Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-52057

Undefined behavior in QV4::ExecutionEngine::newArrayObject lead to crashes

    XMLWordPrintable

Details

    Description

      Upcoming gcc-6 has much more aggressive dead-store elimination.
      See: http://gcc.gnu.org/gcc-6/porting_to.html (-flifetime-dse section).

      Due to undefined behavior in QV4::ExecutionEngine::newArrayObject(int)
      this will lead to segfaults, e.g.:

      Thread 1 "kdevelop" received signal SIGSEGV, Segmentation fault.
      0x00007ffff4aac61a in QV4::ExecutionEngine::newArrayObject(int) () from /usr/lib/libQt5Qml.so.5
      (gdb) bt
      #0 0x00007ffff4aac61a in QV4::ExecutionEngine::newArrayObject(int) () from /usr/lib/libQt5Qml.so.5
      #1 0x00007ffff4beadeb in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) () from /usr/lib/libQt5Qml.so.5
      #2 0x00007ffff4bea830 in QQmlObjectCreator::createInstance(int, QObject*, bool) () from /usr/lib/libQt5Qml.so.5
      #3 0x00007ffff4beac11 in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) () from /usr/lib/libQt5Qml.so.5
      #4 0x00007ffff4bea830 in QQmlObjectCreator::createInstance(int, QObject*, bool) () from /usr/lib/libQt5Qml.so.5
      #5 0x00007ffff4bec495 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) () from /usr/lib/libQt5Qml.so.5
      #6 0x00007ffff4bec68e in QQmlObjectCreator::setupBindings(QBitArray const&) () from /usr/lib/libQt5Qml.so.5
      #7 0x00007ffff4be942f in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*, QBitArray const&) () from /usr/lib/libQt5Qml.so.5
      #8 0x00007ffff4bea3da in QQmlObjectCreator::createInstance(int, QObject*, bool) () from /usr/lib/libQt5Qml.so.5
      #9 0x00007ffff4beac11 in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) () from /usr/lib/libQt5Qml.so.5
      #10 0x00007ffff4b71a47 in QQmlIncubatorPrivate::incubate(QQmlInstantiationInterrupt&) () from /usr/lib/libQt5Qml.so.5
      #11 0x00007ffff4b720d6 in QQmlEnginePrivate::incubate(QQmlIncubator&, QQmlContextData*) () from /usr/lib/libQt5Qml.so.5
      #12 0x00007ffff4b6d6f1 in QQmlComponent::create(QQmlIncubator&, QQmlContext*, QQmlContext*) () from /usr/lib/libQt5Qml.so.5
      #13 0x00007ffff7a31dba in QQuickLoaderPrivate::_q_sourceLoaded() () from /usr/lib/libQt5Quick.so.5
      #14 0x00007ffff7a32a10 in QQuickLoader::componentComplete() () from /usr/lib/libQt5Quick.so.5
      #15 0x00007ffff4be6f28 in QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) () from /usr/lib/libQt5Qml.so.5
      #16 0x00007ffff4b716c2 in QQmlIncubatorPrivate::incubate(QQmlInstantiationInterrupt&) () from /usr/lib/libQt5Qml.so.5
      #17 0x00007ffff4b720d6 in QQmlEnginePrivate::incubate(QQmlIncubator&, QQmlContextData*) () from /usr/lib/libQt5Qml.so.5
      #18 0x00007ffff4b6d6f1 in QQmlComponent::create(QQmlIncubator&, QQmlContext*, QQmlContext*) () from /usr/lib/libQt5Qml.so.5
      #19 0x00007ffff7a31dba in QQuickLoaderPrivate::_q_sourceLoaded() () from /usr/lib/libQt5Quick.so.5
      #20 0x00007ffff7a33979 in QQuickLoader::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) () from /usr/lib/libQt5Quick.so.5
      #21 0x00007ffff685c854 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/libQt5Core.so.5
      #22 0x00007ffff4c3f96e in QQmlComponent::statusChanged(QQmlComponent::Status) () from /usr/lib/libQt5Qml.so.5
      #23 0x00007ffff4b6c720 in QQmlComponentPrivate::typeDataReady(QQmlTypeData*) () from /usr/lib/libQt5Qml.so.5
      #24 0x00007ffff4b8656d in QQmlTypeData::completed() () from /usr/lib/libQt5Qml.so.5
      #25 0x00007ffff4b86f5c in QQmlTypeLoaderThread::callCompletedMain(QQmlDataBlob*) () from /usr/lib/libQt5Qml.so.5
      #26 0x00007ffff4bf2051 in QQmlThreadPrivate::mainEvent() () from /usr/lib/libQt5Qml.so.5
      #27 0x00007ffff4bf288e in QQmlThreadPrivate::MainObject::event(QEvent*) () from /usr/lib/libQt5Qml.so.5
      #28 0x00007ffff714c09f in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQt5Widgets.so.5
      #29 0x00007ffff71531d4 in QApplication::notify(QObject*, QEvent*) () from /usr/lib/libQt5Widgets.so.5
      #30 0x00007ffff6830d00 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/lib/libQt5Core.so.5
      #31 0x00007ffff68334a5 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/libQt5Core.so.5
      #32 0x00007ffff6884c73 in postEventSourceDispatch(_GSource*, int (void*), void*) () from /usr/lib/libQt5Core.so.5
      #33 0x00007ffff286720e in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
      #34 0x00007ffff2867478 in g_main_context_iterate.isra () from /usr/lib/libglib-2.0.so.0
      #35 0x00007ffff286752c in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
      #36 0x00007ffff688509f in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt5Core.so.5
      #37 0x00007ffff682f16a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt5Core.so.5
      #38 0x00007ffff683764d in QCoreApplication::exec() () from /usr/lib/libQt5Core.so.5
      #39 0x000000000040cb40 in main ()

      -flifetime-dse=1 "fixes" the issue, but of course it would be best to get rid of the UB.

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-53373 qtdeclarative doesn't build with GCC 6.1.1 - self-comparison always evaluates to true

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-55482 Crash on application startup if Qt5Qml library compiled with GCC 6.1.1/6.2.0

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              shausman Simon Hausmann
              octoploid octoploid
              Votes:
              2 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes