QTBUG-111935 (project: Qt)

Qt V4 JIT engine generates bad JIT code on ARM64 (and potentially all arches)


Details

    • Platform: Linux/Wayland, Linux/X11
    • Commits: 15ec02415 (dev), 904acaed8 (6.5), 3bd18f41c (tqtc/lts-5.15), 19e4dae2a (tqtc/lts-6.2)

    Description

      From marcan in downstream Red Hat/Fedora bug 2177696:

      Qt's V4 JIT engine generates bad JIT code that corrupts JS stack slots, causing random garbage collector crashes later on. On a vanilla KDE Plasma setup, this can cause plasmashell to sometimes or consistently crash, depending on the alignment of the stars (sometimes sessions are completely unusable).

      It crops up randomly by default, 100% with QV4_MM_AGGRESSIVE_GC=1, never with QV4_FORCE_INTERPRETER=1.

      Steps to Reproduce:

      1. Start a KDE Plasma session
      2. killall plasmashell
      3. QV4_MM_AGGRESSIVE_GC=1 plasmashell

      Actual results:

      plasmashell instantly segfaults

      Expected results:

      plasmashell does not segfault

      Additional info:

      Example of the bad JIT code here.

      I believe the issue is a missing accumulator save/restore around a call to PushCallContext.

      Tentative fix patch is attached (untested). This is generic code, so I think this is actually broken on all architectures in principle; it's just that ARM64 got unlucky with the register clobbering and value encoding lottery and ended up with actual crashes.

      You should probably audit the whole file to see if there are any other missed accumulator save/restores.
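      The report's own triage signal (crash with QV4_MM_AGGRESSIVE_GC=1, no crash with QV4_FORCE_INTERPRETER=1) can be turned into a repeatable check. The script below is an added example, not from the bug report or from Qt; the mode names, the verdict labels and the wrapped command are my own choices, and it assumes the command under test exits non-zero when it crashes.

```sh
#!/bin/sh
# Added triage helper (not part of QTBUG-111935 or of Qt). It encodes the
# reporter's comparison: a crash that is reproducible with
# QV4_MM_AGGRESSIVE_GC=1 (GC runs as often as possible, so a corrupted JS
# stack slot is found quickly) but absent with QV4_FORCE_INTERPRETER=1
# (JIT bypassed) points at the JIT rather than at the interpreter or the app.
# The QML/QtQuick command to run is passed as arguments.

# run_mode MODE CMD...: run CMD under one V4 setting and print its exit status.
run_mode() {
    mode=$1
    shift
    rc=0
    case $mode in
        aggressive_gc) QV4_MM_AGGRESSIVE_GC=1 "$@" >/dev/null 2>&1 || rc=$? ;;
        interpreter)   QV4_FORCE_INTERPRETER=1 "$@" >/dev/null 2>&1 || rc=$? ;;
        default)       "$@" >/dev/null 2>&1 || rc=$? ;;
        *) echo "run_mode: unknown mode $mode" >&2; return 2 ;;
    esac
    echo "$rc"
}

# classify_v4_crash CMD...: run both modes and print one verdict.
#   jit-suspect       fails under aggressive GC, clean in the interpreter
#   not-jit-specific  fails in both, so the JIT is not the (only) culprit
#   no-crash          survives aggressive GC; the bug is not exposed this way
classify_v4_crash() {
    gc_rc=$(run_mode aggressive_gc "$@")
    interp_rc=$(run_mode interpreter "$@")
    if [ "$gc_rc" -ne 0 ] && [ "$interp_rc" -eq 0 ]; then
        echo jit-suspect
    elif [ "$gc_rc" -ne 0 ]; then
        echo not-jit-specific
    else
        echo no-crash
    fi
}

# Usage (hypothetical file name): sh v4triage.sh <command> [args...]
if [ "$#" -gt 0 ]; then
    classify_v4_crash "$@"
fi
```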

          People

            Ulf Hermann (ulherman)
            Neal Gompa (chaosgallantmon)