[Webkit-unassigned] [Bug 200863] Crash in JSC::SlotVisitor::visitChildren

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 21 08:06:11 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=200863

--- Comment #38 from Michael Catanzaro <mcatanzaro at gnome.org> ---
(In reply to Krzysztof Konopko from comment #37)
> Oh, missed this one.  Indeed, looks like a genuine problem, unless anyone
> can tell otherwise?

It's hard to imagine that it could possibly not be a bug. It's the same as in comment #8 except with JSC::JSGlobalObject instead of JSC::SymbolTable: the code is returning a pointer to a JSC::JSGlobalObject but the pointer is uninitialized memory, so it's garbage. At least, that's what it looks like to me. (In comment #36 I said it's "almost certainly" causing your crash, but that was silly of me: I have no clue what's causing your crash. But clearly the WriteBarrier is guarding a bogus pointer.)

As for the rest of the valgrind warnings caused by the conservative GC: this might sound crazy, but I think we should just completely turn off GC when running under valgrind (unless it's possible to somehow avoid reading uninitialized memory, but I guess that's just not how the garbage collector works?) and just accept that will (likely drastically) reduce our ability to check for memory errors. The output isn't useful at all otherwise: I would never have found the WriteBarrierBase problem in that huge wall of warnings had Krzysztof not initially pointed it out separately in comment #8.

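To make the shape of the defect discussed above concrete, here is an added example (not WebKit code; `Cell`, `SlotUninitialized`, `SlotInitialized` and `visitChildren` are simplified stand-ins for a GC cell, a WriteBarrier-style slot and the visitor). It shows a slot whose pointer member has no initializer, so a cell placed into a recycled block reports the block's stale bytes as a pointer, beside the corrected slot that defaults to null. The poisoning pattern and the stack-backed blocks are constructed for the demonstration.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <new>

struct Cell;

// The defect shape: no initializer, so a Cell constructed into reused memory
// carries whatever bytes were already there and hands them out as a Cell*.
// A visitor that follows this pointer dereferences garbage.
struct SlotUninitialized {
    Cell* m_cell;
    Cell* get() const { return m_cell; }
    void set(Cell* c) { m_cell = c; }
};

// The fix: the slot defaults to nullptr, so an unset slot is never garbage.
struct SlotInitialized {
    Cell* m_cell = nullptr;
    Cell* get() const { return m_cell; }
    void set(Cell* c) { m_cell = c; }
};

// Simplified GC cell using the corrected slot type.
struct Cell {
    SlotInitialized child;
    bool marked = false;
};

// Simulates an allocator handing out a recycled block: the bytes are poisoned
// with a constructed pattern (0xAB) rather than zeroed, so any member that
// lacks an initializer would inherit that garbage. Default-initialization
// (no parentheses) deliberately does not zero the object first.
Cell* allocateFromRecycledBlock(void* block) {
    std::memset(block, 0xAB, sizeof(Cell));
    return new (block) Cell;
}

// visitChildren-style traversal: follows the slot only when it is non-null.
// With SlotUninitialized in place of SlotInitialized the null check itself
// reads indeterminate bytes, which is what valgrind flags as a conditional
// jump on uninitialised values and what a crash in the visitor looks like.
std::size_t visitChildren(Cell* cell) {
    std::size_t visited = 0;
    if (Cell* child = cell->child.get()) {
        child->marked = true;
        ++visited;
    }
    return visited;
}

// Builds a parent and child in poisoned blocks and reports how many children
// the visitor reaches: 0 for a fresh cell, 1 once the slot has been set.
std::size_t childrenVisited(bool setChild) {
    alignas(Cell) unsigned char parentBlock[sizeof(Cell)];
    alignas(Cell) unsigned char childBlock[sizeof(Cell)];
    Cell* parent = allocateFromRecycledBlock(parentBlock);
    Cell* child = allocateFromRecycledBlock(childBlock);
    if (setChild)
        parent->child.set(child);
    std::size_t visited = visitChildren(parent);
    parent->~Cell();
    child->~Cell();
    return visited;
}

int main() {
    return (childrenVisited(false) == 0 && childrenVisited(true) == 1) ? 0 : 1;
}
```

Because the block is poisoned with memset, the bytes count as defined and the example behaves deterministically; with genuinely uninitialized memory the uninitialized slot variant is where valgrind reports on the null check in the visitor, which is the one signal worth separating from the noise a conservative stack scan produces.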