Ubuntu
qtdeclarative-opensource-src package

Crash in QML compiler if terminated whilst compiling asynchronous components

Bug #1373039 reported by Michael Sheldon
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
camera-app (Ubuntu)
Fix Released
Undecided
Unassigned
qtdeclarative-opensource-src (Ubuntu)
Fix Released
High
Lorn Potter

Bug Description

Reproducible on mako and krillin using devel-proposed r248 or rtm r50

This is easiest to reproduce with the camera-app, as this has a number of large components that get loaded asynchronously on start-up, however I believe it should be possible to trigger in any app that contains asynchronous Loaders.

Steps to reproduce

1. Start camera-app

2. Whilst loading, swipe to the app switcher.

3. Close camera-app.

Expected result

App closes cleanly

Actual result

Sometimes the app segfaults whilst closing

It may take multiple attempts to cause a crash, as the SIGTERM signal has to be received at a certain point during the compilation process for the crash to occur.

Back trace of an example crash:

"There are still "1" items in the process of being created at engine destruction."
[Thread 0xac267450 (LWP 5576) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb1a3e450 (LWP 5561)]
0xb6618dd6 in createNode (left=false, parent=0x0, v=@0x31: <error reading variable>, k=@0x2d: <error reading variable>, this=0xae598538)
    at /usr/include/arm-linux-gnueabihf/qt5/QtCore/qmap.h:216
216 new (&n->key) Key(k);
(gdb) bt
#0 0xb6618dd6 in createNode (left=false, parent=0x0, v=@0x31: <error reading variable>, k=@0x2d: <error reading variable>, this=0xae598538)
    at /usr/include/arm-linux-gnueabihf/qt5/QtCore/qmap.h:216
#1 QMapNode<unsigned int, QV4::ExecutableAllocator::ChunkOfPages*>::copy (this=0x21, d=d@entry=0xae598538)
    at /usr/include/arm-linux-gnueabihf/qt5/QtCore/qmap.h:246
#2 0xb6618e02 in QMapNode<unsigned int, QV4::ExecutableAllocator::ChunkOfPages*>::copy (this=0xb11a5c28, d=d@entry=0xae598538)
    at /usr/include/arm-linux-gnueabihf/qt5/QtCore/qmap.h:249
#3 0xb6618e02 in QMapNode<unsigned int, QV4::ExecutableAllocator::ChunkOfPages*>::copy (this=0xae54a2f8, d=d@entry=0xae598538)
    at /usr/include/arm-linux-gnueabihf/qt5/QtCore/qmap.h:249
#4 0xb6618e4e in QMap<unsigned int, QV4::ExecutableAllocator::ChunkOfPages*>::detach_helper (this=0x6ae34)
    at /usr/include/arm-linux-gnueabihf/qt5/QtCore/qmap.h:969
#5 0xb6618950 in detach (this=0x6ae34) at /usr/include/arm-linux-gnueabihf/qt5/QtCore/qmap.h:378
#6 insert (avalue=<synthetic pointer>, akey=<optimized out>, this=0x6ae34) at /usr/include/arm-linux-gnueabihf/qt5/QtCore/qmap.h:676
#7 QV4::ExecutableAllocator::allocate (this=0x6ae30, size=592, size@entry=578) at jsruntime/qv4executableallocator.cpp:179
#8 0xb65bc900 in ExecutableMemoryHandle (size=578, allocator=<optimized out>, this=0xae5af100) at ../3rdparty/masm/stubs/ExecutableAllocator.h:66
#9 allocate (size=578, this=0xb1a3cfbc) at ../3rdparty/masm/stubs/ExecutableAllocator.h:97
#10 JSC::LinkBuffer::linkCode (this=this@entry=0xb1a3d068, ownerUID=ownerUID@entry=0x0, effort=effort@entry=JSC::JITCompilationMustSucceed)
    at ../3rdparty/masm/assembler/LinkBuffer.cpp:79
#11 0xb65b18de in LinkBuffer (effort=JSC::JITCompilationMustSucceed, ownerUID=0x0, masm=0xae5a9aa0, globalData=..., this=0xb1a3d068)
    at ../3rdparty/masm/assembler/LinkBuffer.h:92
#12 QV4::JIT::Assembler::link (this=0xae5a9aa0, codeSize=codeSize@entry=0xb1a3d0e8) at jit/qv4isel_masm.cpp:141
#13 0xb65b2918 in QV4::JIT::InstructionSelection::run (this=<optimized out>, functionIndex=<optimized out>) at jit/qv4isel_masm.cpp:360
#14 0xb65658f0 in QV4::EvalInstructionSelection::compile (this=this@entry=0xae564070, generateUnitData=generateUnitData@entry=false)
    at compiler/qv4isel_p.cpp:85
#15 0xb6617608 in QV4::Script::precompile (module=module@entry=0xb1a3d460, unitGenerator=unitGenerator@entry=0xb1a3d49c, engine=engine@entry=0x6b290,
    url=..., source=..., reportedErrors=reportedErrors@entry=0xb1a3d414) at jsruntime/qv4script.cpp:397
#16 0xb666b5ac in QQmlScriptBlob::dataReceived (this=0xae5a8a18, data=...) at qml/qqmltypeloader.cpp:2698
