QNativeSocketEngine: fix reuse address problems on Linux #5
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
qtprojectorg
pushed a commit
that referenced
this pull request
Jul 30, 2015
If the data fits inline, let's store it using the dummy member. GCC,
Clang and ICC optimize the code on all architectures I tested to one
single store.
Previously, the function for "return QVersionNumber(5,4,0);" was:
x86-64:
movb $7, (%rdi)
movb $5, 1(%rdi)
movb $4, 2(%rdi)
movb $0, 3(%rdi)
x86:
movb $7, (%eax)
movb $5, 1(%eax)
movb $4, 2(%eax)
movb $0, 3(%eax)
ia64:
addl r17 = 7, r0
adds r16 = 1, in0
adds r15 = 2, in0
adds r14 = 3, in0
st1 [in0] = r17
addl r17 = 5, r0
;;
st1 [r16] = r17
addl r16 = 4, r0
;;
st1 [r15] = r16
st1 [r14] = r0
armv7a:
mov r1, #7
mov r2, #5
strb r1, [r0]
mov r1, #4
strb r2, [r0, #1]
mov r2, #0
strb r1, [r0, #2]
strb r2, [r0, #3]
mips32:
li $3,7 # 0x7
sb $3,3($4)
li $3,5 # 0x5
sb $3,0($4)
li $3,4 # 0x4
sb $3,1($4)
sb $0,2($4)
mips64:
li $3,7 # 0x7
sb $3,7($4)
li $3,5 # 0x5
sb $3,0($4)
li $3,4 # 0x4
sb $3,1($4)
sb $0,2($4)
ppc32:
li 10,7
stb 10,3(3)
li 10,5
stb 10,0(3)
li 10,4
stb 10,1(3)
li 10,0
stb 10,2(3)
ppc64:
li 10,7
stb 10,7(3)
li 10,5
stb 10,0(3)
li 10,4
stb 10,1(3)
li 10,0
stb 10,2(3)
Now it is:
x86-64:
movq $263431, (%rdi)
x86:
movl $263431, (%eax)
ia64:
addl r14 = 263431, r0
;;
st8 [in0] = r14
armv7a:
movw r3, #1287
movt r3, 4
str r3, [r0]
mips32:
li $3,84148224 # 0x5040000
addiu $3,$3,7
sw $3,0($4)
mips64:
li $3,321 # 0x141
dsll $3,$3,50
daddiu $3,$3,7
sd $3,0($4)
ppc64:
lis 9,0x504
sldi 9,9,32
ori 9,9,7
std 9,0(3)
ppc32:
lis 9,0x504
ori 9,9,7
stw 9,0(3)
All assembly listings from GCC 4.8.1, but the Clang and ICC outputs are
identical or at least very similar (I tested Clang for ARM, MIPS and
PowerPC). Both MIPS and PowerPC were compiled in big-endian mode and this
listing shows that the 64-bit implementation is correct.
Additionally, the output is also the same for GCC when using brace
initialization (that is, return QVersionNumber{5,4,0}). Clang and ICC
couldn't optimize that.
Change-Id: I9a4a4c9fc83f1182401f63fd2da829c935a8c9da
Reviewed-by: Keith Gardner <[email protected]>
Reviewed-by: Marc Mutz <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Jul 31, 2016
Before actually deleting QTreeWidgetItems from QTree{Model,Widget{,Item}} dtors,
their 'view' members need to be set to nullptr, lest they attempt to delist
themselves from the list of top-level items.
For the QTreeModel::headerItem, this was forgottten.
Found by UBSan:
qtreewidget.cpp:1488:70: runtime error: member call on address 0x7ffd843dd470 which does not point to an object of type 'QAbstractItemView'
0x7ffd843dd470: note: object is of type 'QWidget'
#0 0x2b83d5b48323 in QTreeWidgetItem::~QTreeWidgetItem() src/widgets/itemviews/qtreewidget.cpp:1488
#1 0x2b83d5b48860 in QTreeWidgetItem::~QTreeWidgetItem() src/widgets/itemviews/qtreewidget.cpp:1535
#2 0x2b83d5b41659 in QTreeModel::~QTreeModel() src/widgets/itemviews/qtreewidget.cpp:143
#3 0x2b83d5b41bc0 in QTreeModel::~QTreeModel() src/widgets/itemviews/qtreewidget.cpp:146
#4 0x2b83df220747 in QObjectPrivate::deleteChildren() src/corelib/kernel/qobject.cpp:2010
#5 0x2b83d4603dd0 in QWidget::~QWidget() src/widgets/kernel/qwidget.cpp:1675
#6 0x2b83d4d76066 in QFrame::~QFrame() src/widgets/widgets/qframe.cpp:256
#7 0x2b83d5270442 in QAbstractScrollArea::~QAbstractScrollArea() src/widgets/widgets/qabstractscrollarea.cpp:575
#8 0x2b83d5733eb9 in QAbstractItemView::~QAbstractItemView() src/widgets/itemviews/qabstractitemview.cpp:617
#9 0x2b83d598b216 in QTreeView::~QTreeView() src/widgets/itemviews/qtreeview.cpp:206
#10 0x2b83d5b218b6 in QTreeWidget::~QTreeWidget() src/widgets/itemviews/qtreewidget.cpp:2549
#11 0x4eef42 in tst_QTreeWidgetItemIterator::updateIfModifiedFromWidget() tests/auto/widgets/itemviews/qtreewidgetitemiterator/tst_qtreewidgetitemiterator.cpp:1089
Change-Id: I57c277adee8c99eb07b274d6d8ea1f6fbf3575be
Reviewed-by: Olivier Goffart (Woboq GmbH) <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Sep 22, 2016
…in Private::canBeNativeDialog()
Found by UBSan:
qfontdialog_p.h:77:5: runtime error: downcast of address 0x7ffc3ceadc90 which does not point to an object of type 'QFontDialog'
0x7ffc3ceadc90: note: object is of type 'QDialog'
fc 7f 00 00 38 5f a8 27 fc 2a 00 00 60 e2 14 02 00 00 00 00 10 61 a8 27 fc 2a 00 00 00 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QDialog'
#0 0x2afc24d29490 in QFontDialogPrivate::q_func() const qfontdialog_p.h:77
#1 0x2afc24d29490 in QFontDialogPrivate::canBeNativeDialog() const qfontdialog.cpp:1033
#2 0x2afc24c93f56 in QDialog::setVisible(bool) qdialog.cpp:696
#3 0x2afc24c7b27a in QDialog::~QDialog() qdialog.cpp:357
#4 0x2afc24d286a6 in QFontDialog::~QFontDialog() qfontdialog.cpp:339
#5 0x2afc24d481a2 in QFontDialogPrivate::getFont(bool*, QFont const&, QWidget*, QString const&, QFlags<QFontDialog::FontDialogOption>) qfontdialog.cpp:402
#6 0x2afc24d483f1 in QFontDialog::getFont(bool*, QWidget*) qfontdialog.cpp:396
#7 0x407652 in tst_QFontDialog::testGetFont() tst_qfontdialog.cpp:120
qcolordialog.cpp:86:5: runtime error: downcast of address 0x7ffdf50c1ec0 which does not point to an object of type 'QColorDialog'
0x7ffdf50c1ec0: note: object is of type 'QDialog'
fd 7f 00 00 d8 6e c7 23 b7 2a 00 00 50 c1 af 01 00 00 00 00 b0 70 c7 23 b7 2a 00 00 00 00 1a 1e
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QDialog'
#0 0x2ab720e4ec97 in QColorDialogPrivate::q_func() const qcolordialog.cpp:86
#1 0x2ab720e4ec97 in QColorDialogPrivate::canBeNativeDialog() const qcolordialog.cpp:1865
#2 0x2ab720e84ed6 in QDialog::setVisible(bool) qdialog.cpp:696
#3 0x2ab720e6c1fa in QDialog::~QDialog() qdialog.cpp:357
#4 0x2ab720e2b276 in QColorDialog::~QColorDialog() qcolordialog.cpp:2187
#5 0x2ab720e5e2c6 in QColorDialog::getColor(QColor const&, QWidget*, QString const&, QFlags<QColorDialog::ColorDialogOption>) qcolordialog.cpp:2148
#6 0x2ab720e5e473 in QColorDialog::getRgba(unsigned int, bool*, QWidget*) qcolordialog.cpp:2176
#7 0x407180 in tst_QColorDialog::testGetRgba() tst_qcolordialog.cpp:118
qfiledialog_p.h:112:5: runtime error: downcast of address 0x7ffd6858cc60 which does not point to an object of type 'QFileDialog'
0x7ffd6858cc60: note: object is of type 'QDialog'
a1 2b 00 00 d8 1e 5e 0c a1 2b 00 00 b0 af 01 20 a1 2b 00 00 b0 20 5e 0c a1 2b 00 00 00 00 46 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QDialog'
#0 0x2ba10980a9e7 in QFileDialogPrivate::q_func() const qfiledialog_p.h:112
#1 0x2ba10980a9e7 in QFileDialogPrivate::canBeNativeDialog() const qfiledialog.cpp:695
#2 0x2ba1097efe36 in QDialog::setVisible(bool) qdialog.cpp:696
#3 0x2ba1097d715a in QDialog::~QDialog() qdialog.cpp:357
#4 0x2ba109854c4b in QFileDialog::~QFileDialog() qfiledialog.cpp:380
#5 0x4179dc in tst_QFiledialog::init() tst_qfiledialog.cpp:175
Fix by replacing Q_Q with the the equivalent expression for QDialog.
We can't re-use QDialogPrivate::q_func() here, since that is private,
and probably should stay like that.
Also fix an invalid member call in
QColorDialogPrivate::canBeNativeDialog():
qcolordialog.cpp:2050:5: runtime error: member call on address 0x7ffdf50c1ec0 which does not point to an object of type 'QColorDialog'
0x7ffdf50c1ec0: note: object is of type 'QDialog'
fd 7f 00 00 d8 6e c7 23 b7 2a 00 00 50 c1 af 01 00 00 00 00 b0 70 c7 23 b7 2a 00 00 00 00 1a 1e
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QDialog'
#0 0x2ab720e4e5ea in QColorDialog::options() const qcolordialog.cpp:2050
#1 0x2ab720e4e8c8 in QColorDialogPrivate::canBeNativeDialog() const qcolordialog.cpp:1870
#2 0x2ab720e84ed6 in QDialog::setVisible(bool) qdialog.cpp:696
#3 0x2ab720e6c1fa in QDialog::~QDialog() qdialog.cpp:357
#4 0x2ab720e2b276 in QColorDialog::~QColorDialog() qcolordialog.cpp:2187
#5 0x2ab720e5e2c6 in QColorDialog::getColor(QColor const&, QWidget*, QString const&, QFlags<QColorDialog::ColorDialogOption>) qcolordialog.cpp:2148
#6 0x2ab720e5e473 in QColorDialog::getRgba(unsigned int, bool*, QWidget*) qcolordialog.cpp:2176
#7 0x407180 in tst_QColorDialog::testGetRgba() tst_qcolordialog.cpp:118
by accessing the data member directly instead of through the Public API.
