Closed Bug 558250 Opened 15 years ago Closed 15 years ago

Valgrind reports "Conditional jump or move depends on uninitialised value(s)" in nsSVGElement::GetAnimatedLengthValues

Categories

(Core :: SVG, defect)

x86
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 547964

People

(Reporter: ehsan.akhgari, Unassigned)

Details

(Whiteboard: [sg:dupe 547964])

I got this while running a set of mochitests under Valgrind:

4281 INFO Running /tests/dom/tests/mochitest/general/test_offsets.xul...
4282 INFO Error: Unable to restore focus, expect failures and timeouts.
==27032== Thread 1:
==27032== Conditional jump or move depends on uninitialised value(s)
==27032==    at 0x5C5E921: nsSVGElement::GetAnimatedLengthValues(float*, ...) (nsSVGElement.cpp:1407)
==27032==    by 0x5CA0182: nsSVGRectElement::ConstructPath(gfxContext*) (nsSVGRectElement.cpp:176)
==27032==    by 0x5C4C193: nsSVGPathGeometryFrame::GeneratePath(gfxContext*, gfxMatrix const*) (nsSVGPathGeometryFrame.cpp:505)
==27032==    by 0x5C4C8A2: nsSVGPathGeometryFrame::UpdateCoveredRegion() (nsSVGPathGeometryFrame.cpp:254)
==27032==    by 0x5C4BA70: nsSVGOuterSVGFrame::UpdateAndInvalidateCoveredRegion(nsIFrame*) (nsSVGOuterSVGFrame.cpp:640)
==27032==    by 0x5C52433: nsSVGUtils::UpdateGraphic(nsISVGChildFrame*) (nsSVGUtils.cpp:684)
==27032==    by 0x5C4C34A: nsSVGPathGeometryFrame::NotifyRedrawUnsuspended() (nsSVGPathGeometryFrame.cpp:335)
==27032==    by 0x5C4B97E: nsSVGOuterSVGFrame::UnsuspendRedraw() (nsSVGOuterSVGFrame.cpp:694)
==27032==    by 0x5C4B8F3: nsSVGOuterSVGFrame::DidReflow(nsPresContext*, nsHTMLReflowState const*, int) (nsSVGOuterSVGFrame.cpp:402)
==27032==    by 0x57AD8B8: nsContainerFrame::FinishReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowState const*, nsHTMLReflowMetrics const&, int, int, unsigned int) (nsContainerFrame.cpp:850)
==27032==    by 0x57B3333: nsFrame::BoxReflow(nsBoxLayoutState&, nsPresContext*, nsHTMLReflowMetrics&, nsIRenderingContext*, int, int, int, int, int) (nsFrame.cpp:6523)
==27032==    by 0x57B54D7: nsFrame::RefreshSizeCache(nsBoxLayoutState&) (nsFrame.cpp:6087)
==27032==    by 0x57B58BA: nsFrame::GetPrefSize(nsBoxLayoutState&) (nsFrame.cpp:6171)
==27032==    by 0x58B9846: nsSprocketLayout::GetPrefSize(nsIFrame*, nsBoxLayoutState&) (nsSprocketLayout.cpp:1366)
==27032==    by 0x58B7334: nsBoxFrame::GetPrefSize(nsBoxLayoutState&) (nsBoxFrame.cpp:808)
==27032==    by 0x58BA1F4: nsSprocketLayout::PopulateBoxSizes(nsIFrame*, nsBoxLayoutState&, nsBoxSize*&, int&, int&, int&) (nsSprocketLayout.cpp:783)
==27032==    by 0x58BA619: nsSprocketLayout::Layout(nsIFrame*, nsBoxLayoutState&) (nsSprocketLayout.cpp:247)
==27032==    by 0x58B6EC9: nsBoxFrame::DoLayout(nsBoxLayoutState&) (nsBoxFrame.cpp:951)
==27032==    by 0x58B5F2F: nsIFrame::Layout(nsBoxLayoutState&) (nsBox.cpp:566)
==27032==    by 0x58BBF94: nsStackLayout::Layout(nsIFrame*, nsBoxLayoutState&) (nsStackLayout.cpp:342)
==27032==    by 0x58B6EC9: nsBoxFrame::DoLayout(nsBoxLayoutState&) (nsBoxFrame.cpp:951)
==27032==    by 0x58B5F2F: nsIFrame::Layout(nsBoxLayoutState&) (nsBox.cpp:566)
==27032==    by 0x58B7E51: nsBoxFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (nsBoxFrame.cpp:748)
==27032==    by 0x58B43A2: nsRootBoxFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (nsRootBoxFrame.cpp:236)
==27032==    by 0x57AE2EC: nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) (nsContainerFrame.cpp:736)
==27032==    by 0x5805601: ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (nsViewportFrame.cpp:285)
==27032==    by 0x5790D93: PresShell::DoReflow(nsIFrame*, int) (nsPresShell.cpp:7182)
==27032==    by 0x57910B5: PresShell::ProcessReflowCommands(int) (nsPresShell.cpp:7315)
==27032==    by 0x5791326: PresShell::FlushPendingNotifications(mozFlushType) (nsPresShell.cpp:4646)
==27032==    by 0x591A568: nsDocument::FlushPendingNotifications(mozFlushType) (nsDocument.cpp:6356)
==27032==    by 0x5D461E6: nsDocLoader::DocLoaderIsEmpty(int) (nsDocLoader.cpp:756)
==27032==    by 0x5D462C6: nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (nsDocLoader.cpp:697)
==27032==    by 0x56206ED: nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, unsigned int) (nsLoadGroup.cpp:680)
==27032==    by 0x591ABE9: nsDocument::DoUnblockOnload() (nsDocument.cpp:7109)
==27032==    by 0x591AC51: nsDocument::UnblockOnload(int) (nsDocument.cpp:7056)
==27032==    by 0x5A7CA4E: nsBindingManager::DoProcessAttachedQueue() (nsBindingManager.cpp:996)
==27032==    by 0x5A7D5CA: nsRunnableMethod<nsBindingManager, void>::Run() (nsThreadUtils.h:282)
==27032==    by 0x6078FCA: nsThread::ProcessNextEvent(int, int*) (nsThread.cpp:527)
==27032==    by 0x6042669: NS_ProcessNextEvent_P(nsIThread*, int) (nsThreadUtils.cpp:250)
==27032==    by 0x5FDEF90: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (MessagePump.cpp:118)
==27032==    by 0x60BFB98: MessageLoop::RunInternal() (message_loop.cc:216)
==27032==    by 0x60BFBA4: MessageLoop::RunHandler() (message_loop.cc:199)
==27032==    by 0x60BFC13: MessageLoop::Run() (message_loop.cc:173)
==27032==    by 0x5F1F577: nsBaseAppShell::Run() (nsBaseAppShell.cpp:174)
==27032==    by 0x5DABEC4: nsAppStartup::Run() (nsAppStartup.cpp:182)
==27032==    by 0x5552D1A: XRE_main (nsAppRunner.cpp:3545)
==27032==    by 0x400F5E: main (nsBrowserApp.cpp:158)

Reading the code, I don't quite get what this means. As far as I can see, there are no uninitialized values being used here. I even went to make sure that the var arg list contains the correct number of elements, and it seems that it does (it's 6, and the call is being made from http://mxr.mozilla.org/mozilla-central/source/content/svg/content/src/nsSVGRectElement.cpp#176). I'm filing this anyway so that folks who know more about this code can follow up on this. I'm filing this as a security bug for now, since if we're really using an uninitialized value here, there is the potential of a security risk.
I saw this on Linux, BTW.
OS: Mac OS X → Linux
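A small C example added here to illustrate the pattern the report points at: a variadic routine that fills a list of float outputs and walks its arguments until a sentinel, beside an explicit-count variant that does not depend on the caller supplying a terminator. This is not Mozilla code and does not reproduce nsSVGElement::GetAnimatedLengthValues, whose body this page does not show; every name in it (svg_lengths, fill_lengths_sentinel, fill_lengths_counted, demo_sum, demo_counted) and every value is invented for the example.

```c
/* Added example (not Mozilla code): sentinel-terminated vs. explicit-count
 * variadic output filling.  All names and values below are constructed. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_LENGTHS 6   /* constructed: x, y, width, height, rx, ry */

/* Constructed stand-in for an element's stored animated lengths. */
typedef struct {
    float values[NUM_LENGTHS];
} svg_lengths;

/* Sentinel-terminated: consumes float* arguments until it reads NULL.
 * A caller that forgets the terminator, or passes a plain 0 (a 4-byte int
 * where the callee reads an 8-byte pointer on 64-bit), makes va_arg pick up
 * bytes that were never written, which is exactly what memcheck flags as a
 * conditional depending on an uninitialised value.  Returns the number of
 * outputs written and never reads more than NUM_LENGTHS pointers. */
static int fill_lengths_sentinel(const svg_lengths *src, float *first, ...)
{
    va_list ap;
    int i = 0;
    float *out = first;
    va_start(ap, first);
    while (out != NULL && i < NUM_LENGTHS) {
        *out = src->values[i++];
        out = va_arg(ap, float *);
    }
    va_end(ap);
    return i;
}

/* Explicit-count variant: the caller states how many outputs follow, so the
 * callee never trusts a terminator that may be missing.  Returns -1 on a
 * bad count or a NULL output pointer instead of writing through it. */
static int fill_lengths_counted(const svg_lengths *src, int count, ...)
{
    va_list ap;
    int i;
    if (count < 0 || count > NUM_LENGTHS)
        return -1;
    va_start(ap, count);
    for (i = 0; i < count; i++) {
        float *out = va_arg(ap, float *);
        if (out == NULL) {
            va_end(ap);
            return -1;
        }
        *out = src->values[i];
    }
    va_end(ap);
    return count;
}

/* Drives the sentinel variant on a constructed rect.  Returns the sum of the
 * six filled outputs (188.0 here), or -1 if fewer than six were written. */
static float demo_sum(void)
{
    svg_lengths rect = { { 10.0f, 20.0f, 100.0f, 50.0f, 4.0f, 4.0f } };
    float x = -1, y = -1, w = -1, h = -1, rx = -1, ry = -1;
    /* The terminator is cast so it is passed with pointer width. */
    int n = fill_lengths_sentinel(&rect, &x, &y, &w, &h, &rx, &ry, (float *)NULL);
    if (n != NUM_LENGTHS)
        return -1.0f;
    return x + y + w + h + rx + ry;
}

/* Exercises the counted variant, including rejection of an oversized count
 * and of a NULL output pointer.  Returns 1 when every check passes. */
static int demo_counted(void)
{
    svg_lengths rect = { { 1.0f, 2.0f, 3.0f, 4.0f, 5.0f, 6.0f } };
    float a = 0.0f, b = 0.0f;
    if (fill_lengths_counted(&rect, 2, &a, &b) != 2) return 0;
    if (a != 1.0f || b != 2.0f) return 0;
    if (fill_lengths_counted(&rect, NUM_LENGTHS + 1, &a) != -1) return 0;
    if (fill_lengths_counted(&rect, 2, &a, (float *)NULL) != -1) return 0;
    return 1;
}

int main(void)
{
    printf("sum of filled lengths: %.1f\n", demo_sum());
    printf("counted variant checks: %s\n", demo_counted() ? "ok" : "FAILED");
    return 0;
}
```

When a build of something like this is run as `valgrind --track-origins=yes ./a.out`, memcheck's report for a conditional on an uninitialised value gains an "Uninitialised value was created by ..." line naming the stack frame or heap allocation the bytes came from; that origin is the quickest way to decide whether a report such as the one above is a real read of unwritten memory or an artefact of how the variadic arguments were laid out.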
Are you on a 64-bit system?
If so, btw, this is bug 547964.
Yes, I'm on a 64-bit VM. Unfortunately, I can't see bug 547964, so I can't make sure if this is the same issue.
This should take care of the problem!
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 547964]
Group: core-security