<feed xmlns='http://www.w3.org/2005/Atom'>
<title>qt/qtdeclarative.git/src/qml/compiler/qv4codegen_p.h, branch dev</title>
<subtitle>Qt Declarative (Quick 2)
</subtitle>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/'/>
<entry>
<title>qv4codegen: Don't access local memory of returned stack frames</title>
<updated>2026-06-12T11:02:12+00:00</updated>
<author>
<name>Olivier De Cannière</name>
<email>olivier.decanniere@qt.io</email>
</author>
<published>2026-06-11T12:06:30+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=20ce458324dccf44ab39965159c07494923fefb1'/>
<id>20ce458324dccf44ab39965159c07494923fefb1</id>
<content type='text'>
~Jump performs a check to ensure that it was indeed linked to a label.
This check can cause issues in cases where the codegen is aborted due to
an error. Because Jumps hold on to references to the bytecode generator
and because they can outlive it due to how they are stored in
m_optionalChainsStates, we attempt to access memory from a stack frame
that has already returned. This triggers ASAN but could also cause
actual memory errors at runtime. However, the logic is wrapped in a
Q_ASSERT so it was at least never shipped.

Fix this issue by following the existing pattern in defineFunction to
fix lifetime issues and by adding a hasError field we can check to the
generator.

Found by libFuzzer and ASAN.

Amends 86c48761dc7ba5bcac7dc6740e94efbfb8678403

Pick-to: 6.12 6.11 6.8
Change-Id: Ia3505b9066ba04a3d56850d7bdee39e1165fd891
Reviewed-by: Ulf Hermann &lt;ulf.hermann@qt.io&gt;
Reviewed-by: Fabian Kosmale &lt;fabian.kosmale@qt.io&gt;
</content>
</entry>
<entry>
<title>CRA: review src/qml/compiler</title>
<updated>2026-02-06T18:14:48+00:00</updated>
<author>
<name>Sami Shalayel</name>
<email>sami.shalayel@qt.io</email>
</author>
<published>2026-02-06T09:06:40+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=22e40334a65d0e4bce55d50f7932168577c3ba52'/>
<id>22e40334a65d0e4bce55d50f7932168577c3ba52</id>
<content type='text'>
All files get default significance: they do no parsing, no code
execution, no cryptography and no network protocols
implementation.

Note that the compiler classes use the QML parser from src/qml/parser,
and therefore do no parsing themselves.

Pick-to: 6.11 6.10 6.8
Fixes: QTBUG-143929
Change-Id: If1d4b896ec4a70fa2d4348a484464dcd4d8ef017
Reviewed-by: Ulf Hermann &lt;ulf.hermann@qt.io&gt;
</content>
</entry>
<entry>
<title>Qml: Rename Expression to CommaExpression in the AST</title>
<updated>2025-05-16T14:59:49+00:00</updated>
<author>
<name>Olivier De Cannière</name>
<email>olivier.decanniere@qt.io</email>
</author>
<published>2025-05-09T10:38:12+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=138889eab042fda149e13ed1d2c86d543da003d0'/>
<id>138889eab042fda149e13ed1d2c86d543da003d0</id>
<content type='text'>
Expression is confusing.

Pick-to: 6.9 6.8 6.5
Change-Id: I365ce06a266e24a506b14734fef8b977d6794a72
Reviewed-by: Fabian Kosmale &lt;fabian.kosmale@qt.io&gt;
</content>
</entry>
<entry>
<title>qmllint: warn about unreachable code</title>
<updated>2025-04-25T12:32:03+00:00</updated>
<author>
<name>Sami Shalayel</name>
<email>sami.shalayel@qt.io</email>
</author>
<published>2025-03-26T14:23:42+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=f8e3ad0b097de4efa7e838ac6d0ae41b133e5822'/>
<id>f8e3ad0b097de4efa7e838ac6d0ae41b133e5822</id>
<content type='text'>
The compiler is very polite and does not tell the user about its useless
code. Codegen::statementList(StatementList *ast) silently discards
unreachable statements during byte code generation.

Warn the user that their code is unreachable. Don't warn about
function definitions because these ones are "hoisted" up,
which means that their definition is supposed to be pushed up, so that
they can be used even if they are behind a "return" or "throw"
statement.

Don't use the qqmljsbasicblock analysis for that, it reports too many
"false positives" where the compiler generates dead code that can't be
fixed by the user.

Task-number: QTBUG-129307
Change-Id: Ia26e8af1adf4e63b26dcaa7fb10be73b7eb084d7
Reviewed-by: Olivier De Cannière &lt;olivier.decanniere@qt.io&gt;
</content>
</entry>
<entry>
<title>qmllint: Implement WarnFunctionUsedBeforeDeclaration</title>
<updated>2025-04-24T12:45:48+00:00</updated>
<author>
<name>Sami Shalayel</name>
<email>sami.shalayel@qt.io</email>
</author>
<published>2025-03-31T14:27:06+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=9b2cff650a5452d38b45c6e40f8b7eea7a048d77'/>
<id>9b2cff650a5452d38b45c6e40f8b7eea7a048d77</id>
<content type='text'>
Warn about functions used before their declaration. It's not technically
an error like the "var used before declaration" because functions are
"hoisted up" and therefore available even before their declaration, so
create a new warning category for it instead of reusing the "var used
before declaration" category. Disable the warning by default: Qt Creator
used to have it as default, while other tools like eslint don't.

For the same reason, don't warn about functions used before declaration
during codegen, and add a method to warn about it in
CodeGenWarningInterface. The code for "var used before declaration"
can be reused by function declarations by adding a sourcelocation for
function declarations in the "addLocalVar"-call, so make sure to
differentiate between functions and vars by adding an extra member to
Context::ResolvedName.