Fix the same code in QFileDialog, even though the autotest coverage is
too limited for UBSan to point that one out explicitly.
Change-Id: Idd278744961435e417d91fb2f89b6d91a94e0c71
Reviewed-by: Friedemann Kleint <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Sep 22, 2016
Found by UBSan:
qgraphicsscene.cpp:1000:40: runtime error: downcast of address 0x2af0d4072b00 which does not point to an object of type 'QGraphicsWidget'
0x2af0d4072b00: note: object is of type 'QGraphicsObject'
00 00 00 00 30 f5 26 bd f0 2a 00 00 90 e1 05 d4 f0 2a 00 00 a8 e3 26 bd f0 2a 00 00 d0 33 0f d4
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QGraphicsObject'
#0 0x2af0badf1305 in QGraphicsScenePrivate::ungrabMouse(QGraphicsItem*, bool) qgraphicsscene.cpp:1000
#1 0x2af0bae0fc24 in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) qgraphicsscene.cpp:692
#2 0x2af0bacd21f6 in QGraphicsItem::~QGraphicsItem() qgraphicsitem.cpp:1555
#3 0x2af0bacd4c48 in QGraphicsObject::~QGraphicsObject() qgraphicsitem.cpp:7766
#4 0x2af0baf7e99c in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:231
#5 0x2af0baf7f8c0 in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:282
#6 0x2af0badcee34 in QGraphicsScene::clear() qgraphicsscene.cpp:2388
#7 0x2af0badcf3fc in QGraphicsScene::~QGraphicsScene() qgraphicsscene.cpp:1682
#8 0x4b26f0 in tst_QGraphicsWidget::popupMouseGrabber() tst_qgraphicswidget.cpp:47
Fix by using the existing graphics widget pointer,
determined a line above to be equivalent to 'item',
for the removePopup() function call instead of
casting 'item' itself.
The rest of removePopup() appears to be well-behaved
and doesn't trigger any more UBSan errors, so it was
indeed just the cast which was undefined, no member
calls.
Change-Id: Ia54da90262a7a02f527914a90b0208be0ffc0f0b
Reviewed-by: Thiago Macieira <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Sep 24, 2016
…ivate::canBeNativeDialog()
Found by UBSan:
qcolordialog.cpp:86:5: runtime error: downcast of address 0x7ffdf50c1ec0 which does not point to an object of type 'QColorDialog'
0x7ffdf50c1ec0: note: object is of type 'QDialog'
fd 7f 00 00 d8 6e c7 23 b7 2a 00 00 50 c1 af 01 00 00 00 00 b0 70 c7 23 b7 2a 00 00 00 00 1a 1e
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QDialog'
#0 0x2ab720e4ec97 in QColorDialogPrivate::q_func() const qcolordialog.cpp:86
#1 0x2ab720e4ec97 in QColorDialogPrivate::canBeNativeDialog() const qcolordialog.cpp:1865
#2 0x2ab720e84ed6 in QDialog::setVisible(bool) qdialog.cpp:696
#3 0x2ab720e6c1fa in QDialog::~QDialog() qdialog.cpp:357
#4 0x2ab720e2b276 in QColorDialog::~QColorDialog() qcolordialog.cpp:2187
#5 0x2ab720e5e2c6 in QColorDialog::getColor(QColor const&, QWidget*, QString const&, QFlags<QColorDialog::ColorDialogOption>) qcolordialog.cpp:2148
#6 0x2ab720e5e473 in QColorDialog::getRgba(unsigned int, bool*, QWidget*) qcolordialog.cpp:2176
#7 0x407180 in tst_QColorDialog::testGetRgba() tst_qcolordialog.cpp:118
qfiledialog_p.h:112:5: runtime error: downcast of address 0x7ffd6858cc60 which does not point to an object of type 'QFileDialog'
0x7ffd6858cc60: note: object is of type 'QDialog'
a1 2b 00 00 d8 1e 5e 0c a1 2b 00 00 b0 af 01 20 a1 2b 00 00 b0 20 5e 0c a1 2b 00 00 00 00 46 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QDialog'
#0 0x2ba10980a9e7 in QFileDialogPrivate::q_func() const qfiledialog_p.h:112
#1 0x2ba10980a9e7 in QFileDialogPrivate::canBeNativeDialog() const qfiledialog.cpp:695
#2 0x2ba1097efe36 in QDialog::setVisible(bool) qdialog.cpp:696
#3 0x2ba1097d715a in QDialog::~QDialog() qdialog.cpp:357
#4 0x2ba109854c4b in QFileDialog::~QFileDialog() qfiledialog.cpp:380
#5 0x4179dc in tst_QFiledialog::init() tst_qfiledialog.cpp:175
Fix by replacing Q_Q with the the equivalent expression for QDialog.
We can't re-use QDialogPrivate::q_func() here, since that is private,
and probably should stay like that.
Also fix an invalid member call in
QColorDialogPrivate::canBeNativeDialog():
qcolordialog.cpp:2050:5: runtime error: member call on address 0x7ffdf50c1ec0 which does not point to an object of type 'QColorDialog'
0x7ffdf50c1ec0: note: object is of type 'QDialog'
fd 7f 00 00 d8 6e c7 23 b7 2a 00 00 50 c1 af 01 00 00 00 00 b0 70 c7 23 b7 2a 00 00 00 00 1a 1e
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QDialog'
#0 0x2ab720e4e5ea in QColorDialog::options() const qcolordialog.cpp:2050
#1 0x2ab720e4e8c8 in QColorDialogPrivate::canBeNativeDialog() const qcolordialog.cpp:1870
#2 0x2ab720e84ed6 in QDialog::setVisible(bool) qdialog.cpp:696
#3 0x2ab720e6c1fa in QDialog::~QDialog() qdialog.cpp:357
#4 0x2ab720e2b276 in QColorDialog::~QColorDialog() qcolordialog.cpp:2187
#5 0x2ab720e5e2c6 in QColorDialog::getColor(QColor const&, QWidget*, QString const&, QFlags<QColorDialog::ColorDialogOption>) qcolordialog.cpp:2148
#6 0x2ab720e5e473 in QColorDialog::getRgba(unsigned int, bool*, QWidget*) qcolordialog.cpp:2176
#7 0x407180 in tst_QColorDialog::testGetRgba() tst_qcolordialog.cpp:118
by accessing the data member directly instead of through the Public API.
Fix the same code in QFileDialog, even though the autotest coverage is
too limited for UBSan to point that one out explicitly.
This commit amends abe8b4a, in which
it should have been included in the first place...
Change-Id: Iff0538eba61d2381359f0b61f35918d643f7aa0c
Reviewed-by: Thiago Macieira <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Sep 27, 2016
Found by UBSan:
qlayout.cpp:612:50: runtime error: downcast of address 0x7ffcd4c39a70 which does not point to an object of type 'QWidget'
0x7ffcd4c39a70: note: object is of type 'QObject'
00 00 00 00 b0 43 4c 7b f5 2a 00 00 70 c9 28 02 00 00 00 00 08 93 9a 77 f5 2a 00 00 00 00 c3 d4
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QObject'
#0 0x2af56f189960 in QLayout::widgetEvent(QEvent*) qlayout.cpp:612
#1 0x2af56f037660 in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3732
#2 0x2af56f06ae5b in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3704
#3 0x2af57989e383 in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:988
#4 0x2af5799c1696 in QCoreApplication::sendEvent(QObject*, QEvent*) qcoreapplication.h:231
#5 0x2af5799c1696 in QObjectPrivate::setParent_helper(QObject*) qobject.cpp:2043
#6 0x2af5799c4823 in QObject::~QObject() qobject.cpp:1095
#7 0x2af56f2d205d in QWidget::~QWidget() qwidget.cpp:1549
#8 0x2af56f9c1366 in QFrame::~QFrame() qframe.cpp:262
#9 0x2af56f9e76cb in QLabel::~QLabel() qlabel.cpp:247
#10 0x458077 in tst_QStyleSheetStyle::emptyStyleSheet() tst_qstylesheetstyle.cpp:1400
Fix by not casting at all (or, to be precise, casting implicitly up
instead of explicitly down).
Change-Id: Ic19fd29e0cabd1aee5b1c93ca4c0fc70bc7a5927
Reviewed-by: Thiago Macieira <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Sep 28, 2016
…nize()
As found by UBSan:
qstandardgestures.cpp:511:67: runtime error: downcast of address 0x7ffc9beb1b90 which does not point to an object of type 'QTouchEvent'
0x7ffc9beb1b90: note: object is of type 'QPlatformSurfaceEvent'
fc 7f 00 00 08 93 b1 6f f5 2a 00 00 00 00 00 00 00 00 00 00 d9 00 ec 9b 00 00 00 00 49 01 c1 5e
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QPlatformSurfaceEvent'
#0 0x2af55edfa66a in QTapAndHoldGestureRecognizer::recognize(QGesture*, QObject*, QEvent*) qstandardgestures.cpp:511
#1 0x2af55ee3d9bb in QGestureManager::filterEventThroughContexts(QMultiMap<QObject*, Qt::GestureType> const&, QEvent*) qgesturemanager.cpp:276
#2 0x2af55ee4565b in QGestureManager::filterEvent(QWidget*, QEvent*) qgesturemanager.cpp:512
#3 0x2af55ee53945 in QGestureManager::filterEvent(QObject*, QEvent*) qgesturemanager.cpp:556
#4 0x2af55ea1b83a in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3053
#5 0x2af573949d0f in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:988
#6 0x2af56982ff94 in QCoreApplication::sendEvent(QObject*, QEvent*) qcoreapplication.h:231
#7 0x2af56982ff94 in QWindowPrivate::create(bool) qwindow.cpp:435
#8 0x2af55ecd10fe in QWidgetPrivate::create_sys(unsigned long long, bool, bool) qwidget.cpp:1471
#9 0x2af55ecc770e in QWidget::create(unsigned long long, bool, bool) qwidget.cpp:1333
#10 0x2af55ed80618 in QWidget::setVisible(bool) qwidget.cpp:8156
#11 0x4feec4 in tst_QWidget::touchEventsForGesturePendingWidgets() tst_qwidget.cpp:9824
qstandardgestures.cpp:512:67: runtime error: downcast of address 0x7ffc9beb1b90 which does not point to an object of type 'QMouseEvent'
0x7ffc9beb1b90: note: object is of type 'QPlatformSurfaceEvent'
fc 7f 00 00 08 93 b1 6f f5 2a 00 00 00 00 00 00 00 00 00 00 d9 00 ec 9b 00 00 00 00 49 01 c1 5e
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QPlatformSurfaceEvent'
#0 0x2af55edfaa19 in QTapAndHoldGestureRecognizer::recognize(QGesture*, QObject*, QEvent*) qstandardgestures.cpp:512
[... skipping common lines ...]
qstandardgestures.cpp:514:95: runtime error: downcast of address 0x
0x7ffc9beb1b90: note: object is of type 'QPlatformSurfaceEvent'
fc 7f 00 00 08 93 b1 6f f5 2a 00 00 00 00 00 00 00 00 00 00 d9 00 ec 9b 00 00 00 0
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QPlatformSurfaceEvent'
#0 0x2af55edfa966 in QTapAndHoldGestureRecognizer::recognize(QGesture*, QObject*, QEvent*) qstandardgestures.cpp:514
[... skipping common lines ...]
The problem is that the casts are done outside the switch that
determines the event's type, so for any given event object, at least
any two of the casts are invalid.
This could actually be a real problem, because it's trivial for a
compiler to prove that these three lines unconditionally invoke UB, so
it has all the right in the world to decide to drop the complete rest
of the function, using this line of reasoning:
1. The only way for these three casts not to be UB is if event ==
nullptr.
2. If event == nullptr, then event->type() invokes UB, so event cannot
be nullptr.
3. The only way both can be true is if this code path is never
taken. I can thus assume that
object == state && event->type() == QEvent::Timer
is always true, drop the check and execute the if block
unconditionally (I need to call QEvent::type(), to satisfy the
as-if-rule, but I needn't check its return value).
Fix by moving the casts where they belong: into each case of the
switch, where the type of the event has been checked to match the
target type of the cast.
Change-Id: I3aee8e213dc19d2f51636bcc5221cc92b3142e58
Reviewed-by: Thiago Macieira <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Oct 5, 2016
The slot is invoked from QObject::destroyed(), which is emitted
from ~QObject. By that time the object is no longer a QShortcut,
so the static_cast it invalid.
Found by UBSan:
tst_qshortcut.cpp:1210:53: runtime error: downcast of address 0x6020000289d0 which does not point to an object of type 'QShortcut'
0x6020000289d0: note: object is of type 'QObject'
10 00 80 17 c0 ce 63 df 93 2b 00 00 b0 02 00 00 d0 60 00 00 02 00 00 00 ff ff ff 04 04 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QObject'
#0 0x42b3bb in tst_QShortcut::shortcutDestroyed(QObject*) tst_qshortcut.cpp:1210
#1 0x446cc9 in tst_QShortcut::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/tst_qshortcut.moc:186
#2 0x2b93dba52c86 in QMetaObject::activate(QObject*, int, int, void**) qobject.cpp:3787
#3 0x2b93dba55400 in QObject::destroyed(QObject*) .moc/moc_qobject.cpp:213
#4 0x2b93dba8d80d in QObject::~QObject() qobject.cpp:967
#5 0x2b93c6b6e032 in QShortcut::~QShortcut() qshortcut.cpp:476
#6 0x2b93c6b6e370 in QShortcut::~QShortcut() qshortcut.cpp:481
#7 0x42a5de in void qDeleteAll<QList<QShortcut*>::const_iterator>(QList<QShortcut*>::const_iterator, QList<QShortcut*>::const_iterator) qalgorithms.h:317
#8 0x42a5de in void qDeleteAll<QList<QShortcut*> >(QList<QShortcut*> const&) qalgorithms.h:325
#9 0x42a5de in tst_QShortcut::clearAllShortcuts() tst_qshortcut.cpp:1136
Fix by replacing QVector::replaceAll() with the erase-remove idiom,
which does not require the cast, because it can perform mixed-type
lookups.
Change-Id: I4251c1895fa4398023f489dbfd7108d90c1a6c94
Reviewed-by: Giuseppe D'Angelo <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Oct 6, 2016
Found by UBSan:
qgraphicswidget_p.h:72:5: runtime error: downcast of address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget'
0x2ab6a8021400: note: object is of type 'QGraphicsObject'
00 00 00 00 70 93 5c 91 b6 2a 00 00 f0 c0 01 a8 b6 2a 00 00 e8 81 5c 91 b6 2a 00 00 10 bf 01 a8
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QGraphicsObject'
#0 0x2ab68f2fdd7c in QGraphicsWidgetPrivate::q_func() qgraphicswidget_p.h:72
#1 0x2ab68f2fdd7c in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:775
#2 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181
#3 0x2ab68f024f73 in QGraphicsItem::setParentItem(QGraphicsItem*) qgraphicsitem.cpp:1781
#4 0x2ab68f168401 in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) qgraphicsscene.cpp:620
#5 0x2ab68f02c166 in QGraphicsItem::~QGraphicsItem() qgraphicsitem.cpp:1555
#6 0x2ab68f02ebb8 in QGraphicsObject::~QGraphicsObject() qgraphicsitem.cpp:7766
#7 0x2ab68f2d8888 in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:231
#8 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175
#9 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175
#10 0x2ab68f02c9ec in QGraphicsItem::~QGraphicsItem() qgraphicsitem.cpp:1550
#11 0x2ab68f02ebb8 in QGraphicsObject::~QGraphicsObject() qgraphicsitem.cpp:7766
#12 0x2ab68f2d8888 in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:231
#13 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175
#14 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175
#15 0x2ab68f128da4 in QGraphicsScene::clear() qgraphicsscene.cpp:2388
#16 0x2ab68f12936c in QGraphicsScene::~QGraphicsScene() qgraphicsscene.cpp:1682
#17 0x44d44c in tst_QGraphicsWidget::focusWidget() /tst_qgraphicswidget.cpp:435
qgraphicswidget_p.cpp:805:24: runtime error: member call on address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget'
0x2ab6a8021400: note: object is of type 'QGraphicsObject'
00 00 00 00 70 93 5c 91 b6 2a 00 00 f0 c0 01 a8 b6 2a 00 00 e8 81 5c 91 b6 2a 00 00 10 bf 01 a8
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QGraphicsObject'
#0 0x2ab68f2fdc68 in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:805
#1 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181
[... identical lines omitted ...]
qgraphicswidget_p.cpp:806:23: runtime error: member call on address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget'
0x2ab6a8021400: note: object is of type 'QGraphicsObject'
00 00 00 00 70 93 5c 91 b6 2a 00 00 f0 c0 01 a8 b6 2a 00 00 e8 81 5c 91 b6 2a 00 00 10 bf 01 a8
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QGraphicsObject'
#0 0x2ab68f2fdb6b in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:806
#1 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181
[... identical lines omitted ...]
qgraphicswidget_p.cpp:827:26: runtime error: member call on address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget'
0x2ab6a8021400: note: object is of type 'QGraphicsObject'
00 00 00 00 70 93 5c 91 b6 2a 00 00 f0 c0 01 a8 b6 2a 00 00 e8 81 5c 91 b6 2a 00 00 10 bf 01 a8
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QGraphicsObject'
#0 0x2ab68f2fdf91 in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:827
#1 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181
[... identical lines omitted ...]
Fix by moving the setParentItem(nullptr) call up the call stack
into ~QGraphicsWidget(), ensuring that the object is still a
QGraphicsWidget when these calls are made.
Change-Id: I264779e33098e9752de9a312a146fb203578a3cc
Reviewed-by: Thiago Macieira <[email protected]>
Reviewed-by: Giuseppe D'Angelo <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Oct 12, 2016
…ventFilter()
Found by UBSan:
tst_qwidget.cpp:10207:29: runtime error: member access within address 0x6060000e8880 which does not point to an object of type 'EnterTestModalDialog'
0x6060000e8880: note: object is of type 'QWidget'
eb 00 80 45 10 4b 32 ab 11 2b 00 00 80 df 08 00 60 61 00 00 c0 4c 32 ab 11 2b 00 00 00 00 be be
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QWidget'
#0 0x6ca13f in EnterTestMainDialog::eventFilter(QObject*, QEvent*) tst_qwidget.cpp:10207
#1 0x2b11b8bc90c3 in QCoreApplicationPrivate::sendThroughApplicationEventFilters(QObject*, QEvent*) qcoreapplication.cpp:1081
#2 0x2b11a3c49b4a in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3716
#3 0x2b11a3c8ec72 in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3704
#4 0x2b11b8bccd0f in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:988
#5 0x2b11aea5c34d in QCoreApplication::sendEvent(QObject*, QEvent*) qcoreapplication.h:231
#6 0x2b11aea5c34d in QGuiApplicationPrivate::_q_updateFocusObject(QObject*) qguiapplication.cpp:3690
#7 0x2b11aea61360 in QGuiApplication::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_qguiapplication.cpp:177
#8 0x2b11b8d1dc86 in QMetaObject::activate(QObject*, int, int, void**) qobject.cpp:3787
#9 0x2b11aea784a3 in QWindow::focusObjectChanged(QObject*) .moc/moc_qwindow.cpp:760
#10 0x2b11a3fb24f2 in QWidget::clearFocus() qwidget.cpp:6705
#11 0x2b11a3fc87b1 in QWidget::~QWidget() qwidget.cpp:1608
#12 0x2b11a526688c in QDialog::~QDialog() qdialog.cpp:352
#13 0x6c43e2 in EnterTestModalDialog::~EnterTestModalDialog() tst_qwidget.cpp:10160
#14 0x6c43e2 in EnterTestModalDialog::~EnterTestModalDialog() tst_qwidget.cpp:10160
#15 0x492be3 in EnterTestMainDialog::buttonPressed() tst_qwidget.cpp:10188
#16 0x492be3 in EnterTestMainDialog::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/tst_qwidget.moc:2056
#17 0x2b11b8d1dc86 in QMetaObject::activate(QObject*, int, int, void**) qobject.cpp:3787
#18 0x2b11a45cb833 in QAbstractButton::clicked(bool) .moc/moc_qabstractbutton.cpp:307
#19 0x2b11a45cd54b in QAbstractButtonPrivate::emitClicked() qabstractbutton.cpp:411
#20 0x2b11a45df73a in QAbstractButtonPrivate::click() qabstractbutton.cpp:404
[...]
