QTBUG-114815

qmlcachegen triggers AddressSanitizer stack-buffer-overflow error


Details

    • c6d599bf6 (dev), 6edcc992c (6.6)

    Description

      I'm trying to apply the QML Permission API to the Qt Bluetooth LowEnergyScanner example.
      The patch is here: https://codereview.qt-project.org/c/qt/qtconnectivity/+/487328

      It generally works fine, but when I try it on Linux with AddressSanitizer enabled, I get an immediate crash with the following stack trace:

      =================================================================
      ==746553==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffb7d4aca0 at pc 0x7f094b684186 bp 0x7fffb7d4ac00 sp 0x7fffb7d4abf0
      WRITE of size 4 at 0x7fffb7d4aca0 thread T0
          #0 0x7f094b684185 in TestQtNamespace::QQmlPrivate::AOTCompiledContext::getEnumLookup(unsigned int, void*) const /home/ivan/qt5/qtdeclarative/src/qml/qml/qqml.cpp:1961
          #1 0x556647fe6e74 in QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::aotBuiltFunctions::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, TestQtNamespace::QQmlPrivate::AOTCompiledContext const**)#18}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*) const::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, void*)#1}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, void*) const /home/ivan/qt6-build/debug/qtconnectivity/examples/bluetooth/lowenergyscanner/.rcc/qmlcache/lowenergyscanner_Devices_qml.cpp:2072
          #2 0x556647fecf21 in void QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::wrapCall<QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::aotBuiltFunctions::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, TestQtNamespace::QQmlPrivate::AOTCompiledContext const**)#18}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*) const::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, void*)#1}>(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::aotBuiltFunctions::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, TestQtNamespace::QQmlPrivate::AOTCompiledContext const**)#18}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*) const::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, void*)#1}&&) /home/ivan/qt6-build/debug/qtconnectivity/examples/bluetooth/lowenergyscanner/.rcc/qmlcache/lowenergyscanner_Devices_qml.cpp:1430
          #3 0x556647fe71c5 in QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::aotBuiltFunctions::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, TestQtNamespace::QQmlPrivate::AOTCompiledContext const**)#18}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*) const /home/ivan/qt6-build/debug/qtconnectivity/examples/bluetooth/lowenergyscanner/.rcc/qmlcache/lowenergyscanner_Devices_qml.cpp:2066
          #4 0x556647fe724c in QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::aotBuiltFunctions::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, TestQtNamespace::QQmlPrivate::AOTCompiledContext const**)#18}::_FUN(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*) /home/ivan/qt6-build/debug/qtconnectivity/examples/bluetooth/lowenergyscanner/.rcc/qmlcache/lowenergyscanner_Devices_qml.cpp:2080
          #5 0x7f094b59a22d in TestQtNamespace::QV4::Moth::VME::exec(TestQtNamespace::QV4::MetaTypesStackFrame*, TestQtNamespace::QV4::ExecutionEngine*) /home/ivan/qt5/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:503
          #6 0x7f094b343386 in TestQtNamespace::QV4::Function::call(TestQtNamespace::QObject*, void**, TestQtNamespace::QMetaType const*, int, TestQtNamespace::QV4::ExecutionContext*) /home/ivan/qt5/qtdeclarative/src/qml/jsruntime/qv4function.cpp:38
          #7 0x7f094b984182 in TestQtNamespace::QQmlJavaScriptExpression::evaluate(void**, TestQtNamespace::QMetaType const*, int) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:270
          #8 0x7f094b6be7ee in TestQtNamespace::QQmlBinding::evaluate(void*, TestQtNamespace::QMetaType) /home/ivan/qt6-build/debug/qtbase/include/QtQml/6.7.0/QtQml/private/../../../../../../../../qt5/qtdeclarative/src/qml/qml/qqmlbinding_p.h:84
          #9 0x7f094b6bc007 in TestQtNamespace::QQmlBinding::doUpdate(TestQtNamespace::QQmlJavaScriptExpression::DeleteWatcher const&, TestQtNamespace::QFlags<TestQtNamespace::QQmlPropertyData::WriteFlag>, TestQtNamespace::QV4::Scope&) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlbinding.cpp:688
          #10 0x7f094b6b6239 in TestQtNamespace::QQmlBinding::update(TestQtNamespace::QFlags<TestQtNamespace::QQmlPropertyData::WriteFlag>) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlbinding.cpp:164
          #11 0x7f094b6bacc2 in TestQtNamespace::QQmlBinding::setEnabled(bool, TestQtNamespace::QFlags<TestQtNamespace::QQmlPropertyData::WriteFlag>) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlbinding.cpp:619
          #12 0x7f094ba54cba in TestQtNamespace::QQmlObjectCreator::finalize(TestQtNamespace::QQmlInstantiationInterrupt&) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1446
          #13 0x7f094b7349df in TestQtNamespace::QQmlComponentPrivate::complete(TestQtNamespace::QQmlEnginePrivate*, TestQtNamespace::QQmlComponentPrivate::ConstructionState*) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1147
          #14 0x7f094b7356e3 in TestQtNamespace::QQmlComponentPrivate::completeCreate() /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1252
          #15 0x7f094b735261 in TestQtNamespace::QQmlComponent::completeCreate() /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1230
          #16 0x7f094b7328d3 in TestQtNamespace::QQmlComponentPrivate::createWithProperties(TestQtNamespace::QObject*, TestQtNamespace::QMap<TestQtNamespace::QString, TestQtNamespace::QVariant> const&, TestQtNamespace::QQmlContext*, TestQtNamespace::QQmlComponentPrivate::CreateBehavior) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:957
          #17 0x7f094b732581 in TestQtNamespace::QQmlComponent::create(TestQtNamespace::QQmlContext*) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:908
          #18 0x7f094b6abcec in TestQtNamespace::QQmlApplicationEnginePrivate::finishLoad(TestQtNamespace::QQmlComponent*) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:135
          #19 0x7f094b6ac3ba in TestQtNamespace::QQmlApplicationEnginePrivate::ensureLoadingFinishes(TestQtNamespace::QQmlComponent*) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:162
          #20 0x7f094b6ab667 in TestQtNamespace::QQmlApplicationEnginePrivate::startLoad(TestQtNamespace::QAnyStringView, TestQtNamespace::QAnyStringView) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:121
          #21 0x7f094b6ad04d in TestQtNamespace::QQmlApplicationEngine::loadFromModule(TestQtNamespace::QAnyStringView, TestQtNamespace::QAnyStringView) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:363
          #22 0x556647f88800 in main /home/ivan/qt5/qtconnectivity/examples/bluetooth/lowenergyscanner/main.cpp:19
          #23 0x7f0948a86d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
          #24 0x7f0948a86e3f in __libc_start_main_impl ../csu/libc-start.c:392
          #25 0x556647f7ab04 in _start (/home/ivan/qt6-build/debug/qtconnectivity/examples/bluetooth/lowenergyscanner/lowenergyscanner+0x19b04)
      
      Address 0x7fffb7d4aca0 is located in stack of thread T0 at offset 32 in frame
          #0 0x556647fe6cad in QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::aotBuiltFunctions::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, TestQtNamespace::QQmlPrivate::AOTCompiledContext const**)#18}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*) const::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, void*)#1}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, void*) const /home/ivan/qt6-build/debug/qtconnectivity/examples/bluetooth/lowenergyscanner/.rcc/qmlcache/lowenergyscanner_Devices_qml.cpp:2066
      
        This frame has 3 object(s):
          [32, 33) 'r2_1' (line 2070) <== Memory access at offset 32 partially overflows this variable
          [48, 49) '<unknown>'
          [64, 72) '<unknown>'
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
            (longjmp and C++ exceptions *are* supported)
      SUMMARY: AddressSanitizer: stack-buffer-overflow /home/ivan/qt5/qtdeclarative/src/qml/qml/qqml.cpp:1961 in TestQtNamespace::QQmlPrivate::AOTCompiledContext::getEnumLookup(unsigned int, void*) const
      Shadow bytes around the buggy address:
        0x100076fa1540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x100076fa1550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x100076fa1560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x100076fa1570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x100076fa1580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x100076fa1590: f1 f1 f1 f1[01]f2 f8 f2 f8 f3 f3 f3 00 00 00 00
        0x100076fa15a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x100076fa15b0: 00 00 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00
        0x100076fa15c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x100076fa15d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x100076fa15e0: 00 00 f1 f1 f1 f1 04 f2 04 f2 04 f2 04 f2 00 f2
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==746553==ABORTING
      

      The issue disappears if I add the NO_CACHEGEN key to the qt_add_qml_module command.
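The report above says what went wrong in two lines: "WRITE of size 4" into the object 'r2_1' that occupies [32, 33), i.e. a 4-byte store into a 1-byte stack slot. The following C++ is an added example, not Qt's code and not the generated qmlcache code: it models that defect class with a hypothetical Slot descriptor and storeEnum* functions (names invented here), shows the unchecked store that is only well-defined when the target really is an int, and a size-checked store that refuses a narrower slot instead of overrunning it.

```cpp
// Added example, not Qt's code: models the defect class in the ASan report,
// a 4-byte (int) write into a 1-byte (bool) stack slot, and a size-checked store.
// Slot and the storeEnum* names are hypothetical stand-ins; they do not exist in Qt.
#include <cstddef>
#include <cstring>
#include <iostream>

// The caller describes its target by address and declared width.
struct Slot {
    void *ptr;
    std::size_t size;
};

// Unchecked pattern: stores an int whatever the target's real width is.
// Safe when the slot really holds an int; handed a bool slot it is the
// 4-byte write into a 1-byte object that AddressSanitizer reports as
// stack-buffer-overflow. Only called with an int slot below.
void storeEnumUnchecked(void *target, int value)
{
    *static_cast<int *>(target) = value;
}

// Checked store: decline instead of overrunning a slot narrower than int.
bool storeEnumChecked(Slot target, int value)
{
    if (target.ptr == nullptr || target.size < sizeof(int))
        return false;
    std::memcpy(target.ptr, &value, sizeof(int));
    return true;
}

// When the declared target really is a bool, narrow explicitly and write
// exactly sizeof(bool) bytes.
bool storeEnumAsBool(Slot target, int value)
{
    if (target.ptr == nullptr || target.size < sizeof(bool))
        return false;
    const bool narrowed = (value != 0);
    std::memcpy(target.ptr, &narrowed, sizeof(bool));
    return true;
}

// Scenario helpers return their outcome so it can be checked, not just printed.
bool demoUncheckedIntSlot()
{
    int r = 0;
    storeEnumUnchecked(&r, 7);   // widths match: well-defined
    return r == 7;
}

bool demoCheckedIntSlot()
{
    int r = 0;
    return storeEnumChecked(Slot{&r, sizeof r}, 7) && r == 7;
}

bool demoCheckedBoolSlotRejected()
{
    bool r = false;
    // Mirrors the report: a 1-byte slot offered to a 4-byte store. The checked
    // store declines and the slot keeps its old value.
    return !storeEnumChecked(Slot{&r, sizeof r}, 7) && r == false;
}

bool demoBoolSlotNarrowed()
{
    bool r = false;
    return storeEnumAsBool(Slot{&r, sizeof r}, 7) && r == true;
}

int main()
{
    std::cout << "unchecked int slot ok: " << demoUncheckedIntSlot() << '\n'
              << "checked int slot ok: " << demoCheckedIntSlot() << '\n'
              << "checked bool slot rejected: " << demoCheckedBoolSlotRejected() << '\n'
              << "bool slot narrowed ok: " << demoBoolSlotNarrowed() << '\n';
    return 0;
}
```

To see the sanitizer report this page shows, change the local in demoUncheckedIntSlot from int to bool and build with -fsanitize=address: ASan flags a WRITE of size 4 that partially overflows a [0, 1) stack object, the same shape as the 'r2_1' finding above. The checked variants are the shape of fix a reviewer would ask for in generated code: the width of the store must come from the declared type of the target, never from the type of the value being stored.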

          People

            ulherman Ulf Hermann
            ivan.solovev Ivan Solovev