QTBUG-52176

new-delete-type-mismatch for certain DBus replies

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3: Somewhat important
    • Resolution: Done
    • Affects Version/s: 5.6.0
    • Fix Version/s: 5.6
    • Component/s: D-Bus
    • Labels:
      None
    • Environment:
      Arch Linux x86_64

      Description

      Since upgrading from Qt 5.5 to Qt 5.6, AddressSanitizer (both GCC 5.3.0 and Clang 3.7.1) started complaining. Originally found via the Open dialog of Wireshark (which in turn calls into Solid), I found another way to trigger it.

      See the reproducer; it has something to do with the response type. This is the relevant interface method (note the a{sv}):

        <interface name="org.freedesktop.DBus.Debug.Stats">
          <method name="GetStats">
            <arg direction="out" type="a{sv}"/>
          </method>
        </interface>
      

      Steps to reproduce
      1. Download the reproducer and compile it with ASAN (see the comment on top of the file).
      2. Run the reproducer

      Expected results
      No errors.

      Actual results
      ASAN violation:

      QDBusMessage(type=MethodCall, service="org.freedesktop.DBus", path="/org/freedesktop/DBus", interface="org.freedesktop.DBus.Debug.Stats", member="GetConnectionStats", signature="", contents=(":1.0") )
      =================================================================
      ==28451==ERROR: AddressSanitizer: new-delete-type-mismatch on 0x60b00000a540 in thread T0:
        object passed to delete has wrong type:
        size of the allocated type:   104 bytes;
        size of the deallocated type: 24 bytes.
          #0 0x4da820 in operator delete(void*, unsigned long) (/tmp/solid/reproducer+0x4da820)
          #1 0x7f7656f475c0 in variantToString /build/src/qtbase-opensource-src-5.6.0/src/dbus/qdbusutil.cpp:118
          #2 0x7f7656f48158 in QDBusUtil::argumentToString(QVariant const&) /build/src/qtbase-opensource-src-5.6.0/src/dbus/qdbusutil.cpp:317
          #3 0x7f7656f334c5 in debugVariantList /build/src/qtbase-opensource-src-5.6.0/src/dbus/qdbusmessage.cpp:809
          #4 0x7f7656f334c5 in operator<<(QDebug, QDBusMessage const&) /build/src/qtbase-opensource-src-5.6.0/src/dbus/qdbusmessage.cpp:829
          #5 0x4dce7c in main /tmp/solid/reproducer.cpp:25:14
          #6 0x7f76555f470f in __libc_start_main (/usr/lib/libc.so.6+0x2070f)
          #7 0x4181f8 in _start (/tmp/solid/reproducer+0x4181f8)
      
      0x60b00000a540 is located 0 bytes inside of 104-byte region [0x60b00000a540,0x60b00000a5a8)
      allocated by thread T0 here:
          #0 0x4d9c20 in operator new(unsigned long) (/tmp/solid/reproducer+0x4d9c20)
          #1 0x7f7656f5e966 in QDBusArgumentPrivate::checkReadAndDetach(QDBusArgumentPrivate*&) /build/src/qtbase-opensource-src-5.6.0/src/dbus/qdbusargument.cpp:152
          #2 0x7f7656f616f8 in QDBusArgument::beginMapEntry() const /build/src/qtbase-opensource-src-5.6.0/src/dbus/qdbusargument.cpp:1063
          #3 0x7f7656f4854f in argToString /build/src/qtbase-opensource-src-5.6.0/src/dbus/qdbusutil.cpp:181
          #4 0x7f7656f475b8 in variantToString /build/src/qtbase-opensource-src-5.6.0/src/dbus/qdbusutil.cpp:118
          #5 0x7f7656f48158 in QDBusUtil::argumentToString(QVariant const&) /build/src/qtbase-opensource-src-5.6.0/src/dbus/qdbusutil.cpp:317
          #6 0x7f7656f334c5 in debugVariantList /build/src/qtbase-opensource-src-5.6.0/src/dbus/qdbusmessage.cpp:809
          #7 0x7f7656f334c5 in operator<<(QDebug, QDBusMessage const&) /build/src/qtbase-opensource-src-5.6.0/src/dbus/qdbusmessage.cpp:829
          #8 0x4dce7c in main /tmp/solid/reproducer.cpp:25:14
          #9 0x7f76555f470f in __libc_start_main (/usr/lib/libc.so.6+0x2070f)
          #10 0x4181f8 in _start (/tmp/solid/reproducer+0x4181f8)
      
      SUMMARY: AddressSanitizer: new-delete-type-mismatch (/tmp/solid/reproducer+0x4da820) in operator delete(void*, unsigned long)
      ==28451==HINT: if you don't care about these warnings you may set ASAN_OPTIONS=new_delete_type_mismatch=0
      ==28451==ABORTING
      

            People

            • Assignee:
              Lekensteyn Peter Wu
              Reporter:
              Lekensteyn Peter Wu