#41 0x6bb2cf in tst_QWidget::taskQTBUG_27643_enterEvents() tst_qwidget.cpp:10249
[...]
Fix by checking the event type first, and accessing
modal->button only if it's QEvent::Enter.
Change-Id: I2c7df3a1f43ecbfe14741b5861729078a91a32d6
Reviewed-by: Friedemann Kleint <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Oct 20, 2016
Found by UBSan:
qnetworkreplyhttpimpl.cpp:457:29: runtime error: member call on address 0x602000009cf0 which does not point to an object of type 'QNetworkReplyHttpImpl'
0x602000009cf0: note: object is of type 'QObject'
1e 00 80 18 20 e0 bb 12 54 7f 00 00 00 f2 00 00 70 61 00 00 02 00 00 00 ff ff ff 06 08 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QObject'
#0 0x7f541461b71b in QNetworkReplyHttpImplPrivate::~QNetworkReplyHttpImplPrivate() qnetworkreplyhttpimpl.cpp:457
#1 0x7f541461b7f0 in QNetworkReplyHttpImplPrivate::~QNetworkReplyHttpImplPrivate() qnetworkreplyhttpimpl.cpp:458
#2 0x7f540f26df1a in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) qscopedpointer.h:54
#3 0x7f540f26df1a in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() qscopedpointer.h:101
#4 0x7f540f26df1a in QObject::~QObject() qobject.cpp:940
#5 0x7f540e915f6e in QIODevice::~QIODevice() qiodevice.cpp:416
#6 0x7f5414599bae in QNetworkReply::~QNetworkReply() qnetworkreply.cpp:444
#7 0x7f54145e6f5e in QNetworkReplyHttpImpl::~QNetworkReplyHttpImpl() qnetworkreplyhttpimpl.cpp:239
#8 0x7f54145e6f5e in QNetworkReplyHttpImpl::~QNetworkReplyHttpImpl() qnetworkreplyhttpimpl.cpp:242
#9 0x7f54144b3539 in void qDeleteAll<QList<QNetworkReply*>::const_iterator>(QList<QNetworkReply*>::const_iterator, QList<QNetworkReply*>::const_iterator) qalgorithms.h:317
#10 0x7f54144b3539 in void qDeleteAll<QList<QNetworkReply*> >(QList<QNetworkReply*> const&) qalgorithms.h:325
#11 0x7f54144b3539 in QNetworkAccessManager::~QNetworkAccessManager() qnetworkaccessmanager.cpp:496
Fix by moving the emission of the QNetworkReplyHttpImpl::abortHttpRequest()
signal from ~Private, when the public object is merely a QObject anymore,
to ~QNetworkReplyHttpImpl(), when the public class is still itself.
Change-Id: Ifb3b19f6d180452bdf3fc26f54629ef780a5d9d9
Reviewed-by: Timur Pocheptsov <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Mar 22, 2017
QString::toUtf8() returns QByteArray, which got implicitly converted to
C strings and promptly deleted. Instead, return the QByteArray to the
caller.
Found by ASAN:
==13935==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000dffb8 at pc 0x7f764f27320b bp 0x7ffd49b11bb0 sp 0x7ffd49b11358
READ of size 7 at 0x6060000dffb8 thread T0
#1 0x7f7649d174e2 in g_strdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x684e2)
#2 0x7f763f7abe5b (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x39e5b)
#3 0x7f763f78915a in g_object_new_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x1715a)
#4 0x7f763f789520 in g_object_new (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x17520)
#5 0x7f7640f6bcb0 in gtk_dialog_add_button (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x186cb0)
#6 0x7f7640f8d2c9 in gtk_file_chooser_dialog_new (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1a82c9)
#7 0x7f7641727281 (/opt/Qt5.8.0/5.8/gcc_64/plugins/platformthemes/libqgtk3.so+0x13281)
Task-number: QTBUG-59611
Change-Id: I37cc967e689f4523b504fffd14adbf944b53b754
Reviewed-by: J-P Nurmi <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Apr 19, 2017
Delete the QGraphicsEffect from the QWidget destructor instead of from
the QWidgetPrivate destructor. The destructor of QGraphicsEffect still
access methods of the QWidget, but the QObjectPrivate being destroyed
from ~QObject, the pointer is no longer a QWidget.
Fix warning with UB sanitizer in tst_QWidget::setGraphicsEffect
qwidget_p.h:900:23: runtime error: member call on address 0x000001d822c0 which does not point to an object of type 'QWidget'
0x000001d822c0: note: object is of type 'QObject'
00 00 00 00 b0 46 5f 40 e5 7f 00 00 00 23 d8 01 00 00 00 00 f0 e6 00 44 e5 7f 00 00 00 00 74 47
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QObject'
#0 0x7fe54767db76 in QWidgetEffectSourcePrivate::detach()
#1 0x7fe548f29815 in QGraphicsEffect::~QGraphicsEffect()
#2 0x7fe548f2a1b7 in QGraphicsBlurEffect::~QGraphicsBlurEffect()
#3 0x7fe548f2a208 in QGraphicsBlurEffect::~QGraphicsBlurEffect()
#4 0x7fe5475cd463 in QWidgetPrivate::~QWidgetPrivate()
#5 0x7fe5475ce62c in QWidgetPrivate::~QWidgetPrivate()
#6 0x7fe5400d0dda in QObject::~QObject()
#7 0x7fe54763d411 in QWidget::~QWidget()
#8 0x7fe54763d7f4 in QWidget::~QWidget()
#9 0x4cc309 in QScopedPointerDeleter<QWidget>::cleanup(QWidget*)
#10 0x4cc309 in QScopedPointer<QWidget, QScopedPointerDeleter<QWidget> >::reset(QWidget*)
#11 0x4cc309 in tst_QWidget::setGraphicsEffect()
Change-Id: I19c049e979cfce2adda908af8336cb4adac8f6c4
Reviewed-by: Marc Mutz <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Aug 27, 2017
I'm getting crashes in Akonadi processes due to libproxy. I don't have direct evidence that this was caused by a threading condition, but it's clear from the source code of libproxy that the plugins it runs for expanding PAC scripts are not thread-safe. To overcome this problem, we only run libproxy functions in one thread only. #0 0x00007f745f0ac1d8 in JSC::HeapTimer::timerDidFire() () at /usr/lib64/libjavascriptcoregtk-4.0.so.18 #1 0x00007f745f0ac287 in () at /usr/lib64/libjavascriptcoregtk-4.0.so.18 #2 0x00007f748e5ae9c5 in g_main_context_dispatch () at /usr/lib64/libglib-2.0.so.0 #3 0x00007f748e5aed88 in () at /usr/lib64/libglib-2.0.so.0 #4 0x00007f748e5aee1c in g_main_context_iteration () at /usr/lib64/libglib-2.0.so.0 #5 0x00007f7494f4268f in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5 #6 0x00007f7494eeb35a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5 #7 0x00007f7494d1b31a in QThread::exec() () at /usr/lib64/libQt5Core.so.5 #8 0x00007f7494d1fd2e in () at /usr/lib64/libQt5Core.so.5 #9 0x00007f74913174e7 in start_thread () at /lib64/libpthread.so.0 The pacrunner implementation of libproxy uses libdbus-1 which (officially) is thread-safe, but experience tells that it has problems. Since it is not running a JS engine, we don't need a thread, but we do need to lock around it. Change-Id: I84e45059a888497fb55ffffd14d2f638f21e807d Reviewed-by: Edward Welbourne <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Jun 27, 2018
NSOpenGLContext should be re-entrant, but is not in practice, resulting in deadlocks when there are two render threads, eg: thread #23, name = 'QSGRenderThread' frame #0: 0x00007fff5c6dda4e libsystem_kernel.dylib`__psynch_mutexwait + 10 frame #1: 0x00007fff5c8a5b9d libsystem_pthread.dylib`_pthread_mutex_lock_wait + 83 frame #2: 0x00007fff5c8a34c8 libsystem_pthread.dylib`_pthread_mutex_lock_slow + 253 frame #3: 0x00007fff31ebb52e AppKit`flush_notify + 110 frame #4: 0x00007fff3e75ee2a GLEngine`glSwap_Exec + 186 frame #5: 0x00007fff3e740797 OpenGL`CGLFlushDrawable + 59 frame #6: 0x00007fff31ad43ac AppKit`-[NSOpenGLContext flushBuffer] + 27 ... Task-number: QTBUG-69040 Change-Id: I6f28b4cc5faf61ae93f66353ce2abdf8c223d994 Reviewed-by: Simon Hausmann <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Sep 10, 2018
Calling setView or update on NSOpenGLContext results in recreating the internal GL surfaces of the view. Unfortunately there seems to be a fixed amount of these surfaces available, so if we spin a loop where we for some reason end up recreating them, we'll easily run out, and lock up the whole window system: thread #6, name = 'SwapThread' frame #0: 0x00007fff7b45220a libsystem_kernel.dylib`mach_msg_trap + 10 frame #1: 0x00007fff7b451724 libsystem_kernel.dylib`mach_msg + 60 frame #2: 0x00007fff751c1675 SkyLight`SLSBindSurface + 247 frame #3: 0x00007fff5d9c4328 OpenGL`___lldb_unnamed_symbol29$$OpenGL + 255 frame #4: 0x00007fff6bf42c33 libGPUSupportMercury.dylib`gldAttachDrawable + 364 frame #5: 0x00007fff5d9e61e7 GLEngine`gliAttachDrawableWithOptions + 257 frame #6: 0x00007fff5d9c4bb0 OpenGL`___lldb_unnamed_symbol38$$OpenGL + 969 frame #7: 0x00007fff5d9c8b0e OpenGL`___lldb_unnamed_symbol57$$OpenGL + 82 frame #8: 0x00007fff5d9c8e55 OpenGL`CGLSetSurface + 330 frame #9: 0x00007fff50d0eb2c AppKit`NSOpenGLContextAttachOffScreenViewSurface + 352 This can happen e.g. when resizing the application, where AppKit itself spins a loop where we don't end up back in QCocoaEventDispatcher::processEvents() for each pass (where we do have a local pool). Or it can happen in the render-loop of a render-thread that doesn't use the event dispatcher. Change-Id: Iaf2f879dd01e3d807d0f35705ccc978dbc89036b Reviewed-by: Morten Johan Sørvig <[email protected]> Reviewed-by: Simon Hausmann <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Sep 26, 2018
By making the hardcoded values unsigned
