Closed Bug 1213711 Opened 10 years ago Closed 10 years ago

Conditional jump or move depends on uninitialised value(s) in nsDisplayTransform::GetBounds

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
firefox42 --- unaffected
firefox43 --- unaffected
firefox44 --- unaffected
firefox45 --- unaffected
firefox46 --- fixed
b2g-v2.5 --- unaffected
b2g-master --- fixed

People

(Reporter: bc, Assigned: n.nethercote)

References

Details

(Keywords: valgrind)

Attachments

(3 files)

full valgrind error
2.22 KB, text/plain
Details
logfile.2015-10-15-2.txt
31.99 KB, text/plain
Details
Initialize Preserves3DContext::mAccumulatedRectLevels
1.13 KB, patch
sinker
: review+
Details | Diff | Splinter Review
Attached file full valgrind error
While running reftests under a recent svn trunk build of valgrind on Fedora 22 I found one instance of Conditional jump or move depends on uninitialised value(s) at nsDisplayTransform::GetBounds(nsDisplayListBuilder*, bool*) vncserver :1 vncviewer :1 (DISPLAY=:1.0 make -C firefox-debug reftest EXTRA_TEST_ARGS='--timeout=86400 --debugger=/usr/local/bin/valgrind --debugger-args=" --fair-sched=yes --smc-check=all-non-file --soname-synonyms=somalloc=NONE --vex-iropt-register-updates=allregs-at-mem-access --partial-loads-ok=yes --error-limit=no --trace-children=yes --child-silent-after-fork=yes --trace-children-skip=/usr/bin/hg,/bin/rm,*/bin/certutil,*/bin/pk12util,*/bin/ssltunnel,*/bin/uname,*/bin/which,*/bin/ps,*/bin/grep,*/bin/java --tool=memcheck --stats=yes --read-inline-info=yes --fullpath-after=/mozilla/builds/nightly/mozilla"' ) 2>&1 | tee logfile
Group: core-security → layout-core-security
Bob, if you still have the logfile can you determine which reftest triggered the error? Even narrowing it down to a directory would be useful. If you can re-run with Valgrind's --track-origins=yes option that would be also useful. It'll run slower but give more information in the error report. Thank you.
Flags: needinfo?(bob)
It is in the attachment REFTEST TEST-START | file:///mozilla/builds/nightly/mozilla/layout/reftests/bugs/1081185-1.html REFTEST TEST-LOAD | file:///mozilla/builds/nightly/mozilla/layout/reftests/bugs/1081185-1.html I'll see about re-running a more limited set.
What revision of mozilla-central were you testing against? nsDisplayList.cpp changes pretty frequently, and it would be useful to know what's on line 5562.
http://hg.mozilla.org/mozilla-central/rev/2387ada86428 if (mFrame->Combines3DTransformWithAncestors()) { ==> if (!mFrame->Extend3DContext() && !aBuilder->GetAccumulatedRectLevels()) { // For preserve-3d, only leaf frames and frames start // preserve-3d chain have non-empty bounds. return rect; }
(In reply to Bob Clary [:bc:] from comment #4) I pulled the revision from the wrong log. It should have been http://hg.mozilla.org/mozilla-central/rev/23b7f289df92 pulled at 2015-10-09 06:08:01 -0700 I'm rebuilding now and will give complete answers shortly.
http://hg.mozilla.org/mozilla-central/rev/e193b4da0a8c1025aa76a403c64663ff1cd41709 TEST_PATH=layout/reftests/bugs/1081185-1.html (DISPLAY=:1.0 make -C firefox-debug reftest EXTRA_TEST_ARGS=' --suite=reftest --timeout=86400 --debugger=/usr/local/bin/valgrind --debugger-args=" --track-origins=yes --fair-sched=yes --smc-check=all-non-file --soname-synonyms=somalloc=NONE --vex-iropt-register-updates=allregs-at-mem-access --partial-loads-ok=yes --error-limit=no --trace-children=yes --child-silent-after-fork=yes --trace-children-skip=/usr/bin/hg,/bin/rm,*/bin/certutil,*/bin/pk12util,*/bin/ssltunnel,*/bin/uname,*/bin/which,*/bin/ps,*/bin/grep,*/bin/java --tool=memcheck --stats=yes --read-inline-info=yes --fullpath-after=/mozilla/builds/nightly/mozilla"' ) 2>&1 | tee logfile.2015-10-15-2.txt ==25350== Conditional jump or move depends on uninitialised value(s) ==25350== at 0x9B83E00: nsDisplayTransform::GetBounds(nsDisplayListBuilder*, bool*) (/layout/base/nsDisplayList.cpp:5573) if (mFrame->Combines3DTransformWithAncestors()) { ==> if (!mFrame->Extend3DContext() && !aBuilder->GetAccumulatedRectLevels()) { // For preserve-3d, only leaf frames and frames start // preserve-3d chain have non-empty bounds. return rect; } ==25350== Conditional jump or move depends on uninitialised value(s) ==25350== at 0xAE598A6: js::Fprinter::~Fprinter() (/js/src/vm/Printer.cpp:399) Fprinter::~Fprinter() { ==> MOZ_ASSERT_IF(init_, !file_); }
Flags: needinfo?(bob)
> if (mFrame->Combines3DTransformWithAncestors()) { > ==> if (!mFrame->Extend3DContext() && > !aBuilder->GetAccumulatedRectLevels()) { I did some digging with the VALGRIND_CHECK_VALUE_IS_DEFINED macro from <valgrind/memcheck.h> and determined that it's the aBuilder->GetAccumulatedRectLevels() call that's the problem.
This patch is enough to satisfy Valgrind.
Attachment #8674705 - Flags: review?(tlee)
Assignee: nobody → n.nethercote
Status: NEW → ASSIGNED
Comment on attachment 8674705 [details] [diff] [review] Initialize Preserves3DContext::mAccumulatedRectLevels Thanks!
Attachment #8674705 - Flags: review?(tlee) → review+
I think this doesn't need to be security sensitive. The code that introduced the problem (bug 1097464) hasn't made it to any other channels and I think this will only cause visual problems.
Blocks: 1097464
Group: layout-core-security
https://hg.mozilla.org/mozilla-central/rev/732305d424f4
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox44: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Backed out from Aurora44 so that bug 1097464 could be backed out cleanly. It remains fixed on Fx45+ where bug 1097464 is still landed. https://hg.mozilla.org/releases/mozilla-aurora/rev/59717b623c8f
status-firefox43: --- → unaffected
status-firefox44: fixedunaffected
status-firefox45: --- → fixed
Blocks: 1240783
This along with the change that caused this regression were backed out from Firefox 45. https://hg.mozilla.org/releases/mozilla-aurora/rev/64ec448f156d
status-firefox45: fixedunaffected
status-firefox46: --- → fixed
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: