Closed Bug 726590 Opened 13 years ago Closed 13 years ago

Uninitialised value use in nsEventListenerManager::HandleEventInternal

Categories

(Core :: DOM: UI Events & Focus Handling, defect)

Product:
Core
Component:
DOM: UI Events & Focus Handling
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla14

People

(Reporter: jseward, Assigned: jseward)

Details

Attachments

(1 file)

trivial fix
806 bytes, patch
smaug
: review+
Details | Diff | Splinter Review
Not sure if Event Handling is the right component, but anyway .. TEST_PATH=dom/workers/test (DISPLAY=:3.0 make -C ff-opt mochitest-plain TEST_PATH=dom/workers/test EXTRA_TEST_ARGS='--close-when-done --debugger=/home/sewardj/VgTRUNK/merge/Inst/bin/valgrind --debugger-args="--smc-check=all-non-file --suppressions=/home/sewardj/MOZ/SUPPS/mochitest-mc.supp --error-limit=no --stats=yes --trace-children=yes --child-silent-after-fork=yes '--trace-children-skip=/usr/bin/hg,/bin/rm,*/bin/certutil,*/bin/pk12util,*/bin/ssltunnel,*/bin/uname,*/bin/which,*/bin/ps,*/bin/grep' --tool=memcheck --track-origins=yes --stats=yes"') 2>&1 | cat produces the two complaints below. If you look at where the uninitialised value comes from, it's clear they are both caused by the same problem. Conditional jump or move depends on uninitialised value(s) at 0x64F94C7: nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) (nsEventListenerManager.cpp:763) by 0x6514093: nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, bool, nsCxPusher*) (nsEventListenerManager.h:169) by 0x6514FEE: nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) (nsEventDispatcher.cpp:681) by 0x6629475: NS_HandleScriptError(nsIScriptGlobalObject*, nsScriptErrorEvent*, nsEventStatus*) (nsJSEnvironment.cpp:294) by 0x65F3138: nsIScriptGlobalObject::HandleScriptError(nsScriptErrorEvent*, nsEventStatus*) (nsIScriptGlobalObject.h:163) by 0x66BB89F: (anonymous namespace)::ReportErrorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) (WorkerPrivate.cpp:1136) by 0x66B94DF: mozilla::dom::workers::WorkerRunnable::Run() (WorkerPrivate.cpp:1717) by 0x6D90E7D: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:657) by 0x6D58D59: NS_ProcessNextEvent_P(nsIThread*, bool) (nsThreadUtils.cpp:245) by 0x6CB1B65: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (MessagePump.cpp:134) by 0x6DB9671: MessageLoop::Run() (message_loop.cc:208) by 0x6BDDBAF: nsBaseAppShell::Run() (nsBaseAppShell.cpp:189) Uninitialised value was created by a stack allocation at 0x66BB350: (anonymous namespace)::ReportErrorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) (WorkerPrivate.cpp:1030) Conditional jump or move depends on uninitialised value(s) at 0x64F94C7: nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) (nsEventListenerManager.cpp:763) by 0x65141B3: nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, bool, nsCxPusher*) (nsEventListenerManager.h:169) by 0x6514FEE: nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) (nsEventDispatcher.cpp:681) by 0x6629475: NS_HandleScriptError(nsIScriptGlobalObject*, nsScriptErrorEvent*, nsEventStatus*) (nsJSEnvironment.cpp:294) by 0x65F3138: nsIScriptGlobalObject::HandleScriptError(nsScriptErrorEvent*, nsEventStatus*) (nsIScriptGlobalObject.h:163) by 0x66BB89F: (anonymous namespace)::ReportErrorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) (WorkerPrivate.cpp:1136) by 0x66B94DF: mozilla::dom::workers::WorkerRunnable::Run() (WorkerPrivate.cpp:1717) by 0x6D90E7D: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:657) by 0x6D58D59: NS_ProcessNextEvent_P(nsIThread*, bool) (nsThreadUtils.cpp:245) by 0x6CB1B65: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (MessagePump.cpp:134) by 0x6DB9671: MessageLoop::Run() (message_loop.cc:208) by 0x6BDDBAF: nsBaseAppShell::Run() (nsBaseAppShell.cpp:189) Uninitialised value was created by a stack allocation at 0x66BB350: (anonymous namespace)::ReportErrorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) (WorkerPrivate.cpp:1030)
Here is what I believe to be the chain that leads from the stack allocation to the uninitialised use. The line numbers are marginally different from those in the stack traces above due to debugging printfs etc I added. dom/workers/WorkerPrivate.cpp: static bool ReportError(JSContext* aCx, ...) creates the undefined value 1157 nsEventStatus status; 1158 if (NS_FAILED(sgo->HandleScriptError(&event, &status))) { 1159 NS_WARNING("Failed to dispatch main thread error event!"); 1160 status = nsEventStatus_eIgnore; 1161 } dom/base/nsIScriptGlobalObject.h passes through unchanged as 2nd arg 161 virtual nsresult HandleScriptError(nsScriptErrorEvent *aErrorEvent, 162 nsEventStatus *aEventStatus) 163 return NS_HandleScriptError(this, aErrorEvent, aEventStatus); 164 } dom/base/nsJSEnvironment.cpp: bool NS_HandleScriptError(...) passed onwards as 5th arg 307 nsEventDispatcher::Dispatch(win, presContext, aErrorEvent, nsnull, 308 aStatus); content/events/src/nsEventDispatcher.cpp nsEventDispatcher::Dispatch not sure how the undefined value is passed on (wrapped up in some object, I think) 682 rv = topEtci->HandleEventTargetChain(postVisitor, NS_EVENT_FLAG_BUBBLE | NS_EVENT_FLAG_CAPTURE, aCallback, false, &pusher); content/events/src/nsEventListenerManager.h passed in as *aEventStatus void HandleEvent(nsPresContext* aPresContext, nsEvent* aEvent, nsIDOMEvent** aDOMEvent, nsIDOMEventTarget* aCurrentTarget, PRUint32 aFlags, nsEventStatus* aEventStatus, nsCxPusher* aPusher) 170 HandleEventInternal(aPresContext, aEvent, aDOMEvent, aCurrentTarget, 171 aFlags, aEventStatus, aPusher); content/events/src/nsEventListenerManager.cpp nsEventListenerManager::HandleEventInternal 766 if (*aEventStatus == nsEventStatus_eConsumeNoDefault) { 767 aEvent->flags |= NS_EVENT_FLAG_NO_DEFAULT; 768 }
nsEventStatus is in general used as a inout parameter, and should be initialized to some value.
Attached patch trivial fixSplinter Review
Initialises status before the call, as per comment #2. No idea if nsEventStatus_eIgnore is the right value.
Attachment #608663 - Flags: review?(bent.mozilla)
Attachment #608663 - Flags: review?(bent.mozilla) → review+
Keywords: checkin-needed
Assignee: nobody → jseward
https://hg.mozilla.org/integration/mozilla-inbound/rev/a268ac68fb58
Keywords: checkin-needed
OS: Linux → All
Hardware: x86_64 → All
Target Milestone: --- → mozilla14
https://hg.mozilla.org/mozilla-central/rev/a268ac68fb58
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Component: Event Handling → User events and focus handling
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: