[Development] QtCore missing check for memory allocation

Thiago Macieira thiago.macieira at intel.com
Wed Feb 25 17:01:54 CET 2015

On Wednesday 25 February 2015 16:48:44 Ulf Hermann wrote:
> >> We should thus do Q_CHECK_PTR on every memory allocation in Qt and we
> >> should fix Q_CHECK_PTR so that it works under all circumstances.
> > 
> > I disagree on both accounts.
> Could you elaborate a bit?

I disagree that we should do Q_CHECK_PTR after every memory allocation and I 
disagree that Q_CHECK_PTR should do something in all circumstances.

> That "every memory allocation" may be relaxed a bit as there might be places
> where the code can deal with 0 or where we pass the pointer straight on to
> user code and can expect the user to check it. The default should be
> checking for 0, though.

I really disagree. If we wanted to find bad memory allocations, we should turn 
exceptions back on and write exception-safe code. Anything else is putting the 
burden on the common code path.

> > That's undefined behaviour. If you write code:
> > 	if (!p)
> > 	
> > 		*(char*)p = 42;		// crash
> I'm not saying we should access p in this case, but rather some fixed place
> of which we know we cannot access it, to *reliably* raise a segfault. Maybe
> there is even a more elegant way to trigger a segfault than accessing
> invalid memory.

The only reliable way of causing a segfault is raise(SIGSEGV). You can't 
reliably trigger a memory problem because, by the very definition of it, the 
compiler is allowed to assume it doesn't happen.

> The point is this: With the current behavior you're not actually guaranteed
> to get a segfault. The client code might not access *p, but rather p[<some
> large number>], and that might hit valid memory. Or it might store p, do
> whatever funny arithmetic on it with the assumption that it's not 0, and
> run into some other incorrect behavior. An attacker could specifically
> search for such a case and overwrite some important piece of information
> like this. We don't want that. Q_CHECK_PTR should mean "If the pointer is 0
> either throw an exception or abort right away. Don't just continue."

I understand your arguments, but I still disagree we should act.

Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center

More information about the Development mailing list