[Webkit-unassigned] [Bug 200863] Crash in JSC::SlotVisitor::visitChildren

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 15 11:03:12 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=200863

--- Comment #25 from Mark Lam <mark.lam at apple.com> ---
(In reply to Justin Michaud from comment #21)
> > valgrind's memcheck tool is not prone to false positives, unless you are
> > running leak check.
> 
> How does it check? I can't find any details in the documentation. Our write
> barrier class is intentionally used to read memory that it did not construct
> itself, so it doesn't seem strange to me that it would complain.

Justin, what you claimed here is not entirely accurate. We have conservative scanning of the stack. That's the only place that we would expect to access uninitialized memory. Everywhere else, we would expect initialized fields.

In comment #c8, Krzysztof's crash trace seems to imply that JSSymbolTableObject::m_symbolTable is uninitialized.  Thanks to Michael's links, I've got a refresher on how Valgrind works.  So, if Valgrind is working properly, then this error message is concerning.

However, JSSymbolTableObject::m_symbolTable is a WriteBarrier<SymbolTable>, and all WriteBarriers have a default constructor:
```cpp
    WriteBarrier()
    {
        this->setWithoutWriteBarrier(nullptr);
    }
```
... which implies that Valgrind is wrong here.

Maybe the line number on Krzysztof's crash trace is just out of date. Regardless, please do build and test with the latest WebKit.  Reporting on a super old build which has not picked up all the bug fixes is not helpful.

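A small C++ mock of the argument in the comment above, added here and not part of the bug thread or of WebKit's code: WriteBarrier, JSSymbolTableObject and the GC cell allocator are assumed, simplified stand-ins, and the 0xAB poison is constructed so the check is deterministic (a real allocator leaves recycled bytes unwritten, which is what memcheck tracks).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

struct SymbolTable { int unused; };  // constructed stand-in for JSC's SymbolTable

// Mock of the WriteBarrier<T> constructor quoted in the comment: the default
// constructor always stores nullptr, so the slot is defined before any read.
template <typename T>
class WriteBarrier {
public:
    WriteBarrier() { setWithoutWriteBarrier(nullptr); }
    void setWithoutWriteBarrier(T* value) { m_cell = value; }
    T* get() const { return m_cell; }
private:
    T* m_cell;
};

// Mock of JSSymbolTableObject: m_symbolTable is default-constructed.
struct WithBarrier { WriteBarrier<SymbolTable> m_symbolTable; };
// Hypothetical variant with a bare pointer and no constructor, i.e. what the
// class would have to look like for Valgrind's report to be justified.
struct WithoutBarrier { SymbolTable* m_symbolTable; };

// Emulate GC cell allocation: the cell's bytes are recycled (filled here with a
// constructed 0xAB poison) and the object is built in place. Returns the raw
// bytes of m_symbolTable right after construction, without dereferencing them.
template <typename Cell>
std::uintptr_t fieldAfterPlacementNew()
{
    alignas(Cell) unsigned char storage[sizeof(Cell)];
    std::memset(storage, 0xAB, sizeof storage);          // stale bytes from an old cell
    new (storage) Cell;                                  // runs Cell's constructor, if any
    std::uintptr_t raw;
    std::memcpy(&raw, storage + offsetof(Cell, m_symbolTable), sizeof raw);  // bytes only
    return raw;
}

// With the barrier the field reads as nullptr (0) regardless of the stale bytes.
bool barrierInitializesField() { return fieldAfterPlacementNew<WithBarrier>() == 0; }

// Without it the poison survives: the pattern a memcheck report on the field would imply.
bool bareMemberKeepsStaleBytes()
{
    std::uintptr_t poison;
    std::memset(&poison, 0xAB, sizeof poison);
    return fieldAfterPlacementNew<WithoutBarrier>() == poison;
}
```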