image/qppmhandler.cpp:126:36: runtime error: signed integer overflow: 65535 * 65535 cannot be represented in type 'int'
#0 0x4cef10 in scale_pbm_color(unsigned short, unsigned short, unsigned short, unsigned short) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:126:36
#1 0x4cb1d5 in read_pbm_body(QIODevice*, char, int, int, int, QImage*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:274:39
#2 0x4ca3d8 in QPpmHandler::read(QImage*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:509:10
#3 0x4b238d in QImageReader::read(QImage*) /src/qt/qtbase/src/gui/image/qimagereader.cpp:1253:22
#4 0x4b1b61 in QImageReader::read() /src/qt/qtbase/src/gui/image/qimagereader.cpp:1201:12
#5 0x486f66 in QImage::fromData(unsigned char const*, int, char const*) /src/qt/qtbase/src/gui/image/qimage.cpp:3624:37
#6 0x486cd8 in QImage::loadFromData(unsigned char const*, int, char const*) /src/qt/qtbase/src/gui/image/qimage.cpp:3590:13
#7 0x434b2e in LLVMFuzzerTestOneInput /src/qimage_fuzzer.cc:28:7
#8 0x44b167 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
#9 0x43c8bd in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
#10 0x4407bb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
#11 0x434bf8 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#12 0x7fd4d93b982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x409bb8 in _start (/out/qimage_fuzzer+0x409bb8)
Change-Id: I56674d0c2e59a30095552eb84aba17d7b516dd4a
Reviewed-by: Eirik Aavitsland <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Oct 3, 2018
When the font changes in NSFontPanel, it notifies NSFontManager via -[NSFontManager modifyFontViaPanel:], which in turn sends the font manager's action (by default changeFont:) to its target (nil, unless set). Sending the action in -[NSApplication(NSResponder) sendAction:to:from:] will sanitize the 'to' argument via _NSTargetForSendAction. If the argument is non-nill (if we've set the NSFontManager target explicitly), and we're running in an app-modal session (which we are), the target is checked for worksWhenModal -- a property which is defined on NSWindow, and only supposed to be set for subclasses of NSPanel. Since our QNSFontPanelDelegate class doesn't implement this method, the _NSTargetForSendAction function will return nil, and the action is never sent. If we don't set the NSFontManager target (leaving it as nil), the function will skip the worksWhenModal check, and fall back to resolving the target via the responder chain, which includes taking the NSPanel's delegate into account: #0 -[NSWindow delegate] () #1 -[NSWindow(NSEventRouting) supplementalTargetForAction:sender:] () #2 _objectFromResponderChainWhichRespondsToAction () #3 _NSTargetForSendAction () #4 -[NSApplication(NSResponder) sendAction:to:from:] () #5 -[NSFontManager sendAction] () ... Since we want to end up in the QNSFontPanelDelegate, we can rely on the default logic to resolve the target based on the responder chain. But in case _NSTargetForSendAction will at some point also check the resolved target for worksWhenModal, we also implement the worksWhenModal method, to be on the safe side. Fixes: QTBUG-69878 Change-Id: Ie739d016fe0efd17b3d8a99cc1fb1ace81807aff Reviewed-by: Timur Pocheptsov <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Oct 5, 2018
image/qppmhandler.cpp:77:25: runtime error: signed integer overflow: 10 * 300000000 cannot be represented in type 'int'
#0 0x4cecb5 in read_pbm_int(QIODevice*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:77:25
#1 0x4cb1ac in read_pbm_body(QIODevice*, char, int, int, int, QImage*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:271:29
#2 0x4ca3d8 in QPpmHandler::read(QImage*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:509:10
#3 0x4b238d in QImageReader::read(QImage*) /src/qt/qtbase/src/gui/image/qimagereader.cpp:1253:22
#4 0x4b1b61 in QImageReader::read() /src/qt/qtbase/src/gui/image/qimagereader.cpp:1201:12
#5 0x486f66 in QImage::fromData(unsigned char const*, int, char const*) /src/qt/qtbase/src/gui/image/qimage.cpp:3624:37
#6 0x486cd8 in QImage::loadFromData(unsigned char const*, int, char const*) /src/qt/qtbase/src/gui/image/qimage.cpp:3590:13
#7 0x434b2e in LLVMFuzzerTestOneInput /src/qimage_fuzzer.cc:28:7
#8 0x44b167 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
#9 0x44a535 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:479:3
#10 0x44c428 in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:707:19
#11 0x44d1b5 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:838:5
#12 0x440a29 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6
#13 0x434bf8 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#14 0x7fba939a082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#15 0x409bb8 in _start (/out/qimage_fuzzer+0x409bb8)
Change-Id: I9ad78afc4ea9c5c8b7530aa17013abe91202e84b
Reviewed-by: Eirik Aavitsland <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Oct 5, 2018
image/qppmhandler.cpp:260:53: runtime error: signed integer overflow: 44444444 * 255 cannot be represented in type 'int'
#0 0x4cbc8a in read_pbm_body(QIODevice*, char, int, int, int, QImage*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:260:53
#1 0x4ca3d8 in QPpmHandler::read(QImage*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:514:10
#2 0x4b238d in QImageReader::read(QImage*) /src/qt/qtbase/src/gui/image/qimagereader.cpp:1253:22
#3 0x4b1b61 in QImageReader::read() /src/qt/qtbase/src/gui/image/qimagereader.cpp:1201:12
#4 0x486f66 in QImage::fromData(unsigned char const*, int, char const*) /src/qt/qtbase/src/gui/image/qimage.cpp:3624:37
#5 0x486cd8 in QImage::loadFromData(unsigned char const*, int, char const*) /src/qt/qtbase/src/gui/image/qimage.cpp:3590:13
#6 0x434b2e in LLVMFuzzerTestOneInput /src/qimage_fuzzer.cc:28:7
#7 0x44b167 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
#8 0x44a535 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:479:3
#9 0x44c428 in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:707:19
#10 0x44d1b5 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:838:5
#11 0x440a29 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6
#12 0x434bf8 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#13 0x7fe01697282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#14 0x409bb8 in _start (/out/qimage_fuzzer+0x409bb8)
Change-Id: Ibc5df6db52639f12319910b927f6443d927206d8
Reviewed-by: Eirik Aavitsland <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Nov 9, 2018
It crashes in the render thread: thread #7, name = 'SceneRenderingThread' frame #0: libsystem_kernel.dylib`__wait4_nocancel + 10 frame #1: libsystem_c.dylib`system + 452 frame #2: QtTest`stackTrace() + 325 frame #3: QtTest`QTest::FatalSignalHandler::signal(int) + 207 frame #4: libsystem_platform.dylib`_sigtramp + 26 frame #5: libsystem_platform.dylib`_platform_bzero$VARIANT$Base + 23 frame #6: GLRendererFloat`gldSetZero + 63 frame #7: GLRendererFloat`gldClearDrawBuffer + 3792 frame #8: GLRendererFloat`gldClearFramebufferData + 49 frame #9: GLEngine`glClear_Exec + 541 frame #10: tst_qglthreads`SceneRenderingThread::run() + 227 Task-number: QTBUG-68524 Change-Id: I6bc67cb342f77dc1a590a25af535f9bb7f0d325a Reviewed-by: Morten Johan Sørvig <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Sep 17, 2021
We can't guarantee that the library didn't define Objective-C classes that still have lingering references, resulting in warnings such as: Attempt to use unknown class 0x10e52e110. And possibly crashes such as: thread #1, queue = 'com.apple.main-thread' frame #0: 0x00007fff203829ee libsystem_kernel.dylib`__ulock_wait + 10 frame #1: 0x00007fff203fa0c5 libsystem_platform.dylib`_os_unfair_lock_lock_slow + 162 frame #2: 0x00007fff2026226b libobjc.A.dylib`unmap_image + 85 frame #3: 0x000000010001e11f dyld`dyld::removeImage(ImageLoader*) + 557 frame #4: 0x000000010002291d dyld`dyld::garbageCollectImages() + 956 frame #5: 0x000000010002e35d dyld`dlclose + 191 frame #6: 0x00007fff203cf1c9 libdyld.dylib`dlclose + 183 frame #7: 0x0000000103f9f2f1 libQt6Core_debug.6.dylib`QLibraryPrivate::unload_sys(this=0x000000011ba2c7d0) at qlibrary_unix.cpp:294:9 frame #8: 0x0000000103f93f3f libQt6Core_debug.6.dylib`QLibraryPrivate::unload(this=0x000000011ba2c7d0, flag=UnloadSys) at qlibrary.cpp:614:36 frame #9: 0x0000000103f971fb libQt6Core_debug.6.dylib`QLibraryStore::cleanup() at qlibrary.cpp:425:22 frame #10: 0x0000000103f970f9 libQt6Core_debug.6.dylib`qlibraryCleanup() at qlibrary.cpp:447:5 frame #11: 0x0000000103f970d1 libQt6Core_debug.6.dylib`(anonymous namespace)::qlibraryCleanup_dtor_class_::~qlibraryCleanup_dtor_class_(this=0x00000001041edd38) at qlibrary.cpp:449:1 frame #12: 0x0000000103f930f5 libQt6Core_debug.6.dylib`(anonymous namespace)::qlibraryCleanup_dtor_class_::~qlibraryCleanup_dtor_class_(this=0x00000001041edd38) at qlibrary.cpp:449:1 frame #13: 0x00007fff202e5d25 