+++ This bug was initially created as a clone of Bug #2177696 +++
Description of problem:
Qt's V4 JIT engine generates bad JIT code that corrupts JS stack slots, causing random garbage collector crashes later on. On a vanilla KDE Plasma setup, this can cause plasmashell to sometimes or consistently crash, depending on the alignment of the stars (sometimes sessions are completely unusable). See below for a consistent repro.
Version-Release number of selected component (if applicable):
5.15.3-1.el9
How reproducible:
Randomly by default, 100% with QV4_MM_AGGRESSIVE_GC=1, never with QV4_FORCE_INTERPRETER=1.
Steps to Reproduce:
1. Start a KDE Plasma session
2. killall plasmashell
3. QV4_MM_AGGRESSIVE_GC=1 plasmashell
Actual results:
plasmashell instantly segfaults
Expected results:
plasmashell does not segfault
Additional info:
Example of the bad JIT code here:
https://social.treehouse.systems/@marcan/110015722134175810
The issue is a missing accumulator save/restore around a call to PushCallContext.
This is generic code, so this is actually broken on *all architectures* in principle, it's just that ARM64 got unlucky with the register clobbering and value encoding lottery and ended up with actual crashes.
Upstream report: https://bugreports.qt.io/browse/QTBUG-111935
Upstream fix: https://codereview.qt-project.org/c/qt/qtdeclarative/+/466808
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: qt5 security and bug fix update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2023:6369