authorMarc Mutz <marc.mutz@kdab.com>2016-09-21 09:15:40 +0200
committerMarc Mutz <marc.mutz@kdab.com>2016-10-06 16:39:09 +0000
commit237b36a72cf0646ba28e762bfde0cb398f4041e8 (patch)
tree56228790f03159d851a799e9b7be32bc6057bd5a /src/widgets
parentdaaa1a287bcccda61ce81941f8b3a69d2371e04a (diff)
QGraphicsWidget: Fix UB (invalid member calls) in destruction sequence
Found by UBSan: qgraphicswidget_p.h:72:5: runtime error: downcast of address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget' 0x2ab6a8021400: note: object is of type 'QGraphicsObject' 00 00 00 00 70 93 5c 91 b6 2a 00 00 f0 c0 01 a8 b6 2a 00 00 e8 81 5c 91 b6 2a 00 00 10 bf 01 a8 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'QGraphicsObject' #0 0x2ab68f2fdd7c in QGraphicsWidgetPrivate::q_func() qgraphicswidget_p.h:72 #1 0x2ab68f2fdd7c in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:775 #2 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181 #3 0x2ab68f024f73 in QGraphicsItem::setParentItem(QGraphicsItem*) qgraphicsitem.cpp:1781 #4 0x2ab68f168401 in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) qgraphicsscene.cpp:620 #5 0x2ab68f02c166 in QGraphicsItem::~QGraphicsItem() qgraphicsitem.cpp:1555 #6 0x2ab68f02ebb8 in QGraphicsObject::~QGraphicsObject() qgraphicsitem.cpp:7766 #7 0x2ab68f2d8888 in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:231 #8 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175 #9 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175 #10 0x2ab68f02c9ec in QGraphicsItem::~QGraphicsItem() qgraphicsitem.cpp:1550 #11 0x2ab68f02ebb8 in QGraphicsObject::~QGraphicsObject() qgraphicsitem.cpp:7766 #12 0x2ab68f2d8888 in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:231 #13 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175 #14 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175 #15 0x2ab68f128da4 in QGraphicsScene::clear() qgraphicsscene.cpp:2388 #16 0x2ab68f12936c in QGraphicsScene::~QGraphicsScene() qgraphicsscene.cpp:1682 #17 0x44d44c in tst_QGraphicsWidget::focusWidget() /tst_qgraphicswidget.cpp:435 qgraphicswidget_p.cpp:805:24: 
runtime error: member call on address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget' 0x2ab6a8021400: note: object is of type 'QGraphicsObject' 00 00 00 00 70 93 5c 91 b6 2a 00 00 f0 c0 01 a8 b6 2a 00 00 e8 81 5c 91 b6 2a 00 00 10 bf 01 a8 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'QGraphicsObject' #0 0x2ab68f2fdc68 in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:805 #1 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181 [... identical lines omitted ...] qgraphicswidget_p.cpp:806:23: runtime error: member call on address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget' 0x2ab6a8021400: note: object is of type 'QGraphicsObject' 00 00 00 00 70 93 5c 91 b6 2a 00 00 f0 c0 01 a8 b6 2a 00 00 e8 81 5c 91 b6 2a 00 00 10 bf 01 a8 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'QGraphicsObject' #0 0x2ab68f2fdb6b in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:806 #1 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181 [... identical lines omitted ...] qgraphicswidget_p.cpp:827:26: runtime error: member call on address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget' 0x2ab6a8021400: note: object is of type 'QGraphicsObject' 00 00 00 00 70 93 5c 91 b6 2a 00 00 f0 c0 01 a8 b6 2a 00 00 e8 81 5c 91 b6 2a 00 00 10 bf 01 a8 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'QGraphicsObject' #0 0x2ab68f2fdf91 in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:827 #1 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181 [... identical lines omitted ...] 
Fix by moving the setParentItem(nullptr) call up the call stack into ~QGraphicsWidget(), ensuring that the object is still a QGraphicsWidget when these calls are made. Change-Id: I264779e33098e9752de9a312a146fb203578a3cc Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> Reviewed-by: Giuseppe D'Angelo <giuseppe.dangelo@kdab.com>
Diffstat (limited to 'src/widgets')
-rw-r--r--src/widgets/graphicsview/qgraphicswidget.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/widgets/graphicsview/qgraphicswidget.cpp b/src/widgets/graphicsview/qgraphicswidget.cpp
index 2700605a71..125174627d 100644
--- a/src/widgets/graphicsview/qgraphicswidget.cpp
+++ b/src/widgets/graphicsview/qgraphicswidget.cpp
@@ -267,6 +267,11 @@ QGraphicsWidget::~QGraphicsWidget()
// Remove this graphics widget from widgetStyles
widgetStyles()->setStyleForWidget(this, 0);
+
+ // Unset the parent here, when we're still a QGraphicsWidget.
+ // It is otherwise done in ~QGraphicsItem() where we'd be
+ // calling QGraphicsWidget members on an ex-QGraphicsWidget object
+ setParentItem(Q_NULLPTR);
}
/*!
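Review bot: The added `setParentItem(Q_NULLPTR)` duplicates the call that `~QGraphicsItem()` still makes later in the destruction sequence, and the comment does not say that the later call is now expected to find no parent, nor that this statement must remain the last one in `~QGraphicsWidget()` that depends on the object's dynamic type; suggested wording: `// Must stay the last statement here that relies on the dynamic type being QGraphicsWidget; the repeated setParentItem() in ~QGraphicsItem() is then expected to do nothing.` The defect being fixed is a type-confusion class of undefined behaviour (member call through a vptr already rolled back to QGraphicsObject, which UBSan reports as an invalid downcast), so the ordering guarantee is the whole fix and should be stated explicitly for whoever edits this destructor next. As a style point, the destructor now mixes `0` and `Q_NULLPTR` for null pointers; `widgetStyles()->setStyleForWidget(this, Q_NULLPTR);` would be consistent with the new line. The destructor body begins outside the hunk.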