Closed Bug 1153173 Opened 9 years ago Closed 9 years ago

Uninitialised value use in AutoJSExceptionReporter::~AutoJSExceptionReporter

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox37 unaffected, firefox38 fixed, firefox38.0.5 fixed, firefox39 fixed, firefox40 fixed)

Status:
RESOLVED FIXED
Milestone:
mozilla40
Tracking Flags:
Tracking Status
firefox37 --- unaffected
firefox38 --- fixed
firefox38.0.5 --- fixed
firefox39 --- fixed
firefox40 --- fixed

People

(Reporter: jseward, Assigned: jseward)

References

Details

Attachments

(2 files)

Valgrind complainage
5.06 KB, text/plain
Details
bug1153173-1.diff
562 bytes, patch
bugzilla
: review+
lmandel
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-release+
Details | Diff | Splinter Review 
It appears that ~AutoJSExceptionReporter can check its mIsDestroyPending
field with that ever having been initialised.  Looking at the constructor
AutoJSExceptionReporter::AutoJSExceptionReporter, mIsDestroyPending is
simply copied from nsJSObjWrapper::mDestroyPending.  It may be that the
root error is that nsJSObjWrapper::nsJSObjWrapper doesn't set mDestroyPending.

Possibly related to bug 1135491.
STR: test path is dom/base/test/csp/test_CSP.html

It's pretty easy to demonstrate, though, happens on quite a lot
of runs.

I ran this:

DISPLAY=:1.0 G_SLICE=always-malloc MOZ_DISABLE_NONLOCAL_CONNECTIONS=0 \
  ./mach mochitest-plain --e10s \
  --debugger=/home/sewardj/VgTRUNK/mozhx/Inst/bin/valgrind \
  --debugger-args="--fair-sched=yes --smc-check=all-non-file \
    --suppressions=/home/sewardj/MOZ/SUPPS/mochitest-mc.supp --error-limit=no \
    --trace-children=yes --child-silent-after-fork=yes \
    --trace-children-skip=/usr/bin/hg,/bin/rm,*/bin/certutil,*/bin/pk12util,*/bin/ssltunnel,*/bin/uname,*/bin/which,*/bin/ps,*/bin/grep,*/bin/java \
    --num-transtab-sectors=24 --tool=memcheck --freelist-vol=500000000 \
    --redzone-size=256 --gen-suppressions=no \
    --px-default=allregs-at-mem-access \
    --px-file-backed=unwindregs-at-mem-access --stats=yes \
    --partial-loads-ok=yes --show-mismatched-frees=no --read-inline-info=yes \
    --fullpath-after=-CURR/ --num-callers=16 --track-origins=yes" \
  dom/base/test/csp/test_CSP.html 2>&1 | tee logfile-05-mc
Attached file Valgrind complainage 

    
    

    
  


  
A simple fix.

    
  

        Attachment #8590757 -
        Flags: review?(aklotz)

    
    

    
  
Comment on attachment 8590757 [details] [diff] [review]
bug1153173-1.diff

Review of attachment 8590757 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for catching this!

        Attachment #8590757 -
        Flags: review?(aklotz) → review+

    
    

    
  
Comment on attachment 8590757 [details] [diff] [review]
bug1153173-1.diff

Approval Request Comment
[Feature/regressing bug #]: bug 1135491
[User impact if declined]: Possibility of incorrect behavior of scripted plugin objects.
[Describe test coverage new/current, TreeHerder]: Caught by dom/base/test/csp/test_CSP.html + Valgrind
[Risks and why]: None, trivial patch that fixes an uninitialized variable
[String/UUID change made/needed]: None

        Attachment #8590757 -
        Flags: approval-mozilla-aurora?

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/ce79d0eb8636
Assignee: nobody → jseward
Status: NEW → RESOLVED
Closed: 9 years ago

          status-firefox40:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40

    
    

    
  
(In reply to Aaron Klotz [:aklotz] (please use needinfo) from comment #6)
> [Feature/regressing bug #]: bug 1135491

Bug 1135491 was fixed in 38. Do we need to take the fix in 38 as well?

          status-firefox37:
          --- → unaffected

          status-firefox38:
          --- → affected

          status-firefox39:
          --- → affected
Flags: needinfo?(aklotz)

    
    

    
  
Comment on attachment 8590757 [details] [diff] [review]
bug1153173-1.diff

Aurora+

        Attachment #8590757 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

    
    

    
  
Good point. I'd recommend that we do.
Flags: needinfo?(aklotz)

    
    

    
  
Comment on attachment 8590757 [details] [diff] [review]
bug1153173-1.diff

Approval Request Comment
[Feature/regressing bug #]: bug 1135491
[User impact if declined]: Possibility of incorrect behavior of scripted plugin objects.
[Describe test coverage new/current, TreeHerder]: Caught by dom/base/test/csp/test_CSP.html + Valgrind
[Risks and why]: None, trivial patch that fixes an uninitialized variable
[String/UUID change made/needed]: None

        Attachment #8590757 -
        Flags: approval-mozilla-beta?

    
    

    
  
Comment on attachment 8590757 [details] [diff] [review]
bug1153173-1.diff

Should be in 38 beta 7.

        Attachment #8590757 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+

    
    

    
  
Comment on attachment 8590757 [details] [diff] [review]
bug1153173-1.diff

[Triage Comment]
uplift to m-r as we did the 38 merge already

        Attachment #8590757 -
        Flags: approval-mozilla-beta+ → approval-mozilla-release+

    
  
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: