
Update qpagesetupdialog_win.cpp #3

Closed
oPavel wants to merge 2 commits into qt:5.5 from oPavel:patch-1

Conversation


oPavel commented Apr 23, 2015

There is an error. The page margins have wrong values because of float overrange. A huge value is assigned to a float and then divided by a 'multiplier'. The solution is first to divide and then assign it to the float.

This error was resolved in 5.3.0 or 5.3.1 version (don't remember) and then the 5.3.2 introduced it again!

oPavel added 2 commits April 23, 2015 20:20
There is an error. The page margins have wrong values because of float overrange. A huge value is assigned to a float and then divided by a 'multiplier'. The solution is first to divide and then assign it to the float.

This error was resolved in 5.3.0 or 5.3.1 version (don't remember) and then the 5.3.2 introduced it again!

This error was reported in many, many bug issues.
Only when qreal equals float (the -qreal float option of the Qt configuration) is my previous change necessary.
This commit fixes the type casts.
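An added illustration of the ordering the description argues for (example code, not the Qt patch). It assumes that the loss comes from narrowing a large integer to float's 24-bit significand before dividing; the page does not show the code, and the device-unit value, the multiplier and all function names below are constructed for the demonstration.

```cpp
#include <cstdint>

// Constructed inputs: a margin as an integer count of device units that is
// larger than float can hold exactly (2^24 = 16777216), and a multiplier that
// scales device units to the unit the caller wants.
constexpr std::int64_t kMarginDeviceUnits = 16777217;   // 2^24 + 1, not representable as float
constexpr double kMultiplier = 100.0;

// Quick check for the hazard: does the round trip through float lose the value?
bool narrowingLosesInformation(std::int64_t units) {
    return static_cast<std::int64_t>(static_cast<float>(units)) != units;
}

// The order the PR calls wrong: narrow the large integer to float first,
// which rounds away its low bit, then divide.
float marginNarrowThenDivide(std::int64_t units, double multiplier) {
    const float narrowed = static_cast<float>(units);      // 16777217 -> 16777216.0f
    return static_cast<float>(narrowed / multiplier);      // 16777216 / 100 -> 167772.15625f
}

// The order the PR proposes: divide in double precision first, then narrow
// the much smaller quotient, which float represents far more closely.
float marginDivideThenNarrow(std::int64_t units, double multiplier) {
    const double quotient = static_cast<double>(units) / multiplier;  // exact input, 167772.17
    return static_cast<float>(quotient);                              // -> 167772.171875f
}

// Absolute error of a computed margin against the double-precision reference.
double absoluteError(float value, std::int64_t units, double multiplier) {
    const double reference = static_cast<double>(units) / multiplier;
    const double err = reference - static_cast<double>(value);
    return err < 0 ? -err : err;
}

// True when dividing first is at least as accurate as narrowing first.
bool divideFirstIsNoWorse(std::int64_t units, double multiplier) {
    return absoluteError(marginDivideThenNarrow(units, multiplier), units, multiplier)
        <= absoluteError(marginNarrowThenDivide(units, multiplier), units, multiplier);
}
```

With these inputs the two orderings differ by one float step (167772.15625 versus 167772.171875) because the narrow-first path has already discarded the low bit of the integer before the division happens; for small values such as 1000 device units both paths agree.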
@oPavel oPavel closed this Apr 23, 2015
@oPavel oPavel deleted the patch-1 branch April 23, 2015 20:05
qtprojectorg pushed a commit that referenced this pull request Jun 12, 2015
Sometimes it works and sometimes it hangs. This is the back-trace
when it hangs:

 FAIL!  : tst_QThreadPool::expiryTimeoutRace() 'task.semaphore.tryAcquire(numTasks, 10000)' returned FALSE. ()
    Loc: [tst_qthreadpool.cpp(380)]

 ========= Received signal, dumping stack ==============
 (lldb) process attach --pid 31360
 Process 31360 stopped
 Executable module set to "/Users/qt/work/qt/qtbase/tests/auto/corelib/thread/qthreadpool/./tst_qthreadpool.app/Contents/MacOS/tst_qthreadpool".
 Architecture set to: x86_64-apple-macosx.
 (lldb) bt all
 * thread #1: tid = 0x11f82a, 0x00007fff87451716 libsystem_kernel.dylib`__psynch_cvwait + 10, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
   * frame #0: 0x00007fff87451716 libsystem_kernel.dylib`__psynch_cvwait + 10
     frame #1: 0x00007fff8102dc3b libsystem_pthread.dylib`_pthread_cond_wait + 727
     frame #2: 0x000000010b160dab QtCore`QWaitConditionPrivate::wait(unsigned long) + 75
     frame #3: 0x000000010b160c62 QtCore`QWaitCondition::wait(QMutex*, unsigned long) + 162
     frame #4: 0x000000010b15d66a QtCore`QThreadPool::~QThreadPool() + 106
     frame #5: 0x000000010b0c6bec tst_qthreadpool`tst_QThreadPool::expiryTimeoutRace() + 380
     frame #6: 0x000000010b0ccabb tst_qthreadpool`tst_QThreadPool::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) + 139
     frame #7: 0x000000010b3138e2 QtCore`QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const + 1026
     frame #8: 0x000000010b312f0a QtCore`QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) + 2122
     frame #9: 0x000000010b0ec18f QtTest`QTest::qInvokeTestMethod(char const*, char const*, QTest::WatchDog*) + 1535
     frame #10: 0x000000010b0e7847 QtTest`QTest::qExec(QObject*, int, char**) + 1447
     frame #11: 0x000000010b0cc954 tst_qthreadpool`main + 132
     frame #12: 0x000000010b0c4e74 tst_qthreadpool`start + 52

   thread #2: tid = 0x11f82c, 0x00007fff87452662 libsystem_kernel.dylib`kevent64 + 10, queue = 'com.apple.libdispatch-manager'
     frame #0: 0x00007fff87452662 libsystem_kernel.dylib`kevent64 + 10
     frame #1: 0x00007fff88af1421 libdispatch.dylib`_dispatch_mgr_invoke + 239
     frame #2: 0x00007fff88af1136 libdispatch.dylib`_dispatch_mgr_thread + 52

   thread #3: tid = 0x11f82e, 0x00007fff87451e3a libsystem_kernel.dylib`__wait4_nocancel + 10, name = 'QThread'
     frame #0: 0x00007fff87451e3a libsystem_kernel.dylib`__wait4_nocancel + 10
     frame #1: 0x00007fff81911090 libsystem_c.dylib`system + 425
     frame #2: 0x000000010b0e6fa6 QtTest`stackTrace() + 150
     frame #3: 0x000000010b0efd1d QtTest`QTest::WatchDog::run() + 77
     frame #4: 0x000000010b15f723 QtCore`QThreadPrivate::start(void*) + 339
     frame #5: 0x00007fff8102b899 libsystem_pthread.dylib`_pthread_body + 138
     frame #6: 0x00007fff8102b72a libsystem_pthread.dylib`_pthread_start + 137
     frame #7: 0x00007fff8102ffc9 libsystem_pthread.dylib`thread_start + 13
 (lldb) quit
 ========= End of stack trace ==============
 QFATAL : tst_QThreadPool::expiryTimeoutRace() Test function timed out
 FAIL!  : tst_QThreadPool::expiryTimeoutRace() Received a fatal error.
    Loc: [Unknown file(0)]

Change-Id: I12a61496e101c1bc04bb7f1141c4f6318e8238e4
Reviewed-by: Morten Johan Sørvig <morten.sorvig@theqtcompany.com>
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
qtprojectorg pushed a commit that referenced this pull request Jul 30, 2015
If the data fits inline, let's store it using the dummy member. GCC,
Clang and ICC optimize the code on all architectures I tested to one
single store.

Previously, the function for "return QVersionNumber(5,4,0);" was:
 x86-64:
        movb    $7, (%rdi)
        movb    $5, 1(%rdi)
        movb    $4, 2(%rdi)
        movb    $0, 3(%rdi)
 x86:
        movb    $7, (%eax)
        movb    $5, 1(%eax)
        movb    $4, 2(%eax)
        movb    $0, 3(%eax)
 ia64:
        addl r17 = 7, r0
        adds r16 = 1, in0
        adds r15 = 2, in0
        adds r14 = 3, in0
        st1 [in0] = r17
        addl r17 = 5, r0
        ;;
        st1 [r16] = r17
        addl r16 = 4, r0
        ;;
        st1 [r15] = r16
        st1 [r14] = r0
 armv7a:
        mov     r1, #7
        mov     r2, #5
        strb    r1, [r0]
        mov     r1, #4
        strb    r2, [r0, #1]
        mov     r2, #0
        strb    r1, [r0, #2]
        strb    r2, [r0, #3]
 mips32:
        li      $3,7                    # 0x7
        sb      $3,3($4)
        li      $3,5                    # 0x5
        sb      $3,0($4)
        li      $3,4                    # 0x4
        sb      $3,1($4)
        sb      $0,2($4)
 mips64:
        li      $3,7                    # 0x7
        sb      $3,7($4)
        li      $3,5                    # 0x5
        sb      $3,0($4)
        li      $3,4                    # 0x4
        sb      $3,1($4)
        sb      $0,2($4)
 ppc32:
        li 10,7
        stb 10,3(3)
        li 10,5
        stb 10,0(3)
        li 10,4
        stb 10,1(3)
        li 10,0
        stb 10,2(3)
 ppc64:
        li 10,7
        stb 10,7(3)
        li 10,5
        stb 10,0(3)
        li 10,4
        stb 10,1(3)
        li 10,0
        stb 10,2(3)

Now it is:
 x86-64:
        movq    $263431, (%rdi)
 x86:
        movl    $263431, (%eax)
 ia64:
        addl r14 = 263431, r0
        ;;
        st8 [in0] = r14
 armv7a:
        movw    r3, #1287
        movt    r3, 4
        str     r3, [r0]
 mips32:
        li      $3,84148224                     # 0x5040000
        addiu   $3,$3,7
        sw      $3,0($4)
 mips64:
        li      $3,321                  # 0x141
        dsll    $3,$3,50
        daddiu  $3,$3,7
        sd      $3,0($4)
 ppc64:
        lis 9,0x504
        sldi 9,9,32
        ori 9,9,7
        std 9,0(3)
 ppc32:
        lis 9,0x504
        ori 9,9,7
        stw 9,0(3)

All assembly listings from GCC 4.8.1, but the Clang and ICC outputs are
identical or at least very similar (I tested Clang for ARM, MIPS and
PowerPC). Both MIPS and PowerPC were compiled in big-endian mode and this
listing shows that the 64-bit implementation is correct.

Additionally, the output is also the same for GCC when using brace
initialization (that is, return QVersionNumber{5,4,0}). Clang and ICC
couldn't optimize that.

Change-Id: I9a4a4c9fc83f1182401f63fd2da829c935a8c9da
Reviewed-by: Keith Gardner <kreios4004@gmail.com>
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
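An added example of the inline layout the listings imply (example code, not Qt's QVersionNumber implementation). It assumes, from the first byte being 7 for the three segments of 5.4.0, that the tag byte is 1 + 2 * count with bit 0 as the inline flag, and that the tag sits in the least significant byte of the word on either endianness, which is what makes the big-endian immediates in the listing (0x05040007 on ppc32, 0x0504000000000007 on ppc64 and mips64) come out the way they do; struct and function names are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Up to sizeof(void*)-1 int8 segments plus one tag byte, overlaid on one
// pointer-sized word so a constructor can initialise everything with a single
// store. The tag is kept in the least significant byte on both endiannesses so
// that (word & 1) can tell inline data from a heap pointer (assumption).
constexpr int kInlineSegments = static_cast<int>(sizeof(void *)) - 1;

struct InlineVersion {
#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
    std::int8_t segments[kInlineSegments];  // offsets 0..N-2
    std::uint8_t tag;                       // last byte = least significant on big-endian
#else
    std::uint8_t tag;                       // first byte = least significant on little-endian
    std::int8_t segments[kInlineSegments];
#endif
};
static_assert(sizeof(InlineVersion) == sizeof(std::uintptr_t), "must fit one word");

// Pack: write the byte layout, then copy it into a word (the single store).
std::uintptr_t packInline(const std::vector<int> &segments) {
    InlineVersion iv{};
    iv.tag = static_cast<std::uint8_t>(1 + 2 * segments.size());
    for (std::size_t i = 0; i < segments.size() && i < static_cast<std::size_t>(kInlineSegments); ++i)
        iv.segments[i] = static_cast<std::int8_t>(segments[i]);
    std::uintptr_t word = 0;
    std::memcpy(&word, &iv, sizeof word);
    return word;
}

// Unpack: the inverse, reading the bytes back out of the word.
std::vector<int> unpackInline(std::uintptr_t word) {
    InlineVersion iv{};
    std::memcpy(&iv, &word, sizeof iv);
    std::vector<int> out;
    if ((iv.tag & 1u) == 0) return out;   // low bit clear: a heap pointer, not inline data
    const int count = (iv.tag - 1) / 2;
    for (int i = 0; i < count && i < kInlineSegments; ++i) out.push_back(iv.segments[i]);
    return out;
}

bool hostIsLittleEndian() {
    const std::uint16_t probe = 1;
    std::uint8_t low = 0;
    std::memcpy(&low, &probe, 1);
    return low == 1;
}

// The immediate a compiler must materialise for a given endianness and word
// size, derived independently from the byte offsets: tag in the low byte,
// segment i at memory offset 1+i (little-endian) or i (big-endian).
// Gives 263431 (0x40507) for x86 and 0x0504000000000007 for ppc64/mips64.
std::uint64_t immediateFor(bool littleEndian, int wordSize, const std::vector<int> &segments) {
    std::uint64_t word = 1 + 2 * static_cast<std::uint64_t>(segments.size());
    for (std::size_t i = 0; i < segments.size(); ++i) {
        const int shift = littleEndian ? 8 * static_cast<int>(1 + i)
                                       : 8 * (wordSize - 1 - static_cast<int>(i));
        word |= static_cast<std::uint64_t>(static_cast<std::uint8_t>(segments[i])) << shift;
    }
    return word;
}
```

On the host you run this on, packInline({5, 4, 0}) must equal immediateFor(hostIsLittleEndian(), sizeof(void *), {5, 4, 0}); the two are computed by different routes (memcpy of a struct versus shifts read off the assembly), which is the check that the one-store optimisation preserved the byte layout.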
qtprojectorg pushed a commit that referenced this pull request Jul 31, 2016
Before actually deleting QTreeWidgetItems from QTree{Model,Widget{,Item}} dtors,
their 'view' members need to be set to nullptr, lest they attempt to delist
themselves from the list of top-level items.

For the QTreeModel::headerItem, this was forgotten.

Found by UBSan:

  qtreewidget.cpp:1488:70: runtime error: member call on address 0x7ffd843dd470 which does not point to an object of type 'QAbstractItemView'
  0x7ffd843dd470: note: object is of type 'QWidget'
    #0 0x2b83d5b48323 in QTreeWidgetItem::~QTreeWidgetItem() src/widgets/itemviews/qtreewidget.cpp:1488
    #1 0x2b83d5b48860 in QTreeWidgetItem::~QTreeWidgetItem() src/widgets/itemviews/qtreewidget.cpp:1535
    #2 0x2b83d5b41659 in QTreeModel::~QTreeModel() src/widgets/itemviews/qtreewidget.cpp:143
    #3 0x2b83d5b41bc0 in QTreeModel::~QTreeModel() src/widgets/itemviews/qtreewidget.cpp:146
    #4 0x2b83df220747 in QObjectPrivate::deleteChildren() src/corelib/kernel/qobject.cpp:2010
    #5 0x2b83d4603dd0 in QWidget::~QWidget() src/widgets/kernel/qwidget.cpp:1675
    #6 0x2b83d4d76066 in QFrame::~QFrame() src/widgets/widgets/qframe.cpp:256
    #7 0x2b83d5270442 in QAbstractScrollArea::~QAbstractScrollArea() src/widgets/widgets/qabstractscrollarea.cpp:575
    #8 0x2b83d5733eb9 in QAbstractItemView::~QAbstractItemView() src/widgets/itemviews/qabstractitemview.cpp:617
    #9 0x2b83d598b216 in QTreeView::~QTreeView() src/widgets/itemviews/qtreeview.cpp:206
    #10 0x2b83d5b218b6 in QTreeWidget::~QTreeWidget() src/widgets/itemviews/qtreewidget.cpp:2549
    #11 0x4eef42 in tst_QTreeWidgetItemIterator::updateIfModifiedFromWidget() tests/auto/widgets/itemviews/qtreewidgetitemiterator/tst_qtreewidgetitemiterator.cpp:1089

Change-Id: I57c277adee8c99eb07b274d6d8ea1f6fbf3575be
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
qtprojectorg pushed a commit that referenced this pull request Sep 22, 2016
…in Private::canBeNativeDialog()

Found by UBSan:

  qfontdialog_p.h:77:5: runtime error: downcast of address 0x7ffc3ceadc90 which does not point to an object of type 'QFontDialog'
  0x7ffc3ceadc90: note: object is of type 'QDialog'
   fc 7f 00 00  38 5f a8 27 fc 2a 00 00  60 e2 14 02 00 00 00 00  10 61 a8 27 fc 2a 00 00  00 00 00 00
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x2afc24d29490 in QFontDialogPrivate::q_func() const qfontdialog_p.h:77
    #1 0x2afc24d29490 in QFontDialogPrivate::canBeNativeDialog() const qfontdialog.cpp:1033
    #2 0x2afc24c93f56 in QDialog::setVisible(bool) qdialog.cpp:696
    #3 0x2afc24c7b27a in QDialog::~QDialog() qdialog.cpp:357
    #4 0x2afc24d286a6 in QFontDialog::~QFontDialog() qfontdialog.cpp:339
    #5 0x2afc24d481a2 in QFontDialogPrivate::getFont(bool*, QFont const&, QWidget*, QString const&, QFlags<QFontDialog::FontDialogOption>) qfontdialog.cpp:402
    #6 0x2afc24d483f1 in QFontDialog::getFont(bool*, QWidget*) qfontdialog.cpp:396
    #7 0x407652 in tst_QFontDialog::testGetFont() tst_qfontdialog.cpp:120

  qcolordialog.cpp:86:5: runtime error: downcast of address 0x7ffdf50c1ec0 which does not point to an object of type 'QColorDialog'
  0x7ffdf50c1ec0: note: object is of type 'QDialog'
   fd 7f 00 00  d8 6e c7 23 b7 2a 00 00  50 c1 af 01 00 00 00 00  b0 70 c7 23 b7 2a 00 00  00 00 1a 1e
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x2ab720e4ec97 in QColorDialogPrivate::q_func() const qcolordialog.cpp:86
    #1 0x2ab720e4ec97 in QColorDialogPrivate::canBeNativeDialog() const qcolordialog.cpp:1865
    #2 0x2ab720e84ed6 in QDialog::setVisible(bool) qdialog.cpp:696
    #3 0x2ab720e6c1fa in QDialog::~QDialog() qdialog.cpp:357
    #4 0x2ab720e2b276 in QColorDialog::~QColorDialog() qcolordialog.cpp:2187
    #5 0x2ab720e5e2c6 in QColorDialog::getColor(QColor const&, QWidget*, QString const&, QFlags<QColorDialog::ColorDialogOption>) qcolordialog.cpp:2148
    #6 0x2ab720e5e473 in QColorDialog::getRgba(unsigned int, bool*, QWidget*) qcolordialog.cpp:2176
    #7 0x407180 in tst_QColorDialog::testGetRgba() tst_qcolordialog.cpp:118

  qfiledialog_p.h:112:5: runtime error: downcast of address 0x7ffd6858cc60 which does not point to an object of type 'QFileDialog'
  0x7ffd6858cc60: note: object is of type 'QDialog'
   a1 2b 00 00  d8 1e 5e 0c a1 2b 00 00  b0 af 01 20 a1 2b 00 00  b0 20 5e 0c a1 2b 00 00  00 00 46 00
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x2ba10980a9e7 in QFileDialogPrivate::q_func() const qfiledialog_p.h:112
    #1 0x2ba10980a9e7 in QFileDialogPrivate::canBeNativeDialog() const qfiledialog.cpp:695
    #2 0x2ba1097efe36 in QDialog::setVisible(bool) qdialog.cpp:696
    #3 0x2ba1097d715a in QDialog::~QDialog() qdialog.cpp:357
    #4 0x2ba109854c4b in QFileDialog::~QFileDialog() qfiledialog.cpp:380
    #5 0x4179dc in tst_QFiledialog::init() tst_qfiledialog.cpp:175

Fix by replacing Q_Q with the equivalent expression for QDialog.

We can't re-use QDialogPrivate::q_func() here, since that is private,
and probably should stay like that.

Also fix an invalid member call in
QColorDialogPrivate::canBeNativeDialog():

  qcolordialog.cpp:2050:5: runtime error: member call on address 0x7ffdf50c1ec0 which does not point to an object of type 'QColorDialog'
  0x7ffdf50c1ec0: note: object is of type 'QDialog'
   fd 7f 00 00  d8 6e c7 23 b7 2a 00 00  50 c1 af 01 00 00 00 00  b0 70 c7 23 b7 2a 00 00  00 00 1a 1e
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x2ab720e4e5ea in QColorDialog::options() const qcolordialog.cpp:2050
    #1 0x2ab720e4e8c8 in QColorDialogPrivate::canBeNativeDialog() const qcolordialog.cpp:1870
    #2 0x2ab720e84ed6 in QDialog::setVisible(bool) qdialog.cpp:696
    #3 0x2ab720e6c1fa in QDialog::~QDialog() qdialog.cpp:357
    #4 0x2ab720e2b276 in QColorDialog::~QColorDialog() qcolordialog.cpp:2187
    #5 0x2ab720e5e2c6 in QColorDialog::getColor(QColor const&, QWidget*, QString const&, QFlags<QColorDialog::ColorDialogOption>) qcolordialog.cpp:2148
    #6 0x2ab720e5e473 in QColorDialog::getRgba(unsigned int, bool*, QWidget*) qcolordialog.cpp:2176
    #7 0x407180 in tst_QColorDialog::testGetRgba() tst_qcolordialog.cpp:118

by accessing the data member directly instead of through the Public API.

Fix the same code in QFileDialog, even though the autotest coverage is
too limited for UBSan to point that one out explicitly.

Change-Id: Idd278744961435e417d91fb2f89b6d91a94e0c71
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
qtprojectorg pushed a commit that referenced this pull request Sep 22, 2016
Found by UBSan:

  qgraphicsscene.cpp:1000:40: runtime error: downcast of address 0x2af0d4072b00 which does not point to an object of type 'QGraphicsWidget'
  0x2af0d4072b00: note: object is of type 'QGraphicsObject'
   00 00 00 00  30 f5 26 bd f0 2a 00 00  90 e1 05 d4 f0 2a 00 00  a8 e3 26 bd f0 2a 00 00  d0 33 0f d4
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QGraphicsObject'
    #0 0x2af0badf1305 in QGraphicsScenePrivate::ungrabMouse(QGraphicsItem*, bool) qgraphicsscene.cpp:1000
    #1 0x2af0bae0fc24 in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) qgraphicsscene.cpp:692
    #2 0x2af0bacd21f6 in QGraphicsItem::~QGraphicsItem() qgraphicsitem.cpp:1555
    #3 0x2af0bacd4c48 in QGraphicsObject::~QGraphicsObject() qgraphicsitem.cpp:7766
    #4 0x2af0baf7e99c in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:231
    #5 0x2af0baf7f8c0 in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:282
    #6 0x2af0badcee34 in QGraphicsScene::clear() qgraphicsscene.cpp:2388
    #7 0x2af0badcf3fc in QGraphicsScene::~QGraphicsScene() qgraphicsscene.cpp:1682
    #8 0x4b26f0 in tst_QGraphicsWidget::popupMouseGrabber() tst_qgraphicswidget.cpp:47

Fix by using the existing graphics widget pointer,
determined a line above to be equivalent to 'item',
for the removePopup() function call instead of
casting 'item' itself.

The rest of removePopup() appears to be well-behaved
and doesn't trigger any more UBSan errors, so it was
indeed just the cast which was undefined, no member
calls.

Change-Id: Ia54da90262a7a02f527914a90b0208be0ffc0f0b
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
qtprojectorg pushed a commit that referenced this pull request Sep 24, 2016
…ivate::canBeNativeDialog()

Found by UBSan:

  qcolordialog.cpp:86:5: runtime error: downcast of address 0x7ffdf50c1ec0 which does not point to an object of type 'QColorDialog'
  0x7ffdf50c1ec0: note: object is of type 'QDialog'
   fd 7f 00 00  d8 6e c7 23 b7 2a 00 00  50 c1 af 01 00 00 00 00  b0 70 c7 23 b7 2a 00 00  00 00 1a 1e
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x2ab720e4ec97 in QColorDialogPrivate::q_func() const qcolordialog.cpp:86
    #1 0x2ab720e4ec97 in QColorDialogPrivate::canBeNativeDialog() const qcolordialog.cpp:1865
    #2 0x2ab720e84ed6 in QDialog::setVisible(bool) qdialog.cpp:696
    #3 0x2ab720e6c1fa in QDialog::~QDialog() qdialog.cpp:357
    #4 0x2ab720e2b276 in QColorDialog::~QColorDialog() qcolordialog.cpp:2187
    #5 0x2ab720e5e2c6 in QColorDialog::getColor(QColor const&, QWidget*, QString const&, QFlags<QColorDialog::ColorDialogOption>) qcolordialog.cpp:2148
    #6 0x2ab720e5e473 in QColorDialog::getRgba(unsigned int, bool*, QWidget*) qcolordialog.cpp:2176
    #7 0x407180 in tst_QColorDialog::testGetRgba() tst_qcolordialog.cpp:118

  qfiledialog_p.h:112:5: runtime error: downcast of address 0x7ffd6858cc60 which does not point to an object of type 'QFileDialog'
  0x7ffd6858cc60: note: object is of type 'QDialog'
   a1 2b 00 00  d8 1e 5e 0c a1 2b 00 00  b0 af 01 20 a1 2b 00 00  b0 20 5e 0c a1 2b 00 00  00 00 46 00
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x2ba10980a9e7 in QFileDialogPrivate::q_func() const qfiledialog_p.h:112
    #1 0x2ba10980a9e7 in QFileDialogPrivate::canBeNativeDialog() const qfiledialog.cpp:695
    #2 0x2ba1097efe36 in QDialog::setVisible(bool) qdialog.cpp:696
    #3 0x2ba1097d715a in QDialog::~QDialog() qdialog.cpp:357
    #4 0x2ba109854c4b in QFileDialog::~QFileDialog() qfiledialog.cpp:380
    #5 0x4179dc in tst_QFiledialog::init() tst_qfiledialog.cpp:175

Fix by replacing Q_Q with the equivalent expression for QDialog.

We can't re-use QDialogPrivate::q_func() here, since that is private,
and probably should stay like that.

Also fix an invalid member call in
QColorDialogPrivate::canBeNativeDialog():

  qcolordialog.cpp:2050:5: runtime error: member call on address 0x7ffdf50c1ec0 which does not point to an object of type 'QColorDialog'
  0x7ffdf50c1ec0: note: object is of type 'QDialog'
   fd 7f 00 00  d8 6e c7 23 b7 2a 00 00  50 c1 af 01 00 00 00 00  b0 70 c7 23 b7 2a 00 00  00 00 1a 1e
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x2ab720e4e5ea in QColorDialog::options() const qcolordialog.cpp:2050
    #1 0x2ab720e4e8c8 in QColorDialogPrivate::canBeNativeDialog() const qcolordialog.cpp:1870
    #2 0x2ab720e84ed6 in QDialog::setVisible(bool) qdialog.cpp:696
    #3 0x2ab720e6c1fa in QDialog::~QDialog() qdialog.cpp:357
    #4 0x2ab720e2b276 in QColorDialog::~QColorDialog() qcolordialog.cpp:2187
    #5 0x2ab720e5e2c6 in QColorDialog::getColor(QColor const&, QWidget*, QString const&, QFlags<QColorDialog::ColorDialogOption>) qcolordialog.cpp:2148
    #6 0x2ab720e5e473 in QColorDialog::getRgba(unsigned int, bool*, QWidget*) qcolordialog.cpp:2176
    #7 0x407180 in tst_QColorDialog::testGetRgba() tst_qcolordialog.cpp:118

by accessing the data member directly instead of through the Public API.

Fix the same code in QFileDialog, even though the autotest coverage is
too limited for UBSan to point that one out explicitly.

This commit amends abe8b4a, in which
it should have been included in the first place...

Change-Id: Iff0538eba61d2381359f0b61f35918d643f7aa0c
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
qtprojectorg pushed a commit that referenced this pull request Sep 27, 2016
Found by UBSan:

  qstackedlayout.cpp:261:98: runtime error: downcast of address 0x60400003cd10 which does not point to an object of type 'QtFriendlyLayoutWidget'
  0x60400003cd10: note: object is of type 'QWidget'
   0e 00 80 76  70 0b 06 3f d6 2a 00 00  00 99 00 00 50 61 00 00  20 0d 06 3f d6 2a 00 00  00 00 be be
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QWidget'
    #0 0x2ad637b8f58f in qt_wasDeleted qstackedlayout.cpp:261
    #1 0x2ad637b8f58f in QStackedLayout::takeAt(int) qstackedlayout.cpp:285
    #2 0x2ad637b4afcb in QLayout::removeWidget(QWidget*) qlayout.cpp:1369
    #3 0x413534 in tst_QStackedLayout::testCase() tst_qstackedlayout.cpp:155

Caused by using a struct to get access to QWidgetPrivate::wasDeleted
using a cast.  That cast is invalid, of course, so simply use
QWidgetPrivate::get().

Caveat: we need a const version of that function, but that didn't
exist, yet, so added one.

Change-Id: I27d449b90be7e2072646d950c676b500ef698349
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
qtprojectorg pushed a commit that referenced this pull request Sep 27, 2016
Found by UBSan:

  qlayout.cpp:612:50: runtime error: downcast of address 0x7ffcd4c39a70 which does not point to an object of type 'QWidget'
  0x7ffcd4c39a70: note: object is of type 'QObject'
   00 00 00 00  b0 43 4c 7b f5 2a 00 00  70 c9 28 02 00 00 00 00  08 93 9a 77 f5 2a 00 00  00 00 c3 d4
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QObject'
    #0 0x2af56f189960 in QLayout::widgetEvent(QEvent*) qlayout.cpp:612
    #1 0x2af56f037660 in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3732
    #2 0x2af56f06ae5b in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3704
    #3 0x2af57989e383 in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:988
    #4 0x2af5799c1696 in QCoreApplication::sendEvent(QObject*, QEvent*) qcoreapplication.h:231
    #5 0x2af5799c1696 in QObjectPrivate::setParent_helper(QObject*) qobject.cpp:2043
    #6 0x2af5799c4823 in QObject::~QObject() qobject.cpp:1095
    #7 0x2af56f2d205d in QWidget::~QWidget() qwidget.cpp:1549
    #8 0x2af56f9c1366 in QFrame::~QFrame() qframe.cpp:262
    #9 0x2af56f9e76cb in QLabel::~QLabel() qlabel.cpp:247
    #10 0x458077 in tst_QStyleSheetStyle::emptyStyleSheet() tst_qstylesheetstyle.cpp:1400

Fix by not casting at all (or, to be precise, casting implicitly up
instead of explicitly down).

Change-Id: Ic19fd29e0cabd1aee5b1c93ca4c0fc70bc7a5927
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
qtprojectorg pushed a commit that referenced this pull request Sep 28, 2016
…nize()

As found by UBSan:

  qstandardgestures.cpp:511:67: runtime error: downcast of address 0x7ffc9beb1b90 which does not point to an object of type 'QTouchEvent'
  0x7ffc9beb1b90: note: object is of type 'QPlatformSurfaceEvent'
   fc 7f 00 00  08 93 b1 6f f5 2a 00 00  00 00 00 00 00 00 00 00  d9 00 ec 9b 00 00 00 00  49 01 c1 5e
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QPlatformSurfaceEvent'
    #0 0x2af55edfa66a in QTapAndHoldGestureRecognizer::recognize(QGesture*, QObject*, QEvent*) qstandardgestures.cpp:511
    #1 0x2af55ee3d9bb in QGestureManager::filterEventThroughContexts(QMultiMap<QObject*, Qt::GestureType> const&, QEvent*) qgesturemanager.cpp:276
    #2 0x2af55ee4565b in QGestureManager::filterEvent(QWidget*, QEvent*) qgesturemanager.cpp:512
    #3 0x2af55ee53945 in QGestureManager::filterEvent(QObject*, QEvent*) qgesturemanager.cpp:556
    #4 0x2af55ea1b83a in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3053
    #5 0x2af573949d0f in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:988
    #6 0x2af56982ff94 in QCoreApplication::sendEvent(QObject*, QEvent*) qcoreapplication.h:231
    #7 0x2af56982ff94 in QWindowPrivate::create(bool) qwindow.cpp:435
    #8 0x2af55ecd10fe in QWidgetPrivate::create_sys(unsigned long long, bool, bool) qwidget.cpp:1471
    #9 0x2af55ecc770e in QWidget::create(unsigned long long, bool, bool) qwidget.cpp:1333
    #10 0x2af55ed80618 in QWidget::setVisible(bool) qwidget.cpp:8156
    #11 0x4feec4 in tst_QWidget::touchEventsForGesturePendingWidgets() tst_qwidget.cpp:9824

  qstandardgestures.cpp:512:67: runtime error: downcast of address 0x7ffc9beb1b90 which does not point to an object of type 'QMouseEvent'
  0x7ffc9beb1b90: note: object is of type 'QPlatformSurfaceEvent'
   fc 7f 00 00  08 93 b1 6f f5 2a 00 00  00 00 00 00 00 00 00 00  d9 00 ec 9b 00 00 00 00  49 01 c1 5e
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QPlatformSurfaceEvent'
    #0 0x2af55edfaa19 in QTapAndHoldGestureRecognizer::recognize(QGesture*, QObject*, QEvent*) qstandardgestures.cpp:512
    [... skipping common lines ...]

  qstandardgestures.cpp:514:95: runtime error: downcast of address 0x
  0x7ffc9beb1b90: note: object is of type 'QPlatformSurfaceEvent'
   fc 7f 00 00  08 93 b1 6f f5 2a 00 00  00 00 00 00 00 00 00 00  d9 00 ec 9b 00 00 00 0
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QPlatformSurfaceEvent'
    #0 0x2af55edfa966 in QTapAndHoldGestureRecognizer::recognize(QGesture*, QObject*, QEvent*) qstandardgestures.cpp:514
    [... skipping common lines ...]

The problem is that the casts are done outside the switch that
determines the event's type, so for any given event object, at least
two of the casts are invalid.

This could actually be a real problem, because it's trivial for a
compiler to prove that these three lines unconditionally invoke UB, so
it has all the right in the world to decide to drop the complete rest
of the function, using this line of reasoning:

1. The only way for these three casts not to be UB is if event ==
   nullptr.

2. If event == nullptr, then event->type() invokes UB, so event cannot
   be nullptr.

3. The only way both can be true is if this code path is never
   taken. I can thus assume that

      object == state && event->type() == QEvent::Timer

   is always true, drop the check and execute the if block
   unconditionally (I need to call QEvent::type(), to satisfy the
   as-if-rule, but I needn't check its return value).

Fix by moving the casts where they belong: into each case of the
switch, where the type of the event has been checked to match the
target type of the cast.

Change-Id: I3aee8e213dc19d2f51636bcc5221cc92b3142e58
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
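An added example of the pattern this commit describes, with the hoisted casts beside the fixed version (example code, not Qt's QTapAndHoldGestureRecognizer; the event classes, names and sample values are constructed stand-ins for QEvent and its subclasses):

```cpp
#include <string>

// Stand-in for QEvent: a type tag plus a virtual destructor, so each event
// kind is a distinct polymorphic type (constructed, not Qt code).
struct Event {
    enum Type { Timer, MouseButtonPress, TouchBegin, PlatformSurface };
    explicit Event(Type t) : m_type(t) {}
    virtual ~Event() = default;
    Type type() const { return m_type; }
private:
    Type m_type;
};
struct TimerEvent : Event {
    explicit TimerEvent(int id) : Event(Timer), timerId(id) {}
    int timerId;
};
struct MouseEvent : Event {
    MouseEvent(int px, int py) : Event(MouseButtonPress), x(px), y(py) {}
    int x, y;
};
struct TouchEvent : Event {
    explicit TouchEvent(int n) : Event(TouchBegin), points(n) {}
    int points;
};
struct PlatformSurfaceEvent : Event {
    PlatformSurfaceEvent() : Event(PlatformSurface) {}
};

// The shape UBSan flagged: all three downcasts happen before the switch, so
// for any one event at least two of them name the wrong type, and each such
// static_cast is undefined behaviour on its own, before anything is
// dereferenced. Kept for contrast only; never called.
std::string recognizeHoisted(const Event *event) {
    const TimerEvent *timer = static_cast<const TimerEvent *>(event);  // UB unless Timer
    const MouseEvent *mouse = static_cast<const MouseEvent *>(event);  // UB unless MouseButtonPress
    const TouchEvent *touch = static_cast<const TouchEvent *>(event);  // UB unless TouchBegin
    switch (event->type()) {
    case Event::Timer:            return "timer:" + std::to_string(timer->timerId);
    case Event::MouseButtonPress: return "mouse:" + std::to_string(mouse->x) + "," + std::to_string(mouse->y);
    case Event::TouchBegin:       return "touch:" + std::to_string(touch->points);
    default:                      return "ignored";
    }
}

// The fix from the commit: cast only inside the case that has just
// established the dynamic type, so an event of any other type (here a
// PlatformSurfaceEvent) is never reinterpreted as something it is not.
std::string recognizeChecked(const Event *event) {
    switch (event->type()) {
    case Event::Timer: {
        const auto *timer = static_cast<const TimerEvent *>(event);
        return "timer:" + std::to_string(timer->timerId);
    }
    case Event::MouseButtonPress: {
        const auto *mouse = static_cast<const MouseEvent *>(event);
        return "mouse:" + std::to_string(mouse->x) + "," + std::to_string(mouse->y);
    }
    case Event::TouchBegin: {
        const auto *touch = static_cast<const TouchEvent *>(event);
        return "touch:" + std::to_string(touch->points);
    }
    default:
        return "ignored";
    }
}

// For code that cannot be restructured into a switch: downcast only when the
// tag matches, yielding nullptr instead of an invalid pointer.
template <typename T>
const T *eventCast(const Event *event, Event::Type expected) {
    return (event != nullptr && event->type() == expected) ? static_cast<const T *>(event) : nullptr;
}

// Constructed sample events run through the checked recogniser.
std::string recognizeSample(Event::Type kind) {
    switch (kind) {
    case Event::Timer:            { TimerEvent e(42);       return recognizeChecked(&e); }
    case Event::MouseButtonPress: { MouseEvent e(10, 20);   return recognizeChecked(&e); }
    case Event::TouchBegin:       { TouchEvent e(2);        return recognizeChecked(&e); }
    default:                      { PlatformSurfaceEvent e; return recognizeChecked(&e); }
    }
}

bool eventCastRejectsWrongType() {
    PlatformSurfaceEvent e;
    return eventCast<TouchEvent>(&e, Event::TouchBegin) == nullptr
        && eventCast<PlatformSurfaceEvent>(&e, Event::PlatformSurface) == &e;
}
```

Building the hoisted variant with -fsanitize=undefined and feeding it a PlatformSurfaceEvent reproduces a "downcast of address ... which does not point to an object of type" report of the kind quoted above; the checked variant is silent because no cast is ever attempted for an unexpected type.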
qtprojectorg pushed a commit that referenced this pull request Oct 5, 2016
The slot is invoked from QObject::destroyed(), which is emitted
from ~QObject. By that time the object is no longer a QShortcut,
so the static_cast is invalid.

Found by UBSan:

  tst_qshortcut.cpp:1210:53: runtime error: downcast of address 0x6020000289d0 which does not point to an object of type 'QShortcut'
  0x6020000289d0: note: object is of type 'QObject'
   10 00 80 17  c0 ce 63 df 93 2b 00 00  b0 02 00 00 d0 60 00 00  02 00 00 00 ff ff ff 04  04 00 00 00
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QObject'
    #0 0x42b3bb in tst_QShortcut::shortcutDestroyed(QObject*) tst_qshortcut.cpp:1210
    #1 0x446cc9 in tst_QShortcut::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/tst_qshortcut.moc:186
    #2 0x2b93dba52c86 in QMetaObject::activate(QObject*, int, int, void**) qobject.cpp:3787
    #3 0x2b93dba55400 in QObject::destroyed(QObject*) .moc/moc_qobject.cpp:213
    #4 0x2b93dba8d80d in QObject::~QObject() qobject.cpp:967
    #5 0x2b93c6b6e032 in QShortcut::~QShortcut() qshortcut.cpp:476
    #6 0x2b93c6b6e370 in QShortcut::~QShortcut() qshortcut.cpp:481
    #7 0x42a5de in void qDeleteAll<QList<QShortcut*>::const_iterator>(QList<QShortcut*>::const_iterator, QList<QShortcut*>::const_iterator) qalgorithms.h:317
    #8 0x42a5de in void qDeleteAll<QList<QShortcut*> >(QList<QShortcut*> const&) qalgorithms.h:325
    #9 0x42a5de in tst_QShortcut::clearAllShortcuts() tst_qshortcut.cpp:1136

Fix by replacing QVector::replaceAll() with the erase-remove idiom,
which does not require the cast, because it can perform mixed-type
lookups.

Change-Id: I4251c1895fa4398023f489dbfd7108d90c1a6c94
Reviewed-by: Giuseppe D'Angelo <giuseppe.dangelo@kdab.com>
qtprojectorg pushed a commit that referenced this pull request Oct 6, 2016
Found by UBSan:

  qgraphicswidget_p.h:72:5: runtime error: downcast of address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget'
  0x2ab6a8021400: note: object is of type 'QGraphicsObject'
   00 00 00 00  70 93 5c 91 b6 2a 00 00  f0 c0 01 a8 b6 2a 00 00  e8 81 5c 91 b6 2a 00 00  10 bf 01 a8
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QGraphicsObject'
    #0 0x2ab68f2fdd7c in QGraphicsWidgetPrivate::q_func() qgraphicswidget_p.h:72
    #1 0x2ab68f2fdd7c in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:775
    #2 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181
    #3 0x2ab68f024f73 in QGraphicsItem::setParentItem(QGraphicsItem*) qgraphicsitem.cpp:1781
    #4 0x2ab68f168401 in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) qgraphicsscene.cpp:620
    #5 0x2ab68f02c166 in QGraphicsItem::~QGraphicsItem() qgraphicsitem.cpp:1555
    #6 0x2ab68f02ebb8 in QGraphicsObject::~QGraphicsObject() qgraphicsitem.cpp:7766
    #7 0x2ab68f2d8888 in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:231
    #8 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175
    #9 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175
    #10 0x2ab68f02c9ec in QGraphicsItem::~QGraphicsItem() qgraphicsitem.cpp:1550
    #11 0x2ab68f02ebb8 in QGraphicsObject::~QGraphicsObject() qgraphicsitem.cpp:7766
    #12 0x2ab68f2d8888 in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:231
    #13 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175
    #14 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175
    #15 0x2ab68f128da4 in QGraphicsScene::clear() qgraphicsscene.cpp:2388
    #16 0x2ab68f12936c in QGraphicsScene::~QGraphicsScene() qgraphicsscene.cpp:1682
    #17 0x44d44c in tst_QGraphicsWidget::focusWidget() /tst_qgraphicswidget.cpp:435

  qgraphicswidget_p.cpp:805:24: runtime error: member call on address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget'
  0x2ab6a8021400: note: object is of type 'QGraphicsObject'
   00 00 00 00  70 93 5c 91 b6 2a 00 00  f0 c0 01 a8 b6 2a 00 00  e8 81 5c 91 b6 2a 00 00  10 bf 01 a8
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QGraphicsObject'
    #0 0x2ab68f2fdc68 in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:805
    #1 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181
    [... identical lines omitted ...]

  qgraphicswidget_p.cpp:806:23: runtime error: member call on address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget'
  0x2ab6a8021400: note: object is of type 'QGraphicsObject'
   00 00 00 00  70 93 5c 91 b6 2a 00 00  f0 c0 01 a8 b6 2a 00 00  e8 81 5c 91 b6 2a 00 00  10 bf 01 a8
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QGraphicsObject'
    #0 0x2ab68f2fdb6b in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:806
    #1 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181
    [... identical lines omitted ...]

  qgraphicswidget_p.cpp:827:26: runtime error: member call on address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget'
  0x2ab6a8021400: note: object is of type 'QGraphicsObject'
   00 00 00 00  70 93 5c 91 b6 2a 00 00  f0 c0 01 a8 b6 2a 00 00  e8 81 5c 91 b6 2a 00 00  10 bf 01 a8
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QGraphicsObject'
    #0 0x2ab68f2fdf91 in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:827
    #1 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181
    [... identical lines omitted ...]

Fix by moving the setParentItem(nullptr) call up the call stack
into ~QGraphicsWidget(), ensuring that the object is still a
QGraphicsWidget when these calls are made.

Change-Id: I264779e33098e9752de9a312a146fb203578a3cc
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Giuseppe D'Angelo <giuseppe.dangelo@kdab.com>
qtprojectorg pushed a commit that referenced this pull request Oct 12, 2016
…ventFilter()

Found by UBSan:

  tst_qwidget.cpp:10207:29: runtime error: member access within address 0x6060000e8880 which does not point to an object of type 'EnterTestModalDialog'
  0x6060000e8880: note: object is of type 'QWidget'
   eb 00 80 45  10 4b 32 ab 11 2b 00 00  80 df 08 00 60 61 00 00  c0 4c 32 ab 11 2b 00 00  00 00 be be
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QWidget'
    #0 0x6ca13f in EnterTestMainDialog::eventFilter(QObject*, QEvent*) tst_qwidget.cpp:10207
    #1 0x2b11b8bc90c3 in QCoreApplicationPrivate::sendThroughApplicationEventFilters(QObject*, QEvent*) qcoreapplication.cpp:1081
    #2 0x2b11a3c49b4a in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3716
    #3 0x2b11a3c8ec72 in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3704
    #4 0x2b11b8bccd0f in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:988
    #5 0x2b11aea5c34d in QCoreApplication::sendEvent(QObject*, QEvent*) qcoreapplication.h:231
    #6 0x2b11aea5c34d in QGuiApplicationPrivate::_q_updateFocusObject(QObject*) qguiapplication.cpp:3690
    #7 0x2b11aea61360 in QGuiApplication::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_qguiapplication.cpp:177
    #8 0x2b11b8d1dc86 in QMetaObject::activate(QObject*, int, int, void**) qobject.cpp:3787
    #9 0x2b11aea784a3 in QWindow::focusObjectChanged(QObject*) .moc/moc_qwindow.cpp:760
    #10 0x2b11a3fb24f2 in QWidget::clearFocus() qwidget.cpp:6705
    #11 0x2b11a3fc87b1 in QWidget::~QWidget() qwidget.cpp:1608
    #12 0x2b11a526688c in QDialog::~QDialog() qdialog.cpp:352
    #13 0x6c43e2 in EnterTestModalDialog::~EnterTestModalDialog() tst_qwidget.cpp:10160
    #14 0x6c43e2 in EnterTestModalDialog::~EnterTestModalDialog() tst_qwidget.cpp:10160
    #15 0x492be3 in EnterTestMainDialog::buttonPressed() tst_qwidget.cpp:10188
    #16 0x492be3 in EnterTestMainDialog::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/tst_qwidget.moc:2056
    #17 0x2b11b8d1dc86 in QMetaObject::activate(QObject*, int, int, void**) qobject.cpp:3787
    #18 0x2b11a45cb833 in QAbstractButton::clicked(bool) .moc/moc_qabstractbutton.cpp:307
    #19 0x2b11a45cd54b in QAbstractButtonPrivate::emitClicked() qabstractbutton.cpp:411
    #20 0x2b11a45df73a in QAbstractButtonPrivate::click() qabstractbutton.cpp:404
    [...]
    #41 0x6bb2cf in tst_QWidget::taskQTBUG_27643_enterEvents() tst_qwidget.cpp:10249
    [...]

Fix by checking the event type first, and accessing
modal->button only if it's QEvent::Enter.

Change-Id: I2c7df3a1f43ecbfe14741b5861729078a91a32d6
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
qtprojectorg pushed a commit that referenced this pull request Oct 20, 2016
Found by UBSan:

  qnetworkreplyhttpimpl.cpp:457:29: runtime error: member call on address 0x602000009cf0 which does not point to an object of type 'QNetworkReplyHttpImpl'
  0x602000009cf0: note: object is of type 'QObject'
   1e 00 80 18  20 e0 bb 12 54 7f 00 00  00 f2 00 00 70 61 00 00  02 00 00 00 ff ff ff 06  08 00 00 00
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QObject'
    #0 0x7f541461b71b in QNetworkReplyHttpImplPrivate::~QNetworkReplyHttpImplPrivate() qnetworkreplyhttpimpl.cpp:457
    #1 0x7f541461b7f0 in QNetworkReplyHttpImplPrivate::~QNetworkReplyHttpImplPrivate() qnetworkreplyhttpimpl.cpp:458
    #2 0x7f540f26df1a in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) qscopedpointer.h:54
    #3 0x7f540f26df1a in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() qscopedpointer.h:101
    #4 0x7f540f26df1a in QObject::~QObject() qobject.cpp:940
    #5 0x7f540e915f6e in QIODevice::~QIODevice() qiodevice.cpp:416
    #6 0x7f5414599bae in QNetworkReply::~QNetworkReply() qnetworkreply.cpp:444
    #7 0x7f54145e6f5e in QNetworkReplyHttpImpl::~QNetworkReplyHttpImpl() qnetworkreplyhttpimpl.cpp:239
    #8 0x7f54145e6f5e in QNetworkReplyHttpImpl::~QNetworkReplyHttpImpl() qnetworkreplyhttpimpl.cpp:242
    #9 0x7f54144b3539 in void qDeleteAll<QList<QNetworkReply*>::const_iterator>(QList<QNetworkReply*>::const_iterator, QList<QNetworkReply*>::const_iterator) qalgorithms.h:317
    #10 0x7f54144b3539 in void qDeleteAll<QList<QNetworkReply*> >(QList<QNetworkReply*> const&) qalgorithms.h:325
    #11 0x7f54144b3539 in QNetworkAccessManager::~QNetworkAccessManager() qnetworkaccessmanager.cpp:496

Fix by moving the emission of the QNetworkReplyHttpImpl::abortHttpRequest()
signal from ~Private, when the public object is by then merely a QObject,
to ~QNetworkReplyHttpImpl(), when the public class is still itself.

Change-Id: Ifb3b19f6d180452bdf3fc26f54629ef780a5d9d9
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@theqtcompany.com>
qtprojectorg pushed a commit that referenced this pull request Mar 22, 2017
QString::toUtf8() returns QByteArray, which got implicitly converted to
C strings and promptly deleted. Instead, return the QByteArray to the
caller.

Found by ASAN:
==13935==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000dffb8 at pc 0x7f764f27320b bp 0x7ffd49b11bb0 sp 0x7ffd49b11358
READ of size 7 at 0x6060000dffb8 thread T0
    #1 0x7f7649d174e2 in g_strdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x684e2)
    #2 0x7f763f7abe5b  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x39e5b)
    #3 0x7f763f78915a in g_object_new_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x1715a)
    #4 0x7f763f789520 in g_object_new (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x17520)
    #5 0x7f7640f6bcb0 in gtk_dialog_add_button (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x186cb0)
    #6 0x7f7640f8d2c9 in gtk_file_chooser_dialog_new (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1a82c9)
    #7 0x7f7641727281  (/opt/Qt5.8.0/5.8/gcc_64/plugins/platformthemes/libqgtk3.so+0x13281)

Task-number: QTBUG-59611
Change-Id: I37cc967e689f4523b504fffd14adbf944b53b754
Reviewed-by: J-P Nurmi <jpnurmi@qt.io>
qtprojectorg pushed a commit that referenced this pull request Apr 19, 2017
Delete the QGraphicsEffect from the QWidget destructor instead of from
the QWidgetPrivate destructor. The destructor of QGraphicsEffect still
accesses methods of the QWidget, but since the QObjectPrivate is being
destroyed from ~QObject, the pointer is no longer a QWidget.

Fix warning with UB sanitizer in tst_QWidget::setGraphicsEffect

qwidget_p.h:900:23: runtime error: member call on address 0x000001d822c0 which does not point to an object of type 'QWidget'
0x000001d822c0: note: object is of type 'QObject'
 00 00 00 00  b0 46 5f 40 e5 7f 00 00  00 23 d8 01 00 00 00 00  f0 e6 00 44 e5 7f 00 00  00 00 74 47
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'QObject'
    #0 0x7fe54767db76 in QWidgetEffectSourcePrivate::detach()
    #1 0x7fe548f29815 in QGraphicsEffect::~QGraphicsEffect()
    #2 0x7fe548f2a1b7 in QGraphicsBlurEffect::~QGraphicsBlurEffect()
    #3 0x7fe548f2a208 in QGraphicsBlurEffect::~QGraphicsBlurEffect()
    #4 0x7fe5475cd463 in QWidgetPrivate::~QWidgetPrivate()
    #5 0x7fe5475ce62c in QWidgetPrivate::~QWidgetPrivate()
    #6 0x7fe5400d0dda in QObject::~QObject()
    #7 0x7fe54763d411 in QWidget::~QWidget()
    #8 0x7fe54763d7f4 in QWidget::~QWidget()
    #9 0x4cc309 in QScopedPointerDeleter<QWidget>::cleanup(QWidget*)
    #10 0x4cc309 in QScopedPointer<QWidget, QScopedPointerDeleter<QWidget> >::reset(QWidget*)
    #11 0x4cc309 in tst_QWidget::setGraphicsEffect()

Change-Id: I19c049e979cfce2adda908af8336cb4adac8f6c4
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
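The three fixes above (~QGraphicsWidget, ~QNetworkReplyHttpImpl, ~QWidget) share one mechanism: the d-pointer is destroyed by the base-class destructor, at which point the object's dynamic type is already the base. The following is an added example, not Qt code, with hypothetical class names; it makes that demotion observable through a virtual call instead of the static_cast that UBSan flagged, and shows the fix pattern of doing derived-specific cleanup in the derived destructor.

```cpp
#include <memory>
#include <string>

struct Widget;

// Private data (the Qt "d-pointer"). It is a member of the base class, so it
// is destroyed by the base destructor, after every derived destructor ran.
struct WidgetPrivate {
    Widget *q;            // back-pointer to the public object
    std::string *sink;    // records the dynamic type seen during cleanup
    WidgetPrivate(Widget *qq, std::string *s) : q(qq), sink(s) {}
    ~WidgetPrivate();
};

struct Widget {
    std::unique_ptr<WidgetPrivate> d;
    explicit Widget(std::string *sink) : d(new WidgetPrivate(this, sink)) {}
    virtual ~Widget() {}  // body runs, then d is destroyed: ~WidgetPrivate
    virtual std::string kind() const { return "Widget"; }
};

WidgetPrivate::~WidgetPrivate()
{
    // The Qt code did static_cast<QGraphicsWidget*>(q)->member() here. Once
    // ~Widget has started, *q's dynamic type is Widget again, which is what
    // UBSan's vptr check reports. A virtual call shows the same demotion
    // without undefined behaviour:
    if (sink->empty())
        *sink = q->kind();
}

// Buggy shape: nothing derived-specific happens in the derived destructor,
// so the cleanup in ~WidgetPrivate sees a plain Widget.
struct GraphicsWidgetBuggy : Widget {
    using Widget::Widget;
    ~GraphicsWidgetBuggy() override {}
    std::string kind() const override { return "GraphicsWidget"; }
};

// Fixed shape, as in the commits above: do the derived-specific cleanup
// while *this is still a GraphicsWidget.
struct GraphicsWidgetFixed : Widget {
    using Widget::Widget;
    ~GraphicsWidgetFixed() override { *d->sink = kind(); }
    std::string kind() const override { return "GraphicsWidget"; }
};

std::string observed_kind_buggy()
{
    std::string seen;
    { GraphicsWidgetBuggy w(&seen); }  // destroyed at the closing brace
    return seen;   // "Widget": the derived part is already gone
}

std::string observed_kind_fixed()
{
    std::string seen;
    { GraphicsWidgetFixed w(&seen); }
    return seen;   // "GraphicsWidget"
}
```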
qtprojectorg pushed a commit that referenced this pull request Aug 27, 2017
I'm getting crashes in Akonadi processes due to libproxy. I don't have
direct evidence that this was caused by a threading condition, but it's
clear from the source code of libproxy that the plugins it runs for
expanding PAC scripts are not thread-safe. To overcome this problem, we
run libproxy functions in one thread only.

 #0  0x00007f745f0ac1d8 in JSC::HeapTimer::timerDidFire() () at /usr/lib64/libjavascriptcoregtk-4.0.so.18
 #1  0x00007f745f0ac287 in  () at /usr/lib64/libjavascriptcoregtk-4.0.so.18
 #2  0x00007f748e5ae9c5 in g_main_context_dispatch () at /usr/lib64/libglib-2.0.so.0
 #3  0x00007f748e5aed88 in  () at /usr/lib64/libglib-2.0.so.0
 #4  0x00007f748e5aee1c in g_main_context_iteration () at /usr/lib64/libglib-2.0.so.0
 #5  0x00007f7494f4268f in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
 #6  0x00007f7494eeb35a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/libQt5Core.so.5
 #7  0x00007f7494d1b31a in QThread::exec() () at /usr/lib64/libQt5Core.so.5
 #8  0x00007f7494d1fd2e in  () at /usr/lib64/libQt5Core.so.5
 #9  0x00007f74913174e7 in start_thread () at /lib64/libpthread.so.0

The pacrunner implementation of libproxy uses libdbus-1 which
(officially) is thread-safe, but experience tells us that it has
problems. Since it is not running a JS engine, we don't need a thread,
but we do need to lock around it.

Change-Id: I84e45059a888497fb55ffffd14d2f638f21e807d
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
qtprojectorg pushed a commit that referenced this pull request Jun 27, 2018
NSOpenGLContext should be re-entrant, but is not in practice, resulting
in deadlocks when there are two render threads, e.g.:

 thread #23, name = 'QSGRenderThread'
    frame #0: 0x00007fff5c6dda4e libsystem_kernel.dylib`__psynch_mutexwait + 10
    frame #1: 0x00007fff5c8a5b9d libsystem_pthread.dylib`_pthread_mutex_lock_wait + 83
    frame #2: 0x00007fff5c8a34c8 libsystem_pthread.dylib`_pthread_mutex_lock_slow + 253
    frame #3: 0x00007fff31ebb52e AppKit`flush_notify + 110
    frame #4: 0x00007fff3e75ee2a GLEngine`glSwap_Exec + 186
    frame #5: 0x00007fff3e740797 OpenGL`CGLFlushDrawable + 59
    frame #6: 0x00007fff31ad43ac AppKit`-[NSOpenGLContext flushBuffer] + 27
    ...

Task-number: QTBUG-69040
Change-Id: I6f28b4cc5faf61ae93f66353ce2abdf8c223d994
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
qtprojectorg pushed a commit that referenced this pull request Sep 10, 2018
Calling setView or update on NSOpenGLContext results in recreating the
internal GL surfaces of the view. Unfortunately there seems to be a
fixed amount of these surfaces available, so if we spin a loop where
we for some reason end up recreating them, we'll easily run out, and
lock up the whole window system:

  thread #6, name = 'SwapThread'
    frame #0: 0x00007fff7b45220a libsystem_kernel.dylib`mach_msg_trap + 10
    frame #1: 0x00007fff7b451724 libsystem_kernel.dylib`mach_msg + 60
    frame #2: 0x00007fff751c1675 SkyLight`SLSBindSurface + 247
    frame #3: 0x00007fff5d9c4328 OpenGL`___lldb_unnamed_symbol29$$OpenGL + 255
    frame #4: 0x00007fff6bf42c33 libGPUSupportMercury.dylib`gldAttachDrawable + 364
    frame #5: 0x00007fff5d9e61e7 GLEngine`gliAttachDrawableWithOptions + 257
    frame #6: 0x00007fff5d9c4bb0 OpenGL`___lldb_unnamed_symbol38$$OpenGL + 969
    frame #7: 0x00007fff5d9c8b0e OpenGL`___lldb_unnamed_symbol57$$OpenGL + 82
    frame #8: 0x00007fff5d9c8e55 OpenGL`CGLSetSurface + 330
    frame #9: 0x00007fff50d0eb2c AppKit`NSOpenGLContextAttachOffScreenViewSurface + 352

This can happen e.g. when resizing the application, where AppKit itself spins
a loop where we don't end up back in QCocoaEventDispatcher::processEvents()
for each pass (where we do have a local pool). Or it can happen in the
render-loop of a render-thread that doesn't use the event dispatcher.

Change-Id: Iaf2f879dd01e3d807d0f35705ccc978dbc89036b
Reviewed-by: Morten Johan Sørvig <morten.sorvig@qt.io>
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
qtprojectorg pushed a commit that referenced this pull request Sep 26, 2018
By making the hardcoded values unsigned

image/qppmhandler.cpp:126:36: runtime error: signed integer overflow: 65535 * 65535 cannot be represented in type 'int'
    #0 0x4cef10 in scale_pbm_color(unsigned short, unsigned short, unsigned short, unsigned short) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:126:36
    #1 0x4cb1d5 in read_pbm_body(QIODevice*, char, int, int, int, QImage*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:274:39
    #2 0x4ca3d8 in QPpmHandler::read(QImage*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:509:10
    #3 0x4b238d in QImageReader::read(QImage*) /src/qt/qtbase/src/gui/image/qimagereader.cpp:1253:22
    #4 0x4b1b61 in QImageReader::read() /src/qt/qtbase/src/gui/image/qimagereader.cpp:1201:12
    #5 0x486f66 in QImage::fromData(unsigned char const*, int, char const*) /src/qt/qtbase/src/gui/image/qimage.cpp:3624:37
    #6 0x486cd8 in QImage::loadFromData(unsigned char const*, int, char const*) /src/qt/qtbase/src/gui/image/qimage.cpp:3590:13
    #7 0x434b2e in LLVMFuzzerTestOneInput /src/qimage_fuzzer.cc:28:7
    #8 0x44b167 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
    #9 0x43c8bd in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
    #10 0x4407bb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
    #11 0x434bf8 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #12 0x7fd4d93b982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x409bb8 in _start (/out/qimage_fuzzer+0x409bb8)

Change-Id: I56674d0c2e59a30095552eb84aba17d7b516dd4a
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
qtprojectorg pushed a commit that referenced this pull request Oct 3, 2018
When the font changes in NSFontPanel, it notifies NSFontManager via
-[NSFontManager modifyFontViaPanel:], which in turn sends the font
manager's action (by default changeFont:) to its target (nil, unless set).

Sending the action in -[NSApplication(NSResponder) sendAction:to:from:]
will sanitize the 'to' argument via _NSTargetForSendAction.

If the argument is non-nil (if we've set the NSFontManager target
explicitly), and we're running in an app-modal session (which we are),
the target is checked for worksWhenModal -- a property which is defined
on NSWindow, and only supposed to be set for subclasses of NSPanel.

Since our QNSFontPanelDelegate class doesn't implement this method, the
_NSTargetForSendAction function will return nil, and the action is never
sent.

If we don't set the NSFontManager target (leaving it as nil), the function
will skip the worksWhenModal check, and fall back to resolving the target
via the responder chain, which includes taking the NSPanel's delegate
into account:

  #0 -[NSWindow delegate] ()
  #1 -[NSWindow(NSEventRouting) supplementalTargetForAction:sender:] ()
  #2 _objectFromResponderChainWhichRespondsToAction ()
  #3 _NSTargetForSendAction ()
  #4 -[NSApplication(NSResponder) sendAction:to:from:] ()
  #5 -[NSFontManager sendAction] ()
  ...

Since we want to end up in the QNSFontPanelDelegate, we can rely on the
default logic to resolve the target based on the responder chain. But in
case _NSTargetForSendAction will at some point also check the resolved
target for worksWhenModal, we also implement the worksWhenModal method,
to be on the safe side.

Fixes: QTBUG-69878
Change-Id: Ie739d016fe0efd17b3d8a99cc1fb1ace81807aff
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
qtprojectorg pushed a commit that referenced this pull request Oct 5, 2018
image/qppmhandler.cpp:77:25: runtime error: signed integer overflow: 10 * 300000000 cannot be represented in type 'int'
    #0 0x4cecb5 in read_pbm_int(QIODevice*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:77:25
    #1 0x4cb1ac in read_pbm_body(QIODevice*, char, int, int, int, QImage*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:271:29
    #2 0x4ca3d8 in QPpmHandler::read(QImage*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:509:10
    #3 0x4b238d in QImageReader::read(QImage*) /src/qt/qtbase/src/gui/image/qimagereader.cpp:1253:22
    #4 0x4b1b61 in QImageReader::read() /src/qt/qtbase/src/gui/image/qimagereader.cpp:1201:12
    #5 0x486f66 in QImage::fromData(unsigned char const*, int, char const*) /src/qt/qtbase/src/gui/image/qimage.cpp:3624:37
    #6 0x486cd8 in QImage::loadFromData(unsigned char const*, int, char const*) /src/qt/qtbase/src/gui/image/qimage.cpp:3590:13
    #7 0x434b2e in LLVMFuzzerTestOneInput /src/qimage_fuzzer.cc:28:7
    #8 0x44b167 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
    #9 0x44a535 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:479:3
    #10 0x44c428 in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:707:19
    #11 0x44d1b5 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:838:5
    #12 0x440a29 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6
    #13 0x434bf8 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #14 0x7fba939a082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x409bb8 in _start (/out/qimage_fuzzer+0x409bb8)

Change-Id: I9ad78afc4ea9c5c8b7530aa17013abe91202e84b
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
qtprojectorg pushed a commit that referenced this pull request Oct 5, 2018
image/qppmhandler.cpp:260:53: runtime error: signed integer overflow: 44444444 * 255 cannot be represented in type 'int'
    #0 0x4cbc8a in read_pbm_body(QIODevice*, char, int, int, int, QImage*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:260:53
    #1 0x4ca3d8 in QPpmHandler::read(QImage*) /src/qt/qtbase/src/gui/image/qppmhandler.cpp:514:10
    #2 0x4b238d in QImageReader::read(QImage*) /src/qt/qtbase/src/gui/image/qimagereader.cpp:1253:22
    #3 0x4b1b61 in QImageReader::read() /src/qt/qtbase/src/gui/image/qimagereader.cpp:1201:12
    #4 0x486f66 in QImage::fromData(unsigned char const*, int, char const*) /src/qt/qtbase/src/gui/image/qimage.cpp:3624:37
    #5 0x486cd8 in QImage::loadFromData(unsigned char const*, int, char const*) /src/qt/qtbase/src/gui/image/qimage.cpp:3590:13
    #6 0x434b2e in LLVMFuzzerTestOneInput /src/qimage_fuzzer.cc:28:7
    #7 0x44b167 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
    #8 0x44a535 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:479:3
    #9 0x44c428 in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:707:19
    #10 0x44d1b5 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:838:5
    #11 0x440a29 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6
    #12 0x434bf8 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #13 0x7fe01697282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x409bb8 in _start (/out/qimage_fuzzer+0x409bb8)

Change-Id: Ibc5df6db52639f12319910b927f6443d927206d8
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
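The three qppmhandler.cpp reports above (65535 * 65535 in scale_pbm_color, 10 * 300000000 in read_pbm_int, 44444444 * 255 in read_pbm_body) are all signed-int overflow on header-controlled values. The following is an added example, not Qt's code: overflow-safe analogues of those three spots, with constructed PPM headers as input and no external dependencies.

```cpp
#include <cctype>
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstring>

// read_pbm_int() analogue: parse an unsigned decimal header field. Instead of
// letting "10 * val + digit" overflow (UB, as with 10 * 300000000), refuse
// the value. Returns -1 on overflow or if no digits were found. Skips
// leading whitespace; '#' comments are not handled here.
int read_ppm_int(const unsigned char *buf, size_t len, size_t *pos)
{
    int val = 0;
    int digits = 0;
    while (*pos < len && std::isspace(buf[*pos]))
        ++*pos;
    while (*pos < len && std::isdigit(buf[*pos])) {
        int d = buf[*pos] - '0';
        // 10 * val + d <= INT_MAX  <=>  val <= (INT_MAX - d) / 10
        if (val > (INT_MAX - d) / 10)
            return -1;
        val = 10 * val + d;
        ++digits;
        ++*pos;
    }
    return digits ? val : -1;
}

// Convenience wrapper for a NUL-terminated field.
int parse_int_text(const char *text)
{
    size_t pos = 0;
    return read_ppm_int(reinterpret_cast<const unsigned char *>(text),
                        std::strlen(text), &pos);
}

// Header: magic (P3/P6), width, height, maxval. Returns 0 on success, -1 on
// a malformed or overflowing field. maxval is bounded to the PPM range
// 1..65535 before it can reach any "val * 255"-style pixel arithmetic, which
// is where 44444444 * 255 overflowed.
int parse_ppm_header(const unsigned char *buf, size_t len,
                     int *w, int *h, int *maxval)
{
    if (len < 2 || buf[0] != 'P' || (buf[1] != '3' && buf[1] != '6'))
        return -1;
    size_t pos = 2;
    *w = read_ppm_int(buf, len, &pos);
    *h = read_ppm_int(buf, len, &pos);
    *maxval = read_ppm_int(buf, len, &pos);
    if (*w <= 0 || *h <= 0)
        return -1;
    if (*maxval <= 0 || *maxval > 65535)
        return -1;
    return 0;
}

int ppm_header_status(const char *text)
{
    int w, h, mv;
    return parse_ppm_header(reinterpret_cast<const unsigned char *>(text),
                            std::strlen(text), &w, &h, &mv);
}

int ppm_header_maxval(const char *text)
{
    int w, h, mv;
    if (parse_ppm_header(reinterpret_cast<const unsigned char *>(text),
                         std::strlen(text), &w, &h, &mv) != 0)
        return -1;
    return mv;
}

// scale_pbm_color() analogue for one sample: scale a value in 0..maxval to
// the 16-bit range. With int operands 65535 * 65535 overflows; with unsigned
// operands the product is at most 0xFFFE0001, which fits in 32 bits, and
// unsigned arithmetic is defined even on wrap, so UBSan has nothing to report.
unsigned scale_sample16(uint16_t maxval, uint16_t v)
{
    if (maxval == 0)
        return 0;   // a zero maxval is rejected by the header check anyway
    return (static_cast<unsigned>(v) * 0xFFFFu) / maxval;
}
```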
qtprojectorg pushed a commit that referenced this pull request Nov 9, 2018
It crashes in the render thread:

thread #7, name = 'SceneRenderingThread'
   frame #0: libsystem_kernel.dylib`__wait4_nocancel + 10
   frame #1: libsystem_c.dylib`system + 452
   frame #2: QtTest`stackTrace() + 325
   frame #3: QtTest`QTest::FatalSignalHandler::signal(int) + 207
   frame #4: libsystem_platform.dylib`_sigtramp + 26
   frame #5: libsystem_platform.dylib`_platform_bzero$VARIANT$Base + 23
   frame #6: GLRendererFloat`gldSetZero + 63
   frame #7: GLRendererFloat`gldClearDrawBuffer + 3792
   frame #8: GLRendererFloat`gldClearFramebufferData + 49
   frame #9: GLEngine`glClear_Exec + 541
   frame #10: tst_qglthreads`SceneRenderingThread::run() + 227

Task-number: QTBUG-68524
Change-Id: I6bc67cb342f77dc1a590a25af535f9bb7f0d325a
Reviewed-by: Morten Johan Sørvig <morten.sorvig@qt.io>
qtprojectorg pushed a commit that referenced this pull request Jul 14, 2020
- Remove unimplemented CT of QTabletEvent

Task-number: QTBUG-72173
Change-Id: I22f88bc2962f2cf92cf33c9cba7081c0436affe6
Reviewed-by: Shawn Rutledge <shawn.rutledge@qt.io>
qtprojectorg pushed a commit that referenced this pull request Jan 11, 2021
...encountered in the command list.

Move all, previously local, tracking variables into a struct. This
allows creating helper functions to reduce error-prone repetition in the
executeCommandBuffer() function body.

The only real change in the patch is in the handling of
Command::BufferSubData and Command::GetBufferSubData: here, instead of
calling glBindBuffer directly, use a helper function that also resets
the relevant state tracking variables. A subsequent
Command::BindVertexBuffer or BindIndexBuffer will therefore correctly
rebind the appropriate buffers.

This is particularly relevant with certain command stream patterns
exercised by some Qt Quick 3D scenes:

- A View3D renders a mesh,
- another View3D has some 2D Qt Quick content, as well as a model with
  the same mesh.

When both View3Ds use the default Offscreen render mode, the resulting
command list consists of segments along the lines of:

1. prepare resources for first View3D

2. render content for first View3D - this binds the vertex and index
   buffers for the mesh (state is tracked; all 1-4 steps are within
   the same command list, processed by a single call to
   executeCommandBuffer())

3. prepare the content for the "inline" 2D Qt Quick scene - this may
   update vertex and index buffers, that may lead to adding
   BufferSubData commands to the list (tracked state (last
   vertex/index buffer) may need invalidation/updating - and that's
   where our problem lies)

4. the second View3D's 3D content is rendered: a model with the same
   mesh as the last (Quick)3D draw call, so same vertex and index
   buffers. If #3 did not invalidate and/or update the tracked state,
   the glBindBuffer calls are (incorrectly) skipped.

Fixes: QTBUG-89780
Pick-to: 6.0
Change-Id: Icc933252f3993b8727d192e7ba4aa0f842bab51e
Reviewed-by: Andy Nichols <andy.nichols@qt.io>
qtprojectorg pushed a commit that referenced this pull request Jan 13, 2021
...encountered in the command list.

Move all, previously local, tracking variables into a struct. This
allows creating helper functions to reduce error-prone repetition in the
executeCommandBuffer() function body.

The only real change in the patch is in the handling of
Command::BufferSubData and Command::GetBufferSubData: here, instead of
calling glBindBuffer directly, use a helper function that also resets
the relevant state tracking variables. A subsequent
Command::BindVertexBuffer or BindIndexBuffer will therefore correctly
rebind the appropriate buffers.

This is particularly relevant with certain command stream patterns
exercised by some Qt Quick 3D scenes:

- A View3D renders a mesh,
- another View3D has some 2D Qt Quick content, as well as a model with
  the same mesh.

When both View3Ds use the default Offscreen render mode, the resulting
command list consists of segments along the lines of:

1. prepare resources for first View3D

2. render content for first View3D - this binds the vertex and index
   buffers for the mesh (state is tracked; all 1-4 steps are within
   the same command list, processed by a single call to
   executeCommandBuffer())

3. prepare the content for the "inline" 2D Qt Quick scene - this may
   update vertex and index buffers, that may lead to adding
   BufferSubData commands to the list (tracked state (last
   vertex/index buffer) may need invalidation/updating - and that's
   where our problem lies)

4. the second View3D's 3D content is rendered: a model with the same
   mesh as the last (Quick)3D draw call, so same vertex and index
   buffers. If #3 did not invalidate and/or update the tracked state,
   the glBindBuffer calls are (incorrectly) skipped.

Fixes: QTBUG-89780
Change-Id: Icc933252f3993b8727d192e7ba4aa0f842bab51e
Reviewed-by: Andy Nichols <andy.nichols@qt.io>
(cherry picked from commit 5f8efb2)
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Laszlo Agocs <laszlo.agocs@qt.io>
Martchus pushed a commit to Martchus/qtbase that referenced this pull request Aug 12, 2023
Says ASAN:

    Direct leak of 524 byte(s) in 1 object(s) allocated from:
    #0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
    #2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
    #3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
    #4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
    #5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
    #6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
    #7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
    #8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
    #9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
    [...]

The pointer returned in the out-parameter of an i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).

¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.

Amends 2cf63c7.

[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.

Pick-to: 6.6 6.5 6.2 5.15
Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
(cherry picked from commit 676087e)
qtprojectorg pushed a commit that referenced this pull request Sep 6, 2023
This reverts commit f20adcd. The
implementation had the right idea, but this is not expected to work
reliably in C++. It's jumping out of several frames without cleaning
them out properly and our ASan-based memory leak-checker has started
complaining (the next commit will move this test elsewhere).

   ==19313==ERROR: LeakSanitizer: detected memory leaks

 Direct leak of 258 byte(s) in 1 object(s) allocated from:
       #0 0x7ffa505c8e48 in __interceptor_malloc (/usr/lib64/libasan.so.5+0x109e48)
       #1 0x7ffa4f2d7ff9  (/home/qt/work/install/lib/libQt6Core.so.6+0x896ff9)
       #2 0x7ffa4f2d834d in QArrayData::allocate(QArrayData**, long long, long long, long long, QArrayData::AllocationOption) (/home/qt/work/install/lib/libQt6Core.so.6+0x89734d)
       #3 0x7ffa4f23b700  (/home/qt/work/install/lib/libQt6Core.so.6+0x7fa700)
       #4 0x7ffa4f1f6cc8 in QString::reallocData(long long, QArrayData::AllocationOption) (/home/qt/work/install/lib/libQt6Core.so.6+0x7b5cc8)
       #5 0x7ffa4f1f68a7 in QString::resize(long long) (/home/qt/work/install/lib/libQt6Core.so.6+0x7b58a7)
       #6 0x7ffa4f2092ff  (/home/qt/work/install/lib/libQt6Core.so.6+0x7c82ff)
       #7 0x7ffa4f209e09 in QString::vasprintf(char const*, __va_list_tag*) (/home/qt/work/install/lib/libQt6Core.so.6+0x7c8e09)
       #8 0x7ffa4ed0d83d  (/home/qt/work/install/lib/libQt6Core.so.6+0x2cc83d)
       #9 0x7ffa4ed114a9 in QMessageLogger::fatal(char const*, ...) const (/home/qt/work/install/lib/libQt6Core.so.6+0x2d04a9)
       #10 0x5641d2604c40 in tst_Silent::messages() /home/qt/work/qt/qtbase/tests/auto/testlib/selftests/silent/tst_silent.cpp:77
       #11 0x5641d26050fb in tst_Silent::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tests/auto/testlib/selftests/silent/silent_autogen/include/tst_silent.moc:118

The restoration of the signal handler (which QtTest now has) is also
wrong: this needed to use sigaction() instead.

Change-Id: Ifa1111900d6945ea8e05fffd177f14fbc09a1d7d
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Martchus pushed a commit to Martchus/qtbase that referenced this pull request Oct 8, 2023
Martchus pushed a commit to Martchus/qtbase that referenced this pull request Jan 7, 2024
Says ASAN:

    Direct leak of 524 byte(s) in 1 object(s) allocated from:
    #0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
    #2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
    #3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
    #4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
    #5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
    #6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
    #7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
    #8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
    #9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
    [...]

The pointer returned in the out-parameter of an i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).

¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.

Amends 2cf63c7.

[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.

Pick-to: 6.6 6.5 6.2 5.15
Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
(cherry picked from commit 676087e)
Martchus pushed a commit to Martchus/qtbase that referenced this pull request Mar 15, 2024
Says ASAN:

    Direct leak of 524 byte(s) in 1 object(s) allocated from:
    #0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
    #2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
    #3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
    #4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
    #5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
    #6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
    #7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
    #8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
    #9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
    [...]

The pointer returned in the out-parameter of an i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).

¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.

Amends 2cf63c7.

[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.

Pick-to: 6.6 6.5 6.2 5.15
Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
(cherry picked from commit 676087e)
Martchus pushed a commit to Martchus/qtbase that referenced this pull request May 28, 2024
Says ASAN:

    Direct leak of 524 byte(s) in 1 object(s) allocated from:
    #0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
    #2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
    #3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
    #4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
    #5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
    #6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
    #7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
    #8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
    #9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
    [...]

The pointer returned in the out-parameter of an i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).

¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.

Amends 2cf63c7.

[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.

Pick-to: 6.6 6.5 6.2 5.15
Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
(cherry picked from commit 676087e)
qtprojectorg pushed a commit that referenced this pull request Jun 9, 2024
Amends e524724.

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f73b50fc1d8 in operator new(unsigned long) (/lib64/libasan.so.8+0xfc1d8) (BuildId: 1827a4c72065a9f25ba519b25166029eebbf519f)
    #1 0x7f73b4cc18d4 in std::__detail::_MakeUniq<QSignalSpyPrivate>::__single_object std::make_unique<QSignalSpyPrivate, QSignalSpy*>(QSignalSpy*&&) /usr/include/c++/13/bits/unique_ptr.h:1070
    #2 0x7f73b4cbf0a4 in QSignalSpy::QSignalSpy(QSignalSpy::ObjectSignal) src/testlib/qsignalspy.cpp:259
    #3 0x55c0e313cd7d in QSignalSpy::QSignalSpy<void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)>(QtPrivate::FunctionPointer<void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)>::Object const*, void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)) (build/tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel+0x83d7d) (BuildId: b2e416794e25fdb925a191cc4a5efe3cb04efb0e)
    #4 0x55c0e30eccac in tst_QFileSystemModel::prepareTestModelRoot(QFileSystemModel*, QString const&, QSignalSpy**, QSignalSpy**) tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel.cpp:392
    #5 0x55c0e30edacf in tst_QFileSystemModel::rowCount() tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel.cpp:420

Pick-to: 6.8 6.7 6.5 6.2
Change-Id: Ia085f9235f3bec252290f4fbe5ea0958f91a5e5a
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
qtprojectorg pushed a commit that referenced this pull request Jun 9, 2024
Amends e524724.

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f73b50fc1d8 in operator new(unsigned long) (/lib64/libasan.so.8+0xfc1d8) (BuildId: 1827a4c72065a9f25ba519b25166029eebbf519f)
    #1 0x7f73b4cc18d4 in std::__detail::_MakeUniq<QSignalSpyPrivate>::__single_object std::make_unique<QSignalSpyPrivate, QSignalSpy*>(QSignalSpy*&&) /usr/include/c++/13/bits/unique_ptr.h:1070
    #2 0x7f73b4cbf0a4 in QSignalSpy::QSignalSpy(QSignalSpy::ObjectSignal) src/testlib/qsignalspy.cpp:259
    #3 0x55c0e313cd7d in QSignalSpy::QSignalSpy<void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)>(QtPrivate::FunctionPointer<void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)>::Object const*, void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)) (build/tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel+0x83d7d) (BuildId: b2e416794e25fdb925a191cc4a5efe3cb04efb0e)
    #4 0x55c0e30eccac in tst_QFileSystemModel::prepareTestModelRoot(QFileSystemModel*, QString const&, QSignalSpy**, QSignalSpy**) tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel.cpp:392
    #5 0x55c0e30edacf in tst_QFileSystemModel::rowCount() tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel.cpp:420

Pick-to: 6.7 6.5 6.2
Change-Id: Ia085f9235f3bec252290f4fbe5ea0958f91a5e5a
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 5686af2)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
qtprojectorg pushed a commit that referenced this pull request Jun 10, 2024
Amends e524724.

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f73b50fc1d8 in operator new(unsigned long) (/lib64/libasan.so.8+0xfc1d8) (BuildId: 1827a4c72065a9f25ba519b25166029eebbf519f)
    #1 0x7f73b4cc18d4 in std::__detail::_MakeUniq<QSignalSpyPrivate>::__single_object std::make_unique<QSignalSpyPrivate, QSignalSpy*>(QSignalSpy*&&) /usr/include/c++/13/bits/unique_ptr.h:1070
    #2 0x7f73b4cbf0a4 in QSignalSpy::QSignalSpy(QSignalSpy::ObjectSignal) src/testlib/qsignalspy.cpp:259
    #3 0x55c0e313cd7d in QSignalSpy::QSignalSpy<void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)>(QtPrivate::FunctionPointer<void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)>::Object const*, void (QAbstractItemModel::*)(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal)) (build/tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel+0x83d7d) (BuildId: b2e416794e25fdb925a191cc4a5efe3cb04efb0e)
    #4 0x55c0e30eccac in tst_QFileSystemModel::prepareTestModelRoot(QFileSystemModel*, QString const&, QSignalSpy**, QSignalSpy**) tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel.cpp:392
    #5 0x55c0e30edacf in tst_QFileSystemModel::rowCount() tests/auto/gui/itemmodels/qfilesystemmodel/tst_qfilesystemmodel.cpp:420

Pick-to: 6.5 6.2
Change-Id: Ia085f9235f3bec252290f4fbe5ea0958f91a5e5a
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 5686af2)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit 741c1d0)
qtprojectorg pushed a commit that referenced this pull request Aug 30, 2024
Says ASAN:

    Direct leak of 524 byte(s) in 1 object(s) allocated from:
    #0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
    #2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
    #3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
    #4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
    #5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
    #6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
    #7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
    #8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
    #9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
    [...]

The pointer returned in the out-parameter of an i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).

¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.

Amends 2cf63c7.

[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.

Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
(cherry picked from commit 676087e)
qtprojectorg pushed a commit that referenced this pull request Oct 9, 2024
Says ASAN:

    Direct leak of 524 byte(s) in 1 object(s) allocated from:
    #0 0x7f708f0a67cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f707d94bf9e in CRYPTO_malloc crypto/mem.c:196
    #2 0x7f707d7bd248 in asn1_item_flags_i2d crypto/asn1/tasn_enc.c:65
    #3 0x7f707d7bd1b7 in ASN1_item_i2d crypto/asn1/tasn_enc.c:45
    #4 0x7f707d85b7be in i2d_DHparams crypto/dh/dh_asn1.c:54
    #5 0x7f7075a82223 in q_i2d_DHparams(dh_st*, unsigned char**) qsslsocket_openssl_symbols.cpp:435
    #6 0x7f7075a82223 in QTlsBackendOpenSSL::dhParametersFromPem(QByteArray const&, QByteArray*) const qssldiffiehellmanparameters_openssl.cpp:139
    #7 0x7f708ca9b588 in QSslDiffieHellmanParametersPrivate::initFromPem(QByteArray const&) qssldiffiehellmanparameters.cpp:285
    #8 0x7f708ca9b588 in QSslDiffieHellmanParameters::fromEncoded(QByteArray const&, QSsl::EncodingFormat) qssldiffiehellmanparameters.cpp:94
    #9 0x55fd8a545ebe in tst_QSslDiffieHellmanParameters::constructionPEM() tst_qssldiffiehellmanparameters.cpp:98
    [...]

The pointer returned in the out-parameter of an i2d_DHparams() call is
supposed to be OPENSSL_free()ed by the user (this is not at all
obvious from the docs¹, but an SO answer² indicates that's how it
should be (as well as asan stopping from complaining with this
patch applied)).

¹ https://www.openssl.org/docs/man3.1/man3/i2d_DHparams.html
² https://stackoverflow.com/a/53563669.

Amends 2cf63c7.

[ChangeLog][QtNetwork][SSL] Fixed a memory leak in parsing of
PEM-encoded Diffie-Hellman parameters.

Change-Id: I9ed4a26c4676db1c0d54a1945a4fb5014ce568cd
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
(cherry picked from commit 676087e)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
qtprojectorg pushed a commit that referenced this pull request Nov 13, 2024
Commit 1ed0dd8 ("QThread/Unix: make
QThreadPrivate::finish() be called much later") introduced this problem.
Commit 4fabde3 split the thread
termination in two phases, but did not fix this.

This re-applies commit 950b35c ("Clear
the current thread data for the main thread"), which was reverted in
commit 7dc6222 ("Make sure QThreadData
and QAdoptedThread object is destroyed at app exit"), both from Qt 5.1.

Between Qt 5.1 and 6.7, the responsibility of clearing the
QAdoptedThread for the main thread was split: it could occur either in
~QCoreApplicationData if exit() was called in that thread or in
~QThreadData() if it wasn't (e.g., when the Qt "main thread" is not
main()'s thread):
  * frame #0: 0x0000000101db8a28 QtCore`QAdoptedThread::~QAdoptedThread(this=0x000060000176c070) at qthread.cpp:139:1
    frame #1: 0x0000000101db81eb QtCore`QThreadData::~QThreadData(this=0x0000600002468000) at qthread.cpp:82:5
    frame #2: 0x0000000101db8379 QtCore`QThreadData::~QThreadData(this=0x0000600002468000) at qthread.cpp:57:1
    frame #3: 0x0000000101db841c QtCore`QThreadData::deref(this=0x0000600002468000) at qthread.cpp:108:9
    frame #4: 0x0000000101f4ec79 QtCore`destroy_current_thread_data(p=0x0000600002468000) at qthread_unix.cpp:104:11

This commit centralizes and gives ~QThreadData() the exclusive
responsibility.  That requires not resetting QThreadData::threadId so
~QThreadData can know it is theMainThread.

Fixes: QTBUG-130895
Task-number: QTBUG-129927
Task-number: QTBUG-129846
Task-number: QTBUG-130341
Task-number: QTBUG-117996
Pick-to: 6.8
Change-Id: Ie3f3cbdc5523837b505cfffd95fba5e6498b5069
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
qtprojectorg pushed a commit that referenced this pull request Nov 15, 2024
Commit 1ed0dd8 ("QThread/Unix: make
QThreadPrivate::finish() be called much later") introduced this problem.
Commit 4fabde3 split the thread
termination in two phases, but did not fix this.

This re-applies commit 950b35c ("Clear
the current thread data for the main thread"), which was reverted in
commit 7dc6222 ("Make sure QThreadData
and QAdoptedThread object is destroyed at app exit"), both from Qt 5.1.

Between Qt 5.1 and 6.7, the responsibility of clearing the
QAdoptedThread for the main thread was split: it could occur either in
~QCoreApplicationData if exit() was called in that thread or in
~QThreadData() if it wasn't (e.g., when the Qt "main thread" is not
main()'s thread):
  * frame #0: 0x0000000101db8a28 QtCore`QAdoptedThread::~QAdoptedThread(this=0x000060000176c070) at qthread.cpp:139:1
    frame #1: 0x0000000101db81eb QtCore`QThreadData::~QThreadData(this=0x0000600002468000) at qthread.cpp:82:5
    frame #2: 0x0000000101db8379 QtCore`QThreadData::~QThreadData(this=0x0000600002468000) at qthread.cpp:57:1
    frame #3: 0x0000000101db841c QtCore`QThreadData::deref(this=0x0000600002468000) at qthread.cpp:108:9
    frame #4: 0x0000000101f4ec79 QtCore`destroy_current_thread_data(p=0x0000600002468000) at qthread_unix.cpp:104:11

This commit centralizes and gives ~QThreadData() the exclusive
responsibility.  That requires not resetting QThreadData::threadId so
~QThreadData can know it is theMainThread.

Fixes: QTBUG-130895
Task-number: QTBUG-129927
Task-number: QTBUG-129846
Task-number: QTBUG-130341
Task-number: QTBUG-117996
Change-Id: Ie3f3cbdc5523837b505cfffd95fba5e6498b5069
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
(cherry picked from commit 65093a8)
qtprojectorg pushed a commit that referenced this pull request Mar 25, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QMessageBox is UB.

Says UBSan:

  qmessagebox.cpp:182:5: runtime error: downcast of address 0x7ffdccfbda00 which does not point to an object of type 'QMessageBox'
  0x7ffdccfbda00: note: object is of type 'QDialog'
   88 7f 00 00  30 94 4a 73 88 7f 00 00  80 8c 00 00 90 61 00 00  08 96 4a 73 88 7f 00 00  00 00 fb cc
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x7f8870f9a8a3 in QMessageBoxPrivate::q_func() qmessagebox.cpp:182
    #1 0x7f8870f9a8a3 in QMessageBoxPrivate::setVisible(bool) qmessagebox.cpp:1660
    #2 0x7f8870c6b3b5 in QDialog::setVisible(bool) qdialog.cpp:757
    #3 0x7f886e4ad4b8 in QWidget::hide() qwidget.cpp:8179
    #4 0x7f8870c6abc9 in QDialog::~QDialog() qdialog.cpp:398

Fix by casting to QMessageBox only on show(), not hide(), and
otherwise cast at most to QDialog* (QWidget* actually suffices).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.9 6.8 6.5
Change-Id: Ia163483c1998924a0d9c9fd589311af24a93d1fe
Reviewed-by: Axel Spoerl <axel.spoerl@qt.io>
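The bug pattern in the commit above (a private class downcasting q_ptr while the base destructor is already running) and its fix can be shown with a scaled-down d-pointer/q-pointer pair. This is an added example, not Qt's code; Dialog, MessageBox, DialogPrivate, MessageBoxPrivate and runScenario are constructed names standing in for QDialog, QMessageBox and their private classes.

```cpp
// Added example, not Qt's code. Reproduces the shape of the UBSan finding:
// ~Dialog() calls hide(), which reaches the derived private class while the
// MessageBox subobject has already been destroyed. Build the original bug
// with -fsanitize=undefined to get the "downcast of address ... which does
// not point to an object of type" report quoted in the commit message.
#include <string>

class DialogPrivate;

// Counters and last-seen values the test reads back after destruction.
static int g_derivedCastsDuringShow = 0;
static int g_baseCastsDuringHide = 0;
static std::string g_lastText, g_lastTitle;

class Dialog {
public:
    explicit Dialog(DialogPrivate *d);
    virtual ~Dialog();                       // same shape as QDialog::~QDialog(): it hides first
    void show() { setVisible(true); }
    void hide() { setVisible(false); }
    virtual void setVisible(bool v);
    std::string windowTitle() const { return title; }
    std::string title = "dialog";
protected:
    DialogPrivate *d_ptr;
};

class DialogPrivate {
public:
    virtual ~DialogPrivate() = default;
    // Reached for both show() and hide(); hide() may come from ~Dialog().
    virtual void setVisible(bool v) { visible = v; }
    Dialog *q_ptr = nullptr;                 // set by Dialog, like QObject does for q_ptr
    bool visible = false;
};

Dialog::Dialog(DialogPrivate *d) : d_ptr(d) { d_ptr->q_ptr = this; }
Dialog::~Dialog() { hide(); delete d_ptr; }
void Dialog::setVisible(bool v) { d_ptr->setVisible(v); }

class MessageBox : public Dialog {
public:
    MessageBox();
    ~MessageBox() override = default;        // MessageBox members die here, then ~Dialog() runs hide()
    std::string text = "hello";
};

class MessageBoxPrivate : public DialogPrivate {
public:
    void setVisible(bool visible) override
    {
        // BUGGY version (what UBSan flagged), kept only as a comment:
        //   MessageBox *q = static_cast<MessageBox *>(q_ptr);   // unconditional
        // When hide() arrives from ~Dialog(), no MessageBox exists at q_ptr any
        // more, so that cast and any use of q->text is undefined behaviour.
        if (visible) {
            // show() never runs during destruction, so the full object exists here.
            MessageBox *q = static_cast<MessageBox *>(q_ptr);
            ++g_derivedCastsDuringShow;
            g_lastText = q->text;
        } else {
            // FIXED: on hide(), cast at most to the base that is still alive.
            Dialog *q = q_ptr;
            ++g_baseCastsDuringHide;
            g_lastTitle = q->windowTitle();
        }
        DialogPrivate::setVisible(visible);
    }
};

MessageBox::MessageBox() : Dialog(new MessageBoxPrivate) {}

struct Outcome { int showCasts; int hideCasts; std::string lastText; std::string lastTitle; };

// Shows a MessageBox and lets it go out of scope, so hide() runs from ~Dialog().
static Outcome runScenario()
{
    g_derivedCastsDuringShow = g_baseCastsDuringHide = 0;
    g_lastText.clear();
    g_lastTitle.clear();
    {
        MessageBox box;
        box.show();
    }   // ~MessageBox() -> ~Dialog() -> hide() -> MessageBoxPrivate::setVisible(false)
    return Outcome{g_derivedCastsDuringShow, g_baseCastsDuringHide, g_lastText, g_lastTitle};
}
```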
qtprojectorg pushed a commit that referenced this pull request Mar 25, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QColorDialog is UB.

Says UBSan:

  qcolordialog.cpp:72:5: runtime error: downcast of address 0x7ffd37909750 which does not point to an object of type 'QColorDialog'
  0x7ffd37909750: note: object is of type 'QDialog'
   fd 7f 00 00  30 34 6e 35 4a 7f 00 00  80 b9 00 00 90 61 00 00  08 36 6e 35 4a 7f 00 00  00 00 f2 a6
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x7f4a32e8738a in QColorDialogPrivate::q_func() qcolordialog.cpp:72
    #1 0x7f4a32e8738a in QColorDialogPrivate::setVisible(bool) qcolordialog.cpp:2154
    #2 0x7f4a32ea5675 in QDialog::setVisible(bool) qdialog.cpp:757
    #3 0x7f4a306e7768 in QWidget::hide() qwidget.cpp:8179
    #4 0x7f4a32ea4e89 in QDialog::~QDialog() qdialog.cpp:398

Fix by casting to QColorDialog only on show() (in initWidgets()), not
hide(), and otherwise cast at most to QDialog* (QWidget* would
actually have sufficed).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.9 6.8 6.5
Change-Id: I006406b6cf1012fc3c7a910abcfe14bc119a2b29
Reviewed-by: Axel Spoerl <axel.spoerl@qt.io>
qtprojectorg pushed a commit that referenced this pull request Mar 25, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QFontDialog is UB.

Says UBSan:

  qfontdialog_p.h:43:5: runtime error: downcast of address 0x604000026b90 which does not point to an object of type 'QFontDialog'
  0x604000026b90: note: object is of type 'QDialog'
   00 00 00 00  30 a4 26 31 45 7f 00 00  80 b9 00 00 90 61 00 00  08 a6 26 31 45 7f 00 00  00 00 be be
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x7f452ecad24d in QFontDialogPrivate::q_func() qfontdialog_p.h:43
    #1 0x7f452ecad24d in QFontDialogPrivate::setVisible(bool) qfontdialog.cpp:959
    #2 0x7f452ea2b5f5 in QDialog::setVisible(bool) qdialog.cpp:757
    #3 0x7f452c26d768 in QWidget::hide() qwidget.cpp:8179
    #4 0x7f452ea2ae09 in QDialog::~QDialog() qdialog.cpp:398

Fix by casting at most to QDialog* (QWidget* would actually have
sufficed).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.9 6.8 6.5
Change-Id: Ic1a63ff02b1a1435499a6980772b1b75236f31f7
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
qtprojectorg pushed a commit that referenced this pull request Mar 26, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QFileDialog is UB.

Says UBSan:

  qfiledialog_p.h:78:5: runtime error: downcast of address 0x7ffe7a8ad5a0 which does not point to an object of type 'QFileDialog'
  0x7ffe7a8ad5a0: note: object is of type 'QDialog'
   fe 7f 00 00  30 44 d8 fb d2 7f 00 00  80 b4 00 00 90 61 00 00  08 46 d8 fb d2 7f 00 00  00 00 00 00
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x7fd2f96d7587 in QFileDialogPrivate::q_func() qfiledialog_p.h:78
    #1 0x7fd2f96d7587 in QFileDialogPrivate::setVisible(bool) qfiledialog.cpp:860
    #2 0x7fd2f95465f5 in QDialog::setVisible(bool) qdialog.cpp:757
    #3 0x7fd2f6d88768 in QWidget::hide() qwidget.cpp:8179
    #4 0x7fd2f9545e09 in QDialog::~QDialog() qdialog.cpp:398

Fix by casting to QFileDialog only on show() (in createWidgets()), not
hide(), and otherwise cast at most to QDialog* (QWidget* would
actually have sufficed).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.9 6.8 6.5
Change-Id: I4e206f7c36c03e8cb8a36001beae283628960073
Reviewed-by: Axel Spoerl <axel.spoerl@qt.io>
qtprojectorg pushed a commit that referenced this pull request Mar 26, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QMessageBox is UB.

Says UBSan:

  qmessagebox.cpp:182:5: runtime error: downcast of address 0x7ffdccfbda00 which does not point to an object of type 'QMessageBox'
  0x7ffdccfbda00: note: object is of type 'QDialog'
   88 7f 00 00  30 94 4a 73 88 7f 00 00  80 8c 00 00 90 61 00 00  08 96 4a 73 88 7f 00 00  00 00 fb cc
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x7f8870f9a8a3 in QMessageBoxPrivate::q_func() qmessagebox.cpp:182
    #1 0x7f8870f9a8a3 in QMessageBoxPrivate::setVisible(bool) qmessagebox.cpp:1660
    #2 0x7f8870c6b3b5 in QDialog::setVisible(bool) qdialog.cpp:757
    #3 0x7f886e4ad4b8 in QWidget::hide() qwidget.cpp:8179
    #4 0x7f8870c6abc9 in QDialog::~QDialog() qdialog.cpp:398

Fix by casting to QMessageBox only on show(), not hide(), and
otherwise cast at most to QDialog* (QWidget* actually suffices).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.8 6.5
Change-Id: Ia163483c1998924a0d9c9fd589311af24a93d1fe
Reviewed-by: Axel Spoerl <axel.spoerl@qt.io>
(cherry picked from commit 8b4900b)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
qtprojectorg pushed a commit that referenced this pull request Mar 26, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QColorDialog is UB.

Says UBSan:

  qcolordialog.cpp:72:5: runtime error: downcast of address 0x7ffd37909750 which does not point to an object of type 'QColorDialog'
  0x7ffd37909750: note: object is of type 'QDialog'
   fd 7f 00 00  30 34 6e 35 4a 7f 00 00  80 b9 00 00 90 61 00 00  08 36 6e 35 4a 7f 00 00  00 00 f2 a6
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x7f4a32e8738a in QColorDialogPrivate::q_func() qcolordialog.cpp:72
    #1 0x7f4a32e8738a in QColorDialogPrivate::setVisible(bool) qcolordialog.cpp:2154
    #2 0x7f4a32ea5675 in QDialog::setVisible(bool) qdialog.cpp:757
    #3 0x7f4a306e7768 in QWidget::hide() qwidget.cpp:8179
    #4 0x7f4a32ea4e89 in QDialog::~QDialog() qdialog.cpp:398

Fix by casting to QColorDialog only on show() (in initWidgets()), not
hide(), and otherwise cast at most to QDialog* (QWidget* would
actually have sufficed).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.8 6.5
Change-Id: I006406b6cf1012fc3c7a910abcfe14bc119a2b29
Reviewed-by: Axel Spoerl <axel.spoerl@qt.io>
(cherry picked from commit 0be1ca0)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
qtprojectorg pushed a commit that referenced this pull request Mar 26, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QFontDialog is UB.

Says UBSan:

  qfontdialog_p.h:43:5: runtime error: downcast of address 0x604000026b90 which does not point to an object of type 'QFontDialog'
  0x604000026b90: note: object is of type 'QDialog'
   00 00 00 00  30 a4 26 31 45 7f 00 00  80 b9 00 00 90 61 00 00  08 a6 26 31 45 7f 00 00  00 00 be be
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x7f452ecad24d in QFontDialogPrivate::q_func() qfontdialog_p.h:43
    #1 0x7f452ecad24d in QFontDialogPrivate::setVisible(bool) qfontdialog.cpp:959
    #2 0x7f452ea2b5f5 in QDialog::setVisible(bool) qdialog.cpp:757
    #3 0x7f452c26d768 in QWidget::hide() qwidget.cpp:8179
    #4 0x7f452ea2ae09 in QDialog::~QDialog() qdialog.cpp:398

Fix by casting at most to QDialog* (QWidget* would actually have
sufficed).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.8 6.5
Change-Id: Ic1a63ff02b1a1435499a6980772b1b75236f31f7
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 41480db)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
qtprojectorg pushed a commit that referenced this pull request Mar 26, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QFileDialog is UB.

Says UBSan:

  qfiledialog_p.h:78:5: runtime error: downcast of address 0x7ffe7a8ad5a0 which does not point to an object of type 'QFileDialog'
  0x7ffe7a8ad5a0: note: object is of type 'QDialog'
   fe 7f 00 00  30 44 d8 fb d2 7f 00 00  80 b4 00 00 90 61 00 00  08 46 d8 fb d2 7f 00 00  00 00 00 00
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x7fd2f96d7587 in QFileDialogPrivate::q_func() qfiledialog_p.h:78
    #1 0x7fd2f96d7587 in QFileDialogPrivate::setVisible(bool) qfiledialog.cpp:860
    #2 0x7fd2f95465f5 in QDialog::setVisible(bool) qdialog.cpp:757
    #3 0x7fd2f6d88768 in QWidget::hide() qwidget.cpp:8179
    #4 0x7fd2f9545e09 in QDialog::~QDialog() qdialog.cpp:398

Fix by casting to QFileDialog only on show() (in createWidgets()), not
hide(), and otherwise cast at most to QDialog* (QWidget* would
actually have sufficed).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.8 6.5
Change-Id: I4e206f7c36c03e8cb8a36001beae283628960073
Reviewed-by: Axel Spoerl <axel.spoerl@qt.io>
(cherry picked from commit a6743bd)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
qtprojectorg pushed a commit that referenced this pull request Mar 26, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QMessageBox is UB.

Says UBSan:

  qmessagebox.cpp:182:5: runtime error: downcast of address 0x7ffdccfbda00 which does not point to an object of type 'QMessageBox'
  0x7ffdccfbda00: note: object is of type 'QDialog'
   88 7f 00 00  30 94 4a 73 88 7f 00 00  80 8c 00 00 90 61 00 00  08 96 4a 73 88 7f 00 00  00 00 fb cc
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x7f8870f9a8a3 in QMessageBoxPrivate::q_func() qmessagebox.cpp:182
    #1 0x7f8870f9a8a3 in QMessageBoxPrivate::setVisible(bool) qmessagebox.cpp:1660
    #2 0x7f8870c6b3b5 in QDialog::setVisible(bool) qdialog.cpp:757
    #3 0x7f886e4ad4b8 in QWidget::hide() qwidget.cpp:8179
    #4 0x7f8870c6abc9 in QDialog::~QDialog() qdialog.cpp:398

Fix by casting to QMessageBox only on show(), not hide(), and
otherwise cast at most to QDialog* (QWidget* actually suffices).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.5
Change-Id: Ia163483c1998924a0d9c9fd589311af24a93d1fe
Reviewed-by: Axel Spoerl <axel.spoerl@qt.io>
(cherry picked from commit 8b4900b)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit f988f8f)
qtprojectorg pushed a commit that referenced this pull request Mar 26, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QColorDialog is UB.

Says UBSan:

  qcolordialog.cpp:72:5: runtime error: downcast of address 0x7ffd37909750 which does not point to an object of type 'QColorDialog'
  0x7ffd37909750: note: object is of type 'QDialog'
   fd 7f 00 00  30 34 6e 35 4a 7f 00 00  80 b9 00 00 90 61 00 00  08 36 6e 35 4a 7f 00 00  00 00 f2 a6
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x7f4a32e8738a in QColorDialogPrivate::q_func() qcolordialog.cpp:72
    #1 0x7f4a32e8738a in QColorDialogPrivate::setVisible(bool) qcolordialog.cpp:2154
    #2 0x7f4a32ea5675 in QDialog::setVisible(bool) qdialog.cpp:757
    #3 0x7f4a306e7768 in QWidget::hide() qwidget.cpp:8179
    #4 0x7f4a32ea4e89 in QDialog::~QDialog() qdialog.cpp:398

Fix by casting to QColorDialog only on show() (in initWidgets()), not
hide(), and otherwise cast at most to QDialog* (QWidget* would
actually have sufficed).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.5
Change-Id: I006406b6cf1012fc3c7a910abcfe14bc119a2b29
Reviewed-by: Axel Spoerl <axel.spoerl@qt.io>
(cherry picked from commit 0be1ca0)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit c50d67e)
qtprojectorg pushed a commit that referenced this pull request Mar 26, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QFontDialog is UB.

Says UBSan:

  qfontdialog_p.h:43:5: runtime error: downcast of address 0x604000026b90 which does not point to an object of type 'QFontDialog'
  0x604000026b90: note: object is of type 'QDialog'
   00 00 00 00  30 a4 26 31 45 7f 00 00  80 b9 00 00 90 61 00 00  08 a6 26 31 45 7f 00 00  00 00 be be
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x7f452ecad24d in QFontDialogPrivate::q_func() qfontdialog_p.h:43
    #1 0x7f452ecad24d in QFontDialogPrivate::setVisible(bool) qfontdialog.cpp:959
    #2 0x7f452ea2b5f5 in QDialog::setVisible(bool) qdialog.cpp:757
    #3 0x7f452c26d768 in QWidget::hide() qwidget.cpp:8179
    #4 0x7f452ea2ae09 in QDialog::~QDialog() qdialog.cpp:398

Fix by casting at most to QDialog* (QWidget* would actually have
sufficed).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.5
Change-Id: Ic1a63ff02b1a1435499a6980772b1b75236f31f7
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 41480db)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit 96aa723)
qtprojectorg pushed a commit that referenced this pull request Mar 26, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QFileDialog is UB.

Says UBSan:

  qfiledialog_p.h:78:5: runtime error: downcast of address 0x7ffe7a8ad5a0 which does not point to an object of type 'QFileDialog'
  0x7ffe7a8ad5a0: note: object is of type 'QDialog'
   fe 7f 00 00  30 44 d8 fb d2 7f 00 00  80 b4 00 00 90 61 00 00  08 46 d8 fb d2 7f 00 00  00 00 00 00
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QDialog'
    #0 0x7fd2f96d7587 in QFileDialogPrivate::q_func() qfiledialog_p.h:78
    #1 0x7fd2f96d7587 in QFileDialogPrivate::setVisible(bool) qfiledialog.cpp:860
    #2 0x7fd2f95465f5 in QDialog::setVisible(bool) qdialog.cpp:757
    #3 0x7fd2f6d88768 in QWidget::hide() qwidget.cpp:8179
    #4 0x7fd2f9545e09 in QDialog::~QDialog() qdialog.cpp:398

Fix by casting to QFileDialog only on show() (in createWidgets()), not
hide(), and otherwise cast at most to QDialog* (QWidget* would
actually have sufficed).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.5
Change-Id: I4e206f7c36c03e8cb8a36001beae283628960073
Reviewed-by: Axel Spoerl <axel.spoerl@qt.io>
(cherry picked from commit a6743bd)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit cbc2f2a)
qtprojectorg pushed a commit that referenced this pull request Mar 28, 2025
When the test function runs off the end (or returns from a failed
QCOMPARE/QVERIFY), `activeMenu` is destroyed while it's the
QMenuBarPrivate::activeMenu, and the following focusInEvent() on the
QMenuBar causes QMenuBarPrivate::setCurrentAction() to access
`activeMenu` when it has already ceased to be a QMenu.

Says UBSan:

  qpointer.h:75:14: runtime error: downcast of address 0x7fff87934860 which does not point to an object of type 'QMenu'
  0x7fff87934860: note: object is of type 'QWidget'
   00 00 00 00  08 f1 0e be 17 7f 00 00  80 c8 00 00 90 61 00 00  b8 f2 0e be 17 7f 00 00  00 00 62 c6
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QWidget'
    #0 0x7f17baf57be5 in QPointer<QMenu>::data() const qpointer.h:75
    #1 0x7f17baf57be5 in QPointer<QMenu>::operator QMenu*() const qpointer.h:83
    #2 0x7f17baf57be5 in QMenuBarPrivate::setCurrentAction(QAction*, bool, bool) qmenubar.cpp:351
    #3 0x7f17baf5a200 in QMenuBarPrivate::focusFirstAction() qmenubar.cpp:245
    #4 0x7f17baf5b727 in QMenuBarPrivate::focusFirstAction() qmenubar.cpp:1260
    #5 0x7f17baf5b727 in QMenuBar::focusInEvent(QFocusEvent*) qmenubar.cpp:1259
    [...]
    #34 0x7f17b93373d6 in QWidget::~QWidget() qwidget.cpp:1508
    #35 0x7f17badb4658 in QMenu::~QMenu() qmenu.cpp:1789

Since I couldn't fix the problem on short notice, I created
QTBUG-135151 to track it.

For now, simply close the QMenuBar on all exits from the test
function to avoid this code path.

Task-number: QTBUG-135151
Pick-to: 6.9 6.8 6.5
Change-Id: Id8c9ee090d8bbc5ec22ce3f2ff7485766640ab43
Reviewed-by: Richard Moe Gustavsen <richard.gustavsen@qt.io>
qtprojectorg pushed a commit that referenced this pull request Mar 28, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QErrorMessage is UB.

Says UBSan:

  errormessage.cpp:33:5: runtime error: downcast of address 0x7fff5089a6e0 which does not point to an object of type 'QErrorMessage'
   0x7fff5089a6e0: note: object is of type 'QDialog'
    00 00 00 00  30 74 4e 6a 12 7f 00 00  80 aa 00 00 90 61 00 00  08 76 4e 6a 12 7f 00 00  00 00 e0 1a
                 ^~~~~~~~~~~~~~~~~~~~~~~
                 vptr for 'QDialog'
       #0 0x7f1267ce7d12 in QErrorMessagePrivate::q_func() qerrormessage.cpp:33
       #1 0x7f1267ce7d12 in QErrorMessagePrivate::setVisible(bool) qerrormessage.cpp:410
       #2 0x7f1267caaa25 in QDialog::setVisible(bool) qdialog.cpp:757
       #3 0x7f12654efb28 in QWidget::hide() qwidget.cpp:8179
       #4 0x7f1267caa239 in QDialog::~QDialog() qdialog.cpp:398
       #5 0x7f1267ce72f8 in QErrorMessage::~QErrorMessage() qerrormessage.cpp:287

Fix by casting at most to QDialog* (QWidget* would actually have
sufficed).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.9 6.8 6.5
Change-Id: I61a8692f073c2d2f379ea02fa580f7fe46691c1c
Reviewed-by: Axel Spoerl <axel.spoerl@qt.io>
qtprojectorg pushed a commit that referenced this pull request Mar 28, 2025
When the test function runs off the end (or returns from a failed
QCOMPARE/QVERIFY), `activeMenu` is destroyed while it's the
QMenuBarPrivate::activeMenu, and the following focusInEvent() on the
QMenuBar causes QMenuBarPrivate::setCurrentAction() to access
`activeMenu` when it has already ceased to be a QMenu.

Says UBSan:

  qpointer.h:75:14: runtime error: downcast of address 0x7fff87934860 which does not point to an object of type 'QMenu'
  0x7fff87934860: note: object is of type 'QWidget'
   00 00 00 00  08 f1 0e be 17 7f 00 00  80 c8 00 00 90 61 00 00  b8 f2 0e be 17 7f 00 00  00 00 62 c6
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QWidget'
    #0 0x7f17baf57be5 in QPointer<QMenu>::data() const qpointer.h:75
    #1 0x7f17baf57be5 in QPointer<QMenu>::operator QMenu*() const qpointer.h:83
    #2 0x7f17baf57be5 in QMenuBarPrivate::setCurrentAction(QAction*, bool, bool) qmenubar.cpp:351
    #3 0x7f17baf5a200 in QMenuBarPrivate::focusFirstAction() qmenubar.cpp:245
    #4 0x7f17baf5b727 in QMenuBarPrivate::focusFirstAction() qmenubar.cpp:1260
    #5 0x7f17baf5b727 in QMenuBar::focusInEvent(QFocusEvent*) qmenubar.cpp:1259
    [...]
    #34 0x7f17b93373d6 in QWidget::~QWidget() qwidget.cpp:1508
    #35 0x7f17badb4658 in QMenu::~QMenu() qmenu.cpp:1789

Since I couldn't fix the problem on short notice, I created
QTBUG-135151 to track it.

For now, simply close the QMenuBar on all exits from the test
function to avoid this code path.

Task-number: QTBUG-135151
Pick-to: 6.8 6.5
Change-Id: Id8c9ee090d8bbc5ec22ce3f2ff7485766640ab43
Reviewed-by: Richard Moe Gustavsen <richard.gustavsen@qt.io>
(cherry picked from commit 83af06b)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
qtprojectorg pushed a commit that referenced this pull request Mar 28, 2025
The function can be called from ~QDialog(), in which case a cast of
q_ptr to QErrorMessage is UB.

Says UBSan:

  errormessage.cpp:33:5: runtime error: downcast of address 0x7fff5089a6e0 which does not point to an object of type 'QErrorMessage'
   0x7fff5089a6e0: note: object is of type 'QDialog'
    00 00 00 00  30 74 4e 6a 12 7f 00 00  80 aa 00 00 90 61 00 00  08 76 4e 6a 12 7f 00 00  00 00 e0 1a
                 ^~~~~~~~~~~~~~~~~~~~~~~
                 vptr for 'QDialog'
       #0 0x7f1267ce7d12 in QErrorMessagePrivate::q_func() qerrormessage.cpp:33
       #1 0x7f1267ce7d12 in QErrorMessagePrivate::setVisible(bool) qerrormessage.cpp:410
       #2 0x7f1267caaa25 in QDialog::setVisible(bool) qdialog.cpp:757
       #3 0x7f12654efb28 in QWidget::hide() qwidget.cpp:8179
       #4 0x7f1267caa239 in QDialog::~QDialog() qdialog.cpp:398
       #5 0x7f1267ce72f8 in QErrorMessage::~QErrorMessage() qerrormessage.cpp:287

Fix by casting at most to QDialog* (QWidget* would actually have
sufficed).

Add a code comment.

Amends e0bb9e8 (I think; it might
have been present in a different form before that).

Pick-to: 6.8 6.5
Change-Id: I61a8692f073c2d2f379ea02fa580f7fe46691c1c
Reviewed-by: Axel Spoerl <axel.spoerl@qt.io>
(cherry picked from commit 0e322aa)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
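As an added example, not code from Qt or from the commits above: a miniature of the d_ptr/q_ptr layout in C++ that reproduces the call chain the four dialog commits describe (~Dialog -> hide() -> Private::setVisible(false)) and shows why the private class may downcast q_ptr on the show() path but must cast no further than Dialog* on the hide() path. All names here (Dialog, DialogPrivate, FileDialog, FileDialogPrivate, runScenario) are hypothetical stand-ins for QDialog, QDialogPrivate, QFileDialog and their private classes, and the trace vector is constructed for the demonstration.

```cpp
// Added example (not Qt's code). Hypothetical names mirror Qt's d_ptr/q_ptr
// layout: a public Dialog owns a DialogPrivate that points back at it.
#include <string>
#include <typeinfo>
#include <vector>

struct Dialog;
struct FileDialog;

struct DialogPrivate {
    Dialog *q_ptr = nullptr;                   // back-pointer to the public object
    std::vector<std::string> *trace = nullptr; // constructed: what each call observed
    virtual ~DialogPrivate() = default;
    virtual void setVisible(bool visible) = 0;
};

struct Dialog {
    DialogPrivate *d_ptr;
    bool visibleFlag = false;
    Dialog(DialogPrivate *d, std::vector<std::string> *trace) : d_ptr(d) {
        d->q_ptr = this;
        d->trace = trace;
    }
    // Mirrors QDialog::~QDialog() -> QWidget::hide(): by the time this body
    // runs, ~FileDialog has already finished, so *this is a plain Dialog.
    virtual ~Dialog() {
        hide();
        delete d_ptr;
    }
    void show() { d_ptr->setVisible(true); }
    void hide() { d_ptr->setVisible(false); }
};

struct FileDialog : Dialog {
    int widgetCount = 0;
    explicit FileDialog(std::vector<std::string> *trace);
    void createWidgets() { widgetCount = 3; } // stands in for the real widget setup
};

struct FileDialogPrivate : DialogPrivate {
    bool widgetsCreated = false;

    void setVisible(bool visible) override {
        // Probe the dynamic type. This is well-defined even during ~Dialog,
        // because the static type of *q_ptr is Dialog, the class whose
        // destructor may be running; it reports Dialog on that path.
        bool stillFileDialog = typeid(*q_ptr) == typeid(FileDialog);
        trace->push_back(std::string(visible ? "show:" : "hide:")
                         + (stillFileDialog ? "FileDialog" : "Dialog"));

        // The pattern the commits removed: an unconditional
        //   FileDialog *q = static_cast<FileDialog *>(q_ptr);
        // at the top of this function. On the ~Dialog -> hide() path that
        // downcast is UB and is what -fsanitize=vptr reports.

        if (visible) {
            // show() is only ever invoked on a live FileDialog, so the
            // downcast is valid on this path alone.
            FileDialog *q = static_cast<FileDialog *>(q_ptr);
            if (!widgetsCreated) {
                q->createWidgets();
                widgetsCreated = true;
            }
        }
        // Everything hide() needs lives in Dialog, so cast no further.
        Dialog *q = q_ptr;
        q->visibleFlag = visible;
    }
};

inline FileDialog::FileDialog(std::vector<std::string> *trace)
    : Dialog(new FileDialogPrivate, trace) {}

struct ScenarioResult {
    std::vector<std::string> trace; // one entry per setVisible() call
    int widgetsAfterShow = 0;
};

// show(), explicit hide(), then destruction; returns what the private class
// observed each time so the three cases can be compared.
inline ScenarioResult runScenario() {
    ScenarioResult r;
    {
        FileDialog dlg(&r.trace);
        dlg.show();
        r.widgetsAfterShow = dlg.widgetCount;
        dlg.hide();
    } // ~FileDialog, then ~Dialog -> hide() -> FileDialogPrivate::setVisible(false)
    return r;
}
```

The third trace entry reads "hide:Dialog": the private object is still fully alive (it is deleted at the end of ~Dialog) and its virtual setVisible() override runs, but the FileDialog part of the public object is already gone. That is exactly the situation in which the old unconditional downcast in q_func() fired, and why the fix restricts the downcast to the show() path and otherwise uses the base type. Putting the unconditional static_cast back and building with -fsanitize=undefined reproduces a "downcast of address ... does not point to an object of type" report like the ones quoted in the commit messages.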
qtprojectorg pushed a commit that referenced this pull request Mar 29, 2025
When the test function runs off the end (or returns from a failed
QCOMPARE/QVERIFY), `activeMenu` is destroyed while it's the
QMenuBarPrivate::activeMenu, and the following focusInEvent() on the
QMenuBar causes QMenuBarPrivate::setCurrentAction() to access
`activeMenu` when it has already ceased to be a QMenu.

Says UBSan:

  qpointer.h:75:14: runtime error: downcast of address 0x7fff87934860 which does not point to an object of type 'QMenu'
  0x7fff87934860: note: object is of type 'QWidget'
   00 00 00 00  08 f1 0e be 17 7f 00 00  80 c8 00 00 90 61 00 00  b8 f2 0e be 17 7f 00 00  00 00 62 c6
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QWidget'
    #0 0x7f17baf57be5 in QPointer<QMenu>::data() const qpointer.h:75
    #1 0x7f17baf57be5 in QPointer<QMenu>::operator QMenu*() const qpointer.h:83
    #2 0x7f17baf57be5 in QMenuBarPrivate::setCurrentAction(QAction*, bool, bool) qmenubar.cpp:351
    #3 0x7f17baf5a200 in QMenuBarPrivate::focusFirstAction() qmenubar.cpp:245
    #4 0x7f17baf5b727 in QMenuBarPrivate::focusFirstAction() qmenubar.cpp:1260
    #5 0x7f17baf5b727 in QMenuBar::focusInEvent(QFocusEvent*) qmenubar.cpp:1259
    [...]
    #34 0x7f17b93373d6 in QWidget::~QWidget() qwidget.cpp:1508
    #35 0x7f17badb4658 in QMenu::~QMenu() qmenu.cpp:1789

Since I couldn't fix the problem on short notice, I created
QTBUG-135151 to track it.

For now, simply close the QMenuBar on all exits from the test
function to avoid this code path.

Task-number: QTBUG-135151
Pick-to: 6.5
Change-Id: Id8c9ee090d8bbc5ec22ce3f2ff7485766640ab43
Reviewed-by: Richard Moe Gustavsen <richard.gustavsen@qt.io>
(cherry picked from commit 83af06b)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit c6ae521)