Uninitialized value usage in JSExceptionReporter: mIsDestroyPending, mDestroyPending.

RESOLVED DUPLICATE of bug 1153173

People

(Reporter: ishikawa, Unassigned)

Tracking

Trunk
x86_64
Linux

Firefox Tracking Flags

(firefox40 affected)

(Reporter)

Description

4 years ago
(I think this is platform-neutral.)


During testing C-C TB under valgrind
I got an uninitialisation report from valgrind.
The usage is from within the JS engine, I think.

The error report.

==20163== Conditional jump or move depends on uninitialised value(s)
==20163==    at 0x90974BC: nsJSObjWrapper::NP_SetProperty(NPObject*, void*, _NPVariant const*) (nsJSNPRuntime.cpp:137)
==20163==    by 0x906815C: mozilla::plugins::parent::_setproperty(_NPP*, NPObject*, void*, _NPVariant const*) (nsNPAPIPlugin.cpp:1705)
==20163==    by 0x90B9801: mozilla::plugins::PluginScriptableObjectParent::AnswerSetProperty(mozilla::plugins::PluginIdentifier const&, mozilla::plugins::Variant const&, bool*) (PluginScriptableObjectParent.cpp:1100)
==20163==    by 0x77C54CF: mozilla::plugins::PPluginScriptableObjectParent::OnCallReceived(IPC::Message const&, IPC::Message*&) (PPluginScriptableObjectParent.cpp:946)
==20163==    by 0x77A22BE: mozilla::plugins::PPluginModuleParent::OnCallReceived(IPC::Message const&, IPC::Message*&) (PPluginModuleParent.cpp:1368)
==20163==    by 0x763B95A: mozilla::ipc::MessageChannel::DispatchInterruptMessage(IPC::Message const&, unsigned long) (MessageChannel.cpp:1315)
==20163==    by 0x7645E62: mozilla::ipc::MessageChannel::Call(IPC::Message*, IPC::Message*) (MessageChannel.cpp:1009)
==20163==    by 0x77DC1FA: mozilla::plugins::PPluginModuleParent::CallSyncNPP_New(mozilla::plugins::PPluginInstanceParent*, short*) (PPluginModuleParent.cpp:337)
==20163==    by 0x90C5702: mozilla::plugins::PluginModuleParent::NPP_NewInternal(char*, _NPP*, unsigned short, nsTArray<nsCString>&, nsTArray<nsCString>&, _NPSavedData*, short*) (PluginModuleParent.cpp:2571)
==20163==    by 0x90C6141: mozilla::plugins::PluginModuleParent::NPP_New(char*, _NPP*, unsigned short, short, char**, char**, _NPSavedData*, short*) (PluginModuleParent.cpp:2505)
==20163==    by 0x9094300: nsNPAPIPluginInstance::Start() (nsNPAPIPluginInstance.cpp:509)
==20163==    by 0x9094513: nsNPAPIPluginInstance::Initialize(nsNPAPIPlugin*, nsPluginInstanceOwner*, nsACString_internal const&) (nsNPAPIPluginInstance.cpp:294)
==20163==    by 0x907958D: nsPluginHost::TrySetUpPluginInstance(nsACString_internal const&, nsIURI*, nsPluginInstanceOwner*) (nsPluginHost.cpp:975)
==20163==    by 0x907A24A: nsPluginHost::SetUpPluginInstance(nsACString_internal const&, nsIURI*, nsPluginInstanceOwner*) (nsPluginHost.cpp:894)
==20163==    by 0x907C764: nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) (nsPluginHost.cpp:826)
==20163==    by 0x80CB8BC: nsObjectLoadingContent::InstantiatePluginInstance(bool) (nsObjectLoadingContent.cpp:793)
==20163==    by 0x80CC32B: nsObjectLoadingContent::SyncStartPluginInstance() (nsObjectLoadingContent.cpp:2851)
==20163==    by 0x80C809E: nsAsyncInstantiateEvent::Run() (nsObjectLoadingContent.cpp:169)
==20163==    by 0x72642CC: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:866)
==20163==    by 0x729A685: NS_ProcessNextEvent(nsIThread*, bool) (nsThreadUtils.cpp:265)
==20163==    by 0x726A7B0: nsThread::Shutdown() (nsThread.cpp:667)
==20163==    by 0x72E9C98: mozilla::net::(anonymous namespace)::PredictorThreadShutdownRunner::Run() (Predictor.cpp:622)
==20163==    by 0x72642CC: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:866)
==20163==    by 0x7278C39: NS_InvokeByIndex (xptcinvoke_x86_64_unix.cpp:176)
==20163==    by 0x7B70634: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:2080)
==20163==    by 0x7B746E3: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1140)
==20163==    by 0x2430634E: ???
==20163==    by 0x238B976F: ???
==20163==    by 0x41F1D20: ???
==20163==    by 0xA8E7ED7: EnterBaseline(JSContext*, js::jit::EnterJitData&) (BaselineJIT.cpp:125)
==20163==    by 0xA8FA57F: js::jit::EnterBaselineMethod(JSContext*, js::RunState&) (BaselineJIT.cpp:156)
==20163==    by 0xA775FA2: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:667)
==20163==    by 0xA776204: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:746)
==20163==    by 0xA777BB1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:783)
==20163==    by 0xAC34AE0: js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (DirectProxyHandler.cpp:77)
==20163==    by 0xAC3B493: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (CrossCompartmentWrapper.cpp:289)
==20163==    by 0xAC46C0A: js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (Proxy.cpp:391)
==20163==    by 0xAC46CEF: js::proxy_Call(JSContext*, unsigned int, JS::Value*) (Proxy.cpp:697)
==20163==    by 0xA784118: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:235)
==20163==    by 0xA7763F8: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:720)
==20163==    by 0xA7702FE: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:2956)
==20163==    by 0xA775C3A: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:677)
==20163==    by 0xA776204: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:746)
==20163==    by 0xA777BB1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:783)
==20163==    by 0xAC34AE0: js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (DirectProxyHandler.cpp:77)
==20163==    by 0xAC3B493: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (CrossCompartmentWrapper.cpp:289)
==20163==    by 0xAC46C0A: js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (Proxy.cpp:391)
==20163==    by 0xAC46CEF: js::proxy_Call(JSContext*, unsigned int, JS::Value*) (Proxy.cpp:697)
==20163==    by 0xA784118: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:235)
==20163==    by 0xA7763F8: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:720)
==20163==  Uninitialised value was created by a heap allocation
==20163==    at 0x4028BFF: malloc (vg_replace_malloc.c:299)
==20163==    by 0x40675B: moz_xmalloc (mozalloc.cpp:83)
==20163==    by 0x9082306: nsJSObjWrapper::NP_Allocate(_NPP*, NPClass*) (mozalloc.h:187)
==20163==    by 0x9066ABD: mozilla::plugins::parent::_createobject(_NPP*, NPClass*) (nsNPAPIPlugin.cpp:1377)
==20163==    by 0x9094CE0: nsJSObjWrapper::GetNewOrUsed(_NPP*, JSContext*, JS::Handle<JSObject*>) (nsJSNPRuntime.cpp:1190)
==20163==    by 0x9069C2B: mozilla::plugins::parent::_getpluginelement(_NPP*) (nsNPAPIPlugin.cpp:1260)
==20163==    by 0x906CE89: mozilla::plugins::parent::_getvalue(_NPP*, NPNVariable, void*) (nsNPAPIPlugin.cpp:2037)
==20163==    by 0x90B7E41: mozilla::plugins::PluginInstanceParent::InternalGetValueForNPObject(NPNVariable, mozilla::plugins::PPluginScriptableObjectParent**, short*) (PluginInstanceParent.cpp:297)
==20163==    by 0x90B7F1D: mozilla::plugins::PluginInstanceParent::AnswerNPN_GetValue_NPNVPluginElementNPObject(mozilla::plugins::PPluginScriptableObjectParent**, short*) (PluginInstanceParent.cpp:332)
==20163==    by 0x77B55D3: mozilla::plugins::PPluginInstanceParent::OnCallReceived(IPC::Message const&, IPC::Message*&) (PPluginInstanceParent.cpp:1610)
==20163==    by 0x77A22BE: mozilla::plugins::PPluginModuleParent::OnCallReceived(IPC::Message const&, IPC::Message*&) (PPluginModuleParent.cpp:1368)
==20163==    by 0x763B95A: mozilla::ipc::MessageChannel::DispatchInterruptMessage(IPC::Message const&, unsigned long) (MessageChannel.cpp:1315)
==20163==    by 0x7645E62: mozilla::ipc::MessageChannel::Call(IPC::Message*, IPC::Message*) (MessageChannel.cpp:1009)
==20163==    by 0x77DC1FA: mozilla::plugins::PPluginModuleParent::CallSyncNPP_New(mozilla::plugins::PPluginInstanceParent*, short*) (PPluginModuleParent.cpp:337)
==20163==    by 0x90C5702: mozilla::plugins::PluginModuleParent::NPP_NewInternal(char*, _NPP*, unsigned short, nsTArray<nsCString>&, nsTArray<nsCString>&, _NPSavedData*, short*) (PluginModuleParent.cpp:2571)
==20163==    by 0x90C6141: mozilla::plugins::PluginModuleParent::NPP_New(char*, _NPP*, unsigned short, short, char**, char**, _NPSavedData*, short*) (PluginModuleParent.cpp:2505)
==20163==    by 0x9094300: nsNPAPIPluginInstance::Start() (nsNPAPIPluginInstance.cpp:509)
==20163==    by 0x9094513: nsNPAPIPluginInstance::Initialize(nsNPAPIPlugin*, nsPluginInstanceOwner*, nsACString_internal const&) (nsNPAPIPluginInstance.cpp:294)
==20163==    by 0x907958D: nsPluginHost::TrySetUpPluginInstance(nsACString_internal const&, nsIURI*, nsPluginInstanceOwner*) (nsPluginHost.cpp:975)
==20163==    by 0x907A24A: nsPluginHost::SetUpPluginInstance(nsACString_internal const&, nsIURI*, nsPluginInstanceOwner*) (nsPluginHost.cpp:894)
==20163==    by 0x907C764: nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) (nsPluginHost.cpp:826)
==20163==    by 0x80CB8BC: nsObjectLoadingContent::InstantiatePluginInstance(bool) (nsObjectLoadingContent.cpp:793)
==20163==    by 0x80CC32B: nsObjectLoadingContent::SyncStartPluginInstance() (nsObjectLoadingContent.cpp:2851)
==20163==    by 0x80C809E: nsAsyncInstantiateEvent::Run() (nsObjectLoadingContent.cpp:169)
==20163==    by 0x72642CC: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:866)
==20163==    by 0x729A685: NS_ProcessNextEvent(nsIThread*, bool) (nsThreadUtils.cpp:265)
==20163==    by 0x726A7B0: nsThread::Shutdown() (nsThread.cpp:667)
==20163==    by 0x72E9C98: mozilla::net::(anonymous namespace)::PredictorThreadShutdownRunner::Run() (Predictor.cpp:622)
==20163==    by 0x72642CC: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:866)
==20163==    by 0x7278C39: NS_InvokeByIndex (xptcinvoke_x86_64_unix.cpp:176)
==20163==    by 0x7B70634: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:2080)
==20163==    by 0x7B746E3: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1140)
==20163==    by 0x2430634E: ???
==20163==    by 0x238B976F: ???
==20163==    by 0x41F1D20: ???
==20163==    by 0xA8E7ED7: EnterBaseline(JSContext*, js::jit::EnterJitData&) (BaselineJIT.cpp:125)
==20163==    by 0xA8FA57F: js::jit::EnterBaselineMethod(JSContext*, js::RunState&) (BaselineJIT.cpp:156)
==20163==    by 0xA775FA2: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:667)
==20163==    by 0xA776204: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:746)
==20163==    by 0xA777BB1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:783)
==20163==    by 0xAC34AE0: js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (DirectProxyHandler.cpp:77)
==20163==    by 0xAC3B493: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (CrossCompartmentWrapper.cpp:289)
==20163==    by 0xAC46C0A: js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (Proxy.cpp:391)
==20163==    by 0xAC46CEF: js::proxy_Call(JSContext*, unsigned int, JS::Value*) (Proxy.cpp:697)
==20163==    by 0xA784118: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:235)
==20163==    by 0xA7763F8: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:720)
==20163==    by 0xA7702FE: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:2956)
==20163==    by 0xA775C3A: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:677)
==20163==    by 0xA776204: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:746)
==20163==    by 0xA777BB1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:783)
==20163==

The line where the error was detected.

mozilla/dom/plugins/base/nsJSNPRuntime.cpp

nsJSNPRuntime.cpp: 137
  ~AutoJSExceptionReporter()
  {
    if (mIsDestroyPending) {     <--- line 137
      mJsapi.ClearException();
    }
  }

So this |mIsDestroyPending|  is not properly initialized?

Searching for this variable, I find this in the same file.

DECLARATION:

class MOZ_STACK_CLASS AutoJSExceptionReporter
{
            ...
protected:
  dom::AutoJSAPI& mJsapi;
  bool mIsDestroyPending;
};


INITIALIZATION: Yes, it is initialized.

    class MOZ_STACK_CLASS AutoJSExceptionReporter
    {
    public:
      AutoJSExceptionReporter(dom::AutoJSAPI& jsapi, nsJSObjWrapper* aWrapper)
        : mJsapi(jsapi)
===>    , mIsDestroyPending(aWrapper->mDestroyPending) 
      {
        jsapi.TakeOwnershipOfErrorReporting();
      }


So this |mIsDestroyPending| has a copy of the value of |aWrapper->mDestroyPending|.

The way valgrind works, this |aWrapper->mDestroyPending| was uninitialized.
Copying of an uninitialized value does not trigger a warning in valgrind.
Only its use for conditional branching or output does.
So the uninitialized value copy from |aWrapper->mDestroyPending| to
|mIsDestroyPending| did not trigger a warning, but only the usage in
|if (mIsDestroyPending)| did.


So we have to look where this mDestroyPending is created and not initialized...

I am busy doing other bug hunting and fixing, and so I wonder if I can leave this
to a knowledgeable JavaScript engine developer?

TIA
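Added example (not code from this bug or from Mozilla's tree): a reduced C++ model of the pattern described above. A heap-allocated wrapper has a bool flag that the buggy allocate/init routine never writes, a stack reporter copies that flag in its initializer list and branches on it later, and the fixed initializer sits next to the buggy one. The names Wrapper, InitBuggy, InitFixed, Allocate, Reporter, FlagByte and FlagIsInitialized, and the poisoning helper, are assumptions made for this example. FlagByte reads the flag's storage through unsigned char so the check is well defined even when the bool was never written; it is the deterministic stand-in for what memcheck tracks.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Stand-ins for the page's nsJSObjWrapper (a heap object produced by an
// NPClass-style allocate callback) and AutoJSExceptionReporter (a stack object
// that copies the wrapper's flag and branches on it when it goes away).
// Names, layout and the Allocate/Init split are assumptions for this example.
struct Wrapper {
    void* mNpp;
    bool  mDestroyPending;
};

// Buggy initializer: sets mNpp but never writes mDestroyPending. malloc does
// not zero memory, so the flag keeps whatever the block's previous user left.
static void InitBuggy(Wrapper* w) { w->mNpp = nullptr; }

// Fixed initializer: every member is written before the object escapes.
static void InitFixed(Wrapper* w) {
    w->mNpp = nullptr;
    w->mDestroyPending = false;
}

// Allocate a Wrapper and run one of the initializers on it. With poison=true
// the block is first filled with 0xAA, which is what glibc's MALLOC_PERTURB_
// does to every allocation; it makes "stale heap contents" reproducible.
static Wrapper* Allocate(void (*init)(Wrapper*), bool poison) {
    Wrapper* w = static_cast<Wrapper*>(std::malloc(sizeof(Wrapper)));
    if (poison) {
        std::memset(w, 0xAA, sizeof(Wrapper));
    }
    init(w);
    return w;
}

class Reporter {
public:
    // Copying an undefined bool is silent under memcheck: the undefined bits
    // are propagated into mIsDestroyPending, but nothing is reported here.
    explicit Reporter(Wrapper* w) : mIsDestroyPending(w->mDestroyPending) {}

    // The branch is where memcheck reports "Conditional jump or move depends
    // on uninitialised value(s)"; with --track-origins=yes it also names the
    // malloc in Allocate() as the origin, as in the report on this page.
    int OnDestroy() const {
        if (mIsDestroyPending) {
            return 1;
        }
        return 0;
    }

private:
    bool mIsDestroyPending;
};

// Read the flag's storage byte through unsigned char, which is well defined
// even when the bool was never written (reading it as a bool would not be).
static unsigned char FlagByte(const Wrapper* w) {
    unsigned char b;
    std::memcpy(&b, &w->mDestroyPending, 1);
    return b;
}

// A bool's object representation must be 0 or 1; anything else means the
// initializer skipped the field.
static bool FlagIsInitialized(const Wrapper* w) {
    unsigned char b = FlagByte(w);
    return b == 0 || b == 1;
}

// Fixed path end to end: allocate, copy into the reporter, branch. Returns 0.
static int FixedPathResult() {
    Wrapper* w = Allocate(InitFixed, /*poison=*/true);
    Reporter r(w);
    int rc = r.OnDestroy();
    std::free(w);
    return rc;
}

int main() {
    // Poisoned allocations: the fixed initializer passes, the buggy one fails.
    Wrapper* fixed = Allocate(InitFixed, true);
    Wrapper* buggy = Allocate(InitBuggy, true);
    std::printf("fixed: byte=0x%02x initialized=%d\n", FlagByte(fixed), FlagIsInitialized(fixed));
    std::printf("buggy: byte=0x%02x initialized=%d\n", FlagByte(buggy), FlagIsInitialized(buggy));
    std::free(fixed);
    std::free(buggy);

    // Unpoisoned buggy path: this is the defect itself. Run under
    //   valgrind --track-origins=yes ./a.out
    // and memcheck reports at the `if` in Reporter::OnDestroy, not at the copy.
    Wrapper* stale = Allocate(InitBuggy, false);
    Reporter r(stale);
    std::printf("buggy OnDestroy returned %d\n", r.OnDestroy());
    std::free(stale);
    return 0;
}
```

Poisoning the block with 0xAA reproduces the stale-heap case without valgrind (glibc does the same for every allocation when MALLOC_PERTURB_ is set in the environment), but memset also makes those bytes "defined" as far as memcheck is concerned, so the poisoned runs and the valgrind run are two separate checks. The valgrind run on the unpoisoned buggy path gives the same shape as the report in the description: the copy in the Reporter constructor is silent, the report lands on the `if` in Reporter::OnDestroy, and with --track-origins=yes the malloc in Allocate is named as the origin. The fix is the same in both cases: write the flag in the allocate/init routine rather than relying on the allocator.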
(Reporter)

Comment 1

4 years ago
Hmm...
I think there is something strange about the file:line indicator.
Maybe I should be looking at
nsNPAPIPlugin.cpp:1705 instead?

But that is at 
 http://mxr.mozilla.org/comm-central/source/mozilla/dom/plugins/base/nsNPAPIPlugin.cpp#1705

 1701   NPN_PLUGIN_LOG(PLUGIN_LOG_NOISY,
 1702                  ("NPN_SetProperty(npp %p, npobj %p, property %p) called\n",
 1703                   npp, npobj, property));
 1704 
*1705   return npobj->_class->setProperty(npobj, property, value);
 1706 }
 1707

TIA
(Reporter)

Updated

3 years ago
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1153173