libsystem_c.dylib`__cxa_finalize_ranges + 316 frame #14: 0x00007fff202e6010 libsystem_c.dylib`exit + 53 frame #15: 0x00007fff203d1f44 libdyld.dylib`start + 8 frame #16: 0x00007fff203d1f3d libdyld.dylib`start + 1 thread #5, queue = 'com.apple.root.user-interactive-qos', stop reason = signal SIGABRT frame #0: 0x00007fff203a356e libsystem_kernel.dylib`__abort_with_payload + 10 frame #1: 0x00007fff203a4fbd libsystem_kernel.dylib`abort_with_payload_wrapper_internal + 80 frame #2: 0x00007fff203a4f6d libsystem_kernel.dylib`abort_with_reason + 19 frame #3: 0x00007fff202749e3 libobjc.A.dylib`_objc_fatalv(unsigned long long, unsigned long long, char const*, __va_list_tag*) + 114 frame #4: 0x00007fff20274971 libobjc.A.dylib`_objc_fatal(char const*, ...) + 135 frame #5: 0x00007fff20255ccb libobjc.A.dylib`lookUpImpOrForward + 881 frame #6: 0x00007fff2025539b libobjc.A.dylib`_objc_msgSend_uncached + 75 frame #7: 0x00007fff22f368d6 AppKit`-[_NSWindowTransformAnimation setCurrentProgress:] + 42 frame #8: 0x00007fff22f37a8a AppKit`__55-[NSAnimation(NSInternal) _advanceTimeWithDisplayLink:]_block_invoke + 31 frame #9: 0x00007fff22d0774f AppKit`NSPerformVisuallyAtomicChange + 132 frame #10: 0x00007fff22f379dc AppKit`-[NSAnimation(NSInternal) _advanceTimeWithDisplayLink:] + 172 frame #11: 0x00007fff22e9a184 AppKit`-[NSScreenDisplayLink _fire] + 180 frame #12: 0x00007fff2362f0b4 AppKit`___NSRunLoopTimerCreateWithHandler_block_invoke + 34 frame #13: 0x00007fff204c6be9 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 frame #14: 0x00007fff204c66dd CoreFoundation`__CFRunLoopDoTimer + 927 frame #15: 0x00007fff204c623a CoreFoundation`__CFRunLoopDoTimers + 307 frame #16: 0x00007fff204ace13 CoreFoundation`__CFRunLoopRun + 1988 frame #17: 0x00007fff204abf8c CoreFoundation`CFRunLoopRunSpecific + 563 frame #18: 0x00007fff2123d607 Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212 frame #19: 0x00007fff22f378f0 AppKit`-[NSAnimation(NSInternal) _runBlocking] + 453 frame #20: 0x00007fff22f376ae AppKit`__42-[NSAnimation(NSInternal) _runInNewThread]_block_invoke + 97 frame #21: 0x0000000104edb032 libdispatch.dylib`_dispatch_call_block_and_release + 12 frame #22: 0x0000000104edc264 libdispatch.dylib`_dispatch_client_callout + 8 frame #23: 0x0000000104ef04ac libdispatch.dylib`_dispatch_root_queue_drain + 828 frame #24: 0x0000000104ef0d3f libdispatch.dylib`_dispatch_worker_thread2 + 127 frame #25: 0x0000000104f7eac7 libsystem_pthread.dylib`_pthread_wqthread + 244 frame #26: 0x0000000104f7dae3 libsystem_pthread.dylib`start_wqthread + 15 This has been e.g. observed when a QNSWindow isn't closed and released at application quit as expected. Although that is a corner case that shouldn't happen, the general case is still valid. Fixes: QTBUG-96208 Pick-to: 6.2 5.15 Change-Id: I6c9d220e6f5389707baf7ae983f3156e8e51c316 Reviewed-by: Timur Pocheptsov <[email protected]> Reviewed-by: Morten Johan Sørvig <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Sep 17, 2021
We can't guarantee that the library didn't define Objective-C classes that still have lingering references, resulting in warnings such as: Attempt to use unknown class 0x10e52e110. And possibly crashes such as: thread #1, queue = 'com.apple.main-thread' frame #0: 0x00007fff203829ee libsystem_kernel.dylib`__ulock_wait + 10 frame #1: 0x00007fff203fa0c5 libsystem_platform.dylib`_os_unfair_lock_lock_slow + 162 frame #2: 0x00007fff2026226b libobjc.A.dylib`unmap_image + 85 frame #3: 0x000000010001e11f dyld`dyld::removeImage(ImageLoader*) + 557 frame #4: 0x000000010002291d dyld`dyld::garbageCollectImages() + 956 frame #5: 0x000000010002e35d dyld`dlclose + 191 frame #6: 0x00007fff203cf1c9 libdyld.dylib`dlclose + 183 frame #7: 0x0000000103f9f2f1 libQt6Core_debug.6.dylib`QLibraryPrivate::unload_sys(this=0x000000011ba2c7d0) at qlibrary_unix.cpp:294:9 frame #8: 0x0000000103f93f3f libQt6Core_debug.6.dylib`QLibraryPrivate::unload(this=0x000000011ba2c7d0, flag=UnloadSys) at qlibrary.cpp:614:36 frame #9: 0x0000000103f971fb libQt6Core_debug.6.dylib`QLibraryStore::cleanup() at qlibrary.cpp:425:22 frame #10: 0x0000000103f970f9 libQt6Core_debug.6.dylib`qlibraryCleanup() at qlibrary.cpp:447:5 frame #11: 0x0000000103f970d1 libQt6Core_debug.6.dylib`(anonymous namespace)::qlibraryCleanup_dtor_class_::~qlibraryCleanup_dtor_class_(this=0x00000001041edd38) at qlibrary.cpp:449:1 frame #12: 0x0000000103f930f5 libQt6Core_debug.6.dylib`(anonymous namespace)::qlibraryCleanup_dtor_class_::~qlibraryCleanup_dtor_class_(this=0x00000001041edd38) at qlibrary.cpp:449:1 frame #13: 0x00007fff202e5d25 libsystem_c.dylib`__cxa_finalize_ranges + 316 frame #14: 0x00007fff202e6010 libsystem_c.dylib`exit + 53 frame #15: 0x00007fff203d1f44 libdyld.dylib`start + 8 frame #16: 0x00007fff203d1f3d libdyld.dylib`start + 1 thread #5, queue = 'com.apple.root.user-interactive-qos', stop reason = signal SIGABRT frame #0: 0x00007fff203a356e libsystem_kernel.dylib`__abort_with_payload + 10 frame #1: 0x00007fff203a4fbd libsystem_kernel.dylib`abort_with_payload_wrapper_internal + 80 frame #2: 0x00007fff203a4f6d libsystem_kernel.dylib`abort_with_reason + 19 frame #3: 0x00007fff202749e3 libobjc.A.dylib`_objc_fatalv(unsigned long long, unsigned long long, char const*, __va_list_tag*) + 114 frame #4: 0x00007fff20274971 libobjc.A.dylib`_objc_fatal(char const*, ...) + 135 frame #5: 0x00007fff20255ccb libobjc.A.dylib`lookUpImpOrForward + 881 frame #6: 0x00007fff2025539b libobjc.A.dylib`_objc_msgSend_uncached + 75 frame #7: 0x00007fff22f368d6 AppKit`-[_NSWindowTransformAnimation setCurrentProgress:] + 42 frame #8: 0x00007fff22f37a8a AppKit`__55-[NSAnimation(NSInternal) _advanceTimeWithDisplayLink:]_block_invoke + 31 frame #9: 0x00007fff22d0774f AppKit`NSPerformVisuallyAtomicChange + 132 frame #10: 0x00007fff22f379dc AppKit`-[NSAnimation(NSInternal) _advanceTimeWithDisplayLink:] + 172 frame #11: 0x00007fff22e9a184 AppKit`-[NSScreenDisplayLink _fire] + 180 frame #12: 0x00007fff2362f0b4 AppKit`___NSRunLoopTimerCreateWithHandler_block_invoke + 34 frame #13: 0x00007fff204c6be9 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 frame #14: 0x00007fff204c66dd CoreFoundation`__CFRunLoopDoTimer + 927 frame #15: 0x00007fff204c623a CoreFoundation`__CFRunLoopDoTimers + 307 frame #16: 0x00007fff204ace13 CoreFoundation`__CFRunLoopRun + 1988 frame #17: 0x00007fff204abf8c CoreFoundation`CFRunLoopRunSpecific + 563 frame #18: 0x00007fff2123d607 Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212 frame #19: 0x00007fff22f378f0 AppKit`-[NSAnimation(NSInternal) _runBlocking] + 453 frame #20: 0x00007fff22f376ae AppKit`__42-[NSAnimation(NSInternal) _runInNewThread]_block_invoke + 97 frame #21: 0x0000000104edb032 libdispatch.dylib`_dispatch_call_block_and_release + 12 frame #22: 0x0000000104edc264 libdispatch.dylib`_dispatch_client_callout + 8 frame #23: 0x0000000104ef04ac libdispatch.dylib`_dispatch_root_queue_drain + 828 frame #24: 0x0000000104ef0d3f libdispatch.dylib`_dispatch_worker_thread2 + 127 frame #25: 0x0000000104f7eac7 libsystem_pthread.dylib`_pthread_wqthread + 244 frame #26: 0x0000000104f7dae3 libsystem_pthread.dylib`start_wqthread + 15 This has been e.g. observed when a QNSWindow isn't closed and released at application quit as expected. Although that is a corner case that shouldn't happen, the general case is still valid. Fixes: QTBUG-96208 Change-Id: I6c9d220e6f5389707baf7ae983f3156e8e51c316 Reviewed-by: Timur Pocheptsov <[email protected]> Reviewed-by: Morten Johan Sørvig <[email protected]> (cherry picked from commit b6200de) Reviewed-by: Qt Cherry-pick Bot <[email protected]>
sh-zam
added a commit
to sh-zam/qtbase
that referenced
this pull request
Mar 10, 2022
********** Crash dump: ********** #00 0x0000000000592f8c /apex/com.android.runtime/lib64/libart.so (artQuickToInterpreterBridge+1036) (BuildId: a5b81c452e2ce0b9c64167ee12585bec) qt#1 0x0000000000140468 /apex/com.android.runtime/lib64/libart.so (art_quick_to_interpreter_bridge+88) (BuildId: a5b81c452e2ce0b9c64167ee12585bec) qt#2 0x000000000201598c /memfd:/jit-cache (deleted) (android.view.GestureDetector.onTouchEvent+4268) qt#3 0x00000000020188ac /memfd:/jit-cache (deleted) (org.qtproject.qt5.android.QtLayout.onTouchEvent+108) qt#4 0x00000000020161d4 /memfd:/jit-cache (deleted) (android.view.View.dispatchTouchEvent+996) qt#5 0x000000000201333c /memfd:/jit-cache (deleted) (android.view.ViewGroup.dispatchTransformedTouchEvent+252) qt#6 0x0000000002012d08 /memfd:/jit-cache (deleted) (android.view.ViewGroup.dispatchTouchEvent+4104) qt#7 0x0000000002013394 /memfd:/jit-cache (deleted) (android.view.ViewGroup.dispatchTransformedTouchEvent+340) qt#8 0x00000000020129e4 /memfd:/jit-cache (deleted) (android.view.ViewGroup.dispatchTouchEvent+3300) qt#9 0x0000000002013394 /memfd:/jit-cache (deleted) (android.view.ViewGroup.dispatchTransformedTouchEvent+340) [...]
