Closed
Bug 767966
Opened 12 years ago
Closed 12 years ago
Uninitialised value use in obj_lookupGetter(JSContext*, unsigned int, JS::Value*)
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 767273
People
(Reporter: jseward, Unassigned)
Details
(Keywords: valgrind, Whiteboard: [js:p2][sg:dupe 767273])
TEST_PATH=toolkit/components/passwordmgr/test/test_notifications.html produces a whole bunch of complaining along the lines of this:

Conditional jump or move depends on uninitialised value(s)
   at 0x6C4F3F1: mozilla::dom::binding::ListBase<mozilla::dom::binding::ListClass<nsINodeList, mozilla::dom::binding::Ops<mozilla::dom::binding::Getter<nsIContent*>, mozilla::dom::binding::NoOp>, mozilla::dom::binding::Ops<mozilla::dom::binding::NoOp, mozilla::dom::binding::NoOp> > >::getPropertyDescriptor(JSContext*, JSObject*, long, bool, JSPropertyDescriptor*) (dombindings.cpp:634)
   by 0x7483FA4: js::Proxy::getPropertyDescriptor(JSContext*, JSObject*, long, bool, JSPropertyDescriptor*) (jsproxy.cpp:1001)
   by 0x7462E40: obj_lookupGetter(JSContext*, unsigned int, JS::Value*) (jsobj.cpp:1453)
   by 0x7448516: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:400)
   by 0x7448AFA: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:100)
   by 0x74819AD: js::IndirectProxyHandler::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jsproxy.cpp:445)
   by 0x74E1363: js::DirectWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jswrapper.cpp:218)
   by 0x74E28F8: js::CrossCompartmentWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jswrapper.cpp:656)
   by 0x748521F: js::Proxy::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jsproxy.cpp:1137)
   by 0x748526C: proxy_Call(JSContext*, unsigned int, JS::Value*) (jsproxy.cpp:1666)
   by 0x7448636: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:400)
   by 0x7439B85: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2437)
 Uninitialised value was created by a stack allocation
   at 0x7462C28: obj_lookupGetter(JSContext*, unsigned int, JS::Value*) (jsobj.cpp:1441)
Comment 1•12 years ago
I suspect this is a bug outside the JS engine. Anyway: obj_lookupGetter(JSContext *cx, unsigned argc, Value *vp) has this

  1452     PropertyDescriptor desc;
  1453     if (!Proxy::getPropertyDescriptor(cx, obj, id, false, &desc))
  1454         return JS_FALSE;
  1455     if (desc.obj && (desc.attrs & JSPROP_GETTER) && desc.getter)
  1456         *vp = CastAsObjectJsval(desc.getter);

It would appear that the call to Proxy::getPropertyDescriptor returns |true|, but it does not initialise the fields of |desc| that are subsequently used.

The trail of crumbs appears to lead to ListBase<LC>::getPropertyDescriptor in dombindings.cpp, and then to ListBase<LC>::getOwnPropertyDescriptor. This appears to be able to return |true| without writing anything to |*desc| along the following path:

dombindings.cpp:
  566     if (set) {                  // NOT TAKEN
  580     if (hasIndexGetter) {       // TAKEN
  582         if (index >= 0) {       // TAKEN
  585             return true;        // no assignment to |*desc|

I'm not sure about the above analysis. A second opinion would be good.
Comment 2•12 years ago
Hmm. Peter, what should happen when !getItemAt? Probably need to set desc->obj to null, right?
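The following is an added, self-contained C++ model of the problem described in comment 1 and the fix suggested in comment 2; it is not code from the bug thread or from SpiderMonkey. The types (PropertyDescriptor, JSObject, JSPROP_GETTER), the FakeNodeList backing store and the getItemAt helper are simplified stand-ins chosen here for illustration. The buggy version mirrors the path in comment 1 (set not taken, hasIndexGetter taken, index >= 0 taken, item lookup fails, return true without touching *desc); the fixed version writes desc->obj = nullptr on that path so the caller's "desc.obj && ..." check reads a defined value.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified stand-ins for the engine types named in the trace (assumptions, not SpiderMonkey's).
struct JSObject { int id; };
enum { JSPROP_GETTER = 0x10 };
struct PropertyDescriptor {
    JSObject *obj;     // null means "property not found"
    unsigned  attrs;   // flag bits such as JSPROP_GETTER
    void     *getter;  // meaningful only when attrs has JSPROP_GETTER
};

// Constructed backing store for a NodeList-like proxy.
struct FakeNodeList { std::vector<JSObject *> items; };

// Indexed lookup; false when the index is out of range.
static bool getItemAt(const FakeNodeList &list, int index, JSObject **out) {
    if (index < 0 || static_cast<size_t>(index) >= list.items.size())
        return false;
    *out = list.items[static_cast<size_t>(index)];
    return true;
}

// Shape of the path comment 1 describes: on a failed item lookup we report success
// but never write *desc, so the caller tests whatever was on its stack.
static bool getOwnPropertyDescriptor_buggy(const FakeNodeList &list, int index, bool set,
                                           PropertyDescriptor *desc) {
    if (set) { desc->obj = nullptr; return true; }      // setter path, not taken here
    const bool hasIndexGetter = true;
    if (hasIndexGetter && index >= 0) {
        JSObject *item;
        if (getItemAt(list, index, &item)) {
            desc->obj = item; desc->attrs = 0; desc->getter = nullptr;
            return true;
        }
        return true;                                    // BUG: *desc left unwritten
    }
    desc->obj = nullptr;
    return true;
}

// Fix in the spirit of comment 2: every "true" return leaves desc->obj defined.
static bool getOwnPropertyDescriptor_fixed(const FakeNodeList &list, int index, bool set,
                                           PropertyDescriptor *desc) {
    if (set) { desc->obj = nullptr; return true; }
    const bool hasIndexGetter = true;
    if (hasIndexGetter && index >= 0) {
        JSObject *item;
        if (getItemAt(list, index, &item)) {
            desc->obj = item; desc->attrs = 0; desc->getter = nullptr;
            return true;
        }
        desc->obj = nullptr;                            // not found: say so explicitly
        return true;
    }
    desc->obj = nullptr;
    return true;
}

// Caller in the shape of obj_lookupGetter lines 1452-1456, using the fixed callee.
// Returns the getter if the property is an accessor, else nullptr.
static void *lookupGetter(const FakeNodeList &list, int index) {
    PropertyDescriptor desc{};   // value-initialised: defence in depth on the caller side
    if (!getOwnPropertyDescriptor_fixed(list, index, false, &desc))
        return nullptr;
    if (desc.obj && (desc.attrs & JSPROP_GETTER) && desc.getter)
        return desc.getter;
    return nullptr;
}

// Did the fixed callee report the index as present?
static bool hasOwnIndex(const FakeNodeList &list, int index) {
    PropertyDescriptor desc{};
    return getOwnPropertyDescriptor_fixed(list, index, false, &desc) && desc.obj != nullptr;
}

// Probe: prefill desc->obj with a sentinel; if the callee never writes it, the sentinel survives.
static bool leavesDescUntouched(bool (*fn)(const FakeNodeList &, int, bool, PropertyDescriptor *),
                                const FakeNodeList &list, int index) {
    JSObject sentinel{-1};
    PropertyDescriptor desc{&sentinel, 0, nullptr};
    fn(list, index, false, &desc);
    return desc.obj == &sentinel;
}

int main() {
    JSObject a{1}, b{2};
    FakeNodeList list{{&a, &b}};
    std::printf("buggy leaves *desc untouched for index 5: %d\n", leavesDescUntouched(getOwnPropertyDescriptor_buggy, list, 5));
    std::printf("fixed leaves *desc untouched for index 5: %d\n", leavesDescUntouched(getOwnPropertyDescriptor_fixed, list, 5));
    std::printf("hasOwnIndex(1)=%d hasOwnIndex(5)=%d\n", hasOwnIndex(list, 1), hasOwnIndex(list, 5));
    return 0;
}
```

The sentinel probe is how you can confirm this class of bug without Valgrind: an output parameter that the callee is supposed to fill should never come back carrying the value you seeded it with. Fixing the callee is the real fix; value-initialising the descriptor in the caller only turns an uninitialised read into a deterministic "not found".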
Updated•12 years ago
Whiteboard: [js:p2]
Comment 3•12 years ago
I can no longer reproduce this on m-c. OK to close?
Keywords: valgrind
Comment 4•12 years ago
Oh, I wish I'd seen this back when, it pointed right at the problem. ;) Probably silly to make this s-s at this point, but oh well.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated•12 years ago
Group: core-security
Whiteboard: [js:p2] → [js:p2][sg:dupe 767273]