Bug 25932 - RESOLVED INVALID
Uninitialized variable used at JSC::Heap::markConservatively and JSC::CollectorBitmap::set
https://bugs.webkit.org/show_bug.cgi?id=25932
xxx
Reported 2009-05-21 07:10:35 PDT
valgrind detected an uninitialized variable used at JSC::Heap::markConservatively.

1) Thanks to --track-origins=yes below you can see that the source of the uninitialized value comes from JSC::Heap::markCurrentThreadConservativelyInternal() (Collector.cpp:700)

==8572== Conditional jump or move depends on uninitialised value(s)
==8572==    at 0x42776D7: JSC::Heap::markConservatively(void*, void*) (Collector.cpp:669)
==8572==    by 0x427780C: JSC::Heap::markCurrentThreadConservativelyInternal() (Collector.cpp:704)
==8572==    by 0x427783D: JSC::Heap::markCurrentThreadConservatively() (Collector.cpp:720)
==8572==    by 0x4277858: JSC::Heap::markStackObjectsConservatively() (Collector.cpp:872)
==8572==    by 0x4277C14: JSC::Heap::collect() (Collector.cpp:1084)
==8572==    by 0x4317A76: WebCore::GCController::gcTimerFired(WebCore::Timer<WebCore::GCController>*) (GCController.cpp:74)
==8572==    by 0x4317C39: WebCore::Timer<WebCore::GCController>::fired() (Timer.h:99)
==8572==    by 0x46FF8AB: WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, 0u> const&) (Timer.cpp:347)
==8572==    by 0x46FF944: WebCore::TimerBase::sharedTimerFired() (Timer.cpp:368)
==8572==    by 0x485BA6D: WebCore::SharedTimerQt::timerEvent(QTimerEvent*) (SharedTimerQt.cpp:105)
==8572==    by 0x63AB203: QObject::event(QEvent*) (qobject.cpp:1073)
==8572==    by 0x546488A: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4057)
==8572==    by 0x5462CEB: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3604)
==8572==    by 0x63957AC: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:610)
==8572==    by 0x48564E8: QCoreApplication::sendEvent(QObject*, QEvent*) (qcoreapplication.h:213)
==8572==  Uninitialised value was created by a stack allocation
==8572==    at 0x42777E3: JSC::Heap::markCurrentThreadConservativelyInternal() (Collector.cpp:700)

2) In this case the value comes from QApplication::notify

==8572== Use of uninitialised value of size 4
==8572==    at 0x41A9C2F: JSC::CollectorBitmap::set(unsigned int) (Collector.h:191)
==8572==    by 0x41A9CA5: JSC::Heap::markCell(JSC::JSCell*) (Collector.h:276)
==8572==    by 0x427773F: JSC::Heap::markConservatively(void*, void*) (Collector.cpp:677)
==8572==    by 0x427780C: JSC::Heap::markCurrentThreadConservativelyInternal() (Collector.cpp:704)
==8572==    by 0x427783D: JSC::Heap::markCurrentThreadConservatively() (Collector.cpp:720)
==8572==    by 0x4277858: JSC::Heap::markStackObjectsConservatively() (Collector.cpp:872)
==8572==    by 0x4277C14: JSC::Heap::collect() (Collector.cpp:1084)
==8572==    by 0x4317A76: WebCore::GCController::gcTimerFired(WebCore::Timer<WebCore::GCController>*) (GCController.cpp:74)
==8572==    by 0x4317C39: WebCore::Timer<WebCore::GCController>::fired() (Timer.h:99)
==8572==    by 0x46FF8AB: WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, 0u> const&) (Timer.cpp:347)
==8572==    by 0x46FF944: WebCore::TimerBase::sharedTimerFired() (Timer.cpp:368)
==8572==    by 0x485BA6D: WebCore::SharedTimerQt::timerEvent(QTimerEvent*) (SharedTimerQt.cpp:105)
==8572==    by 0x63AB203: QObject::event(QEvent*) (qobject.cpp:1073)
==8572==    by 0x546488A: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4057)
==8572==    by 0x5462CEB: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3604)
==8572==  Uninitialised value was created by a stack allocation
==8572==    at 0x54629BA: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3532)
Mark Rowe (bdash)
Comment 1 2009-05-21 16:09:17 PDT
A conservative garbage collector inherently depends on reading memory that may not have been explicitly initialized.
xxx
Comment 2 2009-05-22 06:51:26 PDT
(In reply to comment #1)
> A conservative garbage collector inherently depends on reading memory that may
> not have been explicitly initialized.

Excuse my ignorance, but I can't imagine any single application where it makes sense to read a memory address which has not been initialized.

Anyway, I forgot 2 things:

1) You can reproduce this with

   WebKit-r43887/WebKit/qt/tests/qwebpage> valgrind --track-origins=yes ./tst_qwebpage

2) I'm using the QtWebKit version which comes with qt 4.5. Looking at the 528+ nightly build, the uninitialized variable is used at line 569 of JavaScriptCore/runtime/Collector.cpp, which is the last line of this code section

    while (p != e) {
        char* x = *p++;
        if (IS_HALF_CELL_ALIGNED(x) && x) {

thanks
Alexey Proskuryakov
Comment 3 2009-05-22 08:13:16 PDT
That's how the garbage collector works - it reads all values from the stack, and has no way to know whether they were initialized. Googling for "garbage collector valgrind uninitialized", you could see that this is the case with other languages' GC implementations, as well.
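The conservative scan that comments 1 and 3 describe, as an added example that is not WebKit's code: a constructed toy heap with a mark bitmap and a stack scan that reads every word between the current frame and a recorded upper bound, which is exactly the read memcheck flags. All names (heap, mark_if_heap_pointer, mark_conservatively, scan_stack_up_to, demo_conservative_scan) are constructed; it assumes a downward-growing stack and GCC/Clang for the noinline attribute.

```c
#include <stdint.h>
#include <string.h>

/* Constructed toy heap: NUM_CELLS fixed-size cells and a one-bit-per-cell mark bitmap. */
#define CELL_SIZE 64
#define NUM_CELLS 16
static _Alignas(CELL_SIZE) char heap[NUM_CELLS * CELL_SIZE];
static uint32_t mark_bits;

/* Treat x as a candidate pointer: mark its cell if it is non-null, cell-aligned and
 * inside the heap (alignment test plus Heap::markCell / CollectorBitmap::set). */
static int mark_if_heap_pointer(uintptr_t x)
{
    uintptr_t lo = (uintptr_t)heap, hi = lo + sizeof heap;
    if (x == 0 || x % CELL_SIZE != 0 || x < lo || x >= hi)
        return 0;
    mark_bits |= 1u << ((x - lo) / CELL_SIZE);
    return 1;
}

/* The loop quoted from Collector.cpp: every word in [start, end) is read and tested,
 * whether or not anything ever wrote it; that test is what memcheck reports. */
static void mark_conservatively(const void* start, const void* end)
{
    uintptr_t p = ((uintptr_t)start + sizeof(uintptr_t) - 1) & ~(uintptr_t)(sizeof(uintptr_t) - 1);
    for (; p + sizeof(uintptr_t) <= (uintptr_t)end; p += sizeof(uintptr_t)) {
        uintptr_t x;
        memcpy(&x, (const void*)p, sizeof x); /* raw word, no type assumptions */
        mark_if_heap_pointer(x);
    }
}

/* Scan the live stack from this frame up to frame_end, as markCurrentThread-
 * ConservativelyInternal scans from the stack pointer to the recorded stack base. */
static __attribute__((noinline)) uint32_t scan_stack_up_to(const void* frame_end)
{
    volatile int marker;                 /* its address approximates the stack top */
    mark_conservatively((const void*)&marker, frame_end);
    return mark_bits;
}

/* Demo: the only references to cells 3 and 9 sit in stack slots of this frame. */
uint32_t demo_conservative_scan(void)
{
    /* slots[0] is cell-aligned and gets marked; slots[1] points inside a cell and is ignored. */
    char* volatile slots[2] = { heap + 3 * CELL_SIZE, heap + 9 * CELL_SIZE + 8 };
    mark_bits = 0;
    return scan_stack_up_to((const void*)(slots + 2));
}
```

Run under memcheck, the same class of report appears inside mark_conservatively for the never-written words between the two frames, and the triage is a memcheck suppression for the scanner (or VALGRIND_MAKE_MEM_DEFINED over the scanned range), not a code fix.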