Bug 295116: variable pn2->pn_slot can be read while uninitialised
Status: RESOLVED FIXED (Opened 20 years ago, Closed 20 years ago)
Categories: Core :: JavaScript Engine, defect, P1
Target Milestone: mozilla1.8beta2
People: Reporter: ferdinandw+bmo, Assigned: brendan
Keywords: js1.5
Attachments (1 file): 1.02 KB, patch (shaver: review+, brendan: approval1.8b2+)

I ran firefox through valgrind, and I saw a lot of these come up:
==5433== Conditional jump or move depends on uninitialised value(s)
==5433== at 0x1BCBDA22: js_EmitTree (jsemit.c:4081)
==5433== by 0x1BCBD044: js_EmitTree (jsemit.c:3891)
==5433== by 0x1BCBA568: js_EmitTree (jsemit.c:3009)
==5433== by 0x1BD0DA74: Statements (jsparse.c:1056)
==5433== by 0x1BD0C85A: FunctionBody (jsparse.c:656)
The traces varied slightly, but just running firefox in gdb with a
break at jsemit.c:4081 with display pn2->pn_u.name.slot will show
some interesting values (some of the time). It only seems to happen
at this particular if. CC'ing Brendan based on lxr blame.
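
A simplified model of the bug class in the report above, as an added example that is not part of the original report and not SpiderMonkey code: a node field written on only some construction paths and then tested in a conditional, shown beside a version that defines it on every path. The `Node` type, the `NODE_*`/`EMIT_*` constants, all function names and the 0x5A fill (which stands in for heap garbage so the result is reproducible) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified parse node; not SpiderMonkey's real structure. */
enum { NODE_NAME, NODE_OTHER };
enum { NO_SLOT = -1, EMIT_BY_NAME = 0, EMIT_BY_SLOT, EMIT_ERROR };
typedef struct Node { int kind; int slot; } Node;

/* Constructed allocator: 0x5A fill gives unwritten fields a known garbage value. */
static Node *raw_node(void) {
    Node *n = malloc(sizeof *n);
    if (n) memset(n, 0x5A, sizeof *n);
    return n;
}

/* Before: only NODE_NAME nodes get a slot; other kinds leave it unwritten. */
static Node *new_node_buggy(int kind, int slot) {
    Node *n = raw_node();
    if (!n) return NULL;
    n->kind = kind;
    if (kind == NODE_NAME) n->slot = slot;
    return n;
}

/* After: every construction path defines slot. */
static Node *new_node_fixed(int kind, int slot) {
    Node *n = raw_node();
    if (!n) return NULL;
    n->kind = kind;
    n->slot = (kind == NODE_NAME) ? slot : NO_SLOT;
    return n;
}

/* Emitter decision that branches on slot, the kind of test valgrind flags. */
static int emit_mode(const Node *n) {
    return n->slot >= 0 ? EMIT_BY_SLOT : EMIT_BY_NAME;
}
static int demo(Node *(*make)(int, int), int kind, int slot) {
    Node *n = make(kind, slot);
    if (!n) return EMIT_ERROR;
    int mode = emit_mode(n);
    free(n);
    return mode;
}
int main(void) {
    printf("buggy=%d fixed=%d\n", demo(new_node_buggy, NODE_OTHER, 0), demo(new_node_fixed, NODE_OTHER, 0));
    return 0;
}
```

With the fill pattern the unwritten `slot` reads as a positive number, so the buggy path picks slot-based emission for a node that never had a slot; with real heap contents the branch taken varies from run to run, which matches the "some of the time" behaviour described in the report.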

Comment 1 (Assignee) • 20 years ago
Regression introduced by fix for bug 155081.
/be
Assignee: general → brendan
Flags: blocking1.8b2+
Keywords: js1.5
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta2

Comment 2 (Assignee) • 20 years ago
cvs diff -r3.1{09,10} jsemit.c and look for DOT: to see the regression. I will
check this in soon, with imputed r=shaver.
/be
Attachment #184254 - Flags: review?(shaver)
Attachment #184254 - Flags: approval1.8b2+

Comment 3 (Assignee) • 20 years ago
Ferdinand, thanks very much for catching this.
/be
Status: NEW → ASSIGNED

Comment 4 (Assignee) • 20 years ago
Fixed.
/be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

Comment 5 • 20 years ago
Comment on attachment 184254: fix
r=shaver
Attachment #184254 - Flags: review?(shaver) → review+

Updated • 20 years ago
Flags: testcase-