Closed Bug 1309160 Opened 9 years ago Closed 9 years ago

[Static Analysis][Dereference after null check] In function RematerializedFrame::trace

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla52
Tracking Status
firefox52 --- fixed

People

(Reporter: andi, Assigned: andi)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: CID 1373583)

Attachments

(1 file)

The Static Analysis tool Coverity detected that a null pointer dereference will happen in:

>> TraceRootRange(trc, numArgSlots() + isConstructing_ + script_->nfixed(),
>>                slots_, "remat ion frame stack");

for variable |callee_|. The checker is triggered since |callee_| is checked against null prior to calling TraceRootRange in a different statement. The call stack for the dereference is:

nargs()
numArgSlots()
TraceRootRange()

nargs gets called on |callee_|, which is returned via the callee() function that has the following code block:

>> JSFunction* callee() const {
>>     MOZ_ASSERT(isFunctionFrame());
>>     return callee_;
>> }

The static analysis tool cannot correlate the validity of the assert with the validity of callee_, so I suggest adding a null check on callee_ before calling TraceRootRange.
So if I understand correctly, we're calling RematerializedFrame::numArgSlots, which calls RematerializedFrame::numFormalArgs:

unsigned numFormalArgs() const {
    return isFunctionFrame() ? callee()->nargs() : 0;
}

callee() shouldn't return nullptr if isFunctionFrame(). Can we shut up Coverity by adding MOZ_ASSERT(callee_) to RematerializedFrame::callee()?
Flags: needinfo?(bpostelnicu)
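The pattern the checker is reacting to, reduced to a self-contained model. This is an added example, not SpiderMonkey's RematerializedFrame code: the class name Frame, the JSFunction and Tracer stand-ins, traceRoot/traceRootRange, nfixed_ and traceFrame are hypothetical, while callee_, callee(), isFunctionFrame(), numFormalArgs(), numArgSlots(), isConstructing_ and slots_ follow the names quoted in the report. The invariant "function frame implies non-null callee_" lives in two fields that only the constructor keeps in sync, which is exactly what a per-statement null-tracking checker cannot see; the assertion in callee() states that invariant where the pointer is handed out, as the review agrees to do with MOZ_ASSERT(callee_).

```cpp
#include <cassert>
#include <cstddef>

// Added example, not SpiderMonkey code. JSFunction and the Tracer below are
// hypothetical stand-ins: a function that knows its formal-argument count and
// a tracer that only counts what it was asked to trace.
struct JSFunction {
    unsigned nargs_;
    unsigned nargs() const { return nargs_; }
};

struct Tracer {
    size_t rootsTraced = 0;   // calls to traceRoot/traceRootRange
    size_t rangeSlots = 0;    // total slots covered by traceRootRange
    void traceRoot(const void*, const char*) { ++rootsTraced; }
    void traceRootRange(size_t n, const void*, const char*) {
        ++rootsTraced;
        rangeSlots += n;
    }
};

// Minimal model of RematerializedFrame (hypothetical class name Frame; member
// names follow the bug report, bodies are simplified).
class Frame {
    JSFunction* callee_;      // null for non-function frames
    bool isFunctionFrame_;    // kept consistent with callee_ by the constructor
    bool isConstructing_;
    size_t nfixed_;           // stands in for script_->nfixed()
    void* slots_[16];         // stands in for the frame's slot storage

  public:
    Frame(JSFunction* callee, bool constructing, size_t nfixed)
        : callee_(callee), isFunctionFrame_(callee != nullptr),
          isConstructing_(constructing), nfixed_(nfixed), slots_{} {}

    bool isFunctionFrame() const { return isFunctionFrame_; }

    // The invariant the checker could not see on its own: a function frame
    // always has a non-null callee_. Asserting it where the pointer is handed
    // out (the MOZ_ASSERT(callee_) agreed in this bug) makes the invariant
    // explicit for reviewers and for analyzers that treat assert() as an
    // assumption about the following code.
    JSFunction* callee() const {
        assert(isFunctionFrame());
        assert(callee_);
        return callee_;
    }

    unsigned numFormalArgs() const {
        return isFunctionFrame() ? callee()->nargs() : 0;
    }
    size_t numArgSlots() const { return numFormalArgs(); }  // simplified

    void trace(Tracer& trc) {
        // Statement 1: callee_ is null-checked before it is traced ...
        if (callee_)
            trc.traceRoot(callee_, "remat ion frame callee");
        // Statement 2: ... then dereferenced on the path
        // numArgSlots() -> numFormalArgs() -> callee()->nargs() with no check
        // in this statement. A checker that tracks callee_ per statement and
        // cannot relate isFunctionFrame_ to callee_ reports a dereference
        // after null check here, although the invariant makes it unreachable.
        trc.traceRootRange(numArgSlots() + (isConstructing_ ? 1 : 0) + nfixed_,
                           slots_, "remat ion frame stack");
    }
};

// Build one frame (functionFrame=false gives the non-function case that the
// ternary in numFormalArgs guards) and return what tracing it visited.
Tracer traceFrame(bool functionFrame, unsigned nargs, bool constructing,
                  size_t nfixed) {
    JSFunction fn{nargs};
    Frame frame(functionFrame ? &fn : nullptr, constructing, nfixed);
    Tracer trc;
    frame.trace(trc);
    return trc;
}

int main() {
    // Function frame: 2 formals + 1 constructing + 3 fixed = 6 slots, 2 roots.
    Tracer t = traceFrame(true, 2, true, 3);
    assert(t.rangeSlots == 6 && t.rootsTraced == 2);
    // Non-function frame: callee_ is never dereferenced; 3 fixed slots, 1 root.
    t = traceFrame(false, 2, false, 3);
    assert(t.rangeSlots == 3 && t.rootsTraced == 1);
    return 0;
}
```

The two variants of the fix discussed in the thread differ in where the knowledge sits: a null check in front of TraceRootRange silences the finding at the use site but suggests a null callee_ is a legitimate state there, whereas the assertion in callee() documents that it is not, so a frame that ever violates the invariant fails loudly in a debug build instead of tracing the wrong number of slots.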
Comment on attachment 8799673 [details] Bug 1309160 - prevent null pointer dereference when calling TraceRootRange/ https://reviewboard.mozilla.org/r/84812/#review83412
Attachment #8799673 - Flags: review?(jdemooij)
Sure we can do this! I will update the patch.
Flags: needinfo?(bpostelnicu)
Comment on attachment 8799673 [details] Bug 1309160 - prevent null pointer dereference when calling TraceRootRange/ https://reviewboard.mozilla.org/r/84812/#review83414 Thanks!
Attachment #8799673 - Flags: review?(jdemooij) → review+
Pushed by bpostelnicu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6173757aa33a prevent null pointer dereference when calling TraceRootRange/ r=jandem
Priority: -- → P1
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52