Task-number: QTBUG-129307
Change-Id: I83a4f8cd00c120db23a0cec3365a00ed44de2836
Reviewed-by: Olivier De Cannière &lt;olivier.decanniere@qt.io&gt;
</content>
</entry>
<entry>
<title>Codegen: Make defineFunction non-virtual</title>
<updated>2025-02-18T19:02:01+00:00</updated>
<author>
<name>Fabian Kosmale</name>
<email>fabian.kosmale@qt.io</email>
</author>
<published>2025-02-05T14:45:16+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=275cdddb7daccdd8b16dd1a0af4cf4ed5894eb6b'/>
<id>275cdddb7daccdd8b16dd1a0af4cf4ed5894eb6b</id>
<content type='text'>
Nothing overrides it (anymore?).

Change-Id: I8704c0f2a853c9ff3b102e11b7dab20e7e35cc94
Reviewed-by: Ulf Hermann &lt;ulf.hermann@qt.io&gt;
</content>
</entry>
<entry>
<title>QtQml: Fix assignment of fileName and URL during compilation</title>
<updated>2025-02-04T15:49:20+00:00</updated>
<author>
<name>Ulf Hermann</name>
<email>ulf.hermann@qt.io</email>
</author>
<published>2025-01-24T14:30:16+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=c9778d2e9c41036cbd59976c51927d746bb78bcc'/>
<id>c9778d2e9c41036cbd59976c51927d746bb78bcc</id>
<content type='text'>
We need to assign them right away when creating the module. If we do it
later on, there are a lot of different code paths to cover and in fact
we were missing some.

Pick-to: 6.9 6.8
Task-number: QTBUG-133053
Change-Id: I57e381c787f504eb9bcd8c2041e41b4f1d1f8b53
Reviewed-by: Fabian Kosmale &lt;fabian.kosmale@qt.io&gt;
</content>
</entry>
<entry>
<title>QtQml: Generalize the global/illegal names</title>
<updated>2024-12-17T19:49:39+00:00</updated>
<author>
<name>Ulf Hermann</name>
<email>ulf.hermann@qt.io</email>
</author>
<published>2024-12-11T15:36:10+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=ce0a16c0800fb1d5bb64783c424274b0a8bd4d43'/>
<id>ce0a16c0800fb1d5bb64783c424274b0a8bd4d43</id>
<content type='text'>
Instead of passing them around everywhere, use the ones we statically
know and only validate them when creating a new engine.

Task-number: QTBUG-131721
Change-Id: I7fb93d15eb6e4194c46249727bcf7a48f5dce730
Reviewed-by: Fabian Kosmale &lt;fabian.kosmale@qt.io&gt;
</content>
</entry>
<entry>
<title>QtQml: Model native modules as compilation units</title>
<updated>2024-12-06T16:39:19+00:00</updated>
<author>
<name>Ulf Hermann</name>
<email>ulf.hermann@qt.io</email>
</author>
<published>2024-12-04T10:53:32+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=dc60c305a20d518012d4f034c4fa2a7395ebf31f'/>
<id>dc60c305a20d518012d4f034c4fa2a7395ebf31f</id>
<content type='text'>
QQmlTypeLoader::injectedScript() was unsafe and impossible to fix
because it had to query the engine from the type loader thread in order
to find out whether to load a script from an actual file.

By removing the whole special-casing of native modules, we can make the
script loading thread safe. A native module is now also a compilation
unit, with a regular QV4::Module as value. This means we can remove a
lot of code that deals with the native modules in the engine.

The downside is that native modules are now a lot larger than before.
However, given that they don't appear in any examples and hardly any
bugs have been filed about native modules since their introduction, we
can assume that they are not a very popular feature. The reduction in
complexity and the removal of the native modules map in the engine is
expected to outweigh the extra memory overhead for native modules.

Task-number: QTBUG-131721
Pick-to: 6.8
Change-Id: Ia7388d7ba8d71637559a791d874257fba4646330
Reviewed-by: Fabian Kosmale &lt;fabian.kosmale@qt.io&gt;
</content>
</entry>
<entry>
<title>qv4codegen: Store the location of binary expressions</title>
<updated>2024-04-22T13:50:28+00:00</updated>
<author>
<name>Olivier De Cannière</name>
<email>olivier.decanniere@qt.io</email>
</author>
<published>2024-04-19T08:34:05+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=04eca69846a531ec26c8bb9be20dddd75fb111fe'/>
<id>04eca69846a531ec26c8bb9be20dddd75fb111fe</id>
<content type='text'>
This location is then used later, for example, to improve the accuracy
of warnings.

OLD
Warning: Main.qml:22:30: function without return type annotation returns
double of double [compiler]
    function type() { return 1 + 1 }
                      ^^^^^^

NEW
Warning: Main.qml:22:30: function without return type annotation returns
double of double [compiler]
    function type() { return 1 + 1 }
                             ^^^^^

The location stored is the combined locations of the left operand, the
operator, and the right operator. We should investigate if this is the
right approach. Created QTBUG-124548.

Task-number: QTBUG-124548
Task-number: QTBUG-124220
Pick-to: 6.7
Change-Id: Icac335d53349c05d0e9ee6e436bc6ab08ad970d2
Reviewed-by: Fabian Kosmale &lt;fabian.kosmale@qt.io&gt;
Reviewed-by: Ulf Hermann &lt;ulf.hermann@qt.io&gt;
</content>
</entry>
</feed>
