Closed
Bug 616412
Opened 14 years ago
Closed 14 years ago
"Conditional jump or move depends on uninitialised value(s)" in nsScriptSecurityManager::CheckFunctionAccess
Categories
(Core :: Security: CAPS, defect)
Tracking
()
VERIFIED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: cjones, Assigned: cjones)
Details
(Keywords: valgrind)
Attachments
(1 file)
1.41 KB,
patch
|
mrbkap
:
review+
bzbarsky
:
approval2.0+
|
Details | Diff | Splinter Review |
The problematic code appears to be nsScriptSecurityManager::CheckFunctionAccess(JSContext *aCx, void *aFunObj, void *aTargetObj) { // This check is called for event handlers nsresult rv; nsIPrincipal* subject = GetFunctionObjectPrincipal(aCx, (JSObject *)aFunObj, nsnull, &rv); // If subject is null, get a principal from the function object's scope. if (NS_SUCCEEDED(rv) && !subject) nsIPrincipal* nsScriptSecurityManager::GetFunctionObjectPrincipal(JSContext *cx, JSObject *obj, JSStackFrame *fp, nsresult *rv) { NS_PRECONDITION(rv, "Null out param"); if (!JS_ObjectIsFunction(cx, obj)) { // Protect against pseudo-functions (like SJOWs). nsIPrincipal *result = doGetObjectPrincipal(obj); if (!result) *rv = NS_ERROR_FAILURE; return result; } If we hit the |!JS_ObjectIsFunction(cx, obj)| case, and then we get a non-null |result|, |rv| won't be written. Maybe the condition in the first if-stmt in CheckFunctionAccess should be reversed? Or is it OK to to have a non-null |result| in the |!JS_ObjectIsFunction(cx, obj)| case? (And so the *rv = NS_OK should be moved before the first if-stmt.)
Comment 1•14 years ago
|
||
> (And so the *rv = NS_OK should be moved before the first if-stmt.)
I believe this is what we want. Blake?
blocking2.0: --- → ?
Comment 2•14 years ago
|
||
Looks right to me. Chris, want to attach a patch?
Assignee | ||
Comment 3•14 years ago
|
||
Sure.
Assignee: nobody → jones.chris.g
Attachment #495648 -
Flags: review?(mrbkap)
Comment 4•14 years ago
|
||
Comment on attachment 495648 [details] [diff] [review] Fix use-before-init bug Thanks!
Attachment #495648 -
Flags: review?(mrbkap) → review+
Assignee | ||
Updated•14 years ago
|
Attachment #495648 -
Flags: approval2.0?
Assignee | ||
Comment 5•14 years ago
|
||
Ping re: blocking/approval triage.
Comment 6•14 years ago
|
||
Comment on attachment 495648 [details] [diff] [review] Fix use-before-init bug a=me; this waiting is silly.
Attachment #495648 -
Flags: approval2.0? → approval2.0+
Assignee | ||
Comment 7•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/6e9e376c146b
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 9•14 years ago
|
||
Not easily, the only observable and deterministic effect is to silence this valgrind warning.
Comment 10•14 years ago
|
||
Any objections to me just marking this verified?
Assignee | ||
Comment 11•14 years ago
|
||
Nope! I did numerous valgrind runs after this patch, clean wrt this bug.
Updated•13 years ago
|
blocking2.0: ? → betaN+
You need to log in
before you can comment on or make changes to this bug.
Description
•