Paste P170

Conditional jump or move depends on uninitialised value IGUIObject::SendEvent IXmppClient::create JS_CallFunctionValue

Authored by elexis on Sep 9 2019, 7:08 PM.
==336190== Conditional jump or move depends on uninitialised value(s)
==336190== at 0x511AF5D: GetValueType (TypeInference-inl.h:168)
==336190== by 0x511AF5D: js::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&) (TypeInference.cpp:3251)
==336190== by 0x4C9FFB3: Monitor (TypeInference-inl.h:556)
==336190== by 0x4C9FFB3: js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) (BaselineIC.cpp:6166)
==336190== by 0x484F0D9: ???
==336190== by 0xE3CD19F: ???
==336190== by 0x4847809: ???
==336190== by 0x4C73A5A: EnterBaseline(JSContext*, js::jit::EnterJitData&) (BaselineJIT.cpp:145)
==336190== by 0x4C76F92: js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) (BaselineJIT.cpp:256)
==336190== by 0x509547F: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:1787)
==336190== by 0x5095656: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:391)
==336190== by 0x509591C: js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:462)
==336190== by 0x50962FB: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:496)
==336190== by 0x4EF44B8: JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (jsapi.cpp:2790)
==336190== Uninitialised value was created by a heap allocation
==336190== at 0x4838DEF: operator new(unsigned long) (vg_replace_malloc.c:334)
==336190== by 0x6FA6FB: IXmppClient::create(ScriptInterface const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, bool) (XmppClient.cpp:66)
==336190== by 0x6F66DD: JSI_Lobby::StartXmppClient(ScriptInterface::CxPrivate*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, int) (JSInterface_Lobby.cpp:96)
==336190== by 0x6F83D3: call<void(ScriptInterface::CxPrivate*, const std::__cxx11::basic_string<wchar_t>&, const std::__cxx11::basic_string<wchar_t>&, const std::__cxx11::basic_string<wchar_t>&, const std::__cxx11::basic_string<wchar_t>&, int), std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >, int> (NativeWrapperDefns.h:85)
==336190== by 0x6F83D3: bool ScriptInterface::call<void, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >, int, &JSI_Lobby::StartXmppClient>(JSContext*, unsigned int, JS::Value*) (NativeWrapperDefns.h:124)
==336190== by 0x50959E7: CallJSNative (jscntxtinlines.h:235)
==336190== by 0x50959E7: js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:444)
==336190== by 0x508B4DB: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:2766)
==336190== by 0x5095656: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:391)
==336190== by 0x509591C: js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:462)
==336190== by 0x50962FB: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:496)
==336190== by 0x4EF44B8: JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (jsapi.cpp:2790)
==336190== by 0x6544DF: IGUIObject::ScriptEvent(CStr8 const&) (IGUIObject.cpp:421)
==336190== by 0x652CB7: IGUIObject::SendEvent(EGUIMessageType, CStr8 const&) (IGUIObject.cpp:391)

Event Timeline

elexis changed the visibility from "All Users" to "Public (No Login Required)".Sep 9 2019, 7:29 PM
Stan added a subscriber: Stan.Sep 9 2019, 7:59 PM

https://github.com/0ad/0ad/blob/master/source/lobby/XmppClient.cpp

Offending code?

IXmppClient* IXmppClient::create(const ScriptInterface* scriptInterface, const std::string& sUsername, const std::string& sPassword, const std::string& sRoom, const std::string& sNick, const int historyRequestSize,bool regOpt)
{
	return new XmppClient(scriptInterface, sUsername, sPassword, sRoom, sNick, historyRequestSize, regOpt);
}
elexis added a comment.Sep 9 2019, 8:03 PM

Affected JS_CallFunctionValue in IGUIObject::ScriptEvent:

	JS::AutoValueVector paramData(cx);
	paramData.append(mouse);
	JS::RootedObject obj(cx, GetJSObject());
	JS::RootedValue handlerVal(cx, JS::ObjectValue(*it->second));
	JS::RootedValue result(cx, JS::UndefinedValue());
	if (!JS_CallFunctionValue(cx, obj, handlerVal, paramData, &result))
	{
		// We have no way to propagate the script exception, so just ignore it
		// and hope the caller checks JS_IsExceptionPending
	}
elexis added a comment.Sep 9 2019, 8:35 PM

After commenting out the create XmppClient call, the conditional jump warning is gone.

So it seems IGUIObject itself is innocent.

elexis added a comment.Sep 9 2019, 9:31 PM

It seems this is my fault for not initializing XmppClient primitive members m_certStatus and m_PresenceUpdate in rP21901 and rP22855...
Good news is that valgrind reveals stupidity systematically.
The conditional jump warning is gone after initializing all members of XmppClient properly.

Nope, that still doesn't fix the conditional jump.

Same as in D2223, that error message occurs only with clang but not gcc.

The valgrind track-origin option was already enabled, so I don't know what it wants.
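As an added example (not code from this paste, from 0 A.D. or from gloox), here is the shape of the defect elexis identifies next to its fix, built around a poisoning allocator so that the indeterminate bytes become reproducible instead of toolchain-dependent. XmppClientBefore, XmppClientAfter, PoisonedAlloc and the CertStatus stand-in are constructed for this illustration.

```cpp
#include <cstdlib>
#include <cstring>

// Stand-in for gloox's certificate status (assumption: the real enum is not reproduced here).
enum CertStatus { CertOk = 0, CertInvalid = 1 };

// Constructed for this example: fill fresh heap memory with 0xAB so a member the constructor
// forgot to set reads as a recognisable pattern rather than whatever the block held before
// (which is why the symptom appears with one toolchain and not another).
static void* PoisonedAlloc(std::size_t n)
{
    void* p = std::malloc(n);
    if (p)
        std::memset(p, 0xAB, n);
    return p;
}

// "Before": the shape of the defect. The constructor body never assigns m_certStatus or
// m_PresenceUpdate, so after `new` they are indeterminate; the first branch on them is
// the "conditional jump depends on uninitialised value" valgrind reports.
struct XmppClientBefore
{
    int m_certStatus;
    bool m_PresenceUpdate;
    explicit XmppClientBefore(const char* /*sUsername*/) {}
    static void* operator new(std::size_t n) { return PoisonedAlloc(n); }
    static void operator delete(void* p) { std::free(p); }
};

// "After": default member initialisers run before any constructor body, so every present
// or future constructor yields defined values. This is the fix elexis describes.
struct XmppClientAfter
{
    int m_certStatus = CertOk;
    bool m_PresenceUpdate = false;
    explicit XmppClientAfter(const char* /*sUsername*/) {}
    static void* operator new(std::size_t n) { return PoisonedAlloc(n); }
    static void operator delete(void* p) { std::free(p); }
    bool CertificateTrusted() const { return m_certStatus == CertOk; } // the flagged kind of branch
};

// Allocate through the poisoning allocator and read the defaults back: CertOk and false.
static bool AfterHasDefinedDefaults()
{
    XmppClientAfter* c = new XmppClientAfter("user");
    bool ok = c->CertificateTrusted() && !c->m_PresenceUpdate;
    delete c;
    return ok;
}
```

Running the same program under valgrind flags the first read of XmppClientBefore's members and stays silent for XmppClientAfter, which is the check that closes this kind of report.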