- Bug
- Resolution: Fixed
- P1: Critical
- 6.9.1
- None
- Windows 11 Qt 6.2.12 MSVC 2019 64bit; Windows 11 Qt 6.9.1 MSVC 2022 64bit; Windows 11 Qt dev branch MSVC 2022 64bit; Ubuntu Qt 6.9.1 GCC
- 27feb8ba8 (dev), 98f488af5 (6.10), 4f1de9f3f (6.9), 35bfbf1ae (tqtc/lts-6.8), bd801b6fa (tqtc/lts-6.5)
A crash occurs when a JavaScript exception is thrown inside a StateChangeScript or ScriptAction, and garbage collection is triggered during the exception handling process.
This can happen if the exception handling path allocates a new object, which in turn triggers a GC pass. During this GC run, the JS stack may contain invalid or stale values, leading to a crash.
Steps to Reproduce:
- Extract and build the attached qt_gc_crash.zip project.
- Run the application.
- The application crashes during execution.
The issue appears specifically when a script defined in StateChangeScript or ScriptAction throws an exception and GC is triggered within the exception handler.
Expected Behavior:
The runtime should safely handle GC even if an exception is thrown inside the script, without leaving invalid values on the JS stack.
Actual Behavior:
The GC encounters invalid values on the JS stack, causing a crash.
For Gerrit Dashboard: QTBUG-138242

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 658653,1 | v4: Rewind JS stack before exception handling to avoid GC crash | dev | qt/qtdeclarative | ABANDONED | 0 | 0 |
| 659977,5 | JIT: Always zero out the accumulator when an exception is thrown | dev | qt/qtdeclarative | MERGED | +2 | +1 |
| 660578,2 | JIT: Always zero out the accumulator when an exception is thrown | 6.10 | qt/qtdeclarative | MERGED | +2 | 0 |
| 661270,2 | JIT: Always zero out the accumulator when an exception is thrown | 6.9 | qt/qtdeclarative | MERGED | +2 | 0 |
| 661471,2 | JIT: Always zero out the accumulator when an exception is thrown | tqtc/lts-6.8 | qt/tqtc-qtdeclarative | MERGED | +2 | 0 |
| 661489,4 | JIT: Always zero out the accumulator when an exception is thrown | tqtc/lts-6.5 | qt/tqtc-qtdeclarative | MERGED | +2 | +1 |