Details
- Bug
- Resolution: Done
- Not Evaluated
- None
- 5.15.4
- None
- f0425d31701d96e8c048b889c9ca8b59e910e043 (pyside/pyside-setup/dev), 6a2634867fd6d241582dbdd45dc303922fcf2d49 (pyside/tqtc-pyside-setup/5.15)
Description
Compiling shiboken with ASAN enabled will uncover a ton of issues; most importantly, it is accessing invalid memory.
A common pattern in the typesystemparser.cpp code is this (taken from our Qt 5.15 branch):
```
$ ack -- '->takeAt\(.*\)\.value\(\);' typesystemparser.cpp
1289: const QStringRef typeName = attributes->takeAt(typeIndex).value();
1362: const auto extendsPackageName = attributes->takeAt(i).value();
1624: const QStringRef modeName = attributes->takeAt(i).value();
1631: const QStringRef format = attributes->takeAt(i).value();
1800: const QStringRef languageAttribute = attributes->takeAt(i).value();
2002: const QStringRef className = attributes->takeAt(i).value();
2070: const QStringRef value = attributes->takeAt(classIndex).value();
2121: const QStringRef modifier = attributes->takeAt(modifierIndex).value();
2500: const QStringRef action = attributes->takeAt(i).value();
2572: const QStringRef className = attributes->takeAt(i).value();
2579: const QStringRef value = attributes->takeAt(i).value();
```
But even in current dev we still find it:
```
typesystemparser.cpp
1363: const auto typeName = attributes->takeAt(typeIndex).value();
1438: const auto extendsPackageName = attributes->takeAt(i).value();
```
This is unsafe, as the QStringRef returned by value() will reference memory that is part of the QXmlStreamAttribute, which gets destroyed at the end of the line due to the takeAt call. This then leads to:
```
=================================================================
==182832==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f45df6a6c00 at pc 0x5629da4d6295 bp 0x7ffc77b810c0 sp 0x7ffc77b810b0
READ of size 8 at 0x7f45df6a6c00 thread T0
    #0 0x5629da4d6294 in QString::unicode() const /usr/include/qt/QtCore/qstring.h:1080
    #1 0x5629da4d701d in QStringRef::unicode() const /usr/include/qt/QtCore/qstring.h:1726
    #2 0x5629da4d707d in QStringRef::data() const /usr/include/qt/QtCore/qstring.h:1728
    #3 0x5629da646ea0 in TypeSystemParser::parseInjectCode(QXmlStreamReader const&, StackElement const&, StackElement*, QXmlStreamAttributes*) /home/milian/projects/kdab/qitissue/3rdParty/PySide2/sources/shiboken2/ApiExtractor/typesystemparser.cpp:2581
    #4 0x5629da650573 in TypeSystemParser::startElement(QXmlStreamReader const&) /home/milian/projects/kdab/qitissue/3rdParty/PySide2/sources/shiboken2/ApiExtractor/typesystemparser.cpp:3090
    #5 0x5629da6112b6 in TypeSystemParser::parseXml(QXmlStreamReader&) /home/milian/projects/kdab/qitissue/3rdParty/PySide2/sources/shiboken2/ApiExtractor/typesystemparser.cpp:663
    #6 0x5629da610df0 in TypeSystemParser::parse(QXmlStreamReader&) /home/milian/projects/kdab/qitissue/3rdParty/PySide2/sources/shiboken2/ApiExtractor/typesystemparser.cpp:640
    #7 0x5629da67b2b9 in TypeDatabase::parseFile(QIODevice*, bool) /home/milian/projects/kdab/qitissue/3rdParty/PySide2/sources/shiboken2/ApiExtractor/typedatabase.cpp:655
```
The line numbers and head of this message are slightly off, as I was trying to figure out what this is. In an unpatched version it will be `QStringRef::isNull` that triggers this issue.
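The lifetime hazard described above, as an added example that is not shiboken's own code: a Qt-free model of the pattern in which `Attribute`, `Attributes` and `takeAt()` are stand-ins for `QXmlStreamAttribute`, `QXmlStreamAttributes` and `QVector::takeAt()`, and `std::string_view` stands in for `QStringRef`. It shows the reported pattern beside the two ways of writing it safely.

```cpp
#include <cstddef>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// Stand-in for QXmlStreamAttribute: owns its text, hands out a non-owning view.
struct Attribute {
    std::string name;
    std::string text;
    std::string_view value() const { return text; }  // like QXmlStreamAttribute::value()
};

// Stand-in for QXmlStreamAttributes (a QVector): takeAt() removes the element
// and returns it BY VALUE, so the caller receives a temporary.
struct Attributes {
    std::vector<Attribute> items;
    Attribute takeAt(std::size_t i) {
        Attribute taken = std::move(items.at(i));
        items.erase(items.begin() + static_cast<std::ptrdiff_t>(i));
        return taken;
    }
    std::size_t size() const { return items.size(); }
};

// The pattern from the report: the view outlives the temporary it points into.
// Never call this; it is here only to show what ASAN reports as a use-after-scope.
std::string_view takeValueUnsafe(Attributes& attrs, std::size_t i) {
    const std::string_view v = attrs.takeAt(i).value();  // temporary dies at ';'
    return v;                                            // dangling view
}

// Fix 1: bind the taken attribute to a local so it lives as long as the view.
std::string takeValueViaLocal(Attributes& attrs, std::size_t i) {
    const Attribute attr = attrs.takeAt(i);
    const std::string_view v = attr.value();  // valid while 'attr' is alive
    return std::string(v);
}

// Fix 2: copy the text out of the temporary inside the same full expression.
std::string takeValueCopied(Attributes& attrs, std::size_t i) {
    return std::string(attrs.takeAt(i).value());
}

// Constructed sample input (hypothetical attribute names/values).
Attributes sampleAttributes() {
    return Attributes{{{"class", "QWidget"}, {"position", "beginning"}}};
}
```

Building the unsafe variant with `-fsanitize=address` and calling it reproduces the class of report shown above; the two fixed variants run clean.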
For Gerrit Dashboard: PYSIDE-1655

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 368754,3 | shiboken6: Fix stack-use-after-scope ASAN issues in TypeSystemParser | dev | pyside/pyside-setup | MERGED | +2 | 0 |
| 368953,3 | shiboken6: Fix stack-use-after-scope ASAN issues in TypeSystemParser | tqtc/lts-5.15 | pyside/tqtc-pyside-setup | MERGED | +2 | 0 |
| 369068,2 | cmake: Fix option --sanitize-address | dev | pyside/pyside-setup | MERGED | +2 | 0 |
| 369102,2 | cmake: Fix option --sanitize-address | 6.1 | pyside/pyside-setup | MERGED | +2 | 0 |
| 369110,2 | cmake: Fix option --sanitize-address, take two | dev | pyside/pyside-setup | MERGED | +2 | 0 |
| 369144,3 | cmake: Fix option --sanitize-address | tqtc/lts-5.15 | pyside/tqtc-pyside-setup | MERGED | +2 | 0 |
| 369191,2 | cmake: Fix option --sanitize-address, take two | 6.1 | pyside/pyside-setup | MERGED | +2 | 0 |
| 369205,3 | cmake: Fix option --sanitize-address, take two | tqtc/lts-5.15 | pyside/tqtc-pyside-setup | MERGED | +2 | 0 |