Bug 2177696

Summary: Qt V4 JIT engine generates bad JIT code on ARM64 (and potentially all arches)
Product: Fedora
Reporter: Hector Martin <marcan>
Component: qt5-qtdeclarative
Assignee: Neal Gompa <ngompa13>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 37
CC: jgrulich, jreznik, kde-sig, ngompa13, rdieter, than
Target Milestone: ---
Target Release: ---
Hardware: aarch64
OS: Linux
Fixed In Version: qt5-qtdeclarative-5.15.8-4.fc38 qt5-qtdeclarative-5.15.8-4.fc37
Doc Type: If docs needed, set a value
Story Points: ---
Clones: 2178624
Last Closed: 2023-03-18 00:18:27 UTC
Type: Bug
Regression: ---
Attachments: Tentative (untested) fix

Description Hector Martin 2023-03-13 12:18:38 UTC
Created attachment 1950222 [details]
Tentative (untested) fix

Description of problem:

Qt's V4 JIT engine generates bad JIT code that corrupts JS stack slots, causing random garbage collector crashes later on. On a vanilla KDE Plasma setup, this can cause plasmashell to sometimes or consistently crash, depending on the alignment of the stars (sometimes sessions are completely unusable). See below for a consistent repro.

Version-Release number of selected component (if applicable): 5.15.8-1.fc37

How reproducible:

Randomly by default, 100% with QV4_MM_AGGRESSIVE_GC=1, never with QV4_FORCE_INTERPRETER=1.

Steps to Reproduce:
1. Start a KDE Plasma session
2. killall plasmashell
3. QV4_MM_AGGRESSIVE_GC=1 plasmashell

Actual results:

plasmashell instantly segfaults

Expected results:

plasmashell does not segfault

Additional info:

Example of the bad JIT code here:

https://social.treehouse.systems/@marcan/110015722134175810

I believe the issue is a missing accumulator save/restore around a call to PushCallContext.

Tentative fix patch is attached (untested). This is generic code, so I think this is actually broken on *all architectures* in principle, it's just that ARM64 got unlucky with the register clobbering and value encoding lottery and ended up with actual crashes.

Upstream should probably audit the whole file to see if there are any other missed accumulator save/restores.

Also identically reproducible on Arch Linux ARM.
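The following is an added toy model of the defect class the report describes, not Qt's V4 code: a JIT keeps the live accumulator in a scratch register, calls a runtime helper that is free to clobber scratch registers, then stores the accumulator into a JS stack slot, so without a spill/reload around the call a stale value lands in the slot and a later GC stack scan sees a corrupt tagged value. The helper name `push_call_context`, the clobber value, the tag encoding and the slot layout are all assumptions of this model.

```c
/* Added illustration (not Qt's code) of a missing save/restore around a call.
 * Tag encoding, slot count and the clobber value are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define TAG_INT 0x1ULL
#define TAG_PTR 0x2ULL
#define SLOTS   4

typedef struct {
    uint64_t acc;             /* accumulator held in a scratch register */
    uint64_t js_stack[SLOTS]; /* JS stack slots the GC will later scan */
} Machine;

static uint64_t box_int(int32_t v) { return ((uint64_t)(uint32_t)v << 32) | TAG_INT; }

/* Stand-in for the runtime helper (PushCallContext in the report): an ordinary
 * ABI call that may use scratch registers however it likes. */
static void push_call_context(Machine *m) {
    m->acc = 0xdeadbeefcafef00dULL; /* hypothetical clobber of the scratch register */
}

/* Buggy codegen: the live accumulator is not preserved across the helper call. */
static void emit_store_acc_buggy(Machine *m, int slot) {
    push_call_context(m);
    m->js_stack[slot] = m->acc; /* stores whatever the helper left behind */
}

/* Fixed codegen: spill the accumulator before the call and reload it afterwards. */
static void emit_store_acc_fixed(Machine *m, int slot) {
    uint64_t saved = m->acc; /* spill */
    push_call_context(m);
    m->acc = saved;          /* reload */
    m->js_stack[slot] = m->acc;
}

/* Stand-in for the GC's stack scan: every slot must carry a tag it understands. */
static bool gc_scan_ok(const Machine *m) {
    for (int i = 0; i < SLOTS; i++) {
        uint64_t tag = m->js_stack[i] & 0xFULL;
        if (tag != TAG_INT && tag != TAG_PTR) return false;
    }
    return true;
}

/* Runs one accumulator store through the chosen codegen on a fresh machine and
 * returns whether the stored value is intact and the GC scan would accept the stack. */
static bool run_case(bool fixed) {
    Machine m;
    memset(&m, 0, sizeof m);
    for (int i = 0; i < SLOTS; i++) m.js_stack[i] = box_int(i);
    m.acc = box_int(42);
    if (fixed) emit_store_acc_fixed(&m, 1); else emit_store_acc_buggy(&m, 1);
    return gc_scan_ok(&m) && m.js_stack[1] == box_int(42);
}
```

In the model the buggy path fails the GC scan on every run; on real hardware the same defect only surfaces when the clobbered register happens to hold bits the collector rejects, which is why the report sees it as architecture-dependent.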

Comment 1 Neal Gompa 2023-03-15 01:08:55 UTC
Jan Grulich wanted this forwarded upstream, so I've done so: https://bugreports.qt.io/browse/QTBUG-111935

Comment 2 Than Ngo 2023-03-15 09:46:11 UTC
Neal, thanks for forwarding to upstream!

Comment 3 Than Ngo 2023-03-15 13:06:52 UTC
The fix should be included in 5.15.8-4. Hector, thanks a lot for the patch.

Comment 4 Fedora Update System 2023-03-15 14:33:42 UTC
FEDORA-2023-77181dc3e2 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-77181dc3e2

Comment 5 Fedora Update System 2023-03-15 14:33:43 UTC
FEDORA-2023-3e87d05e2c has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-3e87d05e2c

Comment 6 Fedora Update System 2023-03-16 19:29:03 UTC
FEDORA-2023-3e87d05e2c has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-3e87d05e2c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-3e87d05e2c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2023-03-17 04:04:31 UTC
FEDORA-2023-77181dc3e2 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-77181dc3e2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-03-18 00:18:27 UTC
FEDORA-2023-77181dc3e2 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2023-03-20 01:37:32 UTC
FEDORA-2023-3e87d05e2c has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.