#17 0xb66650ac in QQmlDataLoader::setData (this=this@entry=0x6ac44, blob=blob@entry=0xae5a8a18, d=...) at qml/qqmltypeloader.cpp:1198
#18 0xb6665292 in QQmlDataLoader::setData (this=this@entry=0x6ac44, blob=blob@entry=0xae5a8a18, file=file@entry=0xb1a3d558)
    at qml/qqmltypeloader.cpp:1190
#19 0xb66679f8 in QQmlDataLoader::loadThread (this=this@entry=0x6ac44, blob=blob@entry=0xae5a8a18) at qml/qqmltypeloader.cpp:1068
#20 0xb6667dd2 in QQmlDataLoader::load (this=0x6ac44, blob=0xae5a8a18, mode=QQmlDataLoader::PreferSynchronous) at qml/qqmltypeloader.cpp:932
#21 0xb6667fc2 in QQmlTypeLoader::getScript (this=0x6ac44, url=...) at qml/qqmltypeloader.cpp:1649
#22 0xb666a818 in QQmlTypeLoader::Blob::addImport (this=this@entry=0xb11033f0, import=import@entry=0xae58a7c0, errors=errors@entry=0xb1a3d67c)
    at qml/qqmltypeloader.cpp:1312
#23 0xb666aaa8 in QQmlTypeData::continueLoadFromIR (this=this@entry=0xb11033f0) at qml/qqmltypeloader.cpp:2267
#24 0xb666afda in QQmlTypeData::dataReceived (this=0xb11033f0, data=...) at qml/qqmltypeloader.cpp:2224
#25 0xb66650ac in QQmlDataLoader::setData (this=this@entry=0x6ac44, blob=blob@entry=0xb11033f0, d=...) at qml/qqmltypeloader.cpp:1198
#26 0xb6665292 in QQmlDataLoader::setData (this=this@entry=0x6ac44, blob=blob@entry=0xb11033f0, file=file@entry=0xb1a3d7a0)
    at qml/qqmltypeloader.cpp:1190
#27 0xb66679f8 in QQmlDataLoader::loadThread (this=this@entry=0x6ac44, blob=blob@entry=0xb11033f0) at qml/qqmltypeloader.cpp:1068
#28 0xb6667dd2 in QQmlDataLoader::load (this=0x6ac44, blob=0xb11033f0, mode=QQmlDataLoader::PreferSynchronous) at qml/qqmltypeloader.cpp:932
#29 0xb6667eaa in QQmlTypeLoader::getType (this=this@entry=0x6ac44, url=..., mode=mode@entry=QQmlDataLoader::PreferSynchronous)
    at qml/qqmltypeloader.cpp:1606
#30 0xb666912c in QQmlTypeData::resolveTypes (this=0xae549db8) at qml/qqmltypeloader.cpp:2452
#31 0xb6669710 in QQmlTypeData::allDependenciesDone (this=0xae549db8) at qml/qqmltypeloader.cpp:2312
#32 0xb666510e in QQmlDataLoader::setData (this=this@entry=0x6ac44, blob=blob@entry=0xae549db8, d=...) at qml/qqmltypeloader.cpp:1201
#33 0xb6665292 in QQmlDataLoader::setData (this=this@entry=0x6ac44, blob=blob@entry=0xae549db8, file=file@entry=0xb1a3d9b8)
    at qml/qqmltypeloader.cpp:1190
#34 0xb66679f8 in QQmlDataLoader::loadThread (this=this@entry=0x6ac44, blob=blob@entry=0xae549db8) at qml/qqmltypeloader.cpp:1068
#35 0xb6667dd2 in QQmlDataLoader::load (this=0x6ac44, blob=0xae549db8, mode=QQmlDataLoader::PreferSynchronous) at qml/qqmltypeloader.cpp:932
#36 0xb6667eaa in QQmlTypeLoader::getType (this=this@entry=0x6ac44, url=..., mode=mode@entry=QQmlDataLoader::PreferSynchronous)
    at qml/qqmltypeloader.cpp:1606
#37 0xb666912c in QQmlTypeData::resolveTypes (this=0x18ee08) at qml/qqmltypeloader.cpp:2452
#38 0xb6669710 in QQmlTypeData::allDependenciesDone (this=0x18ee08) at qml/qqmltypeloader.cpp:2312
#39 0xb666510e in QQmlDataLoader::setData (this=this@entry=0x6ac44, blob=blob@entry=0x18ee08, d=...) at qml/qqmltypeloader.cpp:1201
#40 0xb6665292 in QQmlDataLoader::setData (this=this@entry=0x6ac44, blob=blob@entry=0x18ee08, file=file@entry=0xb1a3dbd0)
    at qml/qqmltypeloader.cpp:1190
#41 0xb66679f8 in QQmlDataLoader::loadThread (this=0x6ac44, blob=blob@entry=0x18ee08) at qml/qqmltypeloader.cpp:1068
#42 0xb6667d32 in QQmlDataLoaderThread::loadThread (this=<optimized out>, b=0x18ee08) at qml/qqmltypeloader.cpp:816
#43 0xb66a2320 in QQmlThreadPrivate::threadEvent (this=0x6ad08) at qml/ftw/qqmlthread.cpp:198
#44 0xb66a26e8 in QQmlThreadPrivate::event (this=0x6ad08, e=<optimized out>) at qml/ftw/qqmlthread.cpp:136
#45 0xb6e11f92 in QCoreApplication::notify(QObject*, QEvent*) () from /usr/lib/arm-linux-gnueabihf/libQt5Core.so.5
#46 0xb6e11d88 in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/arm-linux-gnueabihf/libQt5Core.so.5
#47 0xb6e138ae in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/arm-linux-gnueabihf/libQt5Core.so.5
#48 0xb6e4bea8 in ?? () from /usr/lib/arm-linux-gnueabihf/libQt5Core.so.5
#49 0xb5facf58 in g_main_context_dispatch () from /lib/arm-linux-gnueabihf/libglib-2.0.so.0
#50 0xb5fad104 in ?? () from /lib/arm-linux-gnueabihf/libglib-2.0.so.0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Related branches

