qmlscene crashed with SIGSEGV in mark()

Bug #1295119 reported by Martin Kaistra
This bug affects 2 people

Affects: qtdeclarative-opensource-src (Ubuntu)
Importance: Medium
Assigned to: Timo Jyrinki

Bug Description

Running my app https://launchpad.net/akari on Ubuntu Trusty sometimes gives me a segfault at the start.

ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: qmlscene 5.2.1-3ubuntu10
ProcVersionSignature: Ubuntu 3.13.0-18.38-generic 3.13.6
Uname: Linux 3.13.0-18-generic x86_64
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Mar 20 14:06:36 2014
EcryptfsInUse: Yes
ExecutablePath: /usr/lib/x86_64-linux-gnu/qt5/bin/qmlscene
InstallationDate: Installed on 2014-03-16 (3 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140316)
ProcCmdline: /usr/lib/x86_64-linux-gnu/qt5/bin/qmlscene akari.qml
SegvAnalysis:
 Segfault happened at: 0x7f481c54bc9e <_ZN3QV46Object11markObjectsEPNS_7ManagedEPNS_15ExecutionEngineE+94>: movzbl 0x8(%rax),%ecx
 PC (0x7f481c54bc9e) ok
 source "0x8(%rax)" (0x00000098) not located in a known VMA region (needed readable region)!
 destination "%ecx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: qtdeclarative-opensource-src
StacktraceTop:
 QV4::Object::markObjects(QV4::Managed*, QV4::ExecutionEngine*) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
 QV4::MemoryManager::mark() () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
 QV4::MemoryManager::runGC() () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
 QV4::MemoryManager::alloc(unsigned long) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
 QV4::ExecutionEngine::newString(QString const&) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
Title: qmlscene crashed with SIGSEGV in QV4::Object::markObjects()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm autopilot cdrom dip lpadmin plugdev sambashare sudo

Revision history for this message
Apport retracing service (apport) wrote :

StacktraceTop:
 mark (engine=0x1157820, this=<optimized out>) at jsruntime/qv4engine_p.h:373
 mark (e=0x1157820, this=0x1457cd0) at jsruntime/qv4value_p.h:93
 QV4::Object::markObjects (that=0x7f47f0fe0480, e=0x1157820) at jsruntime/qv4object.cpp:263
 QV4::MemoryManager::mark (this=this@entry=0x1152810) at jsruntime/qv4mm.cpp:433
 QV4::MemoryManager::runGC (this=0x1152810) at jsruntime/qv4mm.cpp:564

Changed in qtdeclarative-opensource-src (Ubuntu):
importance: Undecided → Medium
summary: - qmlscene crashed with SIGSEGV in QV4::Object::markObjects()
+ qmlscene crashed with SIGSEGV in mark()
tags: removed: need-amd64-retrace
Martin Kaistra (djfun)
information type: Private → Public
Revision history for this message
Martin Kaistra (djfun) wrote :

I dug a bit deeper into this and I think I have found the cause for this:

When you have an array sort function that is inconsistent (that does not always return the same value for two given values a and b), the new Qml V4 JavaScript engine sometimes gives you back a reference to a memory location that doesn't belong to the array (anymore?).

So for the following example:

var a = [1, 2];

var random_values = [
    0.4,
    0.9,
    0.8,
    0.6];

var c = 0;
// The comparator ignores a and b and just walks random_values, so its
// result is not a consistent ordering (and is NaN once the list runs out).
a.sort(function() { var r = random_values[c]; c++; console.log(r); return 0.5 - r; });
console.log(a);

I sometimes get something like [-4.528848823629493e-224,1] or errors like
QV4::__qmljs_convert_to_string(QV4::ExecutionContext*, QV4::ValueRef) or
QV4::Value::toString(QV4::ExecutionContext*) const () etc.

Even though the behavior of array sort with an inconsistent function is not defined it should NOT lead to a segmentation fault (or who knows what memory locations it gives back and what can be done with that).
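The contract described above (any comparator, however inconsistent, may change the order but must never produce values that were not in the array) can be stated and checked in plain JavaScript. The following is an added example, not code from the bug report or from Qt: it audits a comparator for non-numeric results and broken antisymmetry before relying on it, sorts with the comparator result normalised the way Array.prototype.sort's ToNumber step does it (NaN becomes 0), and then verifies that the output is a permutation of the input. It goes beyond the page's single case in that the audit works for any comparator and sample. All names (checkComparator, safeSort, isPermutation, makeInconsistentComparator) are this example's own; makeInconsistentComparator reproduces the comparator from the comment above, minus its console logging, with its counter scoped per instance.

```javascript
// Added example (not from the bug report or from Qt): a defensive sort
// wrapper showing the guarantee a memory-safe engine must keep even when
// the comparator is inconsistent. Names are the example's own.

function sign(n) {
  return n > 0 ? 1 : n < 0 ? -1 : 0;
}

// ToNumber as Array.prototype.sort applies it to a comparator result:
// anything non-finite (NaN, undefined, Infinity) is treated as 0.
function normalise(r) {
  const n = Number(r);
  return Number.isFinite(n) ? n : 0;
}

// Audit cmp on every unordered pair of `sample`: count results that are
// not finite numbers and pairs where cmp(a,b) and cmp(b,a) do not have
// opposite signs (the antisymmetry a consistent comparator must satisfy).
function checkComparator(cmp, sample) {
  const report = { calls: 0, nonNumeric: 0, inconsistent: 0 };
  for (let i = 0; i < sample.length; i++) {
    for (let j = i + 1; j < sample.length; j++) {
      const ab = Number(cmp(sample[i], sample[j]));
      const ba = Number(cmp(sample[j], sample[i]));
      report.calls += 2;
      if (!Number.isFinite(ab)) report.nonNumeric++;
      if (!Number.isFinite(ba)) report.nonNumeric++;
      if (sign(normalise(ab)) !== -sign(normalise(ba))) report.inconsistent++;
    }
  }
  return report;
}

// True when a and b hold the same multiset of values.
function isPermutation(a, b) {
  if (a.length !== b.length) return false;
  const counts = new Map();
  for (const v of a) counts.set(v, (counts.get(v) || 0) + 1);
  for (const v of b) {
    if (!counts.has(v)) return false;
    counts.set(v, counts.get(v) - 1);
    if (counts.get(v) === 0) counts.delete(v);
  }
  return counts.size === 0;
}

// Sort a copy of arr with the normalised comparator, then assert the
// permutation property. Throwing here would indicate an engine defect
// (values duplicated, lost or fabricated), never a comparator defect:
// an inconsistent comparator may yield any order of the original elements.
function safeSort(arr, cmp) {
  const out = arr.slice();
  out.sort((a, b) => normalise(cmp(a, b)));
  if (!isPermutation(out, arr)) {
    throw new Error("sort returned values that were not in the input");
  }
  return out;
}

// The comparator from the bug report (constructed sample input), wrapped in
// a factory so every caller gets a fresh counter; console logging omitted.
function makeInconsistentComparator() {
  const randomValues = [0.4, 0.9, 0.8, 0.6];
  let c = 0;
  return function () {
    const r = randomValues[c];
    c++;
    return 0.5 - r; // NaN once randomValues is exhausted
  };
}

// Usage: audit first, then sort.
console.log(checkComparator(makeInconsistentComparator(), [1, 2, 3]));
console.log(safeSort([1, 2, 3], makeInconsistentComparator()));
```

On the sample [1, 2, 3] the audit reports two non-numeric results (the comparator runs out of values) and one antisymmetry violation, which is exactly the kind of comparator that triggered the crash; safeSort still returns some permutation of the three elements, which is all the language guarantees.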

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in qtdeclarative-opensource-src (Ubuntu):
status: New → Confirmed
Revision history for this message
Timo Jyrinki (timo-jyrinki) wrote :

I can confirm this still happens with Qt 5.3.0 and Qt 5.3.1.

I took the liberty to report this to upstream to https://bugreports.qt-project.org/browse/QTBUG-40280

Revision history for this message
Timo Jyrinki (timo-jyrinki) wrote :

Upstream has committed a post-5.3.2 fix to their Qt 5.3 stable branch that I can cherry-pick to the next vivid upload.

Changed in qtdeclarative-opensource-src (Ubuntu):
assignee: nobody → Timo Jyrinki (timo-jyrinki)
status: Confirmed → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qtdeclarative-opensource-src - 5.3.2-3ubuntu2

---------------
qtdeclarative-opensource-src (5.3.2-3ubuntu2) vivid; urgency=medium

  * debian/patches/Avoid-race-condition-in-QQmlEngine-on-shutdown.patch
    - Cherry-pick an app shutdown crash fix (LP: #1373039)
  * debian/patches/Fix-crashes-when-calling-Array.sort-with-imperfect-s.patch
    - Cherry-pick a fix for a crasher in Array.sort (LP: #1295119)
 -- Timo Jyrinki <email address hidden> Wed, 03 Dec 2014 08:32:46 +0000

Changed in qtdeclarative-opensource-src (Ubuntu):
status: In Progress → Fix Released