- Bug
- Resolution: Done
- P2: Important
- 6.4
- 2a1122f465 (qt/qtbase/dev) 2a1122f465 (qt/tqtc-qtbase/dev) 34a130a2da (qt/qtbase/6.4) 34a130a2da (qt/tqtc-qtbase/6.4)
NOTE: It is a custom optimised debug build using clang-13. In particular I use configure -debug but also add CMAKE_CXX_FLAGS=-Og -DNDEBUG.
$ tests/auto/corelib/text/qstringconverter/tst_qstringconverter roundtrip
********* Start testing of tst_QStringConverter *********
Config: Using QtTest library 6.5.0, Qt 6.5.0 (x86_64-little_endian-lp64 shared (dynamic) debug build; by Ubuntu Clang 13.0.1), ubuntu 20.04
QINFO : tst_QStringConverter::initTestCase() System locale is UTF-8
PASS : tst_QStringConverter::initTestCase()
PASS : tst_QStringConverter::roundtrip(UTF-8:empty)
PASS : tst_QStringConverter::roundtrip(UTF-8:null-character)
PASS : tst_QStringConverter::roundtrip(UTF-8:ascii-text)
PASS : tst_QStringConverter::roundtrip(UTF-8:ascii-with-carriage-return)
PASS : tst_QStringConverter::roundtrip(UTF-8:ascii-with-control)
PASS : tst_QStringConverter::roundtrip(UTF-8:nbsp)
PASS : tst_QStringConverter::roundtrip(UTF-8:latin1-text)
PASS : tst_QStringConverter::roundtrip(UTF-8:euro)
PASS : tst_QStringConverter::roundtrip(UTF-8:character+bom)
PASS : tst_QStringConverter::roundtrip(UTF-8:last-bmp)
PASS : tst_QStringConverter::roundtrip(UTF-8:character+last-bmp)
PASS : tst_QStringConverter::roundtrip(UTF-8:replacement)
PASS : tst_QStringConverter::roundtrip(UTF-8:supplementary-plane)
PASS : tst_QStringConverter::roundtrip(UTF-8:mahjong)
PASS : tst_QStringConverter::roundtrip(UTF-8:emojis)
PASS : tst_QStringConverter::roundtrip(UTF-8:last-valid)
PASS : tst_QStringConverter::roundtrip(UTF-8:mixed-bmp-only)
PASS : tst_QStringConverter::roundtrip(UTF-8:mixed-full)
PASS : tst_QStringConverter::roundtrip(UTF-8:xml)
=================================================================
==1793072==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffd886744b0 at pc 0x7f7b22cd3e83 bp 0x7ffd88673560 sp 0x7ffd88673558
READ of size 2 at 0x7ffd886744b0 thread T0
#0 0x7f7b22cd3e82 in QUtf8::convertFromUnicode(char*, QStringView, QStringConverterBase::State*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/text/qstringconverter.cpp:543:27
#1 0x515940 in QStringEncoder::encodeAsByteArray(QStringView) /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/text/qstringconverter.h:84:15
#2 0x4d6a8c in QStringEncoder::DecodedData<QStringView>::operator QByteArray() const /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/text/qstringconverter.h:50:55
#3 0x4d6a8c in tst_QStringConverter::roundtrip() /home/cc-runs/src/qt/qt5/qtbase/tests/auto/corelib/text/qstringconverter/tst_qstringconverter.cpp:370:26
#4 0x51147d in tst_QStringConverter::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/tests/auto/corelib/text/qstringconverter/tst_qstringconverter_autogen/include/tst_qstringconverter.moc:175:21
#5 0x7f7b229de11e in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qmetaobject.cpp:2357:13
#6 0x7f7b235bad37 in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qmetaobject.h:90:16
#7 0x7f7b235bad37 in QTest::TestMethods::invokeTestOnData(int) const /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:1120:45
#8 0x7f7b235bcd1f in QTest::TestMethods::invokeTest(int, QLatin1String, QTest::WatchDog*) const /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:1379:17
#9 0x7f7b235c03c4 in QTest::TestMethods::invokeTests(QObject*) const /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:1718:33
#10 0x7f7b235c2633 in QTest::qRun() /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:2283:14
#11 0x7f7b235c0df4 in QTest::qExec(QObject*, int, char**) /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:2183:15
#12 0x51121d in main /home/cc-runs/src/qt/qt5/qtbase/tests/auto/corelib/text/qstringconverter/tst_qstringconverter.cpp:2123:1
#13 0x7f7b2212b082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#14 0x41e82d in _start (/home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/tests/auto/corelib/text/qstringconverter/tst_qstringconverter+0x41e82d)
Address 0x7ffd886744b0 is located in stack of thread T0 at offset 976 in frame
#0 0x7f7b229dd27f in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qmetaobject.cpp:2274
This frame has 21 object(s):
[32, 48) 'val0.byval'
[64, 80) 'val1.byval'
[96, 112) 'val2.byval'
[128, 144) 'val3.byval'
[160, 176) 'val4.byval'
[192, 208) 'val5.byval'
[224, 240) 'val6.byval'
[256, 272) 'val7.byval'
[288, 304) 'val8.byval'
[320, 336) 'val9.byval'
[352, 376) 'normalized' (line 2285)
[416, 424) 'ref.tmp' (line 2289)
[448, 536) 'typeNames' (line 2296)
[576, 664) 'param' (line 2337)
[704, 736) 'ref.tmp133' (line 2364)
[768, 772) 'argIndex' (line 2373)
[784, 800) 'argv' (line 2378)
[816, 848) 'ref.tmp182' (line 2382)
[880, 888) 'ref.tmp200' (line 2388)
[912, 944) 'ref.tmp237' (line 2397)
[976, 984) 'semaphore' (line 2402) <== Memory access at offset 976 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /home/cc-runs/src/qt/qt5/qtbase/src/corelib/text/qstringconverter.cpp:543:27 in QUtf8::convertFromUnicode(char*, QStringView, QStringConverterBase::State*)
Shadow bytes around the buggy address:
0x1000310c6840: 00 00 f2 f2 00 00 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2
0x1000310c6850: f8 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 f2
0x1000310c6860: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 f2
0x1000310c6870: f2 f2 f2 f2 f8 f8 f8 f8 f2 f2 f2 f2 f8 f2 f8 f8
0x1000310c6880: f2 f2 f8 f8 f8 f8 f2 f2 f2 f2 f8 f2 f2 f2 f8 f8
=>0x1000310c6890: f8 f8 f2 f2 f2 f2[f8]f3 f3 f3 f3 f3 00 00 00 00
0x1000310c68a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000310c68b0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x1000310c68c0: f8 f8 f2 f2 f8 f8 f2 f2 f8 f8 f2 f2 f8 f8 f2 f2
0x1000310c68d0: f8 f8 f2 f2 f8 f8 f2 f2 f8 f8 f2 f2 f8 f8 f2 f2
0x1000310c68e0: f8 f8 f2 f2 f8 f8 f2 f2 00 00 f2 f2 00 00 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1793072==ABORTING
For Gerrit Dashboard: QTBUG-104261

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 416277,2 | QStringConverter: fix use-after-free in the stack in the test | dev | qt/qtbase | Status: MERGED | +2 | 0 |
| 416635,2 | QStringConverter: fix use-after-free in the stack in the test | 6.4 | qt/qtbase | Status: MERGED | +2 | 0 |
| 416636,1 | QStringConverter: fix use-after-free in the stack in the test | 6.3 | qt/qtbase | Status: ABANDONED | 0 | 0 |