lp:ubuntu/vivid-proposed/camera-app
lp:ubuntu/vivid-proposed/qtdeclarative-opensource-src
lp:~timo-jyrinki/kubuntu-packaging/qtdeclarative_crashers_fixes_trigger_CI
PS Jenkins bot: Needs Fixing (continuous-integration)
Timo Jyrinki: Approve
Diff: 275 lines (+250/-0)
4 files modified
debian/changelog (+9/-0)
debian/patches/Avoid-race-condition-in-QQmlEngine-on-shutdown.patch (+84/-0)
debian/patches/Fix-crashes-when-calling-Array.sort-with-imperfect-s.patch (+155/-0)
debian/patches/series (+2/-0)
Chris Gagnon (chris.gagnon)
tags: added: qa-daily-testing rtm14
Revision history for this message
Timo Jyrinki (timo-jyrinki) wrote :

I found one commit from the 5.3 branch that sounds possibly associated - https://codereview.qt-project.org/#/c/88153/ - and I've built it so that you can test it by:

sudo apt-add-repository ppa:canonical-qt5-edgers/qt5-daily
sudo apt update
sudo apt dist-upgrade

It should work both on rtm and utopic images.

In a certainly promising way I was able to crash it once before upgrading, and I don't get it to crash after updating, but it might be luck also.

Can you confirm Michael if that helps with the issue? If so, we don't need actual development resources allocated and I can start landing/testing process for that backported patch.

Changed in qtdeclarative-opensource-src (Ubuntu):
status: New → Incomplete
Revision history for this message
Michael Sheldon (michael-sheldon) wrote :

Unfortunately I'm still able to reproduce the crash with the new packages.

