Bug 25932
| Summary: | Uninitialized variable used at JSC::Heap::markConservatively and JSC::CollectorBitmap::set | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | xxx <webkit> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED INVALID | ||
| Severity: | Normal | ||
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | PC | ||
| OS: | Linux | ||
xxx
Valgrind detected an uninitialized variable used at JSC::Heap::markConservatively.
1) Thanks to --track-origins=yes, below you can see that the uninitialized value comes from JSC::Heap::markCurrentThreadConservativelyInternal() (Collector.cpp:700)
```
==8572== Conditional jump or move depends on uninitialised value(s)
==8572==    at 0x42776D7: JSC::Heap::markConservatively(void*, void*) (Collector.cpp:669)
==8572==    by 0x427780C: JSC::Heap::markCurrentThreadConservativelyInternal() (Collector.cpp:704)
==8572==    by 0x427783D: JSC::Heap::markCurrentThreadConservatively() (Collector.cpp:720)
==8572==    by 0x4277858: JSC::Heap::markStackObjectsConservatively() (Collector.cpp:872)
==8572==    by 0x4277C14: JSC::Heap::collect() (Collector.cpp:1084)
==8572==    by 0x4317A76: WebCore::GCController::gcTimerFired(WebCore::Timer<WebCore::GCController>*) (GCController.cpp:74)
==8572==    by 0x4317C39: WebCore::Timer<WebCore::GCController>::fired() (Timer.h:99)
==8572==    by 0x46FF8AB: WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, 0u> const&) (Timer.cpp:347)
==8572==    by 0x46FF944: WebCore::TimerBase::sharedTimerFired() (Timer.cpp:368)
==8572==    by 0x485BA6D: WebCore::SharedTimerQt::timerEvent(QTimerEvent*) (SharedTimerQt.cpp:105)
==8572==    by 0x63AB203: QObject::event(QEvent*) (qobject.cpp:1073)
==8572==    by 0x546488A: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4057)
==8572==    by 0x5462CEB: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3604)
==8572==    by 0x63957AC: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:610)
==8572==    by 0x48564E8: QCoreApplication::sendEvent(QObject*, QEvent*) (qcoreapplication.h:213)
==8572==  Uninitialised value was created by a stack allocation
==8572==    at 0x42777E3: JSC::Heap::markCurrentThreadConservativelyInternal() (Collector.cpp:700)
```
2) In this case the value comes from QApplication::notify
```
==8572== Use of uninitialised value of size 4
==8572==    at 0x41A9C2F: JSC::CollectorBitmap::set(unsigned int) (Collector.h:191)
==8572==    by 0x41A9CA5: JSC::Heap::markCell(JSC::JSCell*) (Collector.h:276)
==8572==    by 0x427773F: JSC::Heap::markConservatively(void*, void*) (Collector.cpp:677)
==8572==    by 0x427780C: JSC::Heap::markCurrentThreadConservativelyInternal() (Collector.cpp:704)
==8572==    by 0x427783D: JSC::Heap::markCurrentThreadConservatively() (Collector.cpp:720)
==8572==    by 0x4277858: JSC::Heap::markStackObjectsConservatively() (Collector.cpp:872)
==8572==    by 0x4277C14: JSC::Heap::collect() (Collector.cpp:1084)
==8572==    by 0x4317A76: WebCore::GCController::gcTimerFired(WebCore::Timer<WebCore::GCController>*) (GCController.cpp:74)
==8572==    by 0x4317C39: WebCore::Timer<WebCore::GCController>::fired() (Timer.h:99)
==8572==    by 0x46FF8AB: WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, 0u> const&) (Timer.cpp:347)
==8572==    by 0x46FF944: WebCore::TimerBase::sharedTimerFired() (Timer.cpp:368)
==8572==    by 0x485BA6D: WebCore::SharedTimerQt::timerEvent(QTimerEvent*) (SharedTimerQt.cpp:105)
==8572==    by 0x63AB203: QObject::event(QEvent*) (qobject.cpp:1073)
==8572==    by 0x546488A: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4057)
==8572==    by 0x5462CEB: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3604)
==8572==  Uninitialised value was created by a stack allocation
==8572==    at 0x54629BA: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3532)
```
Mark Rowe (bdash)
A conservative garbage collector inherently depends on reading memory that may not have been explicitly initialized.
xxx
(In reply to comment #1)
> A conservative garbage collector inherently depends on reading memory that may
> not have been explicitly initialized.
>
Excuse my ignorance, but I can't imagine any single application where it makes sense to read a memory address which has not been initialized.
Anyway, I forgot 2 things:
1) You can reproduce this with:
```
WebKit-r43887/WebKit/qt/tests/qwebpage> valgrind --track-origins=yes ./tst_qwebpage
```
2) I'm using the QtWebKit version which comes with Qt 4.5. Looking at the 528+ nightly build, the uninitialized variable is used at line 569 of JavaScriptCore/runtime/Collector.cpp, which is the last line of this code section:
```cpp
while (p != e) {
    char* x = *p++;
    if (IS_HALF_CELL_ALIGNED(x) && x) {
```
thanks
Alexey Proskuryakov
That's how the garbage collector works - it reads all values from the stack, and has no way to know whether they were initialized. Googling for "garbage collector valgrind uninitialized", you could see that this is the case with other languages' GC implementations, as well.
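To make the two replies concrete, here is an added example in C; it is not WebKit's code and is not attached to this bug. It is a toy conservative stack scanner modelled loosely on the `markConservatively` loop quoted above: every word in the scanned range is read and tested as a candidate pointer, whether or not the program ever stored anything in that slot, and only words that land exactly on a cell boundary inside the collector's own block get a mark bit. The cell size, the heap block, the bitmap, and the names `mark_conservatively`, `cell_index`, `is_marked` and `demo_scan` are all constructed for the illustration; the "stack frame" is a local array with junk bytes written into it so the run is deterministic, where a real frame would hold genuinely uninitialized slots.

```c
/* Added example, not WebKit code: a minimal conservative stack scanner in the
 * spirit of JSC::Heap::markConservatively. Every word in the scanned range is
 * read and tested as a candidate pointer, whether or not the program ever
 * initialized that slot; that read is what Memcheck reports. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CELL_SIZE 32u   /* constructed cell size for the example, not JSC's */
#define NUM_CELLS 64u   /* fits one 64-bit mark word */

/* Constructed heap: one block of NUM_CELLS fixed-size cells. */
static unsigned char heap_block[CELL_SIZE * NUM_CELLS];

/* One mark bit per cell, standing in for CollectorBitmap. */
static uint64_t mark_bits;

/* Map a candidate pointer to a cell index, or -1 if it does not point at the
 * start of a cell in our block (a simplified stand-in for the range and
 * IS_HALF_CELL_ALIGNED checks in the real collector). */
static int cell_index(const char *x)
{
    uintptr_t lo = (uintptr_t)heap_block;
    uintptr_t hi = lo + sizeof heap_block;
    uintptr_t v = (uintptr_t)x;
    if (v < lo || v >= hi)
        return -1;                  /* not into our heap at all */
    if ((v - lo) % CELL_SIZE != 0)
        return -1;                  /* interior pointer, not a cell start */
    return (int)((v - lo) / CELL_SIZE);
}

/* Scan [start, end) word by word; returns how many cells were newly marked. */
size_t mark_conservatively(void *start, void *end)
{
    char **p = (char **)start;
    char **e = (char **)end;
    size_t marked = 0;
    while (p != e) {
        char *x = *p++;     /* read whatever the slot holds: pointer, integer or stale data */
        if (!x)
            continue;       /* this test is the "conditional jump" Memcheck flags on junk slots */
        int idx = cell_index(x);
        if (idx >= 0 && !(mark_bits & ((uint64_t)1 << idx))) {
            mark_bits |= (uint64_t)1 << idx;
            marked++;
        }
    }
    return marked;
}

int is_marked(int idx)
{
    return (int)((mark_bits >> idx) & 1);
}

/* Constructed "stack frame": one live cell pointer, one interior pointer, a
 * null, and three slots holding a junk pattern. In a real frame the junk slots
 * would simply be uninitialized; the pattern keeps the example deterministic. */
size_t demo_scan(void)
{
    char *frame[6];
    memset(frame, 0xAB, sizeof frame);
    frame[1] = (char *)heap_block + 3 * CELL_SIZE;      /* live reference: cell 3 */
    frame[2] = (char *)heap_block + 3 * CELL_SIZE + 5;  /* interior pointer: rejected */
    frame[4] = NULL;                                    /* skipped by the null test */
    mark_bits = 0;
    return mark_conservatively(frame, frame + 6);
}

int main(void)
{
    size_t n = demo_scan();
    printf("cells marked: %zu, cell 3 marked: %d, cell 0 marked: %d\n",
           n, is_marked(3), is_marked(0));
    return 0;
}
```

Run as written, the scan marks exactly one cell (cell 3) and rejects the interior pointer, the null and the junk words. If the `memset` were removed so the junk slots stayed uninitialized, `valgrind --track-origins=yes` would report the `if (!x)` test as a conditional jump depending on uninitialised values, with the origin at the stack allocation of `frame` in `demo_scan`, which is the same shape as the report at the top of this bug. Projects that run a conservative collector under Memcheck usually either add a suppression for the scanning routine or mark the scanned range defined with the `VALGRIND_MAKE_MEM_DEFINED` client request from `valgrind/memcheck.h` before the loop; the scanner's own behaviour is correct either way.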