QTBUG-88356

Memory corruption in QSignalSpy + moc-generated code


Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • 6.0.0 RC
    • 6.0.0 Beta2
    • Build tools: moc
    • 16d412da4c0d7ef4776604b906fccb8132a7712d (qt/qtbase/dev)

    Description

      In testlib/qsignalspy.h, there is the following code:

          void *argv[] = { &tp, &i };
          QMetaObject::metacall(const_cast<QObject*>(obj),
                                QMetaObject::RegisterMethodArgumentMetaType,
                                member.methodIndex(), argv);

      i is in this case the iterator of the for loop.

      Since 0161f00e5043090f22b23de9822c09062b17d675 we generate the following code in moc:

          } else if (_c == QMetaObject::RegisterMethodArgumentMetaType) {
              if (_id < 2)
                  *reinterpret_cast<QMetaType *>(_a[0]) = QMetaType();

      This overwrites the loop iterator with 0 if sizeof(int) < sizeof(void*), and we enter an infinite loop.

      I am assuming the code in QSignalSpy is wrong, but since it is the moc output that has changed and it causes memory corruption, I think it is better if someone who knows this code makes the call on what the right fix is.
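To make the size mismatch in the report concrete, here is an added stand-alone sketch; it is not Qt or moc code and not the fix tracked by the commit listed under Details. The stand-in MetaType, registerArgumentMetaType, buggyCaller and fixedCaller are assumed names, and memcpy stands in for the reinterpret_cast assignment so the overlapping write stays well-defined for demonstration.

```cpp
#include <cstddef>
#include <cstring>

// Stand-in for QMetaType (this demo is not Qt code): pointer-sized, and a
// default-constructed instance is all-zero bytes, like a null d_ptr.
struct MetaType { const void *d_ptr = nullptr; };

// Stand-in for the moc-generated RegisterMethodArgumentMetaType branch: it
// stores a whole MetaType through argv[0], whatever the caller actually put
// there. memcpy is used instead of the reinterpret_cast assignment so the
// overlapping write below stays well-defined for demonstration purposes.
void registerArgumentMetaType(void *argv[]) {
    MetaType empty;
    std::memcpy(argv[0], &empty, sizeof empty);
}

// Caller shaped like the old QSignalSpy code: the slot behind argv[0] is an
// int, and the loop counter lives in the next int. Returns the counter after
// the call; when sizeof(int) < sizeof(void*) the write spills into it.
int buggyCaller(int counter) {
    struct Frame { int tp; int i; } frame{0, counter};
    static_assert(sizeof(Frame) == 2 * sizeof(int), "no padding assumed");
    void *argv[] = { &frame.tp, &frame.i };
    if (sizeof(MetaType) <= sizeof(Frame))   // never write past the frame itself
        registerArgumentMetaType(argv);
    return frame.i;
}

// Caller that hands out a slot of the type the callee writes, so the counter
// cannot be touched regardless of pointer size (the principle, not Qt's fix).
int fixedCaller(int counter) {
    MetaType tp;
    int i = counter;
    void *argv[] = { &tp, &i };
    registerArgumentMetaType(argv);
    return i;
}

// True on platforms where the old layout is unsafe (e.g. 64-bit targets).
bool slotTooSmall() { return sizeof(int) < sizeof(MetaType); }
```

With the int slot the counter comes back as 0 on a 64-bit build, which is the infinite-loop condition the report describes; with a MetaType slot it is untouched.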

            People

              fabiankosmale Fabian Kosmale
              esabraha Eskil Abrahamsen Blomfeldt