Bug
    Resolution: Fixed
P1: Critical
    6.7
    None
 
- 
        c6d599bf6 (dev), 6edcc992c (6.6)
I'm trying to apply the QML Permission API to the Qt Bluetooth LowEnergyScanner example.
The patch is here: https://codereview.qt-project.org/c/qt/qtconnectivity/+/487328
It generally works fine, but when I run it on Linux with AddressSanitizer enabled, it crashes immediately with the following report (a 4-byte WRITE into the 1-byte stack variable 'r2_1' of the AOT-generated code, see the frame description below the backtrace):
=================================================================
==746553==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffb7d4aca0 at pc 0x7f094b684186 bp 0x7fffb7d4ac00 sp 0x7fffb7d4abf0
WRITE of size 4 at 0x7fffb7d4aca0 thread T0
    #0 0x7f094b684185 in TestQtNamespace::QQmlPrivate::AOTCompiledContext::getEnumLookup(unsigned int, void*) const /home/ivan/qt5/qtdeclarative/src/qml/qml/qqml.cpp:1961
    #1 0x556647fe6e74 in QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::aotBuiltFunctions::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, TestQtNamespace::QQmlPrivate::AOTCompiledContext const**)#18}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*) const::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, void*)#1}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, void*) const /home/ivan/qt6-build/debug/qtconnectivity/examples/bluetooth/lowenergyscanner/.rcc/qmlcache/lowenergyscanner_Devices_qml.cpp:2072
    #2 0x556647fecf21 in void QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::wrapCall<QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::aotBuiltFunctions::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, TestQtNamespace::QQmlPrivate::AOTCompiledContext const**)#18}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*) const::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, void*)#1}>(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::aotBuiltFunctions::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, TestQtNamespace::QQmlPrivate::AOTCompiledContext const**)#18}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*) const::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, void*)#1}&&) /home/ivan/qt6-build/debug/qtconnectivity/examples/bluetooth/lowenergyscanner/.rcc/qmlcache/lowenergyscanner_Devices_qml.cpp:1430
    #3 0x556647fe71c5 in QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::aotBuiltFunctions::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, TestQtNamespace::QQmlPrivate::AOTCompiledContext const**)#18}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*) const /home/ivan/qt6-build/debug/qtconnectivity/examples/bluetooth/lowenergyscanner/.rcc/qmlcache/lowenergyscanner_Devices_qml.cpp:2066
    #4 0x556647fe724c in QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::aotBuiltFunctions::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, TestQtNamespace::QQmlPrivate::AOTCompiledContext const**)#18}::_FUN(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*) /home/ivan/qt6-build/debug/qtconnectivity/examples/bluetooth/lowenergyscanner/.rcc/qmlcache/lowenergyscanner_Devices_qml.cpp:2080
    #5 0x7f094b59a22d in TestQtNamespace::QV4::Moth::VME::exec(TestQtNamespace::QV4::MetaTypesStackFrame*, TestQtNamespace::QV4::ExecutionEngine*) /home/ivan/qt5/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:503
    #6 0x7f094b343386 in TestQtNamespace::QV4::Function::call(TestQtNamespace::QObject*, void**, TestQtNamespace::QMetaType const*, int, TestQtNamespace::QV4::ExecutionContext*) /home/ivan/qt5/qtdeclarative/src/qml/jsruntime/qv4function.cpp:38
    #7 0x7f094b984182 in TestQtNamespace::QQmlJavaScriptExpression::evaluate(void**, TestQtNamespace::QMetaType const*, int) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:270
    #8 0x7f094b6be7ee in TestQtNamespace::QQmlBinding::evaluate(void*, TestQtNamespace::QMetaType) /home/ivan/qt6-build/debug/qtbase/include/QtQml/6.7.0/QtQml/private/../../../../../../../../qt5/qtdeclarative/src/qml/qml/qqmlbinding_p.h:84
    #9 0x7f094b6bc007 in TestQtNamespace::QQmlBinding::doUpdate(TestQtNamespace::QQmlJavaScriptExpression::DeleteWatcher const&, TestQtNamespace::QFlags<TestQtNamespace::QQmlPropertyData::WriteFlag>, TestQtNamespace::QV4::Scope&) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlbinding.cpp:688
    #10 0x7f094b6b6239 in TestQtNamespace::QQmlBinding::update(TestQtNamespace::QFlags<TestQtNamespace::QQmlPropertyData::WriteFlag>) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlbinding.cpp:164
    #11 0x7f094b6bacc2 in TestQtNamespace::QQmlBinding::setEnabled(bool, TestQtNamespace::QFlags<TestQtNamespace::QQmlPropertyData::WriteFlag>) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlbinding.cpp:619
    #12 0x7f094ba54cba in TestQtNamespace::QQmlObjectCreator::finalize(TestQtNamespace::QQmlInstantiationInterrupt&) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1446
    #13 0x7f094b7349df in TestQtNamespace::QQmlComponentPrivate::complete(TestQtNamespace::QQmlEnginePrivate*, TestQtNamespace::QQmlComponentPrivate::ConstructionState*) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1147
    #14 0x7f094b7356e3 in TestQtNamespace::QQmlComponentPrivate::completeCreate() /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1252
    #15 0x7f094b735261 in TestQtNamespace::QQmlComponent::completeCreate() /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1230
    #16 0x7f094b7328d3 in TestQtNamespace::QQmlComponentPrivate::createWithProperties(TestQtNamespace::QObject*, TestQtNamespace::QMap<TestQtNamespace::QString, TestQtNamespace::QVariant> const&, TestQtNamespace::QQmlContext*, TestQtNamespace::QQmlComponentPrivate::CreateBehavior) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:957
    #17 0x7f094b732581 in TestQtNamespace::QQmlComponent::create(TestQtNamespace::QQmlContext*) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:908
    #18 0x7f094b6abcec in TestQtNamespace::QQmlApplicationEnginePrivate::finishLoad(TestQtNamespace::QQmlComponent*) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:135
    #19 0x7f094b6ac3ba in TestQtNamespace::QQmlApplicationEnginePrivate::ensureLoadingFinishes(TestQtNamespace::QQmlComponent*) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:162
    #20 0x7f094b6ab667 in TestQtNamespace::QQmlApplicationEnginePrivate::startLoad(TestQtNamespace::QAnyStringView, TestQtNamespace::QAnyStringView) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:121
    #21 0x7f094b6ad04d in TestQtNamespace::QQmlApplicationEngine::loadFromModule(TestQtNamespace::QAnyStringView, TestQtNamespace::QAnyStringView) /home/ivan/qt5/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:363
    #22 0x556647f88800 in main /home/ivan/qt5/qtconnectivity/examples/bluetooth/lowenergyscanner/main.cpp:19
    #23 0x7f0948a86d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #24 0x7f0948a86e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #25 0x556647f7ab04 in _start (/home/ivan/qt6-build/debug/qtconnectivity/examples/bluetooth/lowenergyscanner/lowenergyscanner+0x19b04)
Address 0x7fffb7d4aca0 is located in stack of thread T0 at offset 32 in frame
    #0 0x556647fe6cad in QmlCacheGeneratedCode::_qt_qml_Scanner_Devices_qml::aotBuiltFunctions::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*, TestQtNamespace::QQmlPrivate::AOTCompiledContext const**)#18}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, TestQtNamespace::QQmlPrivate::AOTCompiledContext const*, void*) const::{lambda(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, void*)#1}::operator()(TestQtNamespace::QQmlPrivate::AOTCompiledContext const, void*) const /home/ivan/qt6-build/debug/qtconnectivity/examples/bluetooth/lowenergyscanner/.rcc/qmlcache/lowenergyscanner_Devices_qml.cpp:2066
  This frame has 3 object(s):
    [32, 33) 'r2_1' (line 2070) <== Memory access at offset 32 partially overflows this variable
    [48, 49) '<unknown>'
    [64, 72) '<unknown>'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/ivan/qt5/qtdeclarative/src/qml/qml/qqml.cpp:1961 in TestQtNamespace::QQmlPrivate::AOTCompiledContext::getEnumLookup(unsigned int, void*) const
Shadow bytes around the buggy address:
  0x100076fa1540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076fa1550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076fa1560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076fa1570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076fa1580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100076fa1590: f1 f1 f1 f1[01]f2 f8 f2 f8 f3 f3 f3 00 00 00 00
  0x100076fa15a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076fa15b0: 00 00 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00
  0x100076fa15c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076fa15d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076fa15e0: 00 00 f1 f1 f1 f1 04 f2 04 f2 04 f2 04 f2 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==746553==ABORTING
The issue disappears if I add the NO_CACHEGEN key to the qt_add_qml_module command, i.e. when the AOT-compiled QML code (the aotBuiltFunctions frames in the trace) is not generated, so the size mismatch appears to be in the generated code rather than in the example itself.
| For Gerrit Dashboard: QTBUG-114815 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V | 
| 487427,4 | QmlCompiler: Use int for flag-type enums | dev | qt/qtdeclarative | Status: MERGED | +2 | 0 | 
| 487576,2 | QmlCompiler: Use int for flag-type enums | 6.6 | qt/qtdeclarative | Status: MERGED | +2 | 0 |