message) are the exact same test. The easy way out is to store int stored_refcount = --refcount_ and return that.

Attachment #218891 - Flags: superreview?

Attachment #218891 - Flags: review?(benjamin)

Attachment #218891 - Flags: review-

Daniel Veditz [:dveditz]

Assignee

Comment 5

•

19 years ago

Attached patch Don't drop the wrap message (deleted) — Details — Splinter Review

> if (!refcount_) and if (wrap_message) are the exact same test. Not quite: refcount_ is a member, wrap_message is safely on the stack. This version keeps us from dropping the closing wrap message.

Attachment #218891 - Attachment is obsolete: true

Attachment #219385 - Flags: review?(benjamin)

Benjamin Smedberg

Updated

•

19 years ago

Attachment #219385 - Flags: review?(benjamin) → review+

Daniel Veditz [:dveditz]

Assignee

Comment 6

•

18 years ago

/cvsroot/mozilla/xpcom/tests/TestCOMPtr.cpp,v <-- TestCOMPtr.cpp new revision: 1.29; previous revision: 1.28 /cvsroot/mozilla/xpcom/tests/TestHashtables.cpp,v <-- TestHashtables.cpp new revision: 1.9; previous revision: 1.8

Status: NEW → RESOLVED

Closed: 18 years ago

Resolution: --- → FIXED

Sylvestre Ledru [:Sylvestre]

Updated

•

6 years ago

Blocks: coverity-analysis

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Use after free in XPCOM testcase

Categories

(Core :: XPCOM, defect)

Tracking

()

People

(Reporter: dveditz, Assigned: dveditz)

References

(Blocks 1 open bug)

Details

(Keywords: coverity)

Crash Data

Security

(public)

User Story

Attachments

(1 file, 2 obsolete files)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Comment 5

Updated

Comment 6

Updated

Attachment

General

Description

File Name

Content Type