From b528f9b1c62ca55ee2376e6f3d3db7ffbe5dd978 Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Thu, 13 Jul 2023 10:23:59 +0200 Subject: [PATCH] tst_QFuture: fix UB (call of member function on wrong object) By the time QObject::destroyed() is emitted from ~QObject(), sender no longer is-a SenderObject, only a QObject, so calling a SenderObject member function on it is UB. Says UBSan: tst_qfuture.cpp:3854:84: runtime error: member call on address 0x60200000e550 which does not point to an object of type 'SenderObject' 0x60200000e550: note: object is of type 'QObject' 00 00 00 00 e8 3f 96 c9 51 7f 00 00 80 3e 00 00 c0 60 00 00 02 11 00 00 08 00 00 00 16 00 00 72 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'QObject' Fix by removing the QObject::connect(). This, of course, breaks the test's WHEN, but I don't see how to keep that WHEN without the UB. At least the THEN part is not invalidated, and there doesn't appear to be another test that tests that destroying objects before signal emission results in a cancelled future. Amends 612f6999c81a500a024f128bdf739342d659754a. Change-Id: I38ca4611c071e8fd200393b600210e36d4030bc6 Reviewed-by: Ivan Solovev (cherry picked from commit 4b0261fed08dc766a7eeeb1e41121f8634e9b8cb) Reviewed-by: Qt Cherry-pick Bot --- tests/auto/corelib/thread/qfuture/tst_qfuture.cpp | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/auto/corelib/thread/qfuture/tst_qfuture.cpp b/tests/auto/corelib/thread/qfuture/tst_qfuture.cpp index 19a67af1e42..0bdeb96b141 100644 --- a/tests/auto/corelib/thread/qfuture/tst_qfuture.cpp +++ b/tests/auto/corelib/thread/qfuture/tst_qfuture.cpp @@ -3850,8 +3850,6 @@ void tst_QFuture::signalConnect() QSignalSpy spy(sender, &QObject::destroyed); sender->deleteLater(); - // emit the signal when sender is being destroyed - QObject::connect(sender, &QObject::destroyed, [sender] { sender->emitIntArg(42); }); spy.wait(); QVERIFY(future.isCanceled());
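Review bot: after the two deleted lines in tst_QFuture::signalConnect(), the remaining sequence `sender->deleteLater(); spy.wait(); QVERIFY(future.isCanceled());` no longer states which scenario it covers, and nothing in the test warns against re-adding an emission from a `QObject::destroyed` handler. Consider leaving a one-line comment at that spot saying that the sender is destroyed before any signal emission, and that calling `emitIntArg()` from a `destroyed` handler is UB because the object is only a `QObject` by then, as the UBSan report in the commit message shows. Separately, the result of `spy.wait()` in the unchanged context is not checked; `QVERIFY(spy.wait());` would make a timeout surface at that line rather than at the `isCanceled()` check.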