Closed Bug 910477 Opened 12 years ago Closed 12 years ago

Valgrind detects "Conditional jump or move depends on uninitialised value(s)" with js::DecompressString on the stack

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: gkw, Unassigned)

Details

(Keywords: regression, testcase, valgrind)

Merely starting up the js opt shell on m-c changeset dc7b76fcf7e4 without any CLI arguments shows the following error: $ valgrind --smc-check=all-non-file --track-origins=yes ./js-opt-64-dm-vg-ts-linux-dc7b76fcf7e4 ==12592== Memcheck, a memory error detector ==12592== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al. ==12592== Using Valgrind-3.9.0.SVN and LibVEX; rerun with -h for copyright info ==12592== Command: ./js-opt-64-dm-vg-ts-linux-dc7b76fcf7e4 ==12592== ==12592== Conditional jump or move depends on uninitialised value(s) ==12592== at 0x52994E0: inflateReset2 (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4) ==12592== by 0x52995D8: inflateInit2_ (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4) ==12592== by 0x62ED88: js::DecompressString(unsigned char const*, unsigned long, unsigned char*, unsigned long) (jsutil.cpp:132) ==12592== by 0x4BB457: JSRuntime::initSelfHosting(JSContext*) (SelfHosting.cpp:748) ==12592== by 0x55978C: js::NewContext(JSRuntime*, unsigned long) (jscntxt.cpp:201) ==12592== by 0x40C152: NewContext(JSRuntime*) (js.cpp:4907) ==12592== by 0x40F393: main (js.cpp:5539) ==12592== Uninitialised value was created by a heap allocation ==12592== at 0x4C2C857: malloc (vg_replace_malloc.c:291) ==12592== by 0x52995B6: inflateInit2_ (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4) ==12592== by 0x62ED88: js::DecompressString(unsigned char const*, unsigned long, unsigned char*, unsigned long) (jsutil.cpp:132) ==12592== by 0x4BB457: JSRuntime::initSelfHosting(JSContext*) (SelfHosting.cpp:748) ==12592== by 0x55978C: js::NewContext(JSRuntime*, unsigned long) (jscntxt.cpp:201) ==12592== by 0x40C152: NewContext(JSRuntime*) (js.cpp:4907) ==12592== by 0x40F393: main (js.cpp:5539) ==12592== js> quit() ==12592== ==12592== HEAP SUMMARY: ==12592== in use at exit: 7,854 bytes in 81 blocks ==12592== total heap usage: 3,778 allocs, 3,697 frees, 2,354,412 bytes allocated ==12592== ==12592== LEAK SUMMARY: ==12592== definitely lost: 7 bytes in 1 blocks ==12592== indirectly lost: 0 bytes in 0 blocks ==12592== possibly lost: 0 bytes in 0 blocks ==12592== still reachable: 7,847 bytes in 80 blocks ==12592== suppressed: 0 bytes in 0 blocks ==12592== Rerun with --leak-check=full to see details of leaked memory ==12592== ==12592== For counts of detected and suppressed errors, rerun with: -v ==12592== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) My configure flags are: sh ./configure --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-valgrind --with-ccache --enable-threadsafe <NSPR flags, or use --with-system-nspr> I'm fairly sure this didn't used to happen, so setting s-s to be safe.
Might be a false positive? See http://zlib.net/zlib_faq.html#faq36
It goes on to say that zlib 1.2.4 was changed to stop V complaining, and it looks like you've got 1.2.3 involved. So, yes, probably a false positive -- one of the very rare cases where legit code fools Memcheck's definedness tracking.
Thanks Julian! Not an issue with the JS engine then. Opening up and resolving INVALID.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.