Passing nullptr as the second argument of memcpy/memmove
constitutes undefined behavior, even if the length argument
is zero at the same time.
Fix by protecting mem{cpy,move,chr} from nullptrs.
Found by UBSan:
qtbase/src/corelib/io/qiodevice_p.h:105:33: runtime error: null pointer passed as argument 2, which is declared to never be null
qtbase/src/corelib/io/qiodevice_p.h:175:53: runtime error: null pointer passed as argument 2, which is declared to never be null
Change-Id: I979158b0a74169ca4eb459928398ebc40f77dfb5
Reviewed-by: Alex Trotsenko <alex1973tr@gmail.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Passing nullptr as the 2nd argument of memcpy
constitutes undefined behavior.
Fix by protecting the block with 'if (len)',
which, presumably, is the only valid case
where 'data' may be nullptr.
Change-Id: I7647d7e0808b1f26444ea3cf8bbf5cda9ddc9e6c
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
Apparently, it is considered valid to call the function with
'data' set to nullptr, and 'len' to zero. But doing so
invokes undefined behavior because nullptr is passed to
fwrite().
Fix by protecting the loops with 'if (len)'.
Found by UBSan:
qtbase/src/corelib/io/qfsfileengine.cpp:732:84: runtime error: null pointer passed as argument 1, which is declared to never be null
Change-Id: Idfe23875c868ebb21d2164550de3304d2f01e9df
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
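Added example (not Qt code) of the guard the three messages above describe: a hypothetical fixed-capacity append buffer and a write loop that treat (data == NULL, len == 0) as a no-op, so memcpy() and fwrite() are never handed a null pointer. Names are assumptions, not Qt's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-capacity buffer; not Qt's QIODevice buffer. */
typedef struct {
    char buf[64];
    size_t size;
} AppendBuf;

/* Append len bytes from data. (data == NULL, len == 0) is a no-op: without
 * the early return, memcpy(dst, NULL, 0) is undefined behaviour even though
 * no bytes would move. Returns 0 on success, -1 for NULL data with len > 0
 * or when the buffer is full. */
int appendbuf_append(AppendBuf *b, const char *data, size_t len)
{
    if (len == 0)
        return 0;                /* nothing to copy, memcpy never reached */
    if (data == NULL || len > sizeof b->buf - b->size)
        return -1;               /* NULL with len > 0 is a caller bug */
    memcpy(b->buf + b->size, data, len);   /* data is non-NULL here */
    b->size += len;
    return 0;
}

/* Write loop in the shape of the fwrite() fix: the whole loop sits under
 * `if (len)`, so fwrite() never sees a NULL buffer. Returns bytes written. */
size_t write_all(FILE *fp, const char *data, size_t len)
{
    size_t done = 0;
    if (len) {
        while (done < len) {
            size_t n = fwrite(data + done, 1, len - done, fp);
            if (n == 0)
                break;           /* write error: stop instead of spinning */
            done += n;
        }
    }
    return done;
}

/* Runs both helpers through the NULL/0 case and a normal append.
 * Returns the final buffer size (5), or -1 if anything misbehaves. */
int appendbuf_demo(void)
{
    AppendBuf b = { {0}, 0 };
    int rc = -1;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    if (appendbuf_append(&b, NULL, 0) == 0        /* accepted as a no-op */
        && appendbuf_append(&b, NULL, 3) == -1    /* rejected */
        && appendbuf_append(&b, "hello", 5) == 0
        && write_all(fp, NULL, 0) == 0
        && write_all(fp, b.buf, b.size) == 5)
        rc = (int)b.size;
    fclose(fp);
    return rc;
}
```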
'currentType' was not sanitized before being used as a shift.
Fix by checking for a valid shift amount before shifting.
Also change the shifted value from 1 (int) to 1U (uint).
It's just the right thing to do.
Found by UBSan:
qtbase/src/corelib/kernel/qvariant.cpp:3131:59: runtime error: shift exponent 1114 is too large for 32-bit type 'unsigned int'
Change-Id: Id3910d6d7f166fd7c80adf5ce1699f0eeb453562
Reviewed-by: Jędrzej Nowacki <jedrzej.nowacki@theqtcompany.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
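Added example (not Qt's QVariant code) of the sanitization the message above describes: a type id is range-checked against the width of the mask before it is used as a shift amount, and the shifted constant is 1U rather than 1. The mask contents and names are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Bits in an unsigned mask; the only valid shift amounts are 0..MASK_BITS-1. */
#define MASK_BITS ((int)(sizeof(unsigned) * CHAR_BIT))

/* Constructed mask of "simple" type ids with bits 2, 3, 10 and 31 set.
 * 1U rather than 1: 1 << 31 overflows a signed 32-bit int (itself
 * undefined behaviour); 1U << 31 is well defined. */
static const unsigned kSimpleTypes =
    (1U << 2) | (1U << 3) | (1U << 10) | (1U << 31);

/* Builds a mask from a list of type ids, skipping any id that is not a
 * valid shift amount. Returns how many ids were rejected, so a caller can
 * tell "no bits" from "bad input". */
size_t build_type_mask(const int *ids, size_t n, unsigned *mask)
{
    size_t rejected = 0;
    *mask = 0;
    for (size_t i = 0; i < n; ++i) {
        if (ids[i] < 0 || ids[i] >= MASK_BITS) {
            ++rejected;          /* e.g. 1114, the exponent UBSan reported */
            continue;
        }
        *mask |= 1U << ids[i];   /* shift amount is sanitized at this point */
    }
    return rejected;
}

/* True when type_id is one of the simple types. An id outside
 * 0..MASK_BITS-1 has no bit in the mask, so the answer is "no" rather
 * than an out-of-range shift. */
bool is_simple_type(int type_id)
{
    if (type_id < 0 || type_id >= MASK_BITS)
        return false;
    return (kSimpleTypes & (1U << type_id)) != 0;
}
```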
glXGetCurrentDisplay can return NULL so we need to check
for that.
Change-Id: I1b85a5c575d1deb24dcce4719b6f737283adeabe
Reviewed-by: Błażej Szczygieł <spaz16@wp.pl>
Reviewed-by: Laszlo Agocs <laszlo.agocs@theqtcompany.com>
If CountedStruct is passed a GetSenderObject object,
it will attempt to call a member on it from within
its own destructor.
That usually works quite well, but in this test case,
which tests for function object leaks when a connection
is torn down because the sender object is destroyed,
the destruction of the CountedStruct happens when all
connections are severed in ~QObject. At that point,
what used to be a GetSenderObject instance no longer
is one and the call into one of its member functions
invokes undefined behavior.
Fix by making QObject::sender() public by a using
declaration instead of a wrapper function.
Found by UBSan:
tests/auto/corelib/kernel/qobject/tst_qobject.cpp:6007:104: runtime error: member call on address 0x7ffc6e7538b0 which does not point to an object of type 'GetSenderObject'
0x7ffc6e7538b0: note: object is of type 'QObject'
Change-Id: Ia973140037b3c1b5a670a8a3949d09b956f40349
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
'local' is treated as a command, so its arguments need to be quoted,
unlike in a real variable assignment.
amends 4b557751e.
Change-Id: I5a4c929e52e2344a6129c8e9dd4c0c80cd408ff0
Reviewed-by: Joerg Bornemann <joerg.bornemann@theqtcompany.com>
Binding a reference to the nullptr is undefined
behavior.
Just skip that particular test when 'ptr' is null.
Found by UBSan:
tests/auto/corelib/tools/qsharedpointer/tst_qsharedpointer.cpp:258:32: runtime error: reference binding to null pointer of type 'struct Data'
Change-Id: I125588b9d269a6f76716d660d03142f409513885
Reviewed-by: Jędrzej Nowacki <jedrzej.nowacki@theqtcompany.com>
Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com>
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
Don't cast a QDialog to a subclass it is not.
Fix by creating it as the required subclass in the
first place.
Found by UBSan:
tests/auto/widgets/dialogs/qdialog/tst_qdialog.cpp:203:20: runtime error: downcast of address 0x2b5f5000ad40 which does not point to an object of type 'DummyDialog'
tests/auto/widgets/dialogs/qdialog/tst_qdialog.cpp:203:46: runtime error: member call on address 0x2b5f5000ad40 which does not point to an object of type 'DummyDialog'
Change-Id: I63ae7e782bda6a78d11af5c2bc2f7d88aacd0ac0
Reviewed-by: David Faure <david.faure@kdab.com>
Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com>
If QObjectPrivate::declarativeData is set, it is
in various places in Qt expected to point to a
QAbstractDeclarativeDataImpl, from which ownedByQml1
is unconditionally read.
In noDeclarativeParentChangedOnDestruction(), the
declarativeData pointer is, however, set to a local
QAbstractDeclarativeData instance, which, being an
empty class, has size 1 and alignment 1.
Depending on the compiler's idea of bit field order,
this code either read uninitialized data from the
dummy object, or else some random stack memory outside
any (valid) object.
What caught UBSan's attention, though, was the
difference in alignment between the two classes:
src/corelib/kernel/qobject.cpp:917:9: runtime error: member access within misaligned address 0x7fffc9cf706f for type 'struct QAbstractDeclarativeDataImpl', which requires 4 byte alignment
Fix by providing a properly initialized object of the
correct type.
Change-Id: Iae83a949ee5a7bc98df13e35ea614c063085fa13
Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com>
Reviewed-by: Jędrzej Nowacki <jedrzej.nowacki@theqtcompany.com>
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
Don't pass around meta-type IDs in QMetaType::Type
variables. It leads to reading values from an enum
variable that are invalid.
Fix by passing the IDs around as int.
Found by UBSan:
tests/auto/corelib/kernel/qmetatype/tst_qmetatype.cpp:408:5: runtime error: load of value 4028, which is not a valid value for type 'Type'
Change-Id: Idd106ee3d7960fe3d8fefc0fc5830fc22d38a513
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
The reinterpret cast from a QTcpSocket → QAbstractSocket → QIODevice
to MyIODevice → QIODevice was undefined.
Fix by simply instantiating a MyIODevice, which must then inherit
from QTcpSocket, of course.
Instead of fixing the class name in the overridden setOpenMode()
method, simply make the base class' implementation public with
a using declaration.
Found by UBSan:
qtbase/tests/auto/corelib/io/qiodevice/tst_qiodevice.cpp:84:22: runtime error: member call on address 0x7ffcca2d23f0 which does not point to an object of type 'MyIODevice'
0x7ffcca2d23f0: note: object is of type 'QTcpSocket'
Change-Id: I939b3548949b9b5765df4a6cc81875e169fd69dd
Reviewed-by: Alex Trotsenko <alex1973tr@gmail.com>
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
While a native dialog is open, the application message queue is
handled by the native event loop which is external to Qt. In this
case, QEventDispatcherWin32::processEvents() does not run and socket
notifiers will not be activated. So, this patch moves the notifier
activation code into the window procedure, which enables socket
event processing with native dialogs.
Task-number: QTBUG-49782
Task-number: QTBUG-48901
Change-Id: Icbdd96b2e80c50b73505f4fe74957575b83d6cf1
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
Reviewed-by: Kai Koehne <kai.koehne@theqtcompany.com>
Reviewed-by: Joerg Bornemann <joerg.bornemann@theqtcompany.com>
When a high-priority event is posted in an overridden
'QStateMachine::beginSelectTransitions', the event may remain in the
event queue and not be dispatched until another event is posted.
Change-Id: Ifda288d9c00ac7985e426b9cc02bda382ebaac35
Reviewed-by: Erik Verbruggen <erik.verbruggen@theqtcompany.com>
This reverts commit 56aad2ad60.
QWidget::mapFromGlobal() does not work correctly when the widget is
a child widget of another widget embedded into a QGraphicsView with a
transformation (scaling/rotation). It starts applying offsets going
up the widget tree (just as mapToGlobal) until it hits the embedded widget
not taking into account the transformation.
It would need to go in from top to bottom or better be reimplemented
such that a QTransform for mapping coordinates from/to global is determined
which is then applied in reverse.
Task-number: QTBUG-50030
Task-number: QTBUG-50136
Change-Id: Iadeb891d793be1938c64942bfbf38d541a281c33
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
Mimicking what QTableView is already doing correctly, the header's
height needs to be constrained by its own minimum/maximum height.
Task-number: QTBUG-49277
Change-Id: I695a4398991b738c4b4c924716176b9ad2152e87
Reviewed-by: Thorbjørn Lund Martsum <tmartsum@gmail.com>
Reviewed-by: David Faure <david.faure@kdab.com>
When a datagram is sent to a closed host/port combination, the host will
likely send back an ICMP error message. In the regular socket API, there
isn't a good way of actually receiving this error, so some Windows kernels
wired that message back up to the call to WSARecvFrom() as a synthetic
datagram. Reading this datagram results in a WSAECONNRESET error code,
which should be reported to the user as a refused connection attempt.
To make the errors a bit more informative, the native error strings for
WSAECONNRESET and WSAENETRESET were also added.
Task-number: QTBUG-49301
Change-Id: If659be54ba1b39965b5f481f0c0cb9eeea0a06d2
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
Reviewed-by: Markus Goetz (Woboq GmbH) <markus@woboq.com>
The system call is not present on earlier releases, and since the 9.x
series will be supported until the end of 2016, add a check for the
__FreeBSD_version macro and only enable pipe2 support if the value is
high enough.
Change-Id: I5633531cec7e95d42ff5f4b14afe772ae8d7d66d
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
This is a follow-up to c8c4ad0 ("forkfd: Define __BSD_VISIBLE and
_NETBSD_SOURCE").
Defining those macros in forkfd.c is not enough: forkfd_qt.cpp also sets
_POSIX_C_SOURCE, and sys/cdefs.h can be included implicitly via Qt's
headers (<algorithm> ends up pulling unistd.h that leads to sys/cdefs.h
and sys/types.h with both libstdc++ and older libc++ versions). In this
case, __BSD_VISIBLE/_NETBSD_SOURCE are not defined, _POSIX_C_SOURCE is,
several type definitions are omitted and by the time we include
sys/time.h in forkfd.c the build fails. On FreeBSD < 11, the error looks
like this:
In file included from io/../../3rdparty/forkfd/forkfd.c:36,
from io/forkfd_qt.cpp:80:
/usr/include/sys/time.h:94: error: 'u_int' has not been declared
Change-Id: I01fa2f5861027d99936d3026faeee9f0db3ecabd
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
pipe2's availability on BSD operating systems depends on the
__BSD_VISIBLE macro on FreeBSD and OpenBSD and _NETBSD_SOURCE on
NetBSD (DragonFly BSD appears to define it unconditionally).
Those two macros are generally set by default, except when
_POSIX_C_SOURCE is set. Since we consciously set _POSIX_C_SOURCE but
need pipe2, explicitly define the visibility macros.
This fixes the -no-pch build on FreeBSD at least.
Change-Id: Icc77f6b5d1f9a5bf7bd8048cabbb01f8f89397cc
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
In a bind+connect scenario, a rejected connection can trigger a read
notification while the socket is opened. But unlike UDP, reading from
the socket engine or emitting a readyRead() signal is not allowed for
the TCP socket in bound or connecting state.
To make a bind+connect scenario work properly, disable the read
notifications until a connection is established.
Task-number: QTBUG-50124
Change-Id: I7b3d015b0f6021fb9ff9f83560478aa5545f41f5
Reviewed-by: Richard J. Moore <rich@kde.org>
install_sys_qpa() is called for each QSystemTrayIcon::show(),
leading to spurious calls of user slots if the signal isn't
disconnected on remove_sys_qpa().
Task-number: QTBUG-48068
Change-Id: Ic830250c71fee6b584550ab5aabf54289e478fcb
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
Reviewed-by: Richard Rondu <rondu.richard@gmail.com>
Reviewed-by: Shawn Rutledge <shawn.rutledge@theqtcompany.com>
This partially reverts commit 025d6a778c.
Change-Id: I7b964b0d598abe46137c22177fe2b5dcca5bb812
Task-number: QTBUG-49831
Reviewed-by: Gabriel de Dietrich <gabriel.dedietrich@theqtcompany.com>
Reviewed-by: Andy Shaw <andy.shaw@theqtcompany.com>
Commit ed0c0070 introduced qt_subtract_from_timeout but used it
incorrectly in several places.
Change-Id: I80ea16088707929a45d5a61ec6f3370f8e63d1cd
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
When the byte sequence for a BOM occurs in the middle of a utf8 stream,
it is a ZWNBSP.
When a ZWNBSP occurs in the middle of a utf8 character sequence, and the
SIMD conversion does some work (meaning: the length is at least 16
characters long), it would not recognize the fact that some characters were
already decoded. So the conversion would then strip the ZWNBSP out,
thinking it's a BOM.
The non-SIMD conversion did not have this problem: the very first
character conversion would already set the headerdone flag.
Change-Id: I39aacf607e2e068107106254021a8042d164f628
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
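Added example (not Qt's UTF-8 decoder) of the state the message above describes: a chunked copier whose header_done flag persists across chunks, beside the stateless shape that strips a mid-stream ZWNBSP as if it were a BOM. Names are hypothetical, the stream is constructed, and the first chunk is assumed to carry the whole BOM if one is present.

```c
#include <stddef.h>
#include <string.h>

/* Decoder state carried across chunks: once any byte of the stream has
 * been consumed, the header (BOM) position is behind us. */
typedef struct {
    int header_done;
} Utf8BomState;

/* Copies one chunk of a UTF-8 byte stream into out, dropping the bytes
 * EF BB BF only when they start the stream. Assumes the first chunk holds
 * at least 3 bytes (a production decoder would buffer a BOM split across
 * chunks). Returns the number of bytes written. */
size_t utf8_copy_chunk(Utf8BomState *st, const unsigned char *in, size_t len,
                       unsigned char *out)
{
    size_t skip = 0;
    if (!st->header_done && len > 0) {
        if (len >= 3 && in[0] == 0xEF && in[1] == 0xBB && in[2] == 0xBF)
            skip = 3;             /* real BOM: start of the stream */
        st->header_done = 1;      /* from now on EF BB BF is a ZWNBSP, keep it */
    }
    if (len > skip)               /* also keeps memcpy away from a zero-length copy */
        memcpy(out, in + skip, len - skip);
    return len - skip;
}

/* The buggy shape: the BOM check applied to every chunk as if each chunk
 * started the stream, which is what happened when the SIMD path forgot
 * that characters had already been decoded. */
size_t utf8_copy_chunk_stateless(const unsigned char *in, size_t len,
                                 unsigned char *out)
{
    Utf8BomState fresh = { 0 };   /* header_done reset for every chunk */
    return utf8_copy_chunk(&fresh, in, len, out);
}

/* Feeds a constructed stream in two chunks: "ab", then ZWNBSP + "c".
 * With stateful = 1 the ZWNBSP survives (6 bytes out); with stateful = 0
 * it is wrongly stripped as a BOM (3 bytes out). Returns bytes written. */
size_t bom_demo(int stateful, unsigned char *out)
{
    static const unsigned char chunk1[] = { 'a', 'b' };
    static const unsigned char chunk2[] = { 0xEF, 0xBB, 0xBF, 'c' };
    Utf8BomState st = { 0 };
    size_t n = 0;
    if (stateful) {
        n += utf8_copy_chunk(&st, chunk1, sizeof chunk1, out + n);
        n += utf8_copy_chunk(&st, chunk2, sizeof chunk2, out + n);
    } else {
        n += utf8_copy_chunk_stateless(chunk1, sizeof chunk1, out + n);
        n += utf8_copy_chunk_stateless(chunk2, sizeof chunk2, out + n);
    }
    return n;
}
```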
A few things were changed in Android 6.0.
Task-number: QTBUG-49323
Change-Id: I3112d885881dce541d5c4f3a1561f6c34d75e319
Reviewed-by: Christian Stromme <christian.stromme@theqtcompany.com>
(cherry picked from commit 361e24b79e)
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@theqtcompany.com>
When touchpad scroll direction is inverted, verticalIncrement and
horizontalIncrement of scrollingDevice are negative, and rawDelta
remains unfilled. It leads to pixelDelta.isNull() being true in wheel
event handler even when XI2 smooth scrolling is available on the system.
Fix that and fill rawDelta with correct values when inverted scroll
direction is used.
Change-Id: I9c0bdbad2c6b9bbed765eaa895dca300c5c70e86
Reviewed-by: Shawn Rutledge <shawn.rutledge@theqtcompany.com>
Merged in the upstream version, which obsoleted some local
patches. The remaining diff to clean 1.6.19 is archived in
the qtpatches.diff file.
Change-Id: I676df2dab2c52c7fe576de284d472d70206f0a8c
Reviewed-by: Konstantin Ritt <ritt.ks@gmail.com>
Reviewed-by: aavit <eirik.aavitsland@theqtcompany.com>
When increaseCost() is called then it will convert from bytes to kilobytes
so we need to specify the cache_cost to be in bytes.
Task-number: QTBUG-47812
Change-Id: I842514c9ab4d86b60b2beb6c80979156ea0de59c
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@theqtcompany.com>
It was possible for the cache to increase too quickly since it was
relying on the timer to decrease which caused problems with FreeType.
So by checking if it will be increased to be over the limit first before
adding the new font, we can decrease it earlier in preparation.
Task-number: QTBUG-47812
Task-number: QTBUG-49535
Change-Id: Iedc042d8903949140aa8c5257a9d54cde31a51be
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@theqtcompany.com>
Change-Id: I3485501643c60f28ef188100146ac305e3ef9073
Reviewed-by: Tor Arne Vestbø <tor.arne.vestbo@theqtcompany.com>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@theqtcompany.com>
Without deleting the m_inputDeviceManager instance it will remain
in the process and cause a crash when creating and destroying QGuiApplication
multiple times in the process. The crash happens because m_inputDeviceManager
already exists when a new instance of QGuiApplication is created and the
metadata for QInputDeviceManager is no longer valid, so it crashes when
accessed, e.g. using the connect() function.
Change-Id: I5acb1c5f6ce2ba9665fa893047210a913debe4e4
Reviewed-by: Laszlo Agocs <laszlo.agocs@theqtcompany.com>
A memory leak occurs when the 'release' pointer variable is overwritten
for a second use without releasing the resources it is currently pointing
to. The leak occurs only in a specific edge case depending on
client/server versions.
Task-number: QTBUG-49789
Change-Id: Ie5be8996ed158309f20dbb3574f956d2eb137460
Reviewed-by: Mark Brand <mabrand@mabrand.nl>
It is filesystem-dependent whether flock and fcntl locks are independent or
the same underlying lock (which causes getting the second lock to fail).
A temporary file in /tmp might be on a local file system and pass
while the lock file is placed on NFS and fail with:
setNativeLocks failed: Resource temporarily unavailable
Instead check for lock conflicts per path and cache the result.
Change-Id: I39c59bb240cd99ef0a0ec271243770ffd5df8a7d
Reviewed-by: David Faure <david.faure@kdab.com>
There can be a bit of confusion here regarding what removeMappings()
will do in this case so add an explicit note to be clearer.
Task-number: QTBUG-49499
Change-Id: Iabcf5cb2653f0b747727b2c92a244e95ec1836f8
Reviewed-by: Topi Reiniö <topi.reinio@theqtcompany.com>
QConfFile::isWritable() has the extra effect that it will try and
create the path where the file should be if it does not already
exist. So this cannot be omitted as 'qmake -set' may be used in a
situation where the path does not yet exist.
Change-Id: I0113644259f78d090a0687c44cf60d400be9c859
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
This was added in 5.3 in 30d199a76c.
Change-Id: I35a209fcfe417cb14605c4db19a3d2e85b67ee49
Reviewed-by: Michał Dutkiewicz
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
The C++ standard says it must, but some badly-configured toolchains seem
to be lacking support.
In particular, for some 32-bit platforms without native support for
them, GCC implements 64-bit atomics via out-of-line functions in
libatomic. If that library is missing... well, then std::atomic 64-bit
doesn't work and we mustn't try to use it.
This was found when trying to compile Qt 5.6 for MIPS 32-bit:
Linking library libQt5Core.so.5.6.0
.obj/qsimd.o: In function `std::__atomic_base<unsigned long long>::load(std::memory_order) const':
/opt/poky/1.7/sysroots/mips32r2-poky-linux/usr/include/c++/4.9.1/bits/atomic_base.h:500: undefined reference to `__atomic_load_8'
.obj/qsimd.o: In function `std::__atomic_base<unsigned long long>::store(unsigned long long, std::memory_order)':
/opt/poky/1.7/sysroots/mips32r2-poky-linux/usr/include/c++/4.9.1/bits/atomic_base.h:478: undefined reference to `__atomic_store_8'
Yocto bug report: https://bugzilla.yoctoproject.org/show_bug.cgi?id=8274
Change-Id: I42e7ef1a481840699a8dffff140224d6614e5c36
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 3d7586b760)
Reviewed-by: Dmitry Shachnev <mitya57@gmail.com>
[ChangeLog][Platform Specific Changes][OS X] Configure with -no-rpath
will now yield Qt dynamic libraries and frameworks with an absolute
install name (based in -libdir).
OS X package managers like Homebrew install Qt in a fixed location. This
change simplifies deployment for such package managers and is consistent
with the default expectation on Apple platforms for libraries with a
fixed location to also have absolute install names.
While a relocatable installation (the default) also works in this
scenario, it requires all software that depends on Qt to be aware of
this and to embed a suitable RPATH into application binaries (which is
not automatic for non-qmake builds). This might not be true for some
select fallback search locations, but as package managers on OS X tend
not to use those, embedding an RPATH becomes practically mandatory. In a
default Homebrew installation, Qt is configured such that the frameworks
end up in /usr/local/Cellar/qt5/<version>/lib and that will be later
symlinked to /usr/local/opt/qt5/lib, both of which are not searched by
the dynamic linker by default.
Task-number: QTBUG-48958
Change-Id: I4395df98771e06a2ce8a293d11dc755bdc50757f
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
The ifdef gave an impression of the code path being hit only when
texture-backed widgets are present and OpenGL-based compositing is
active. This is false. Asserting on having a context current is
wrong (as shown by autotests on the 5.6 branch).
Change-Id: I2539f0aac75b26597f49f63edcd9580428be79b7
Reviewed-by: Gunnar Sletta <gunnar@sletta.org>