Closed Bug 910477 Opened 11 years ago Closed 11 years ago

Valgrind detects "Conditional jump or move depends on uninitialised value(s)" with js::DecompressString on the stack

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: gkw, Unassigned)

Details

(Keywords: regression, testcase, valgrind) 

Merely starting up the js opt shell on m-c changeset dc7b76fcf7e4 without any CLI arguments shows the following error:

$ valgrind --smc-check=all-non-file --track-origins=yes ./js-opt-64-dm-vg-ts-linux-dc7b76fcf7e4
==12592== Memcheck, a memory error detector
==12592== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==12592== Using Valgrind-3.9.0.SVN and LibVEX; rerun with -h for copyright info
==12592== Command: ./js-opt-64-dm-vg-ts-linux-dc7b76fcf7e4
==12592==
==12592== Conditional jump or move depends on uninitialised value(s)
==12592==    at 0x52994E0: inflateReset2 (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
==12592==    by 0x52995D8: inflateInit2_ (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
==12592==    by 0x62ED88: js::DecompressString(unsigned char const*, unsigned long, unsigned char*, unsigned long) (jsutil.cpp:132)
==12592==    by 0x4BB457: JSRuntime::initSelfHosting(JSContext*) (SelfHosting.cpp:748)
==12592==    by 0x55978C: js::NewContext(JSRuntime*, unsigned long) (jscntxt.cpp:201)
==12592==    by 0x40C152: NewContext(JSRuntime*) (js.cpp:4907)
==12592==    by 0x40F393: main (js.cpp:5539)
==12592==  Uninitialised value was created by a heap allocation
==12592==    at 0x4C2C857: malloc (vg_replace_malloc.c:291)
==12592==    by 0x52995B6: inflateInit2_ (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
==12592==    by 0x62ED88: js::DecompressString(unsigned char const*, unsigned long, unsigned char*, unsigned long) (jsutil.cpp:132)
==12592==    by 0x4BB457: JSRuntime::initSelfHosting(JSContext*) (SelfHosting.cpp:748)
==12592==    by 0x55978C: js::NewContext(JSRuntime*, unsigned long) (jscntxt.cpp:201)
==12592==    by 0x40C152: NewContext(JSRuntime*) (js.cpp:4907)
==12592==    by 0x40F393: main (js.cpp:5539)
==12592==
js> quit()

==12592==
==12592== HEAP SUMMARY:
==12592==     in use at exit: 7,854 bytes in 81 blocks
==12592==   total heap usage: 3,778 allocs, 3,697 frees, 2,354,412 bytes allocated
==12592==
==12592== LEAK SUMMARY:
==12592==    definitely lost: 7 bytes in 1 blocks
==12592==    indirectly lost: 0 bytes in 0 blocks
==12592==      possibly lost: 0 bytes in 0 blocks
==12592==    still reachable: 7,847 bytes in 80 blocks
==12592==         suppressed: 0 bytes in 0 blocks
==12592== Rerun with --leak-check=full to see details of leaked memory
==12592==
==12592== For counts of detected and suppressed errors, rerun with: -v
==12592== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)


My configure flags are:

sh ./configure --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-valgrind --with-ccache --enable-threadsafe <NSPR flags, or use --with-system-nspr>

I'm fairly sure this didn't used to happen, so setting s-s to be safe.
Might be a false positive?  See http://zlib.net/zlib_faq.html#faq36
It goes on to say that zlib 1.2.4 was changed to stop V complaining,
and it looks like you've got 1.2.3 involved.  So, yes, probably a 
false positive -- one of the very rare cases where legit code fools
Memcheck's definedness tracking.
Thanks Julian! Not an issue with the JS engine then. Opening up and resolving INVALID.
Group: core-security
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.