Bizarre crash in JavaScript engine on macOS Monterey

[KockaAdmiralac]

Describe the bug

I had recently written a custom extension and tried to get two macOS users to run it. Both users are on macOS Monterey and for both of them Tiled unexpectedly crashed when they performed a specific action in my extension.

The crash narrows down to: a JavaScript function takes another function as an argument, runs it at least 4 times, and then Tiled crashes. The reported exception type is EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid)). This could have something to do with QtQml's JavaScript engine, or Tiled's packaging of it.

I'm attaching two crash logs, first is from performing my reproduction steps below on macOS 12.7.6, second is when loading my above extension and performing the File > Publish to wiki action on macOS 12.7.4 (the specific part that crashes is the Array.prototype.map call in includes/auth.mjs:generateCodeChallenge).

crash1.txt
crash2.txt

This cannot be reproduced on Windows or Linux.

Steps to reproduce

1. Open Console
2. Run ((c)=>{c();c();c();c()})(()=>{})
3. Tiled crashes

Expected behavior

Expected behavior of the above function is to not do anything.

OS version

macOS 12.7.4 and 12.7.6

Tiled version

1.11.2

[bjorn]

Hmm, I can reproduce this as well on macOS 15.1 (Sequoia). I'll see if it still happens with the latest Qt release.

[bjorn]

I wasn't able to reproduce this at all in development builds. The reason is that only releases are code-signed, and the error happens because the code-signing apparently disallows running JIT-compiled (and thus unsigned) code. Likely the multiple calls to the function were triggering JIT-compilation (QV4_JIT_CALL_THRESHOLD defaults to 3).

I guess the easy solution should be to disable JIT-compilation. It will be a bit slower sometimes, but I don't expect there to be a way to allow running JIT-compiled code in a signed executable. According to https://doc.qt.io/qt-6/qtqml-javascript-finetuning.html, you can set the QV4_FORCE_INTERPRETER environment variable to disable JIT compilation entirely.

[KockaAdmiralac]

Do you plan to disable JIT compilation entirely in the new builds of Tiled, or is setting the environment variable a permanent workaround for this issue?

It seems that there is an entitlement you can enable during code signing to allow JIT-compiled code. QtQML has apparently been made to use the MAP_JIT flag on all macOS platforms in Qt versions 6.8.2 and newer since December 2024. Do you think this could work?

[bjorn]

@KockaAdmiralac I was planning to set that environment variable automatically on startup, but the entitlement might be a better solution, thanks for the research!