Closed Bug 767966 Opened 12 years ago Closed 12 years ago

Uninitialised value use in obj_lookupGetter(JSContext*, unsigned int, JS::Value*)

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 767273

People

(Reporter: jseward, Unassigned)

Details

(Keywords: valgrind, Whiteboard: [js:p2][sg:dupe 767273])

TEST_PATH=toolkit/components/passwordmgr/test/test_notifications.html

produces a whole bunch of complaining along the lines of this:

Conditional jump or move depends on uninitialised value(s)
   at 0x6C4F3F1: mozilla::dom::binding::ListBase<mozilla::dom::binding::ListClass<nsINodeList, mozilla::dom::binding::Ops<mozilla::dom::binding::Getter<nsIContent*>, mozilla::dom::binding::NoOp>, mozilla::dom::binding::Ops<mozilla::dom::binding::NoOp, mozilla::dom::binding::NoOp> > >::getPropertyDescriptor(JSContext*, JSObject*, long, bool, JSPropertyDescriptor*) (dombindings.cpp:634)
   by 0x7483FA4: js::Proxy::getPropertyDescriptor(JSContext*, JSObject*, long, bool, JSPropertyDescriptor*) (jsproxy.cpp:1001)
   by 0x7462E40: obj_lookupGetter(JSContext*, unsigned int, JS::Value*) (jsobj.cpp:1453)
   by 0x7448516: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:400)
   by 0x7448AFA: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:100)
   by 0x74819AD: js::IndirectProxyHandler::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jsproxy.cpp:445)
   by 0x74E1363: js::DirectWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jswrapper.cpp:218)
   by 0x74E28F8: js::CrossCompartmentWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jswrapper.cpp:656)
   by 0x748521F: js::Proxy::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jsproxy.cpp:1137)
   by 0x748526C: proxy_Call(JSContext*, unsigned int, JS::Value*) (jsproxy.cpp:1666)
   by 0x7448636: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:400)
   by 0x7439B85: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2437)

 Uninitialised value was created by a stack allocation
   at 0x7462C28: obj_lookupGetter(JSContext*, unsigned int, JS::Value*) (jsobj.cpp:1441)
I suspect this is a bug outside the JS engine.  Anyway:

obj_lookupGetter(JSContext *cx, unsigned argc, Value *vp) has this

1452    PropertyDescriptor desc;
1453    if (!Proxy::getPropertyDescriptor(cx, obj, id, false, &desc))
1454        return JS_FALSE;
1455    if (desc.obj && (desc.attrs & JSPROP_GETTER) && desc.getter)
1456        *vp = CastAsObjectJsval(desc.getter);

It would appear that the call to Proxy::getPropertyDescriptor returns
|true|, but it does not initialise the fields of |desc| that are
subsequently used.

The trail of crumbs appears to lead to
ListBase<LC>::getPropertyDescriptor in dombindings.cpp, and then to
ListBase<LC>::getOwnPropertyDescriptor.

This appears to be able to return |true| without writing anything
to |*desc| along the following path:

dombindings.cpp:
566    if (set) {                 // NOT TAKEN
580        if (hasIndexGetter) {  // TAKEN
582           if (index >= 0) {   // TAKEN
585                    return true;  // no assignment to |*desc|

Am not sure about the above analysis.  A second opinion would be good.
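As an added illustration (not code from this bug or from SpiderMonkey; the type and function names are simplified stand-ins), here is a minimal model of the out-parameter pattern described above: the path that returns true without writing *desc, beside a form that leaves the descriptor defined on every successful return. Seeding the descriptor with constructed stale contents shows deterministically why the caller's check on desc.obj / desc.getter cannot be trusted after the buggy call.

```cpp
// Stand-ins for the SpiderMonkey types involved (names are assumptions).
struct JSObject {};
typedef void (*Getter)();
enum { JSPROP_GETTER = 0x10 };
struct PropertyDescriptor {
    JSObject *obj;      // null means "no such property"
    unsigned  attrs;
    Getter    getter;
};
typedef bool (*DescFn)(int, bool, PropertyDescriptor *);
static JSObject listObj;    // the list being looked up (constructed)

// Models the dombindings.cpp path from the report: on the index-getter
// branch it returns true without ever writing to *desc.
bool getOwnPropertyDescriptorBuggy(int index, bool hasIndexGetter,
                                   PropertyDescriptor *desc) {
    if (hasIndexGetter && index >= 0)
        return true;            // success reported, *desc untouched
    desc->obj = nullptr;        // the other paths do report "not found"
    return true;
}

// Hardened form: every successful return leaves *desc defined. An index
// hit is a plain data property (no JSPROP_GETTER); a miss sets obj = null,
// as the follow-up comment on the bug suggests.
bool getOwnPropertyDescriptorFixed(int index, bool hasIndexGetter,
                                   PropertyDescriptor *desc) {
    desc->obj = (hasIndexGetter && index >= 0) ? &listObj : nullptr;
    desc->attrs = 0;
    desc->getter = nullptr;
    return true;
}

// Models obj_lookupGetter; desc is a parameter so a caller can seed it
// with whatever the stack happened to hold before the call.
Getter lookupGetter(DescFn getDesc, int index, PropertyDescriptor desc) {
    if (!getDesc(index, true, &desc))
        return nullptr;
    if (desc.obj && (desc.attrs & JSPROP_GETTER) && desc.getter)
        return desc.getter;     // reads fields getDesc may never have set
    return nullptr;
}

// Constructed "stale stack contents": an earlier call left a convincing
// accessor descriptor where obj_lookupGetter's local now lives.
static void staleGetter() {}
static JSObject staleObj;
static const PropertyDescriptor kStaleDesc = { &staleObj, JSPROP_GETTER, &staleGetter };
// True when lookupGetter would hand the caller the stale accessor.
bool leaksStaleGetter(DescFn getDesc) {
    return lookupGetter(getDesc, 3, kStaleDesc) == &staleGetter;
}
```

With the buggy callee the stale accessor is returned as if it were real; with the fixed callee, or with a caller that value-initialises its descriptor, no getter is reported.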
Hmm.  Peter, what should happen when !getItemAt?  Probably need to set desc->obj to null, right?
Whiteboard: [js:p2]
I can no longer reproduce this on m-c.  OK to close?
Keywords: valgrind
Oh, I wish I'd seen this back when, it pointed right at the problem. ;)

Probably silly to make this s-s at this point, but oh well.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security
Whiteboard: [js:p2] → [js:p2][sg:dupe 767273]