Closed Bug 767370 Opened 12 years ago Closed 12 years ago

Uninitialised value use in nsIDOMKeyEvent_GetCharCode

Categories

(Core :: DOM: Events, defect)

Product:
Core
Component:
DOM: Events
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla16

People

(Reporter: jseward, Assigned: jseward)

Details

Attachments

(1 file, 1 obsolete file)

as previous patch, with proper hg admin stuff
820 bytes, patch
Details | Diff | Splinter Review 
TEST_PATH=content/events/test/test_dom_keyboard_event.html

nsIDOMKeyEvent_GetCharCode(JSContext*, JS::Handle<JSObject*>,
JS::Handle<long>, JS::Value*) has this

    PRUint32 result;
    rv = self->GetCharCode(&result);
    if (NS_FAILED(rv))
        return xpc_qsThrowGetterSetterFailed(cx, rv, JSVAL_TO_OBJECT(*vp), id);

GetCharCode can return a non-NS_FAILED |rv| without assigning anything
to |result|.  The resulting uninitialised values get copied far and
wide throughout the system and result in dozens of error reports from
Valgrind.  The first one is shown below.

Conditional jump or move depends on uninitialised value(s)
   at 0x6BF5B74: nsIDOMKeyEvent_GetCharCode(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::Value*) (jsapi.h:1849)
   by 0x7489207: js::baseops::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::Value*) (jscntxtinlines.h:444)
   by 0x7471E9B: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsobjinlines.h:162)
   by 0x7473BCE: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:267)
   by 0x74741A8: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jsinterp.cpp:322)
   by 0x74746FA: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:100)
   by 0x7403EFD: JS_CallFunctionValue (jsapi.cpp:5489)
   by 0x689F2C9: nsJSContext::CallEventHandler(nsISupports*, JSObject*, JSObject*, nsIArray*, nsIVariant**) [clone .part.80] (nsJSEnvironment.cpp:1910)
   by 0x68BF291: nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) (nsGlobalWindow.cpp:9066)
   by 0x68BFF7F: nsGlobalWindow::RunTimeout(nsTimeout*) (nsGlobalWindow.cpp:9320)
   by 0x68C0088: nsGlobalWindow::TimerCallback(nsITimer*, void*) (nsGlobalWindow.cpp:9591)
   by 0x70BB351: nsTimerImpl::Fire() (nsTimerImpl.cpp:473)
 Uninitialised value was created by a stack allocation
   at 0x6BF5AC0: nsIDOMKeyEvent_GetCharCode(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::Value*) (dom_quickstubs.cpp:10965)
Attached patch fix (obsolete) — Splinter Review 

    
  

        Attachment #635733 -
        Flags: review?(peterv)

        Attachment #635733 -
        Flags: review?(peterv) → review+

    
  
Keywords: checkin-needed

    
    

    
  
I'll check the patch in for you, but could you please export a proper hg patch with attribution, comment message, etc.?

    
    

    
  
Clearing c-n while the patch gets tidied.
Keywords: checkin-needed

    
    

    
  


  

        Attachment #635733 -
        Attachment is obsolete: true

    
    

    
  
https://hg.mozilla.org/integration/mozilla-inbound/rev/31cf3f1603d7
Assignee: nobody → jseward
Status: NEW → ASSIGNED

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/31cf3f1603d7
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla16

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: