Bug 767370 - Uninitialised value use in nsIDOMKeyEvent_GetCharCode
Product: Core
Classification: Components
Component: DOM: Events
Version: Trunk
Platform: x86_64 Linux
Importance: -- normal
Target Milestone: mozilla16
Assigned To: Julian Seward [:jseward]
Reported: 2012-06-22 07:15 PDT by Julian Seward [:jseward]
Modified: 2012-06-23 05:46 PDT

Attachments:
  fix (556 bytes, patch); 2012-06-22 07:18 PDT, Julian Seward [:jseward]; peterv: review+
  as previous patch, with proper hg admin stuff (820 bytes, patch); 2012-06-22 08:59 PDT, Julian Seward [:jseward]; no flags

Description Julian Seward [:jseward] 2012-06-22 07:15:17 PDT

nsIDOMKeyEvent_GetCharCode(JSContext*, JS::Handle<JSObject*>,
JS::Handle<long>, JS::Value*) has this

    PRUint32 result;
    rv = self->GetCharCode(&result);
    if (NS_FAILED(rv))
        return xpc_qsThrowGetterSetterFailed(cx, rv, JSVAL_TO_OBJECT(*vp), id);

GetCharCode can return a non-NS_FAILED |rv| without assigning anything
to |result|.  The resulting uninitialised values get copied far and
wide throughout the system and result in dozens of error reports from
Valgrind.  The first one is shown below.

Conditional jump or move depends on uninitialised value(s)
   at 0x6BF5B74: nsIDOMKeyEvent_GetCharCode(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::Value*) (jsapi.h:1849)
   by 0x7489207: js::baseops::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::Value*) (jscntxtinlines.h:444)
   by 0x7471E9B: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsobjinlines.h:162)
   by 0x7473BCE: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:267)
   by 0x74741A8: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jsinterp.cpp:322)
   by 0x74746FA: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:100)
   by 0x7403EFD: JS_CallFunctionValue (jsapi.cpp:5489)
   by 0x689F2C9: nsJSContext::CallEventHandler(nsISupports*, JSObject*, JSObject*, nsIArray*, nsIVariant**) [clone .part.80] (nsJSEnvironment.cpp:1910)
   by 0x68BF291: nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) (nsGlobalWindow.cpp:9066)
   by 0x68BFF7F: nsGlobalWindow::RunTimeout(nsTimeout*) (nsGlobalWindow.cpp:9320)
   by 0x68C0088: nsGlobalWindow::TimerCallback(nsITimer*, void*) (nsGlobalWindow.cpp:9591)
   by 0x70BB351: nsTimerImpl::Fire() (nsTimerImpl.cpp:473)
 Uninitialised value was created by a stack allocation
   at 0x6BF5AC0: nsIDOMKeyEvent_GetCharCode(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::Value*) (dom_quickstubs.cpp:10965)
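A constructed C model of the defect described above, added here and not part of the bug's attachments or of Gecko: a getter that reports success without writing its out-parameter on every path, a caller in the shape of the quoted quickstub, and the two places the gap can be closed (make every path in the getter assign, or zero-initialise the local before the call). The event types, function names and the simplified nsresult/NS_OK/NS_FAILED definitions are assumptions, not Gecko's.

```c
/* Constructed model of the report's out-parameter gap; not Gecko code.
 * nsresult, NS_OK and NS_FAILED are simplified stand-ins for XPCOM's. */
#include <stdint.h>
typedef int nsresult;
#define NS_OK 0
#define NS_FAILED(rv) ((rv) != NS_OK)
enum { EV_KEY_DOWN, EV_KEY_UP, EV_KEY_PRESS, EV_MOUSE_CLICK };
struct key_event { int message; uint32_t char_code; };
typedef nsresult (*char_code_getter)(const struct key_event *, uint32_t *);

/* Getter with the gap: the default branch reports success but never
 * writes *out, so the caller's local keeps whatever the stack held. */
nsresult get_char_code_leaky(const struct key_event *ev, uint32_t *out) {
    switch (ev->message) {
    case EV_KEY_DOWN:
    case EV_KEY_UP:    *out = 0;             break;
    case EV_KEY_PRESS: *out = ev->char_code; break;
    default:           break;  /* success reported, *out untouched */
    }
    return NS_OK;
}

/* Getter-side fix: every successful path assigns the out-parameter. */
nsresult get_char_code_fixed(const struct key_event *ev, uint32_t *out) {
    *out = (ev->message == EV_KEY_PRESS) ? ev->char_code : 0;
    return NS_OK;
}

/* POISON stands in for stale stack contents. In the real binary the local
 * is simply uninitialised; reading it is undefined behaviour, and that read
 * is what Valgrind reports as an uninitialised-value use. */
#define POISON 0xDEADBEEFu

/* Caller in the shape of the quickstub quoted in the report. */
uint32_t char_code_as_reported(char_code_getter get, int message, uint32_t code) {
    struct key_event ev = { message, code };
    uint32_t result = POISON;
    if (NS_FAILED(get(&ev, &result))) return 0;
    return result;           /* hands POISON on when get() did not write */
}

/* Caller-side fix: zero-initialise before the call, so even the leaky
 * getter yields a defined charCode of 0 for a non-key event. */
uint32_t char_code_initialised(char_code_getter get, int message, uint32_t code) {
    struct key_event ev = { message, code };
    uint32_t result = 0;
    if (NS_FAILED(get(&ev, &result))) return 0;
    return result;
}
```

Valgrind's Memcheck and Clang's MemorySanitizer both catch the real read; a compiler's uninitialised-variable warning does not, because the missing write happens through a pointer inside another function.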
Comment 1 Julian Seward [:jseward] 2012-06-22 07:18:12 PDT
Created attachment 635733
Comment 2 Nathan Froyd [:froydnj] 2012-06-22 07:42:56 PDT
I'll check the patch in for you, but could you please export a proper hg patch with attribution, comment message, etc.?
Comment 3 Nathan Froyd [:froydnj] 2012-06-22 07:48:18 PDT
Clearing c-n while the patch gets tidied.
Comment 4 Julian Seward [:jseward] 2012-06-22 08:59:28 PDT
Created attachment 635771
as previous patch, with proper hg admin stuff
Comment 6 Ryan VanderMeulen [:RyanVM] 2012-06-23 05:46:59 PDT
