Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-72734

[REG Qt 5.11.3 -> Qt 5.12.0] Crash in QJSEngine::evaluate

    XMLWordPrintable

Details

    • 885e4af1f4ba3f047c3d932a1a780ddbba481170 (qt/qtdeclarative/5.12)

    Description

      1. Have a simple program running QJSEngine::evaluate (evaluate-cli.zip). 
        #include <QCoreApplication>
#include <QFile>
#include <QJSEngine>

int main(int argc, char *argv[])
{
    QCoreApplication a(argc, argv);
    if (argc < 2)
        return -1;
    QFile inFile(argv[1]);
    inFile.open(QFile::ReadOnly);
    QJSEngine().evaluate(inFile.readAll());
    return 0;
}
      1. Build it on Qt 5.12.
      2. Run the program passing the QTBUG-72734.js as parameter.
        The program crashes.

      When built on Qt 5.11.3, the program does not seem to crash.

      Edit (Simon): This is the code that causes the crash:

      =class{;n(){}

      Backtrace:

      Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc0ae4 in QQmlJS::AST::ClassElementList::append (this=0x0, n=0x625000005230) at /home/simon/dev/qt-5.12/asan/qtbase/include/QtQml/5.12.0/QtQml/private/../../../../../../qtdeclarative/src/qml/parser/qqmljsast_p.h:2294
2294            n->next = next;
Traceback (most recent call last):
  File "<string>", line 180, in <lambda>
  File "<string>", line 191, in on_stop
  File "<string>", line 222, in display
  File "<string>", line 582, in lines
ValueError: invalid literal for int() with base 10: "Specified first line '2289' is ambiguous:"
>>> bt
#0  0x00007ffff7bc0ae4 in QQmlJS::AST::ClassElementList::append (this=0x0, n=0x625000005230) at /home/simon/dev/qt-5.12/asan/qtbase/include/QtQml/5.12.0/QtQml/private/../../../../../../qtdeclarative/src/qml/parser/qqmljsast_p.h:2294
#1  0x00007ffff7baf26c in QQmlJS::Parser::parse (this=0x7fffffffc650, startToken=119) at parser/qqmljs.g:3967
#2  0x00007ffff720f00a in QQmlJS::Parser::parseProgram (this=0x7fffffffc650) at parser/qqmljs.g:328
#3  0x00007ffff720c5e7 in QV4::Script::parse (this=0x607000000bf0) at jsruntime/qv4script.cpp:106

      Attachments

        1. backtrace.txt
          16 kB
        2. evaluate-cli.zip
          0.6 kB
        3. QTBUG-72734.js
          0.0 kB

        Issue Links

          is required for

          User Story - Created by Jira Software - do not edit or delete. Issue type for a user story. QTBUG-71580 The QML engine needs systematic fuzz testing

          • P2: Important - Urgent, should be fixed, but will not stop the release.
          • Closed
          For Gerrit Dashboard: QTBUG-72734
          # Subject Branch Project Status CR V
          245301,10 Add libfuzzer test for QJSEngine::evaluate() dev qt/qtdeclarative Status: MERGED +2 0
          253449,3 QML: Don't crash the parser on certain kinds of bad input 5.12 qt/qtdeclarative Status: MERGED +2 0
          253494,2 fuzzing: Add file which triggered a crash in QJSEngine::evaluate master qt/qtqa Status: MERGED +2 0

          Activity

            People

              ulherman Ulf Hermann
              rlohning Robert Löhning
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes