Closed Bug 1158398 Opened 10 years ago Closed 10 years ago

Uninitialized value usage in JSExceptionReporter: mIsDestroyPending, mDestroyPending.

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1153173
Tracking Status
firefox40 --- affected

People

(Reporter: ishikawa, Unassigned)

Details

(I think this is platform-neutral.)

During testing C-C TB under valgrind I got an uninitialization report from valgrind. The usage is from within JS engine, I think.

The error report.

    ==20163== Conditional jump or move depends on uninitialised value(s)
    ==20163==    at 0x90974BC: nsJSObjWrapper::NP_SetProperty(NPObject*, void*, _NPVariant const*) (nsJSNPRuntime.cpp:137)
    ==20163==    by 0x906815C: mozilla::plugins::parent::_setproperty(_NPP*, NPObject*, void*, _NPVariant const*) (nsNPAPIPlugin.cpp:1705)
    ==20163==    by 0x90B9801: mozilla::plugins::PluginScriptableObjectParent::AnswerSetProperty(mozilla::plugins::PluginIdentifier const&, mozilla::plugins::Variant const&, bool*) (PluginScriptableObjectParent.cpp:1100)
    ==20163==    by 0x77C54CF: mozilla::plugins::PPluginScriptableObjectParent::OnCallReceived(IPC::Message const&, IPC::Message*&) (PPluginScriptableObjectParent.cpp:946)
    ==20163==    by 0x77A22BE: mozilla::plugins::PPluginModuleParent::OnCallReceived(IPC::Message const&, IPC::Message*&) (PPluginModuleParent.cpp:1368)
    ==20163==    by 0x763B95A: mozilla::ipc::MessageChannel::DispatchInterruptMessage(IPC::Message const&, unsigned long) (MessageChannel.cpp:1315)
    ==20163==    by 0x7645E62: mozilla::ipc::MessageChannel::Call(IPC::Message*, IPC::Message*) (MessageChannel.cpp:1009)
    ==20163==    by 0x77DC1FA: mozilla::plugins::PPluginModuleParent::CallSyncNPP_New(mozilla::plugins::PPluginInstanceParent*, short*) (PPluginModuleParent.cpp:337)
    ==20163==    by 0x90C5702: mozilla::plugins::PluginModuleParent::NPP_NewInternal(char*, _NPP*, unsigned short, nsTArray<nsCString>&, nsTArray<nsCString>&, _NPSavedData*, short*) (PluginModuleParent.cpp:2571)
    ==20163==    by 0x90C6141: mozilla::plugins::PluginModuleParent::NPP_New(char*, _NPP*, unsigned short, short, char**, char**, _NPSavedData*, short*) (PluginModuleParent.cpp:2505)
    ==20163==    by 0x9094300: nsNPAPIPluginInstance::Start() (nsNPAPIPluginInstance.cpp:509)
    ==20163==    by 0x9094513: nsNPAPIPluginInstance::Initialize(nsNPAPIPlugin*, nsPluginInstanceOwner*, nsACString_internal const&) (nsNPAPIPluginInstance.cpp:294)
    ==20163==    by 0x907958D: nsPluginHost::TrySetUpPluginInstance(nsACString_internal const&, nsIURI*, nsPluginInstanceOwner*) (nsPluginHost.cpp:975)
    ==20163==    by 0x907A24A: nsPluginHost::SetUpPluginInstance(nsACString_internal const&, nsIURI*, nsPluginInstanceOwner*) (nsPluginHost.cpp:894)
    ==20163==    by 0x907C764: nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) (nsPluginHost.cpp:826)
    ==20163==    by 0x80CB8BC: nsObjectLoadingContent::InstantiatePluginInstance(bool) (nsObjectLoadingContent.cpp:793)
    ==20163==    by 0x80CC32B: nsObjectLoadingContent::SyncStartPluginInstance() (nsObjectLoadingContent.cpp:2851)
    ==20163==    by 0x80C809E: nsAsyncInstantiateEvent::Run() (nsObjectLoadingContent.cpp:169)
    ==20163==    by 0x72642CC: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:866)
    ==20163==    by 0x729A685: NS_ProcessNextEvent(nsIThread*, bool) (nsThreadUtils.cpp:265)
    ==20163==    by 0x726A7B0: nsThread::Shutdown() (nsThread.cpp:667)
    ==20163==    by 0x72E9C98: mozilla::net::(anonymous namespace)::PredictorThreadShutdownRunner::Run() (Predictor.cpp:622)
    ==20163==    by 0x72642CC: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:866)
    ==20163==    by 0x7278C39: NS_InvokeByIndex (xptcinvoke_x86_64_unix.cpp:176)
    ==20163==    by 0x7B70634: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:2080)
    ==20163==    by 0x7B746E3: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1140)
    ==20163==    by 0x2430634E: ???
    ==20163==    by 0x238B976F: ???
    ==20163==    by 0x41F1D20: ???
    ==20163==    by 0xA8E7ED7: EnterBaseline(JSContext*, js::jit::EnterJitData&) (BaselineJIT.cpp:125)
    ==20163==    by 0xA8FA57F: js::jit::EnterBaselineMethod(JSContext*, js::RunState&) (BaselineJIT.cpp:156)
    ==20163==    by 0xA775FA2: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:667)
    ==20163==    by 0xA776204: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:746)
    ==20163==    by 0xA777BB1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:783)
    ==20163==    by 0xAC34AE0: js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (DirectProxyHandler.cpp:77)
    ==20163==    by 0xAC3B493: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (CrossCompartmentWrapper.cpp:289)
    ==20163==    by 0xAC46C0A: js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (Proxy.cpp:391)
    ==20163==    by 0xAC46CEF: js::proxy_Call(JSContext*, unsigned int, JS::Value*) (Proxy.cpp:697)
    ==20163==    by 0xA784118: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:235)
    ==20163==    by 0xA7763F8: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:720)
    ==20163==    by 0xA7702FE: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:2956)
    ==20163==    by 0xA775C3A: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:677)
    ==20163==    by 0xA776204: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:746)
    ==20163==    by 0xA777BB1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:783)
    ==20163==    by 0xAC34AE0: js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (DirectProxyHandler.cpp:77)
    ==20163==    by 0xAC3B493: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (CrossCompartmentWrapper.cpp:289)
    ==20163==    by 0xAC46C0A: js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (Proxy.cpp:391)
    ==20163==    by 0xAC46CEF: js::proxy_Call(JSContext*, unsigned int, JS::Value*) (Proxy.cpp:697)
    ==20163==    by 0xA784118: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:235)
    ==20163==    by 0xA7763F8: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:720)
    ==20163==  Uninitialised value was created by a heap allocation
    ==20163==    at 0x4028BFF: malloc (vg_replace_malloc.c:299)
    ==20163==    by 0x40675B: moz_xmalloc (mozalloc.cpp:83)
    ==20163==    by 0x9082306: nsJSObjWrapper::NP_Allocate(_NPP*, NPClass*) (mozalloc.h:187)
    ==20163==    by 0x9066ABD: mozilla::plugins::parent::_createobject(_NPP*, NPClass*) (nsNPAPIPlugin.cpp:1377)
    ==20163==    by 0x9094CE0: nsJSObjWrapper::GetNewOrUsed(_NPP*, JSContext*, JS::Handle<JSObject*>) (nsJSNPRuntime.cpp:1190)
    ==20163==    by 0x9069C2B: mozilla::plugins::parent::_getpluginelement(_NPP*) (nsNPAPIPlugin.cpp:1260)
    ==20163==    by 0x906CE89: mozilla::plugins::parent::_getvalue(_NPP*, NPNVariable, void*) (nsNPAPIPlugin.cpp:2037)
    ==20163==    by 0x90B7E41: mozilla::plugins::PluginInstanceParent::InternalGetValueForNPObject(NPNVariable, mozilla::plugins::PPluginScriptableObjectParent**, short*) (PluginInstanceParent.cpp:297)
    ==20163==    by 0x90B7F1D: mozilla::plugins::PluginInstanceParent::AnswerNPN_GetValue_NPNVPluginElementNPObject(mozilla::plugins::PPluginScriptableObjectParent**, short*) (PluginInstanceParent.cpp:332)
    ==20163==    by 0x77B55D3: mozilla::plugins::PPluginInstanceParent::OnCallReceived(IPC::Message const&, IPC::Message*&) (PPluginInstanceParent.cpp:1610)
    ==20163==    by 0x77A22BE: mozilla::plugins::PPluginModuleParent::OnCallReceived(IPC::Message const&, IPC::Message*&) (PPluginModuleParent.cpp:1368)
    ==20163==    by 0x763B95A: mozilla::ipc::MessageChannel::DispatchInterruptMessage(IPC::Message const&, unsigned long) (MessageChannel.cpp:1315)
    ==20163==    by 0x7645E62: mozilla::ipc::MessageChannel::Call(IPC::Message*, IPC::Message*) (MessageChannel.cpp:1009)
    ==20163==    by 0x77DC1FA: mozilla::plugins::PPluginModuleParent::CallSyncNPP_New(mozilla::plugins::PPluginInstanceParent*, short*) (PPluginModuleParent.cpp:337)
    ==20163==    by 0x90C5702: mozilla::plugins::PluginModuleParent::NPP_NewInternal(char*, _NPP*, unsigned short, nsTArray<nsCString>&, nsTArray<nsCString>&, _NPSavedData*, short*) (PluginModuleParent.cpp:2571)
    ==20163==    by 0x90C6141: mozilla::plugins::PluginModuleParent::NPP_New(char*, _NPP*, unsigned short, short, char**, char**, _NPSavedData*, short*) (PluginModuleParent.cpp:2505)
    ==20163==    by 0x9094300: nsNPAPIPluginInstance::Start() (nsNPAPIPluginInstance.cpp:509)
    ==20163==    by 0x9094513: nsNPAPIPluginInstance::Initialize(nsNPAPIPlugin*, nsPluginInstanceOwner*, nsACString_internal const&) (nsNPAPIPluginInstance.cpp:294)
    ==20163==    by 0x907958D: nsPluginHost::TrySetUpPluginInstance(nsACString_internal const&, nsIURI*, nsPluginInstanceOwner*) (nsPluginHost.cpp:975)
    ==20163==    by 0x907A24A: nsPluginHost::SetUpPluginInstance(nsACString_internal const&, nsIURI*, nsPluginInstanceOwner*) (nsPluginHost.cpp:894)
    ==20163==    by 0x907C764: nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) (nsPluginHost.cpp:826)
    ==20163==    by 0x80CB8BC: nsObjectLoadingContent::InstantiatePluginInstance(bool) (nsObjectLoadingContent.cpp:793)
    ==20163==    by 0x80CC32B: nsObjectLoadingContent::SyncStartPluginInstance() (nsObjectLoadingContent.cpp:2851)
    ==20163==    by 0x80C809E: nsAsyncInstantiateEvent::Run() (nsObjectLoadingContent.cpp:169)
    ==20163==    by 0x72642CC: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:866)
    ==20163==    by 0x729A685: NS_ProcessNextEvent(nsIThread*, bool) (nsThreadUtils.cpp:265)
    ==20163==    by 0x726A7B0: nsThread::Shutdown() (nsThread.cpp:667)
    ==20163==    by 0x72E9C98: mozilla::net::(anonymous namespace)::PredictorThreadShutdownRunner::Run() (Predictor.cpp:622)
    ==20163==    by 0x72642CC: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:866)
    ==20163==    by 0x7278C39: NS_InvokeByIndex (xptcinvoke_x86_64_unix.cpp:176)
    ==20163==    by 0x7B70634: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:2080)
    ==20163==    by 0x7B746E3: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1140)
    ==20163==    by 0x2430634E: ???
    ==20163==    by 0x238B976F: ???
    ==20163==    by 0x41F1D20: ???
    ==20163==    by 0xA8E7ED7: EnterBaseline(JSContext*, js::jit::EnterJitData&) (BaselineJIT.cpp:125)
    ==20163==    by 0xA8FA57F: js::jit::EnterBaselineMethod(JSContext*, js::RunState&) (BaselineJIT.cpp:156)
    ==20163==    by 0xA775FA2: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:667)
    ==20163==    by 0xA776204: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:746)
    ==20163==    by 0xA777BB1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:783)
    ==20163==    by 0xAC34AE0: js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (DirectProxyHandler.cpp:77)
    ==20163==    by 0xAC3B493: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (CrossCompartmentWrapper.cpp:289)
    ==20163==    by 0xAC46C0A: js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (Proxy.cpp:391)
    ==20163==    by 0xAC46CEF: js::proxy_Call(JSContext*, unsigned int, JS::Value*) (Proxy.cpp:697)
    ==20163==    by 0xA784118: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:235)
    ==20163==    by 0xA7763F8: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:720)
    ==20163==    by 0xA7702FE: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:2956)
    ==20163==    by 0xA775C3A: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:677)
    ==20163==    by 0xA776204: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:746)
    ==20163==    by 0xA777BB1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:783)

The line where the error was detected.

mozilla/dom/plugins/base/nsJSNPRuntime.cpp

nsJSNPRuntime.cpp: 137

      ~AutoJSExceptionReporter()
      {
        if (mIsDestroyPending) {        <--- line 137
          mJsapi.ClearException();
        }
      }

So this |mIsDestroyPending| is not properly initialized?

Searching for this variable, I find this in the same file.

DECLARATION:

    class MOZ_STACK_CLASS AutoJSExceptionReporter
    {
      ...
    protected:
      dom::AutoJSAPI& mJsapi;
      bool mIsDestroyPending;
    };

INITIALIZATION: Yes, it is initialized.

    class MOZ_STACK_CLASS AutoJSExceptionReporter
    {
    public:
      AutoJSExceptionReporter(dom::AutoJSAPI& jsapi, nsJSObjWrapper* aWrapper)
        : mJsapi(jsapi)
    ===>  , mIsDestroyPending(aWrapper->mDestroyPending)
      {
        jsapi.TakeOwnershipOfErrorReporting();
      }

So this |mIsDestroyPending| has a copy of the value of |aWrapper->mDestroyPending|.

The way valgrind works, this |aWrapper->mDestroyPending| was uninitialized. Copying of an uninitialized value does not trigger a warning in valgrind. Only its use for conditional branching or output does.

So the uninitialized value copy from |aWrapper->mDestroyPending| to |mIsDestroyPending| did not trigger a warning, but only the usage in |if (mIsDestroyPending)| did.

So we have to look where this mDestroyPending is created and not initialized...

I am busy doing other bug hunting and fixing, and so I wonder if I can leave this to a knowledgeable JavaScript engine developer?

TIA
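The report's allocation stack ends in malloc via moz_xmalloc inside NP_Allocate, and the comment above explains why valgrind stays silent at the copy in the constructor and only speaks up at the branch in the destructor. The following is an added, self-contained C++ illustration of that failure mode and of the defensive pattern that closes it; it is not Mozilla code and does not claim to be the fix that resolved the duplicate bug. The names Wrapper, ScopedReporter, poisoned_malloc, allocate_buggy and allocate_fixed are assumed for the example. A poisoning allocator fills fresh memory with 0xAA so the uninitialized flag is visible deterministically instead of "usually happening to be zero"; the buggy hook hands back raw malloc memory without running any constructor, while the hardened hook runs the constructor on that same storage with placement new, so the flag is defined before the object escapes.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <new>

// Constructed stand-in for an NPObject-style wrapper handed out by a C-style
// allocation hook.  The flag is initialized only if a constructor runs.
struct Wrapper {
  bool mDestroyPending = false;
  int  mRefCnt = 1;
};

// Debug allocator (assumed helper): poison fresh memory with 0xAA so that an
// uninitialized read is deterministic and visible.
static void* poisoned_malloc(std::size_t n) {
  void* p = std::malloc(n);
  if (p) std::memset(p, 0xAA, n);
  return p;
}

// BUGGY hook: raw allocation only.  No constructor runs, so the in-class
// initializers are skipped and mDestroyPending holds whatever the heap held.
static Wrapper* allocate_buggy() {
  return static_cast<Wrapper*>(poisoned_malloc(sizeof(Wrapper)));
}

// HARDENED hook: placement new runs the constructor on the same raw storage,
// so every member is defined before the object is returned to callers.
static Wrapper* allocate_fixed() {
  void* raw = poisoned_malloc(sizeof(Wrapper));
  return raw ? new (raw) Wrapper() : nullptr;
}

// Wrapper is trivially destructible, so freeing the storage is enough.
static void release(Wrapper* w) { std::free(w); }

// Inspect the flag's object representation as a byte.  Reading the byte is
// well-defined even when its value is garbage; branching on it is not.
static unsigned raw_flag_byte(const Wrapper* w) {
  unsigned char b = 0;
  std::memcpy(&b, &w->mDestroyPending, 1);
  return b;
}

// RAII helper in the shape of AutoJSExceptionReporter: the constructor copies
// the flag (a copy valgrind tracks silently) and the destructor branches on it
// (the point where valgrind reports, as at nsJSNPRuntime.cpp:137).
class ScopedReporter {
 public:
  explicit ScopedReporter(const Wrapper* w)
    : mIsDestroyPending(w->mDestroyPending) {}
  ~ScopedReporter() {
    if (mIsDestroyPending) ++sCleared;   // stands in for mJsapi.ClearException()
  }
  static int cleared() { return sCleared; }
 private:
  bool mIsDestroyPending;
  static int sCleared;
};
int ScopedReporter::sCleared = 0;

// Drive the hardened path: the flag is false right after construction, so the
// destructor does nothing; after a deliberate set it fires exactly once.
static int run_fixed_path() {
  Wrapper* w = allocate_fixed();
  { ScopedReporter r(w); }          // flag is false: no clear
  w->mDestroyPending = true;
  { ScopedReporter r(w); }          // flag is true: one clear
  release(w);
  return ScopedReporter::cleared();
}

int main() {
  Wrapper* b = allocate_buggy();
  unsigned garbage = raw_flag_byte(b);   // 0xAA: nothing initialized it
  release(b);
  Wrapper* f = allocate_fixed();
  unsigned defined = raw_flag_byte(f);   // 0x00: the constructor ran
  release(f);
  return (garbage == 0xAA && defined == 0 && run_fixed_path() == 1) ? 0 : 1;
}
```

The example never branches on the poisoned flag itself, because that is exactly the undefined behaviour the report is about; it only inspects the byte. Under valgrind the buggy hook plus ScopedReporter would produce the same shape of report as the one above: silence at the copy in the constructor, a "Conditional jump or move depends on uninitialised value(s)" at the if in the destructor, and an allocation stack ending in malloc.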
Hmm... I think there is something strange about the file:line indicator. Maybe I should be looking at nsNPAPIPlugin.cpp:1705 instead?

But that is at http://mxr.mozilla.org/comm-central/source/mozilla/dom/plugins/base/nsNPAPIPlugin.cpp#1705

    1701   NPN_PLUGIN_LOG(PLUGIN_LOG_NOISY,
    1702                  ("NPN_SetProperty(npp %p, npobj %p, property %p) called\n",
    1703                   npp, npobj, property));
    1704
    *1705   return npobj->_class->setProperty(npobj, property, value);
    1706 }
    1707

TIA
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE