Details
- Type: Bug
- Resolution: Unresolved
- Priority: P1: Critical
- Affects Version/s: 6.9.1
- Fix Version/s: None
- Environment:
  - Windows 11 Qt 6.9.1 MSVC 2022 64bit
  - Windows 11 Qt dev branch MSVC 2022 64bit
  - Ubuntu Qt 6.9.1 GCC
- Platform/s: Linux/X11, Windows
Description
A crash occurs when a JavaScript exception is thrown inside a StateChangeScript or ScriptAction, and garbage collection is triggered during the exception handling process.
This can happen if the exception handling path allocates a new object, which in turn triggers a GC pass. During this GC run, the JS stack may contain invalid or stale values, leading to a crash.
Steps to Reproduce:
- Extract and build the attached qt_gc_crash.zip project.
- Run the application.
- The application crashes during execution.
The issue appears specifically when a script defined in StateChangeScript or ScriptAction throws an exception and GC is triggered within the exception handler.
Expected Behavior:
The runtime should safely handle GC even if an exception is thrown inside the script, without leaving invalid values on the JS stack.
Actual Behavior:
The GC encounters invalid values on the JS stack, causing a crash.
Attachments
Gerrit Reviews
For Gerrit Dashboard: QTBUG-138242

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 658653,1 | v4: Rewind JS stack before exception handling to avoid GC crash | dev | qt/qtdeclarative | NEW | 0 | 0 |