Qt / QTBUG-59721

QString crash attempt to free() shared_null static variable


Details

    • Type: Bug
    • Resolution: Out of scope
    • Priority: P1: Critical
    • Affects Version: 5.8.0 Alpha

    Description

      In the latest Qt5.8 checkout the usage of QString crashes when the string is empty or moved away using move-assignment or move-construction. This is because the shared_null of QArrayData does not have a refCount of -1, causing the deallocate() method to assume it cannot be dereferenced, triggering a heap free.

      An example of the crash is the QUtf8::convertToUnicode routine, because it uses move-construction when compiled with Visual Studio 2017.

      Compiled from source using the following parameters:

      call configure.bat -static -static-runtime -debug-and-release -mp ^
          -platform win32-msvc2017 ^
          -opensource -nomake examples -nomake tests ^
          -opengl desktop -prefix %_TMPOUTPATH%
      

      Example code that crashes:

      #include <QRegExp>
      #include <QString>
      #include <utility>

      // Constructing the QRegExp from a char* converts it through QUtf8::convertToUnicode,
      // which is expected to crash because of a complicated callstack on the way there.
      static const QRegExp testExp( "meow string" );
      
      int main( int argc, char *argv[] )
      {
          QString emptyString;
          {
              QString evilString;
              emptyString = std::move( evilString );
              // In DEBUG MODE, it should crash here with a heap error:
              // the moved-from evilString is destroyed holding shared_null.
          }
          return 0;
      }
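
      To make the failure mode concrete, here is an added model in plain C++ (not Qt's code and not part of the report) of the Qt 5 RefCount protocol the description refers to: a refCount of -1 marks a static sentinel that deref() never releases, so a shared_null initialised to anything else makes the moved-from string's destructor hand the static object to deallocate(). The -1/0 semantics of deref() and the move-leaves-shared_null behaviour are assumptions about Qt internals; the Data, release() and moveThenDestroy() names are invented for the model.

```cpp
// Model of the Qt 5 QtPrivate::RefCount protocol (an assumption about Qt
// internals; not Qt's own code): -1 marks static data that must never be
// freed, 0 marks unsharable data, anything else is a live reference count.
// Qt's counter is atomic; a plain int is enough for the model.
struct RefCount {
    int value;
    // true: keep the object; false: last reference gone, deallocate it.
    bool deref() {
        if (value == 0) return false;    // unsharable: owner frees it
        if (value == -1) return true;    // static: never deallocate
        return --value != 0;
    }
};

struct Data {
    RefCount ref;
    bool onHeap;   // constructed flag: true only for data we allocated
};

// Correct sentinel beside the mis-initialised one the report describes.
static Data shared_null_ok  = { {-1}, false };
static Data shared_null_bad = { { 0}, false };

// Mirrors the tail of QString's destructor: deallocate when deref() says
// the last reference is gone. Returns true when that would have meant
// freeing the static sentinel (the heap error from the report); only
// data we allocated ourselves is actually deleted.
bool release(Data *d) {
    if (d->ref.deref()) return false;
    if (!d->onHeap) return true;         // free(&shared_null): the crash
    delete d;
    return false;
}

Data *makeHeap() { return new Data{ {1}, true }; }

// Simulates "QString a; QString b = std::move(a);" followed by both
// destructors, using the given shared-null sentinel: the move leaves the
// source pointing at the sentinel, so ~a derefs the sentinel.
bool moveThenDestroy(Data *sharedNull) {
    Data *a = sharedNull;               // QString a;  -> shared null
    Data *b = a;  a = sharedNull;       // b = std::move(a)
    bool crash = release(a);            // ~a (moved-from)
    crash = release(b) || crash;        // ~b (also shared null here)
    return crash;
}
```

With the correct sentinel both destructors are no-ops; with the mis-initialised one the first destructor already reports the free of static memory.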
      

People

  thiago Thiago Macieira
  the_gta Rick Sandiego
  Votes: 4
  Watchers: 9
