Closed
Bug 1158398
Opened 10 years ago
Closed 10 years ago
Uninitialized value usage in JSExceptionReporter: mIsDestroyPending, mDestroyPending.
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED DUPLICATE of bug 1153173
Tracking | Status
---|---
firefox40 | affected
People
(Reporter: ishikawa, Unassigned)
Details
(I think this is platform-neutral.)
During testing C-C TB under valgrind, I got an uninitialised-value report from valgrind.
The usage is from within the JS engine, I think.
The error report:
==20163== Conditional jump or move depends on uninitialised value(s)
==20163== at 0x90974BC: nsJSObjWrapper::NP_SetProperty(NPObject*, void*, _NPVariant const*) (nsJSNPRuntime.cpp:137)
==20163== by 0x906815C: mozilla::plugins::parent::_setproperty(_NPP*, NPObject*, void*, _NPVariant const*) (nsNPAPIPlugin.cpp:1705)
==20163== by 0x90B9801: mozilla::plugins::PluginScriptableObjectParent::AnswerSetProperty(mozilla::plugins::PluginIdentifier const&, mozilla::plugins::Variant const&, bool*) (PluginScriptableObjectParent.cpp:1100)
==20163== by 0x77C54CF: mozilla::plugins::PPluginScriptableObjectParent::OnCallReceived(IPC::Message const&, IPC::Message*&) (PPluginScriptableObjectParent.cpp:946)
==20163== by 0x77A22BE: mozilla::plugins::PPluginModuleParent::OnCallReceived(IPC::Message const&, IPC::Message*&) (PPluginModuleParent.cpp:1368)
==20163== by 0x763B95A: mozilla::ipc::MessageChannel::DispatchInterruptMessage(IPC::Message const&, unsigned long) (MessageChannel.cpp:1315)
==20163== by 0x7645E62: mozilla::ipc::MessageChannel::Call(IPC::Message*, IPC::Message*) (MessageChannel.cpp:1009)
==20163== by 0x77DC1FA: mozilla::plugins::PPluginModuleParent::CallSyncNPP_New(mozilla::plugins::PPluginInstanceParent*, short*) (PPluginModuleParent.cpp:337)
==20163== by 0x90C5702: mozilla::plugins::PluginModuleParent::NPP_NewInternal(char*, _NPP*, unsigned short, nsTArray<nsCString>&, nsTArray<nsCString>&, _NPSavedData*, short*) (PluginModuleParent.cpp:2571)
==20163== by 0x90C6141: mozilla::plugins::PluginModuleParent::NPP_New(char*, _NPP*, unsigned short, short, char**, char**, _NPSavedData*, short*) (PluginModuleParent.cpp:2505)
==20163== by 0x9094300: nsNPAPIPluginInstance::Start() (nsNPAPIPluginInstance.cpp:509)
==20163== by 0x9094513: nsNPAPIPluginInstance::Initialize(nsNPAPIPlugin*, nsPluginInstanceOwner*, nsACString_internal const&) (nsNPAPIPluginInstance.cpp:294)
==20163== by 0x907958D: nsPluginHost::TrySetUpPluginInstance(nsACString_internal const&, nsIURI*, nsPluginInstanceOwner*) (nsPluginHost.cpp:975)
==20163== by 0x907A24A: nsPluginHost::SetUpPluginInstance(nsACString_internal const&, nsIURI*, nsPluginInstanceOwner*) (nsPluginHost.cpp:894)
==20163== by 0x907C764: nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) (nsPluginHost.cpp:826)
==20163== by 0x80CB8BC: nsObjectLoadingContent::InstantiatePluginInstance(bool) (nsObjectLoadingContent.cpp:793)
==20163== by 0x80CC32B: nsObjectLoadingContent::SyncStartPluginInstance() (nsObjectLoadingContent.cpp:2851)
==20163== by 0x80C809E: nsAsyncInstantiateEvent::Run() (nsObjectLoadingContent.cpp:169)
==20163== by 0x72642CC: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:866)
==20163== by 0x729A685: NS_ProcessNextEvent(nsIThread*, bool) (nsThreadUtils.cpp:265)
==20163== by 0x726A7B0: nsThread::Shutdown() (nsThread.cpp:667)
==20163== by 0x72E9C98: mozilla::net::(anonymous namespace)::PredictorThreadShutdownRunner::Run() (Predictor.cpp:622)
==20163== by 0x72642CC: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:866)
==20163== by 0x7278C39: NS_InvokeByIndex (xptcinvoke_x86_64_unix.cpp:176)
==20163== by 0x7B70634: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:2080)
==20163== by 0x7B746E3: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1140)
==20163== by 0x2430634E: ???
==20163== by 0x238B976F: ???
==20163== by 0x41F1D20: ???
==20163== by 0xA8E7ED7: EnterBaseline(JSContext*, js::jit::EnterJitData&) (BaselineJIT.cpp:125)
==20163== by 0xA8FA57F: js::jit::EnterBaselineMethod(JSContext*, js::RunState&) (BaselineJIT.cpp:156)
==20163== by 0xA775FA2: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:667)
==20163== by 0xA776204: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:746)
==20163== by 0xA777BB1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:783)
==20163== by 0xAC34AE0: js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (DirectProxyHandler.cpp:77)
==20163== by 0xAC3B493: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (CrossCompartmentWrapper.cpp:289)
==20163== by 0xAC46C0A: js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (Proxy.cpp:391)
==20163== by 0xAC46CEF: js::proxy_Call(JSContext*, unsigned int, JS::Value*) (Proxy.cpp:697)
==20163== by 0xA784118: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:235)
==20163== by 0xA7763F8: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:720)
==20163== by 0xA7702FE: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:2956)
==20163== by 0xA775C3A: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:677)
==20163== by 0xA776204: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:746)
==20163== by 0xA777BB1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:783)
==20163== by 0xAC34AE0: js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (DirectProxyHandler.cpp:77)
==20163== by 0xAC3B493: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (CrossCompartmentWrapper.cpp:289)
==20163== by 0xAC46C0A: js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (Proxy.cpp:391)
==20163== by 0xAC46CEF: js::proxy_Call(JSContext*, unsigned int, JS::Value*) (Proxy.cpp:697)
==20163== by 0xA784118: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:235)
==20163== by 0xA7763F8: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:720)
==20163== Uninitialised value was created by a heap allocation
==20163== at 0x4028BFF: malloc (vg_replace_malloc.c:299)
==20163== by 0x40675B: moz_xmalloc (mozalloc.cpp:83)
==20163== by 0x9082306: nsJSObjWrapper::NP_Allocate(_NPP*, NPClass*) (mozalloc.h:187)
==20163== by 0x9066ABD: mozilla::plugins::parent::_createobject(_NPP*, NPClass*) (nsNPAPIPlugin.cpp:1377)
==20163== by 0x9094CE0: nsJSObjWrapper::GetNewOrUsed(_NPP*, JSContext*, JS::Handle<JSObject*>) (nsJSNPRuntime.cpp:1190)
==20163== by 0x9069C2B: mozilla::plugins::parent::_getpluginelement(_NPP*) (nsNPAPIPlugin.cpp:1260)
==20163== by 0x906CE89: mozilla::plugins::parent::_getvalue(_NPP*, NPNVariable, void*) (nsNPAPIPlugin.cpp:2037)
==20163== by 0x90B7E41: mozilla::plugins::PluginInstanceParent::InternalGetValueForNPObject(NPNVariable, mozilla::plugins::PPluginScriptableObjectParent**, short*) (PluginInstanceParent.cpp:297)
==20163== by 0x90B7F1D: mozilla::plugins::PluginInstanceParent::AnswerNPN_GetValue_NPNVPluginElementNPObject(mozilla::plugins::PPluginScriptableObjectParent**, short*) (PluginInstanceParent.cpp:332)
==20163== by 0x77B55D3: mozilla::plugins::PPluginInstanceParent::OnCallReceived(IPC::Message const&, IPC::Message*&) (PPluginInstanceParent.cpp:1610)
==20163== by 0x77A22BE: mozilla::plugins::PPluginModuleParent::OnCallReceived(IPC::Message const&, IPC::Message*&) (PPluginModuleParent.cpp:1368)
==20163== by 0x763B95A: mozilla::ipc::MessageChannel::DispatchInterruptMessage(IPC::Message const&, unsigned long) (MessageChannel.cpp:1315)
==20163== by 0x7645E62: mozilla::ipc::MessageChannel::Call(IPC::Message*, IPC::Message*) (MessageChannel.cpp:1009)
==20163== by 0x77DC1FA: mozilla::plugins::PPluginModuleParent::CallSyncNPP_New(mozilla::plugins::PPluginInstanceParent*, short*) (PPluginModuleParent.cpp:337)
==20163== by 0x90C5702: mozilla::plugins::PluginModuleParent::NPP_NewInternal(char*, _NPP*, unsigned short, nsTArray<nsCString>&, nsTArray<nsCString>&, _NPSavedData*, short*) (PluginModuleParent.cpp:2571)
==20163== by 0x90C6141: mozilla::plugins::PluginModuleParent::NPP_New(char*, _NPP*, unsigned short, short, char**, char**, _NPSavedData*, short*) (PluginModuleParent.cpp:2505)
==20163== by 0x9094300: nsNPAPIPluginInstance::Start() (nsNPAPIPluginInstance.cpp:509)
==20163== by 0x9094513: nsNPAPIPluginInstance::Initialize(nsNPAPIPlugin*, nsPluginInstanceOwner*, nsACString_internal const&) (nsNPAPIPluginInstance.cpp:294)
==20163== by 0x907958D: nsPluginHost::TrySetUpPluginInstance(nsACString_internal const&, nsIURI*, nsPluginInstanceOwner*) (nsPluginHost.cpp:975)
==20163== by 0x907A24A: nsPluginHost::SetUpPluginInstance(nsACString_internal const&, nsIURI*, nsPluginInstanceOwner*) (nsPluginHost.cpp:894)
==20163== by 0x907C764: nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) (nsPluginHost.cpp:826)
==20163== by 0x80CB8BC: nsObjectLoadingContent::InstantiatePluginInstance(bool) (nsObjectLoadingContent.cpp:793)
==20163== by 0x80CC32B: nsObjectLoadingContent::SyncStartPluginInstance() (nsObjectLoadingContent.cpp:2851)
==20163== by 0x80C809E: nsAsyncInstantiateEvent::Run() (nsObjectLoadingContent.cpp:169)
==20163== by 0x72642CC: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:866)
==20163== by 0x729A685: NS_ProcessNextEvent(nsIThread*, bool) (nsThreadUtils.cpp:265)
==20163== by 0x726A7B0: nsThread::Shutdown() (nsThread.cpp:667)
==20163== by 0x72E9C98: mozilla::net::(anonymous namespace)::PredictorThreadShutdownRunner::Run() (Predictor.cpp:622)
==20163== by 0x72642CC: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:866)
==20163== by 0x7278C39: NS_InvokeByIndex (xptcinvoke_x86_64_unix.cpp:176)
==20163== by 0x7B70634: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:2080)
==20163== by 0x7B746E3: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1140)
==20163== by 0x2430634E: ???
==20163== by 0x238B976F: ???
==20163== by 0x41F1D20: ???
==20163== by 0xA8E7ED7: EnterBaseline(JSContext*, js::jit::EnterJitData&) (BaselineJIT.cpp:125)
==20163== by 0xA8FA57F: js::jit::EnterBaselineMethod(JSContext*, js::RunState&) (BaselineJIT.cpp:156)
==20163== by 0xA775FA2: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:667)
==20163== by 0xA776204: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:746)
==20163== by 0xA777BB1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:783)
==20163== by 0xAC34AE0: js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (DirectProxyHandler.cpp:77)
==20163== by 0xAC3B493: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (CrossCompartmentWrapper.cpp:289)
==20163== by 0xAC46C0A: js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (Proxy.cpp:391)
==20163== by 0xAC46CEF: js::proxy_Call(JSContext*, unsigned int, JS::Value*) (Proxy.cpp:697)
==20163== by 0xA784118: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:235)
==20163== by 0xA7763F8: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:720)
==20163== by 0xA7702FE: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:2956)
==20163== by 0xA775C3A: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:677)
==20163== by 0xA776204: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:746)
==20163== by 0xA777BB1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:783)
==20163==
The line where the error was detected:
mozilla/dom/plugins/base/nsJSNPRuntime.cpp
nsJSNPRuntime.cpp:137
  ~AutoJSExceptionReporter()
  {
    if (mIsDestroyPending) {   <--- line 137
      mJsapi.ClearException();
    }
  }
So this |mIsDestroyPending| is not properly initialized?
Searching for this variable, I find this in the same file.
DECLARATION:
  class MOZ_STACK_CLASS AutoJSExceptionReporter
  {
    ...
  protected:
    dom::AutoJSAPI& mJsapi;
    bool mIsDestroyPending;
  };
INITIALIZATION: Yes, it is initialized.
  class MOZ_STACK_CLASS AutoJSExceptionReporter
  {
  public:
    AutoJSExceptionReporter(dom::AutoJSAPI& jsapi, nsJSObjWrapper* aWrapper)
      : mJsapi(jsapi)
  ===> , mIsDestroyPending(aWrapper->mDestroyPending)
    {
      jsapi.TakeOwnershipOfErrorReporting();
    }
So this |mIsDestroyPending| has a copy of the value of |aWrapper->mDestroyPending|.
The way valgrind works, this |aWrapper->mDestroyPending| was uninitialized.
Copying of an uninitialized value does not trigger a warning in valgrind.
Only its use for conditional branching or output does.
So the uninitialized value copy from |aWrapper->mDestroyPending| to |mIsDestroyPending| did not trigger a warning, but only the usage in |if (mIsDestroyPending)| did.
So we have to look where this mDestroyPending is created and not initialized...
I am busy doing other bug hunting and fixing, and so I wonder if I can leave this to a knowledgeable JavaScript engine developer?
TIA
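The behaviour the reporter describes (valgrind stays silent when an uninitialised value is copied and only complains when it is used in a conditional branch) is easier to see with a small model of memcheck's definedness tracking. The following is an added example and not Mozilla code: each tracked bool carries a shadow "defined" bit, the way memcheck keeps validity bits for every byte of memory; `WrapperBuggy`, `WrapperFixed` and `ReporterGuard` are stand-in names for the bug's nsJSObjWrapper and AutoJSExceptionReporter, invented for this example, and the reports it collects are modelled after the message valgrind printed above, not produced by valgrind itself.

```cpp
// Added example (not Mozilla code): a miniature model of how valgrind's memcheck
// decides when to complain. Every tracked bool carries a shadow "defined" bit, the
// way memcheck keeps validity bits (V-bits) for each byte. Copying an undefined
// value only copies the shadow bit and stays silent; branching on it is reported.
// WrapperBuggy / WrapperFixed / ReporterGuard are stand-ins for the bug's
// nsJSObjWrapper and AutoJSExceptionReporter, chosen for this example.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Collects the reports memcheck would print.
struct Memcheck {
    std::vector<std::string> reports;
    void branchOn(bool defined, const char* where) {
        if (!defined) {
            reports.push_back(std::string("Conditional jump or move depends on "
                                          "uninitialised value(s) at ") + where);
        }
    }
};

// A bool plus its shadow bit. The default state models memory fresh from malloc:
// the bytes exist but nothing has written them yet.
struct TrackedBool {
    bool value = false;
    bool defined = false;
    static TrackedBool fromMalloc() { return TrackedBool{}; }
    static TrackedBool init(bool v) { return TrackedBool{v, true}; }
    // The implicit copy constructor copies both fields: an undefined value
    // propagates without any report, exactly as memcheck behaves.
};

// Bug pattern: the wrapper is created through a malloc-based allocate hook and
// nothing writes mDestroyPending before the guard reads it.
struct WrapperBuggy {
    TrackedBool mDestroyPending = TrackedBool::fromMalloc();
};

// Fix pattern: the flag is given a value before anyone can read it.
struct WrapperFixed {
    TrackedBool mDestroyPending = TrackedBool::init(false);
};

// Models the stack guard: copies the flag on construction (silent) and branches
// on the copy in the destructor (reported only if the copy is undefined).
template <class Wrapper>
class ReporterGuard {
public:
    ReporterGuard(Memcheck& mc, Wrapper* w)
        : mMc(mc), mIsDestroyPending(w->mDestroyPending) {}
    ~ReporterGuard() {
        mMc.branchOn(mIsDestroyPending.defined,
                     "~ReporterGuard: if (mIsDestroyPending)");
        if (mIsDestroyPending.defined && mIsDestroyPending.value) {
            // The real code calls mJsapi.ClearException() here.
        }
    }
private:
    Memcheck& mMc;
    TrackedBool mIsDestroyPending;
};

// Runs one wrapper type through the guard and returns how many reports memcheck
// would have emitted: the copy in the constructor never counts, the branch in
// the destructor counts once when the flag was never initialised.
template <class Wrapper>
std::size_t reportsFor() {
    Memcheck mc;
    Wrapper wrapper;
    {
        ReporterGuard<Wrapper> guard(mc, &wrapper);  // copy: no report
    }                                                 // branch: report if undefined
    return mc.reports.size();
}

int main() {
    std::printf("buggy wrapper: %zu report(s)\n", reportsFor<WrapperBuggy>());
    std::printf("fixed wrapper: %zu report(s)\n", reportsFor<WrapperFixed>());
    return 0;
}
```

The model explains why the stack trace above points at the `if` in the destructor rather than at the member initialiser that did the copy. When hunting the real thing, run valgrind with `--track-origins=yes`: that is what produces the "Uninitialised value was created by a heap allocation" section in the report, which here already names the allocation site (nsJSObjWrapper::NP_Allocate) whose constructor path leaves the flag unwritten.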
Reporter
Comment 1 • 10 years ago
Hmm...
I think there is something strange about the file:line indicator.
Maybe I should be looking at nsNPAPIPlugin.cpp:1705 instead?
But that is at
http://mxr.mozilla.org/comm-central/source/mozilla/dom/plugins/base/nsNPAPIPlugin.cpp#1705
1701 NPN_PLUGIN_LOG(PLUGIN_LOG_NOISY,
1702 ("NPN_SetProperty(npp %p, npobj %p, property %p) called\n",
1703 npp, npobj, property));
1704
*1705 return npobj->_class->setProperty(npobj, property, value);
1706 }
1707
TIA
Reporter
Updated • 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE