qmlscene crashed with SIGSEGV in mark()

Bug #1295119 reported by Martin Kaistra
This bug affects 2 people
Affects: qtdeclarative-opensource-src (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Timo Jyrinki
Milestone: (none)

Bug Description

Running my app https://launchpad.net/akari on Ubuntu Trusty sometimes gives me a segfault at the start.

ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: qmlscene 5.2.1-3ubuntu10
ProcVersionSignature: Ubuntu 3.13.0-18.38-generic 3.13.6
Uname: Linux 3.13.0-18-generic x86_64
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Mar 20 14:06:36 2014
EcryptfsInUse: Yes
ExecutablePath: /usr/lib/x86_64-linux-gnu/qt5/bin/qmlscene
InstallationDate: Installed on 2014-03-16 (3 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140316)
ProcCmdline: /usr/lib/x86_64-linux-gnu/qt5/bin/qmlscene akari.qml
SegvAnalysis:
 Segfault happened at: 0x7f481c54bc9e <_ZN3QV46Object11markObjectsEPNS_7ManagedEPNS_15ExecutionEngineE+94>: movzbl 0x8(%rax),%ecx
 PC (0x7f481c54bc9e) ok
 source "0x8(%rax)" (0x00000098) not located in a known VMA region (needed readable region)!
 destination "%ecx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: qtdeclarative-opensource-src
StacktraceTop:
 QV4::Object::markObjects(QV4::Managed*, QV4::ExecutionEngine*) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
 QV4::MemoryManager::mark() () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
 QV4::MemoryManager::runGC() () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
 QV4::MemoryManager::alloc(unsigned long) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
 QV4::ExecutionEngine::newString(QString const&) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
Title: qmlscene crashed with SIGSEGV in QV4::Object::markObjects()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm autopilot cdrom dip lpadmin plugdev sambashare sudo

Revision history for this message
Martin Kaistra (djfun) wrote :
Revision history for this message
Apport retracing service (apport) wrote :

StacktraceTop:
 mark (engine=0x1157820, this=<optimized out>) at jsruntime/qv4engine_p.h:373
 mark (e=0x1157820, this=0x1457cd0) at jsruntime/qv4value_p.h:93
 QV4::Object::markObjects (that=0x7f47f0fe0480, e=0x1157820) at jsruntime/qv4object.cpp:263
 QV4::MemoryManager::mark (this=this@entry=0x1152810) at jsruntime/qv4mm.cpp:433
 QV4::MemoryManager::runGC (this=0x1152810) at jsruntime/qv4mm.cpp:564

Revision history for this message
Apport retracing service (apport) wrote : Stacktrace.txt
Revision history for this message
Apport retracing service (apport) wrote : StacktraceSource.txt
Revision history for this message
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in qtdeclarative-opensource-src (Ubuntu):
importance: Undecided → Medium
summary: - qmlscene crashed with SIGSEGV in QV4::Object::markObjects()
+ qmlscene crashed with SIGSEGV in mark()
tags: removed: need-amd64-retrace
Martin Kaistra (djfun)
information type: Private → Public
Revision history for this message
Martin Kaistra (djfun) wrote :

I dug a bit deeper into this and I think I have found the cause for this:

When you have an array sort function that is inconsistent (that does not always return the same value for two given values a and b), the new Qml V4 Javascript engine sometimes gives you back a reference to a memory location that doesn't belong to the array (anymore?).

So for the following example:

    var a = [1, 2];

    var random_values = [
        0.4,
        0.9,
        0.8,
        0.6];

    var c = 0;
    // The comparator ignores its arguments: its sign depends only on how
    // many times it has been called, so it is not a consistent ordering.
    a.sort(function() { var r = random_values[c]; c++; console.log(r); return 0.5 - r; });
    console.log(a);

I sometimes get something like [-4.528848823629493e-224,1] or errors like
QV4::__qmljs_convert_to_string(QV4::ExecutionContext*, QV4::ValueRef) or
QV4::Value::toString(QV4::ExecutionContext*) const () etc.

Even though the behavior of array sort with an inconsistent function is not defined it should NOT lead to a segmentation fault (or who knows what memory locations it gives back and what can be done with that).
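
The failure mode described in the comment above, as an added example that is not code from the bug report, from Qt, or from the akari project. It reuses the call-counting comparator posted above and shows the two properties a practitioner wants: a sort that only ever returns a permutation of its input no matter what the comparator does (a merge sort that copies every element exactly once per level, so a bad comparator can only affect order, never bounds), and a small checker that reports why a comparator is not a consistent ordering before it is handed to a sort. All function names (robustSort, normalise, findComparatorViolation, isPermutation, makeInconsistentComparator) are this example's own, not Qt or ECMAScript APIs.

```javascript
// Added example, not from the bug report or Qt. Demonstrates a sort that
// cannot misbehave on an inconsistent comparator, plus a consistency check.

// Normalise whatever a user comparator returns into -1, 0 or 1.
// Non-numeric, undefined or NaN results (Array.sort treats NaN as 0) become 0.
function normalise(result) {
  const n = Number(result);
  if (Number.isNaN(n) || n === 0) return 0;
  return n < 0 ? -1 : 1;
}

// Merge sort that never indexes outside its inputs. Each merge step pushes
// exactly one element from one side, and both tails are drained afterwards,
// so the output is always a permutation of the input regardless of cmp.
function robustSort(input, cmp) {
  const arr = Array.from(input);
  if (arr.length < 2) return arr;
  const mid = arr.length >> 1;
  const left = robustSort(arr.slice(0, mid), cmp);
  const right = robustSort(arr.slice(mid), cmp);
  const out = [];
  let i = 0, j = 0;
  while (i < left.length && j < right.length) {
    // "<= 0" keeps the sort stable when cmp is consistent.
    if (normalise(cmp(left[i], right[j])) <= 0) out.push(left[i++]);
    else out.push(right[j++]);
  }
  while (i < left.length) out.push(left[i++]);
  while (j < right.length) out.push(right[j++]);
  return out;
}

// Reports the first way in which cmp fails to be a deterministic total
// preorder on `sample` (reflexive, antisymmetric, transitive), or null if
// no violation is found. Meant for test data; it is O(n^3) in sample size.
function findComparatorViolation(cmp, sample) {
  const sgn = (a, b) => normalise(cmp(a, b));
  for (const a of sample) {
    if (sgn(a, a) !== 0) return { kind: 'irreflexive', a };
    for (const b of sample) {
      const ab = sgn(a, b);
      if (sgn(a, b) !== ab) return { kind: 'nondeterministic', a, b };
      if (ab !== -sgn(b, a)) return { kind: 'asymmetric', a, b };
      for (const c of sample) {
        const bc = sgn(b, c);
        if (ab <= 0 && bc <= 0 && sgn(a, c) > 0) {
          return { kind: 'intransitive', a, b, c };
        }
      }
    }
  }
  return null;
}

// True if `out` contains exactly the same elements as `input` (as a multiset).
function isPermutation(input, out) {
  if (input.length !== out.length) return false;
  const count = new Map();
  for (const x of input) count.set(x, (count.get(x) || 0) + 1);
  for (const x of out) {
    if (!count.has(x)) return false;
    count.set(x, count.get(x) - 1);
  }
  for (const v of count.values()) if (v !== 0) return false;
  return true;
}

// The comparator from the bug report above: its result depends on how many
// times it has been called, not on its arguments. After four calls it reads
// past the end of random_values and returns NaN, which normalise() maps to 0.
function makeInconsistentComparator() {
  const randomValues = [0.4, 0.9, 0.8, 0.6];
  let c = 0;
  return function () {
    const r = randomValues[c];
    c++;
    return 0.5 - r;
  };
}

// Stand-alone demo: the inconsistent comparator is flagged before use, and
// robustSort still returns a permutation when given it anyway.
function demo() {
  const input = [1, 2, 3, 4, 5];
  const violation = findComparatorViolation(makeInconsistentComparator(), [1, 2]);
  const out = robustSort(input, makeInconsistentComparator());
  return { violation, out, ok: isPermutation(input, out) };
}
```

The check is what an engine cannot do for you at runtime (it would need extra comparator calls and is only meaningful on a sample); the permutation guarantee is what an engine must provide. The upstream fix referenced later in this report addresses the second property in V4's Array.sort, not the first.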

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in qtdeclarative-opensource-src (Ubuntu):
status: New → Confirmed
Revision history for this message
Timo Jyrinki (timo-jyrinki) wrote :

I can confirm this still happens with Qt 5.3.0 and Qt 5.3.1.

I took the liberty to report this to upstream to https://bugreports.qt-project.org/browse/QTBUG-40280

Revision history for this message
Timo Jyrinki (timo-jyrinki) wrote :

Upstream has committed a post-5.3.2 fix to their Qt 5.3 stable branch that I can cherry-pick to the next vivid upload.

Changed in qtdeclarative-opensource-src (Ubuntu):
assignee: nobody → Timo Jyrinki (timo-jyrinki)
status: Confirmed → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qtdeclarative-opensource-src - 5.3.2-3ubuntu2

---------------
qtdeclarative-opensource-src (5.3.2-3ubuntu2) vivid; urgency=medium

  * debian/patches/Avoid-race-condition-in-QQmlEngine-on-shutdown.patch
    - Cherry-pick an app shutdown crash fix (LP: #1373039)
  * debian/patches/Fix-crashes-when-calling-Array.sort-with-imperfect-s.patch
    - Cherry-pick a fix for a crasher in Array.sort (LP: #1295119)
 -- Timo Jyrinki <email address hidden> Wed, 03 Dec 2014 08:32:46 +0000

Changed in qtdeclarative-opensource-src (Ubuntu):
status: In Progress → Fix Released