Closed
Bug 616412
Opened 15 years ago
Closed 15 years ago
"Conditional jump or move depends on uninitialised value(s)" in nsScriptSecurityManager::CheckFunctionAccess
Categories
(Core :: Security: CAPS, defect)
Tracking
()
VERIFIED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: cjones, Assigned: cjones)
Details
(Keywords: valgrind)
Attachments
(1 file)
1.41 KB,
patch
|
mrbkap
:
review+
bzbarsky
:
approval2.0+
|
Details | Diff | Splinter Review |
The problematic code appears to be
nsScriptSecurityManager::CheckFunctionAccess(JSContext *aCx, void *aFunObj,
void *aTargetObj)
{
// This check is called for event handlers
nsresult rv;
nsIPrincipal* subject =
GetFunctionObjectPrincipal(aCx, (JSObject *)aFunObj, nsnull, &rv);
// If subject is null, get a principal from the function object's scope.
if (NS_SUCCEEDED(rv) && !subject)
nsIPrincipal*
nsScriptSecurityManager::GetFunctionObjectPrincipal(JSContext *cx,
JSObject *obj,
JSStackFrame *fp,
nsresult *rv)
{
NS_PRECONDITION(rv, "Null out param");
if (!JS_ObjectIsFunction(cx, obj))
{
// Protect against pseudo-functions (like SJOWs).
nsIPrincipal *result = doGetObjectPrincipal(obj);
if (!result)
*rv = NS_ERROR_FAILURE;
return result;
}
If we hit the |!JS_ObjectIsFunction(cx, obj)| case, and then we get a non-null |result|, |rv| won't be written. Maybe the condition in the first if-stmt in CheckFunctionAccess should be reversed? Or is it OK to to have a non-null |result| in the |!JS_ObjectIsFunction(cx, obj)| case? (And so the *rv = NS_OK should be moved before the first if-stmt.)
![]() |
||
Comment 1•15 years ago
|
||
> (And so the *rv = NS_OK should be moved before the first if-stmt.)
I believe this is what we want. Blake?
blocking2.0: --- → ?
Comment 2•15 years ago
|
||
Looks right to me. Chris, want to attach a patch?
Assignee | ||
Comment 3•15 years ago
|
||
Sure.
Assignee: nobody → jones.chris.g
Attachment #495648 -
Flags: review?(mrbkap)
Comment 4•15 years ago
|
||
Comment on attachment 495648 [details] [diff] [review]
Fix use-before-init bug
Thanks!
Attachment #495648 -
Flags: review?(mrbkap) → review+
Assignee | ||
Updated•15 years ago
|
Attachment #495648 -
Flags: approval2.0?
Assignee | ||
Comment 5•15 years ago
|
||
Ping re: blocking/approval triage.
![]() |
||
Comment 6•15 years ago
|
||
Comment on attachment 495648 [details] [diff] [review]
Fix use-before-init bug
a=me; this waiting is silly.
Attachment #495648 -
Flags: approval2.0? → approval2.0+
Assignee | ||
Comment 7•15 years ago
|
||
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 9•15 years ago
|
||
Not easily, the only observable and deterministic effect is to silence this valgrind warning.
Comment 10•15 years ago
|
||
Any objections to me just marking this verified?
Assignee | ||
Comment 11•15 years ago
|
||
Nope! I did numerous valgrind runs after this patch, clean wrt this bug.
Updated•14 years ago
|
blocking2.0: ? → betaN+
You need to log in
before you can comment on or make changes to this bug.
Description
•