Bug#895375: libqt5qml5: segfault in QV4::ExecutionContext::newCallContext on x32
Package: libqt5qml5
Version: 5.10.1-3
Hi,
during the package build of, for example, qtwebsockets-opensource-src
(5.10.1-2), its test suite segfaults.
I can get a backtrace; unfortunately, most values of interest
are optimised out:
(gdb) bt
#0 0xf7f96035 in ?? ()
#1 0x02290450 in ?? ()
#2 0xf4a345f7 in memcpy (__len=<optimized out>, __src=0xffe44df0, __dest=<optimized out>)
at /usr/include/x86_64-linux-gnux32/bits/string_fortified.h:34
#3 QV4::ExecutionContext::newCallContext (this=<optimized out>, function=<optimized out>,
callData=<optimized out>) at jsruntime/qv4context.cpp:94
#4 0xf4a37204 in QV4::ExecutionContext::call (this=<optimized out>, scope=..., callData=<optimized out>,
function=<optimized out>, f=f@entry=0x0) at jsruntime/qv4context.cpp:274
#5 0xf4a8a648 in QV4::Script::run (this=<optimized out>) at jsruntime/qv4script.cpp:178
#6 0xf4b36b5d in QQmlScriptData::scriptValueForContext (this=<optimized out>, parentCtxt=<optimized out>)
at qml/qqmltypeloader.cpp:2923
#7 0xf4ba74ed in QQmlObjectCreator::create (this=<optimized out>, subComponentIndex=<optimized out>,
parent=<optimized out>, interrupt=<optimized out>) at qml/qqmlobjectcreator.cpp:196
#8 0xf4ba65ae in QQmlObjectCreator::createInstance (this=this@entry=0x22aa940, index=3,
parent=<optimized out>, isContextObject=isContextObject@entry=false) at qml/qqmlobjectcreator.cpp:1183
#9 0xf4ba47d6 in QQmlObjectCreator::setPropertyBinding (this=this@entry=0x22aa940,
property=property@entry=0xe85723f8, binding=binding@entry=0xf7f97630) at qml/qqmlobjectcreator.cpp:827
#10 0xf4ba5114 in QQmlObjectCreator::setupBindings (this=this@entry=0x22aa940,
applyDeferredBindings=applyDeferredBindings@entry=false) at qml/qqmlobjectcreator.cpp:779
#11 0xf4ba5973 in QQmlObjectCreator::populateInstance (this=this@entry=0x22aa940, index=-1, index@entry=0,
instance=0x0, bindingTarget=0x0, valueTypeProperty=valueTypeProperty@entry=0x0)
at qml/qqmlobjectcreator.cpp:1408
#12 0xf4ba672b in QQmlObjectCreator::createInstance (this=this@entry=0x22aa940, index=index@entry=0,
parent=parent@entry=0x0, isContextObject=isContextObject@entry=true) at qml/qqmlobjectcreator.cpp:1272
#13 0xf4ba72cb in QQmlObjectCreator::create (this=<optimized out>, subComponentIndex=<optimized out>,
parent=parent@entry=0x0, interrupt=interrupt@entry=0x0) at qml/qqmlobjectcreator.cpp:202
#14 0xf4b18269 in QQmlComponentPrivate::beginCreate (this=<optimized out>, context=<optimized out>)
at qml/qqmlcomponent.cpp:864
#15 0xf4b1640f in QQmlComponent::create (this=<optimized out>, context=0x20b3f30) at qml/qqmlcomponent.cpp:773
#16 0xf5121134 in QQuickView::continueExecute() () from /usr/lib/x86_64-linux-gnux32/libQt5Quick.so.5
#17 0xf51216d2 in QQuickViewPrivate::execute() () from /usr/lib/x86_64-linux-gnux32/libQt5Quick.so.5
#18 0xf775f18c in quick_test_main(int, char**, char const*, char const*) ()
from /usr/lib/x86_64-linux-gnux32/libQt5QuickTest.so.5
#19 0xf632e6a7 in __libc_start_main () from /lib/x86_64-linux-gnux32/libc.so.6
#20 0x004005bb in _start ()
(gdb) frame 3
#3 QV4::ExecutionContext::newCallContext (this=<optimized out>, function=<optimized out>,
callData=<optimized out>) at jsruntime/qv4context.cpp:94
(gdb) print *c
value has been optimized out
(gdb) print c->callData
value has been optimized out
(gdb) print callData
$8 = <optimized out>
(gdb) print sizeof(CallData)
$9 = 24
(gdb) print sizeof(Value)
$10 = 8
(gdb) print c->locals.values
value has been optimized out
(gdb) print c->locals
value has been optimized out
(gdb) print sizeof(CallContext::Data)
$11 = 64
(gdb) print localsAndFormals
$12 = 0
(gdb) print callData->argc
value has been optimized out
(gdb) frame 2
#2 0xf4a345f7 in memcpy (__len=<optimized out>, __src=0xffe44df0, __dest=<optimized out>)
at /usr/include/x86_64-linux-gnux32/bits/string_fortified.h:34
34 return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) disas
Dump of assembler code for function QV4::ExecutionContext::newCallContext(QV4::Function*, QV4::CallData*):
0xf4a344e0 <+0>: push %r15
[…]
0xf4a345d7 <+247>: cmp %eax,%edi
0xf4a345d9 <+249>: jne 0xf4a345d0 <QV4::ExecutionContext::newCallContext(QV4::Function*, QV4::CallData*)+240>
0xf4a345db <+251>: mov %edi,0x4(%ebx)
0xf4a345df <+255>: mov 0x0(%ebp),%eax
0xf4a345e3 <+259>: mov %rbp,%rsi
0xf4a345e6 <+262>: mov %ecx,0xc(%esp)
0xf4a345eb <+267>: lea 0x10(,%rax,8),%edx
0xf4a345f2 <+274>: callq 0xf4927b70 <memcpy@plt>
=> 0xf4a345f7 <+279>: mov 0xc(%esp),%ecx
0xf4a345fc <+284>: mov 0x14(%ecx),%eax
0xf4a34600 <+288>: cmp %eax,0x0(%ebp)
0xf4a34604 <+292>: jge 0xf4a34633 <QV4::ExecutionContext::newCallContext(QV4::Function*, QV4::CallData*)+339>
[…]
(gdb) frame 1
#1 0x02290450 in ?? ()
(gdb) disas
No function contains program counter for selected frame.
(gdb) frame 0
#0 0xf7f96035 in ?? ()
(gdb) disas
No function contains program counter for selected frame.
This looks like a jump into nothing… from a call to memcpy?