Closed Bug 295116 Opened 19 years ago Closed 19 years ago

variable pn2->pn_slot can be read while uninitialised

Categories: Core :: JavaScript Engine, defect, P1
Tracking: RESOLVED FIXED, mozilla1.8beta2
People: Reporter: ferdinandw+bmo, Assigned: brendan
Details: Keywords: js1.5
Attachments: 1 file

I ran firefox through valgrind, and I saw a lot of these come up:

==5433== Conditional jump or move depends on uninitialised value(s)
==5433==    at 0x1BCBDA22: js_EmitTree (jsemit.c:4081)
==5433==    by 0x1BCBD044: js_EmitTree (jsemit.c:3891)
==5433==    by 0x1BCBA568: js_EmitTree (jsemit.c:3009)
==5433==    by 0x1BD0DA74: Statements (jsparse.c:1056)
==5433==    by 0x1BD0C85A: FunctionBody (jsparse.c:656)

The traces varied slightly, but just running firefox in gdb with a
break at jsemit.c:4081 with display pn2->pn_u.name.slot will show
some interesting values (some of the time). It only seems to happen
at this particular if. CC'ing Brendan based on lxr blame.
Regression introduced by fix for bug 155081.

/be
Assignee: general → brendan
Flags: blocking1.8b2+
Keywords: js1.5
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta2
Attached patch: fix
cvs diff -r3.1{09,10} jsemit.c and look for DOT: to see the regression. I will
check this in soon, with imputed r=shaver.

/be
Attachment #184254 - Flags: review?(shaver)
Attachment #184254 - Flags: approval1.8b2+
Ferdinand, thanks very much for catching this.

/be
Status: NEW → ASSIGNED
Fixed.

/be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: testcase-