One extra thing to be aware of when testing this with camera-app is that until https://code.launchpad.net/~michael-sheldon/qtubuntu-camera/fix-1368436/+merge/235673 lands there is a separate, unrelated crash in qtubuntu-camera.

Chris Gagnon (chris.gagnon)
tags: added: qasoak
Chris Gagnon (chris.gagnon)
Changed in qtdeclarative-opensource-src (Ubuntu):
status: Incomplete → Confirmed
Julien Funk (jaboing)
Changed in qtdeclarative-opensource-src (Ubuntu):
importance: Undecided → Critical
Revision history for this message
Pat McGowan (pat-mcgowan) wrote :

I think we can downgrade this bug since the crash happens when the user is closing the app anyway, it only happens on certain apps and it more time than not does not happen.

Changed in qtdeclarative-opensource-src (Ubuntu):
assignee: nobody → Timo Jyrinki (timo-jyrinki)
tags: removed: rtm14
Revision history for this message
Pat McGowan (pat-mcgowan) wrote :

Removed from rtm

Changed in qtdeclarative-opensource-src (Ubuntu):
importance: Critical → High
Revision history for this message
Timo Jyrinki (timo-jyrinki) wrote :

It was discussed in an e-mail thread that Albert could look at the remaining crasher at some point when there's some extra time.

Changed in qtdeclarative-opensource-src (Ubuntu):
assignee: Timo Jyrinki (timo-jyrinki) → Albert Astals Cid (aacid)
Michał Sawicz (saviq)
Changed in qtdeclarative-opensource-src (Ubuntu):
assignee: Albert Astals Cid (aacid) → Lorn Potter (lorn-potter)
Revision history for this message
Lorn Potter (lorn-potter) wrote :

This might be similar to this bug
https://bugreports.qt-project.org/browse/QTBUG-39905

which has this fix patch
https://codereview.qt-project.org/#/c/88823/

Revision history for this message
Timo Jyrinki (timo-jyrinki) wrote :

Thanks Lorn! I've pushed another build to the qt5-daily PPA with the previous patch replaced by that new find. It will be ready for testing on armhf in around 2 hours.

The bug is currently not rtm tagged so this can wait a bit, especially with another rtm bug related qtdeclarative landing brewing at the moment by ricmm.

This new fix, if it fixes the problem, is not in Qt 5.3.2 so we will need to cherry-pick this anyway, even if we'd land 5.3.2 in November or so.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package camera-app - 3.0.0+15.04.20141202-0ubuntu1

---------------
camera-app (3.0.0+15.04.20141202-0ubuntu1) vivid; urgency=low

  [ Sebastien Bacher ]
  * Wrap the swipe hint, the elided version doesn't make sense in some
    locales... (LP: #1389611)

  [ Florian Boucault ]
  * Add support to multi selection on grid view when triggered by the
    user
  * Add self timer controlled by a new settings option

  [ Ubuntu daily release ]
  * New rebuild forced

  [ Chris Gagnon ]
  * wait at beginning of autopilot tests to work around bug #1373039
    (LP: #1376495, #1373039)

camera-app (3.0.0+14.10.20141028~rtm-0ubuntu1) 14.09; urgency=low

  [ Ubuntu daily release ]
  * New rebuild forced

  [ Florian Boucault ]
  * Add a hint to the existence of the photo roll displayed the first
    time the user takes a photo. (LP: #1368808)
  * [Autopilot] Do not stop/start the location service at the beginning
    of each test. (LP: #1380685)
  * Display message when no media present in photo roll. (LP: #1375270)

  [ Omer Akram ]
  * autopilot: fix camera zoom bar not showing in test due to small
    initial pinch (LP: #1366825)
 -- Ubuntu daily release <email address hidden> Tue, 02 Dec 2014 19:26:50 +0000

Changed in camera-app (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qtdeclarative-opensource-src - 5.3.2-3ubuntu2

---------------
qtdeclarative-opensource-src (5.3.2-3ubuntu2) vivid; urgency=medium

  * debian/patches/Avoid-race-condition-in-QQmlEngine-on-shutdown.patch
    - Cherry-pick an app shutdown crash fix (LP: #1373039)
  * debian/patches/Fix-crashes-when-calling-Array.sort-with-imperfect-s.patch
    - Cherry-pick a fix for a crasher in Array.sort (LP: #1295119)
 -- Timo Jyrinki <email address hidden> Wed, 03 Dec 2014 08:32:46 +0000

Changed in qtdeclarative-opensource-src (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.