qtprojectorg
pushed a commit
that referenced
this pull request
Oct 27, 2022
We can't guarantee that the library didn't define Objective-C classes that still have lingering references, resulting in warnings such as: Attempt to use unknown class 0x10e52e110. And possibly crashes such as: thread #1, queue = 'com.apple.main-thread' frame #0: 0x00007fff203829ee libsystem_kernel.dylib`__ulock_wait + 10 frame #1: 0x00007fff203fa0c5 libsystem_platform.dylib`_os_unfair_lock_lock_slow + 162 frame #2: 0x00007fff2026226b libobjc.A.dylib`unmap_image + 85 frame #3: 0x000000010001e11f dyld`dyld::removeImage(ImageLoader*) + 557 frame #4: 0x000000010002291d dyld`dyld::garbageCollectImages() + 956 frame #5: 0x000000010002e35d dyld`dlclose + 191 frame #6: 0x00007fff203cf1c9 libdyld.dylib`dlclose + 183 frame #7: 0x0000000103f9f2f1 libQt6Core_debug.6.dylib`QLibraryPrivate::unload_sys(this=0x000000011ba2c7d0) at qlibrary_unix.cpp:294:9 frame #8: 0x0000000103f93f3f libQt6Core_debug.6.dylib`QLibraryPrivate::unload(this=0x000000011ba2c7d0, flag=UnloadSys) at qlibrary.cpp:614:36 frame #9: 0x0000000103f971fb libQt6Core_debug.6.dylib`QLibraryStore::cleanup() at qlibrary.cpp:425:22 frame #10: 0x0000000103f970f9 libQt6Core_debug.6.dylib`qlibraryCleanup() at qlibrary.cpp:447:5 frame #11: 0x0000000103f970d1 libQt6Core_debug.6.dylib`(anonymous namespace)::qlibraryCleanup_dtor_class_::~qlibraryCleanup_dtor_class_(this=0x00000001041edd38) at qlibrary.cpp:449:1 frame #12: 0x0000000103f930f5 libQt6Core_debug.6.dylib`(anonymous namespace)::qlibraryCleanup_dtor_class_::~qlibraryCleanup_dtor_class_(this=0x00000001041edd38) at qlibrary.cpp:449:1 frame #13: 0x00007fff202e5d25 libsystem_c.dylib`__cxa_finalize_ranges + 316 frame #14: 0x00007fff202e6010 libsystem_c.dylib`exit + 53 frame #15: 0x00007fff203d1f44 libdyld.dylib`start + 8 frame #16: 0x00007fff203d1f3d libdyld.dylib`start + 1 thread #5, queue = 'com.apple.root.user-interactive-qos', stop reason = signal SIGABRT frame #0: 0x00007fff203a356e libsystem_kernel.dylib`__abort_with_payload + 10 frame #1: 0x00007fff203a4fbd libsystem_kernel.dylib`abort_with_payload_wrapper_internal + 80 frame #2: 0x00007fff203a4f6d libsystem_kernel.dylib`abort_with_reason + 19 frame #3: 0x00007fff202749e3 libobjc.A.dylib`_objc_fatalv(unsigned long long, unsigned long long, char const*, __va_list_tag*) + 114 frame #4: 0x00007fff20274971 libobjc.A.dylib`_objc_fatal(char const*, ...) + 135 frame #5: 0x00007fff20255ccb libobjc.A.dylib`lookUpImpOrForward + 881 frame #6: 0x00007fff2025539b libobjc.A.dylib`_objc_msgSend_uncached + 75 frame #7: 0x00007fff22f368d6 AppKit`-[_NSWindowTransformAnimation setCurrentProgress:] + 42 frame #8: 0x00007fff22f37a8a AppKit`__55-[NSAnimation(NSInternal) _advanceTimeWithDisplayLink:]_block_invoke + 31 frame #9: 0x00007fff22d0774f AppKit`NSPerformVisuallyAtomicChange + 132 frame #10: 0x00007fff22f379dc AppKit`-[NSAnimation(NSInternal) _advanceTimeWithDisplayLink:] + 172 frame #11: 0x00007fff22e9a184 AppKit`-[NSScreenDisplayLink _fire] + 180 frame #12: 0x00007fff2362f0b4 AppKit`___NSRunLoopTimerCreateWithHandler_block_invoke + 34 frame #13: 0x00007fff204c6be9 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 frame #14: 0x00007fff204c66dd CoreFoundation`__CFRunLoopDoTimer + 927 frame #15: 0x00007fff204c623a CoreFoundation`__CFRunLoopDoTimers + 307 frame #16: 0x00007fff204ace13 CoreFoundation`__CFRunLoopRun + 1988 frame #17: 0x00007fff204abf8c CoreFoundation`CFRunLoopRunSpecific + 563 frame #18: 0x00007fff2123d607 Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212 frame #19: 0x00007fff22f378f0 AppKit`-[NSAnimation(NSInternal) _runBlocking] + 453 frame #20: 0x00007fff22f376ae AppKit`__42-[NSAnimation(NSInternal) _runInNewThread]_block_invoke + 97 frame #21: 0x0000000104edb032 libdispatch.dylib`_dispatch_call_block_and_release + 12 frame #22: 0x0000000104edc264 libdispatch.dylib`_dispatch_client_callout + 8 frame #23: 0x0000000104ef04ac libdispatch.dylib`_dispatch_root_queue_drain + 828 frame #24: 0x0000000104ef0d3f libdispatch.dylib`_dispatch_worker_thread2 + 127 frame #25: 0x0000000104f7eac7 libsystem_pthread.dylib`_pthread_wqthread + 244 frame #26: 0x0000000104f7dae3 libsystem_pthread.dylib`start_wqthread + 15 This has been e.g. observed when a QNSWindow isn't closed and released at application quit as expected. Although that is a corner case that shouldn't happen, the general case is still valid. Fixes: QTBUG-96208 Change-Id: I6c9d220e6f5389707baf7ae983f3156e8e51c316 Reviewed-by: Timur Pocheptsov <[email protected]> Reviewed-by: Morten Johan Sørvig <[email protected]> (cherry picked from commit b6200de) Reviewed-by: Qt Cherry-pick Bot <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Apr 29, 2023
The result is retained so long as we don't attempt to change our locale,
but failing to change that is the reason why we printed anything.
==20227==ERROR: AddressSanitizer: heap-use-after-free on address 0x000107312696 at pc 0x000103c48088 bp 0x00016ee180c0 sp 0x00016ee17880
READ of size 9 at 0x000107312696 thread T0
#0 0x103c48084 in wrap_strlen+0x164 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x18084) (BuildId: f0a7ac5c49bc3abc851181b6f92b308a32000000200000000100000000000b00)
#1 0x1023804bc in QString::vasprintf(char const*, char*) qstring.cpp:7112
#2 0x102243578 in qt_message(QtMsgType, QMessageLogContext const&, char const*, char*) qlogging.cpp:368
#3 0x10252630c in QMessageLogger::warning(char const*, ...) const qlogging.cpp:647
#4 0x10229f940 in QCoreApplicationPrivate::initLocale() qcoreapplication.cpp:664
#5 0x10229fba0 in QCoreApplicationPrivate::init() qcoreapplication.cpp:826
#6 0x1022a07c0 in QCoreApplication::QCoreApplication(int&, char**, int) qcoreapplication.cpp:799
#7 0x101454ef8 in main+0xeb0 (WSgen:arm64+0x100470ef8) (BuildId: ae9b4fec1fd73c1693047a6b9d9ce91432000000200000000100000000000b00)
Pick-to: 6.5
Task-number: QTBUG-111443
Change-Id: I6f518d59e63249ddbf43fffd1759d28738124797
Reviewed-by: Tor Arne Vestbø <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Apr 29, 2023
The result is retained so long as we don't attempt to change our locale,
but failing to change that is the reason why we printed anything.
==20227==ERROR: AddressSanitizer: heap-use-after-free on address 0x000107312696 at pc 0x000103c48088 bp 0x00016ee180c0 sp 0x00016ee17880
READ of size 9 at 0x000107312696 thread T0
#0 0x103c48084 in wrap_strlen+0x164 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x18084) (BuildId: f0a7ac5c49bc3abc851181b6f92b308a32000000200000000100000000000b00)
#1 0x1023804bc in QString::vasprintf(char const*, char*) qstring.cpp:7112
#2 0x102243578 in qt_message(QtMsgType, QMessageLogContext const&, char const*, char*) qlogging.cpp:368
#3 0x10252630c in QMessageLogger::warning(char const*, ...) const qlogging.cpp:647
#4 0x10229f940 in QCoreApplicationPrivate::initLocale() qcoreapplication.cpp:664
#5 0x10229fba0 in QCoreApplicationPrivate::init() qcoreapplication.cpp:826
#6 0x1022a07c0 in QCoreApplication::QCoreApplication(int&, char**, int) qcoreapplication.cpp:799
#7 0x101454ef8 in main+0xeb0 (WSgen:arm64+0x100470ef8) (BuildId: ae9b4fec1fd73c1693047a6b9d9ce91432000000200000000100000000000b00)
Task-number: QTBUG-111443
Change-Id: I6f518d59e63249ddbf43fffd1759d28738124797
Reviewed-by: Tor Arne Vestbø <[email protected]>
(cherry picked from commit 3690c20)
Reviewed-by: Qt Cherry-pick Bot <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Jul 18, 2023
Says ASAN:
Direct leak of 524 byte(s) in 1 object(s) allocated from:
#0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
#2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
#3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
#4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
#5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
#6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
#7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
#8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
#9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
[...]
The pointer returned in the out-parameter of a i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).
¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.
Amends 2cf63c7.
[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.
Pick-to: 6.6 6.5 6.2 5.15
Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <[email protected]>
Reviewed-by: Timur Pocheptsov <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Jul 18, 2023
Says ASAN:
Direct leak of 524 byte(s) in 1 object(s) allocated from:
#0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
#2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
#3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
#4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
#5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
#6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
#7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
#8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
#9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
[...]
The pointer returned in the out-parameter of a i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).
¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.
Amends 2cf63c7.
[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.
Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <[email protected]>
Reviewed-by: Timur Pocheptsov <[email protected]>
(cherry picked from commit 676087e)
Reviewed-by: Qt Cherry-pick Bot <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Jul 22, 2023
Says ASAN:
Direct leak of 524 byte(s) in 1 object(s) allocated from:
#0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
#2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
#3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
#4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
#5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
#6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
#7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
#8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
#9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
[...]
The pointer returned in the out-parameter of a i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).
¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.
Amends 2cf63c7.
[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.
Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <[email protected]>
Reviewed-by: Timur Pocheptsov <[email protected]>
(cherry picked from commit 676087e)
Reviewed-by: Qt Cherry-pick Bot <[email protected]>
Martchus
pushed a commit
to Martchus/qtbase
that referenced
this pull request
Aug 12, 2023
Says ASAN:
Direct leak of 524 byte(s) in 1 object(s) allocated from:
#0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
qt#1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
qt#2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
qt#3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
qt#4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
qt#5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
qt#6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
qt#7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
qt#8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
qt#9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
[...]
