Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-100431

Crash in libQt5Qml V4 engine caused by wrong memory access



    • Other
    • 6aef29a731 (qt/qtdeclarative/dev) b43fa81bf6 (qt/qtdeclarative/6.2) f4a55f7633 (qt/tqtc-qtdeclarative/5.15) 005460e356 (qt/qtdeclarative/6.3) b43fa81bf6 (qt/tqtc-qtdeclarative/6.2) 005460e356 (qt/tqtc-qtdeclarative/6.3)


      I ported a huge JS project to use with QML server side (no GUI, no Quick). On Ubuntu 20.04.3 it runs fine, I checked with Valgrind, no obvious issues.
      But when used on my target board Onion Omega2+ running OpenWRT LEDE 17.01-snapshot,
      the app crashes randomly, changing the time when it crashes when I comment out particular code lines.
      I recompiled QML lib and ran valgrind:

      ==4301== Thread 1:
      ==4301== Invalid read of size 4
      ==4301== at 0x4EDC694: QV4::Chunk::sweep(QV4::ExecutionEngine*) (qv4mm.cpp:345)
      ==4301== by 0x4EDD80C: QV4::BlockAllocator::sweep()::{lambda(QV4::Chunk*)#1}::operator()(QV4::Chunk*) const (qv4mm.cpp:631)
      ==4301== by 0x4EE35DC: __gnu_cxx::__normal_iterator<QV4::Chunk**, std::vector<QV4::Chunk*, std::allocator<QV4::Chunk*> > > std::__partition<__gnu_cxx::__normal_iterator<QV4::Chunk**, std::vector<QV4::Chunk*, std::allocator<QV4::Chunk*> > >, QV4::BlockAllocator::sweep()::{lambda(QV4::Chunk*)#1}>(QV4::BlockAllocator::sweep()::{lambda(QV4::Chunk*)#1}, QV4::BlockAllocator::sweep()::{lambda(QV4::Chunk*)#1}, QV4::BlockAllocator::sweep()::{lambda(QV4::Chunk*)#1}, std::bidirectional_iterator_tag) (stl_algo.h:1518)
      ==4301== by 0x4EE3068: __gnu_cxx::__normal_iterator<QV4::Chunk**, std::vector<QV4::Chunk*, std::allocator<QV4::Chunk*> > > std::partition<__gnu_cxx::__normal_iterator<QV4::Chunk**, std::vector<QV4::Chunk*, std::allocator<QV4::Chunk*> > >, QV4::BlockAllocator::sweep()::{lambda(QV4::Chunk*)#1}>(QV4::BlockAllocator::sweep()::{lambda(QV4::Chunk*)#1}, QV4::BlockAllocator::sweep()::{lambda(QV4::Chunk*)#1}, QV4::BlockAllocator::sweep()::{lambda(QV4::Chunk*)#1}) (stl_algo.h:4521)
      ==4301== by 0x4EDDAE8: QV4::BlockAllocator::sweep() (qv4mm.cpp:631)
      ==4301== by 0x4EE0540: QV4::MemoryManager::sweep(bool, void (*)(char const*)) (qv4mm.cpp:994)
      ==4301== by 0x4EE0C74: QV4::MemoryManager::runGC() (qv4mm.cpp:1054)
      ==4301== by 0x4EE8254: QV4::MemoryManager::allocate(QV4::BlockAllocator*, unsigned int) (qv4mm_p.h:328)
      ==4301== by 0x4EDF3A4: QV4::MemoryManager::allocData(unsigned int) (qv4mm.cpp:806)
      ==4301== by 0x4EDF57C: QV4::MemoryManager::allocObjectWithMemberData(QV4::VTable const*, unsigned int) (qv4mm.cpp:829)
      ==4301== by 0x5213740: QV4::StrictArgumentsObject::Data* QV4::MemoryManager::allocateObject<QV4::StrictArgumentsObject>(QV4::Heap::InternalClass*) (qv4mm_p.h:191)
      ==4301== by 0x52130D8: QV4::StrictArgumentsObject::Data* QV4::MemoryManager::allocObject<QV4::StrictArgumentsObject, QV4::CppStackFrame*>(QV4::Heap::InternalClass*, QV4::CppStackFrame*) (qv4mm_p.h:227)
      ==4301== Address 0x8 is not stack'd, malloc'd or (recently) free'd
      ==4301== Process terminating with default action of signal 11 (SIGSEGV)

      I played with V4 envs listed in the docs with no luck, except that when I set too small QV4_JS_MAX_STACK_SIZE "RangeError: Maximum call stack size exceeded" appear and occasionally i might not crash, but at most times it still does.
      Setting QV4_MM_AGGRESSIVE_GC=1 causes th app to run veeeeeery slowly but as far as i remember it finally crashed too.
      Setting QV4_FORCE_INTERPRETER=1 did not help either.

      Any hints are appreciated, especially if you are not going to fix the bug on this rarely used platform



        Issue Links

          For Gerrit Dashboard: QTBUG-100431
          # Subject Branch Project Status CR V



              qtqmlteam Qt Qml Team User
              rightaway717 Ivan Belyakov
              0 Vote for this issue
              4 Start watching this issue