[Webkit-unassigned] [Bug 200863] Crash in JSC::SlotVisitor::visitChildren

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 17 15:07:13 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=200863

--- Comment #28 from Michael Catanzaro <mcatanzaro at gnome.org> ---
(In reply to Mark Lam from comment #25)
> However, JSSymbolTableObject::m_symbolTable is a WriteBarrier<SymbolTable>,
> and all WriteBarriers have a default constructor:
> ```
>     WriteBarrier()
>     {
>         this->setWithoutWriteBarrier(nullptr);
>     }
> ```
> ... which implies that Valgrind is wrong here.

That just means that my assumption that m_cell is never initialized was wrong. A bug in WebKit is drastically more likely than a bug in valgrind. So if the m_cell is initially initialized, then it must be overwritten with uninitialized memory from someplace else later on. valgrind should be able to pinpoint where it's coming from, but not by default: you need to use the --track-origins flag (which is slow!) to show that. There's a good chance that will give us the remaining info we need to fix this. Hopefully.

(In reply to Krzysztof Konopko from comment #27)
> Also Michael claimed in Comment #12 that he can "see this crash every once
> in a while", presumably on a more recent (?) WebKit and on x86_64 (?)

Unfortunately, I don't remember when the last time I saw this crash was. That suggests it's probably not an important top crasher.

Honestly, if the crashes stopped after you upgraded GCC, then my primary concern here would be fixing the errors that valgrind is reporting. That seems likely to be the underlying bug here.

-- 
You are receiving this mail because:
You are the assignee for the bug.
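The following is an added illustration of the situation the comment describes, not code from WebKit or from anyone in this thread: a pointer member that its constructor does set to nullptr can still end up holding uninitialised bits if it is later assigned from memory that was never initialised, which is why valgrind's origin tracking is the useful next step. The struct names (BarrierLike, UninitialisedSource, Cell) and both copy functions are hypothetical stand-ins.

```cpp
// Added illustration (not WebKit code) of "initialised, then overwritten
// with uninitialised memory from someplace else". Plain valgrind reports
// the *use* of the uninitialised value; --track-origins=yes additionally
// reports where those bits were *created* (e.g. "Uninitialised value was
// created by a stack allocation").
#include <cstdio>

struct Cell { int payload; };

// Stand-in for a WriteBarrier<T>: the default constructor nulls the
// pointer, like the WriteBarrier() constructor quoted in the thread.
struct BarrierLike {
    Cell* m_cell;
    BarrierLike() { m_cell = nullptr; }
};

// Hypothetical source object whose pointer field is left uninitialised
// (no constructor, no in-class initialiser): the "someplace else".
struct UninitialisedSource {
    Cell* cell;
};

// Buggy path: the barrier starts out as nullptr, then is overwritten from
// a source that was never initialised. Under valgrind the later branch in
// main() is flagged as depending on an uninitialised value, and with
// --track-origins=yes the origin is the stack allocation of `src`.
Cell* copyFromUninitialisedSource() {
    BarrierLike barrier;         // m_cell == nullptr at this point
    UninitialisedSource src;     // src.cell holds whatever was on the stack
    barrier.m_cell = src.cell;   // nullptr is now replaced by those bits
    return barrier.m_cell;
}

// Fixed path: value-initialise the source so every field is zeroed.
Cell* copyFromInitialisedSource() {
    BarrierLike barrier;
    UninitialisedSource src{};   // cell == nullptr
    barrier.m_cell = src.cell;
    return barrier.m_cell;
}

int main() {
    // Branching on the value is what makes valgrind report it.
    if (copyFromUninitialisedSource() != nullptr)
        std::puts("buggy path: non-null (came from uninitialised bits)");
    else
        std::puts("buggy path: null (the stack happened to be zero)");

    if (copyFromInitialisedSource() == nullptr)
        std::puts("fixed path: null, as expected");
    return 0;
}
```

Build with optimisation off so the uninitialised read is not elided (e.g. `g++ -O0 -g`), then run once under `valgrind ./a.out` and once under `valgrind --track-origins=yes ./a.out`: the first run only names the branch in main(), the second also names the allocation of `src` as the origin, which is the extra information the comment is after.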