The pointer returned in the out-parameter of a i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).
¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.
Amends 2cf63c7.
[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.
Pick-to: 6.6 6.5 6.2 5.15
Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <[email protected]>
Reviewed-by: Timur Pocheptsov <[email protected]>
(cherry picked from commit 676087e)
qtprojectorg
pushed a commit
that referenced
this pull request
Sep 6, 2023
This reverts commit f20adcd. The implementation had the right idea, but this is not expected to work reliably in C++. It's jumping out of several frames without cleaning them out properly and our ASan-based memory leak-checker has started complaining (the next commit will move this test elsewhere). ==19313==ERROR: LeakSanitizer: detected memory leaks Direct leak of 258 byte(s) in 1 object(s) allocated from: #0 0x7ffa505c8e48 in __interceptor_malloc (/usr/lib64/libasan.so.5+0x109e48) #1 0x7ffa4f2d7ff9 (/home/qt/work/install/lib/libQt6Core.so.6+0x896ff9) #2 0x7ffa4f2d834d in QArrayData::allocate(QArrayData**, long long, long long, long long, QArrayData::AllocationOption) (/home/qt/work/install/lib/libQt6Core.so.6+0x89734d) #3 0x7ffa4f23b700 (/home/qt/work/install/lib/libQt6Core.so.6+0x7fa700) #4 0x7ffa4f1f6cc8 in QString::reallocData(long long, QArrayData::AllocationOption) (/home/qt/work/install/lib/libQt6Core.so.6+0x7b5cc8) #5 0x7ffa4f1f68a7 in QString::resize(long long) (/home/qt/work/install/lib/libQt6Core.so.6+0x7b58a7) #6 0x7ffa4f2092ff (/home/qt/work/install/lib/libQt6Core.so.6+0x7c82ff) #7 0x7ffa4f209e09 in QString::vasprintf(char const*, __va_list_tag*) (/home/qt/work/install/lib/libQt6Core.so.6+0x7c8e09) #8 0x7ffa4ed0d83d (/home/qt/work/install/lib/libQt6Core.so.6+0x2cc83d) #9 0x7ffa4ed114a9 in QMessageLogger::fatal(char const*, ...) const (/home/qt/work/install/lib/libQt6Core.so.6+0x2d04a9) #10 0x5641d2604c40 in tst_Silent::messages() /home/qt/work/qt/qtbase/tests/auto/testlib/selftests/silent/tst_silent.cpp:77 #11 0x5641d26050fb in tst_Silent::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tests/auto/testlib/selftests/silent/silent_autogen/include/tst_silent.moc:118 The restoration of the signal handler (which QtTest now has) is also wrong: this needed to use sigaction() instead. Change-Id: Ifa1111900d6945ea8e05fffd177f14fbc09a1d7d Reviewed-by: Edward Welbourne <[email protected]>
Martchus
pushed a commit
to Martchus/qtbase
that referenced
this pull request
Oct 8, 2023
Says ASAN:
Direct leak of 524 byte(s) in 1 object(s) allocated from:
#0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
qt#1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
qt#2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
qt#3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
qt#4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
qt#5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
qt#6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
qt#7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
qt#8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
qt#9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
[...]
The pointer returned in the out-parameter of a i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).
¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.
Amends 2cf63c7.
[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.
Pick-to: 6.6 6.5 6.2 5.15
Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <[email protected]>
Reviewed-by: Timur Pocheptsov <[email protected]>
(cherry picked from commit 676087e)
Martchus
pushed a commit
to Martchus/qtbase
that referenced
this pull request
Jan 7, 2024
Says ASAN:
Direct leak of 524 byte(s) in 1 object(s) allocated from:
#0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
qt#1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
qt#2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
qt#3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
qt#4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
qt#5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
qt#6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
qt#7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
qt#8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
qt#9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
[...]
The pointer returned in the out-parameter of a i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).
¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.
Amends 2cf63c7.
[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.
Pick-to: 6.6 6.5 6.2 5.15
Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <[email protected]>
Reviewed-by: Timur Pocheptsov <[email protected]>
(cherry picked from commit 676087e)
Martchus
pushed a commit
to Martchus/qtbase
that referenced
this pull request
Mar 15, 2024
Says ASAN:
Direct leak of 524 byte(s) in 1 object(s) allocated from:
#0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
qt#1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
qt#2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
qt#3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
qt#4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
qt#5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
qt#6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
qt#7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
qt#8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
qt#9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
[...]
The pointer returned in the out-parameter of a i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).
¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.
Amends 2cf63c7.
[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.
Pick-to: 6.6 6.5 6.2 5.15
Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <[email protected]>
Reviewed-by: Timur Pocheptsov <[email protected]>
(cherry picked from commit 676087e)
Martchus
pushed a commit
to Martchus/qtbase
that referenced
this pull request
May 28, 2024
Says ASAN:
Direct leak of 524 byte(s) in 1 object(s) allocated from:
#0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
qt#1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
qt#2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
qt#3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
qt#4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
qt#5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
qt#6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
qt#7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
qt#8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
qt#9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
[...]
The pointer returned in the out-parameter of a i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).
¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.
Amends 2cf63c7.
[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.
Pick-to: 6.6 6.5 6.2 5.15
Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <[email protected]>
Reviewed-by: Timur Pocheptsov <[email protected]>
(cherry picked from commit 676087e)
qtprojectorg
pushed a commit
that referenced
this pull request
Jun 9, 2024
Amends e524724. Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x7f73b50fc1d8 in operator new(unsigned long) (/lib64/libasan.so.8+0xfc1d8) (BuildId: 1827a4c72065a9f25ba519b25166029eebbf519f) #1 0x7f73b4cc18d4 in std::__detail::_MakeUniq<QSignalSpyPrivate>::__single_object std::make_unique<QSignalSpyPrivate, QSignalSpy*>(QSignalSpy*&&) /usr/include/c++/13/bits/unique_ptr.h:1070 #2 0x7f73b4cbf0a4 in QSignalSpy::QSignalSpy(QSignalSpy::ObjectSignal) src/testlib/qsignalspy.cpp:259 #3 0x55c0e313cd7d in QSignalSpy::QSignalSpy<void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)>(QtPrivate::FunctionPointer<void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)>::Object const*, void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)) (build/tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel+0x83d7d) (BuildId: b2e416794e25fdb925a191cc4a5efe3cb04efb0e) #4 0x55c0e30eccac in tst_QFileSystemModel::prepareTestModelRoot(QFileSystemModel*, QString const&, QSignalSpy**, QSignalSpy**) tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel.cpp:392 #5 0x55c0e30edacf in tst_QFileSystemModel::rowCount() tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel.cpp:420 Pick-to: 6.8 6.7 6.5 6.2 Change-Id: Ia085f9235f3bec252290f4fbe5ea0958f91a5e5a Reviewed-by: Volker Hilsheimer <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Jun 9, 2024
Amends e524724. Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x7f73b50fc1d8 in operator new(unsigned long) (/lib64/libasan.so.8+0xfc1d8) (BuildId: 1827a4c72065a9f25ba519b25166029eebbf519f) #1 0x7f73b4cc18d4 in std::__detail::_MakeUniq<QSignalSpyPrivate>::__single_object std::make_unique<QSignalSpyPrivate, QSignalSpy*>(QSignalSpy*&&) /usr/include/c++/13/bits/unique_ptr.h:1070 #2 0x7f73b4cbf0a4 in QSignalSpy::QSignalSpy(QSignalSpy::ObjectSignal) src/testlib/qsignalspy.cpp:259 #3 0x55c0e313cd7d in QSignalSpy::QSignalSpy<void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)>(QtPrivate::FunctionPointer<void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)>::Object const*, void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)) (build/tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel+0x83d7d) (BuildId: b2e416794e25fdb925a191cc4a5efe3cb04efb0e) #4 0x55c0e30eccac in tst_QFileSystemModel::prepareTestModelRoot(QFileSystemModel*, QString const&, QSignalSpy**, QSignalSpy**) tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel.cpp:392 #5 0x55c0e30edacf in tst_QFileSystemModel::rowCount() tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel.cpp:420 Pick-to: 6.7 6.5 6.2 Change-Id: Ia085f9235f3bec252290f4fbe5ea0958f91a5e5a Reviewed-by: Volker Hilsheimer <[email protected]> (cherry picked from commit 5686af2) Reviewed-by: Qt Cherry-pick Bot <[email protected]>
qtprojectorg
pushed a commit
that referenced
this pull request
Jun 10, 2024
Amends e524724. Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x7f73b50fc1d8 in operator new(unsigned long) (/lib64/libasan.so.8+0xfc1d8) (BuildId: 1827a4c72065a9f25ba519b25166029eebbf519f) #1 0x7f73b4cc18d4 in std::__detail::_MakeUniq<QSignalSpyPrivate>::__single_object std::make_unique<QSignalSpyPrivate, QSignalSpy*>(QSignalSpy*&&) /usr/include/c++/13/bits/unique_ptr.h:1070 #2 0x7f73b4cbf0a4 in QSignalSpy::QSignalSpy(QSignalSpy::ObjectSignal) src/testlib/qsignalspy.cpp:259 #3 0x55c0e313cd7d in QSignalSpy::QSignalSpy<void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)>(QtPrivate::FunctionPointer<void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)>::Object const*, void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)) (build/tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel+0x83d7d) (BuildId: b2e416794e25fdb925a191cc4a5efe3cb04efb0e) #4 0x55c0e30eccac in tst_QFileSystemModel::prepareTestModelRoot(QFileSystemModel*, QString const&, QSignalSpy**, QSignalSpy**) tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel.cpp:392 #5 0x55c0e30edacf in tst_QFileSystemModel::rowCount() tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel.cpp:420 Pick-to: 6.5 6.2 Change-Id: Ia085f9235f3bec252290f4fbe5ea0958f91a5e5a Reviewed-by: Volker Hilsheimer <[email protected]> (cherry picked from commit 5686af2) Reviewed-by: Qt Cherry-pick Bot <[email protected]> (cherry picked from commit 741c1d0)
qtprojectorg
pushed a commit
that referenced
this pull request
Aug 30, 2024
Says ASAN:
Direct leak of 524 byte(s) in 1 object(s) allocated from:
#0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
#2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
#3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
#4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
#5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
#6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
#7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
#8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
#9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
[...]
The pointer returned in the out-parameter of a i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).
¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.
Amends 2cf63c7.
[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.
Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <[email protected]>
Reviewed-by: Timur Pocheptsov <[email protected]>
(cherry picked from commit 676087e)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fix for https://bugreports.qt.io/browse/QTBUG-47011