Details
Type: Bug
Resolution: Fixed
Priority: P1: Critical
Versions: 5.15.8, 6.4.2
Environment: Fedora Linux 37, KDE Plasma 5.27.2, Apple MacBook Pro (2021)
Commits: 15ec02415 (dev), 904acaed8 (6.5), 3bd18f41c (tqtc/lts-5.15), 19e4dae2a (tqtc/lts-6.2)
Description
From marcan in downstream Red Hat/Fedora bug 2177696:
Qt's V4 JIT engine generates bad JIT code that corrupts JS stack slots, causing random garbage collector crashes later on. On a vanilla KDE Plasma setup, this can cause plasmashell to sometimes or consistently crash, depending on the alignment of the stars (sometimes sessions are completely unusable).
It crops up randomly by default, 100% with QV4_MM_AGGRESSIVE_GC=1, never with QV4_FORCE_INTERPRETER=1.
Steps to Reproduce:
1. Start a KDE Plasma session
2. killall plasmashell
3. QV4_MM_AGGRESSIVE_GC=1 plasmashell
Actual results:
plasmashell instantly segfaults
Expected results:
plasmashell does not segfault
Additional info:
Example of the bad JIT code here.
I believe the issue is a missing accumulator save/restore around a call to PushCallContext.
Tentative fix patch is attached (untested). This is generic code, so I think this is actually broken on all architectures in principle; it's just that ARM64 got unlucky with the register clobbering and value encoding lottery and ended up with actual crashes.
You should probably audit the whole file to see if there are any other missed accumulator save/restores.