Ubuntu
qtdeclarative-opensource-src package

qmlscene crashed with SIGSEGV in mark()

Bug #1295119 reported by Martin Kaistra on 2014-03-20

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	qtdeclarative-opensource-src (Ubuntu)	Fix Released	Medium	Timo Jyrinki

Bug Description

Running my app https://launchpad.net/akari on Ubuntu Trusty sometimes gives me a segfault at the start.

ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: qmlscene 5.2.1-3ubuntu10
ProcVersionSignature: Ubuntu 3.13.0-18.38-generic 3.13.6
Uname: Linux 3.13.0-18-generic x86_64
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Mar 20 14:06:36 2014
EcryptfsInUse: Yes
ExecutablePath: /usr/lib/x86_64-linux-gnu/qt5/bin/qmlscene
InstallationDate: Installed on 2014-03-16 (3 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140316)
ProcCmdline: /usr/lib/x86_64-linux-gnu/qt5/bin/qmlscene akari.qml
SegvAnalysis:
Segfault happened at: 0x7f481c54bc9e <_ZN3QV46Object11markObjectsEPNS_7ManagedEPNS_15ExecutionEngineE+94>: movzbl 0x8(%rax),%ecx
PC (0x7f481c54bc9e) ok
source "0x8(%rax)" (0x00000098) not located in a known VMA region (needed readable region)!
destination "%ecx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: qtdeclarative-opensource-src
StacktraceTop:
QV4::Object::markObjects(QV4::Managed*, QV4::ExecutionEngine*) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
QV4::MemoryManager::mark() () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
QV4::MemoryManager::runGC() () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
QV4::MemoryManager::alloc(unsigned long) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
QV4::ExecutionEngine::newString(QString const&) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
Title: qmlscene crashed with SIGSEGV in QV4::Object::markObjects()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm autopilot cdrom dip lpadmin plugdev sambashare sudo

Tags:

Related branches

lp:ubuntu/vivid-proposed/qtdeclarative-opensource-src

lp:~timo-jyrinki/kubuntu-packaging/qtdeclarative_crashers_fixes_trigger_CI

Merged into lp:~kubuntu-packagers/kubuntu-packaging/qtdeclarative-opensource-src at revision 173

PS Jenkins bot: Needs Fixing (continuous-integration) on 2014-12-16

Timo Jyrinki: Approve on 2014-12-09

Revision history for this message

Martin Kaistra (djfun) wrote on 2014-03-20:

Dependencies.txt Edit (5.8 KiB, text/plain; charset="utf-8")
Disassembly.txt Edit (1.9 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (336 bytes, text/plain; charset="utf-8")
ProcMaps.txt Edit (88.0 KiB, text/plain; charset="utf-8")
ProcStatus.txt Edit (837 bytes, text/plain; charset="utf-8")
Registers.txt Edit (824 bytes, text/plain; charset="utf-8")
Stacktrace.txt Edit (1.4 KiB, text/plain; charset="utf-8")
ThreadStacktrace.txt Edit (11.0 KiB, text/plain; charset="utf-8")

Revision history for this message

Apport retracing service (apport) wrote on 2014-03-20:

StacktraceTop:
mark (engine=0x1157820, this=<optimized out>) at jsruntime/qv4engine_p.h:373
mark (e=0x1157820, this=0x1457cd0) at jsruntime/qv4value_p.h:93
QV4::Object::markObjects (that=0x7f47f0fe0480, e=0x1157820) at jsruntime/qv4object.cpp:263
QV4::MemoryManager::mark (this=this@entry=0x1152810) at jsruntime/qv4mm.cpp:433
QV4::MemoryManager::runGC (this=0x1152810) at jsruntime/qv4mm.cpp:564

Revision history for this message

Apport retracing service (apport) wrote on 2014-03-20: Stacktrace.txt

Stacktrace.txt Edit (1.7 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2014-03-20: StacktraceSource.txt

StacktraceSource.txt Edit (1.8 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2014-03-20: ThreadStacktrace.txt

ThreadStacktrace.txt Edit (6.6 KiB, text/plain)

Changed in qtdeclarative-opensource-src (Ubuntu):
importance:	Undecided → Medium
summary:	- qmlscene crashed with SIGSEGV in QV4::Object::markObjects() + qmlscene crashed with SIGSEGV in mark()
tags:	removed: need-amd64-retrace

Martin Kaistra (djfun) on 2014-03-20

information type:

Private → Public

Revision history for this message

Martin Kaistra (djfun) wrote on 2014-03-20:

I dug a bit deeper into this and I think I have found the cause for this:

When you have an array sort function that is inconsistent (that returns for two given values a and b not always the same value), the new Qml V4 Javascript engine gives you sometimes back a reference to a memory location that doesn't belong to the array (anymore?).

So for the following example:

var a = [1, 2];

                    var random_values = [
                                0.4,
                                0.9,
                                0.8,
                                0.6];

                    var c = 0;
                    a.sort(function() { var r = random_values[c]; c++; console.log(r); return 0.5 - r; });
                    console.log(a);

I get sometimes something like [-4.528848823629493e-224,1] or errors like
QV4::__qmljs_convert_to_string(QV4::ExecutionContext*, QV4::ValueRef) or
QV4::Value::toString(QV4::ExecutionContext*) const () etc.

Even though the behavior of array sort with an inconsistent function is not defined it should NOT lead to a segmentation fault (or who knows what memory locations it gives back and what can be done with that).

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-07-17:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in qtdeclarative-opensource-src (Ubuntu):
status:	New → Confirmed

Revision history for this message

Timo Jyrinki (timo-jyrinki) wrote on 2014-07-17:

I can confirm this still happens with Qt 5.3.0 and Qt 5.3.1.

I took the liberty to report this to upstream to https://bugreports.qt-project.org/browse/QTBUG-40280

Revision history for this message

Timo Jyrinki (timo-jyrinki) wrote on 2014-11-20:

Upstream has committed a post-5.3.2 fix to their Qt 5.3 stable branch that I can cherry-pick to the next vivid upload.

Changed in qtdeclarative-opensource-src (Ubuntu):
assignee:	nobody → Timo Jyrinki (timo-jyrinki)
status:	Confirmed → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-12-08:

#10

This bug was fixed in the package qtdeclarative-opensource-src - 5.3.2-3ubuntu2

---------------
qtdeclarative-opensource-src (5.3.2-3ubuntu2) vivid; urgency=medium

  * debian/patches/Avoid-race-condition-in-QQmlEngine-on-shutdown.patch
    - Cherry-pick an app shutdown crash fix (LP: #1373039)
  * debian/patches/Fix-crashes-when-calling-Array.sort-with-imperfect-s.patch
    - Cherry-pick a fix for a crasher in Array.sort (LP: #1295119)
-- Timo Jyrinki <email address hidden> Wed, 03 Dec 2014 08:32:46 +0000

Changed in qtdeclarative-opensource-src (Ubuntu):
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuqtdeclarative-opensource-src package

qmlscene crashed with SIGSEGV in mark()

Bug Description

Related branches

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
qtdeclarative-opensource-src package