Closed
Bug 510281
Opened 15 years ago
Closed 15 years ago
uninitialized memory access in BigInteger
Categories
(Tamarin Graveyard :: Virtual Machine, defect, P2)
Tracking
(Not tracked)
VERIFIED
FIXED
flash10.1
People
(Reporter: edwsmith, Assigned: lhansen)
References
Details
Attachments
(1 file)
|
825 bytes,
patch
|
stejohns
:
review+
|
Details | Diff | Splinter Review |
valgrind reports: ==32034== Conditional jump or move depends on uninitialised value(s) ==32034== at 0x812D9DE: avmplus::BigInteger::addOrSubtract(avmplus::BigInteger const*, bool, avmplus::BigInteger*) const (BigInteger.cpp:630) ==32034== by 0x80C228E: avmplus::BigInteger::compareOffset(avmplus::BigInteger const*, avmplus::BigInteger const*) (BigInteger.h:106) ==32034== by 0x80BFFAE: avmplus::D2A::nextDigit() (MathUtils.cpp:1781) ==32034== by 0x80C13CE: avmplus::MathUtils::convertDoubleToString(avmplus::AvmCore*, double, int, int) (MathUtils.cpp:983) ==32034== by 0x809B80C: avmplus::AvmCore::string(int) (AvmCore.cpp:3560) ==32034== Uninitialised value was created by a stack allocation ==32034== at 0x80C2254: avmplus::BigInteger::compareOffset(avmplus::BigInteger const*, avmplus::BigInteger const*) (BigInteger.h:89) ==32034== how to run: 1. build with AVMFEATURE_USE_SYSTEM_MALLOC=1 2. on release builds, use -O3 -g to get symbols (haven't tried debug builds) 3. get supressions file MMgc/mmgc.supp from Bug 509020 3. valgrind -q --track-origins=yes --suppressions=MMgc/mmgc.supp shell/avmshell <files> seen in these tests: ecma3/GlobalObject/e15_1_2_2_2.abc ecma3/TypeConversion/e9_3_1_3_rt.abc ecma3/LexicalConventions/e7_7_3_1.abc
|
Reporter | |
Updated•15 years ago
|
Flags: flashplayer-triage?
|
||
Comment 1•15 years ago
|
||
Confirmed that valgrind does report "Conditional jump or move depends on uninitialised value(s)" in avmplus::BigInteger when running the above testcases. NOTE: The suppression file is out of date and you will see a lot of MMgc related messages when you run the tests.
Flags: flashplayer-triage?
Flags: flashplayer-triage+
Flags: flashplayer-qrb?
|
Assignee | |
Updated•15 years ago
|
Priority: -- → P3
Target Milestone: --- → flash10.1
|
|
Assignee | |
Updated•15 years ago
|
Assignee: nobody → lhansen
|
|
Assignee | |
Comment 2•15 years ago
|
||
The error is signaled also with -O1 (so it's probably right) and is probably caused by the backward scan stepping beyond the start of the workBuffer when it's discarding leading zeroes. This can happen if the operation is 'add' and the inputs are both zero; the test for a zero result earlier in addOrSubtract does not catch this case.
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 3•15 years ago
|
||
Add a missing check for a zero result in addOrSubtract; add an assert that will catch the problem if there are other corner cases.
Attachment #405733 -
Flags: review?(stejohns)
|
|
Assignee | |
Updated•15 years ago
|
Priority: P3 → P2
|
||
Updated•15 years ago
|
Attachment #405733 -
Flags: review?(stejohns) → review+
|
|
Assignee | |
Comment 4•15 years ago
|
||
redux changeset: 2759:c0a53a3f9cb8 (also 2758)
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Updated•15 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Updated•15 years ago
|
Status: VERIFIED → RESOLVED
Closed: 15 years ago → 15 years ago
|
|
||
Updated•15 years ago
|
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•