<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/86384>86384</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
Crash in QList.append() on Windows ARM64
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
triplef
</td>
</tr>
</table>
<pre>
Using Clang 18.1.2 WoA on Windows ARM64 results in a failed assertion when adding more than 2 items to a QList due to the assertion [Q_ASSERT(!data || !data->isShared())](https://github.com/qt/qtbase/blob/98602c26fc97eb41e3dd7548194ca637420a31b9/src/corelib/tools/qarraydata.cpp#L229) failing in QArrayData::reallocateUnaligned. We reproduced the issue with both Clang 17 and 18 and Qt 6.5, 6.6, and 6.7.
```c++
QList<QString> list;
list.append("ONE");
list.append("TWO");
list.append("THREE"); // CRASH
```
In this debug session the value of the data pointer changes by `0x10` when calling ArrayData::reallocateUnaligned():
- `0x000002b224a0bdb0` before `reallocateUnaligned()`
- `0x000002b224a0bdc0` in `reallocateUnaligned()`
This pointer misalignment causes an invalid value for `ref_`, causing `isShared()` to return true.
Before:
After:
We [submitted](https://bugreports.qt.io/browse/QTBUG-123617) the bug to Qt and got the following feedback:
> `QTypedArrayData` is-a `QArrayData` so the compiler is required to adjust the pointer to the base sub-object when casting. However, in this case, we expect and require that adjustment to be zero. `QTypedArrayData` adds no other members, so it has exactly the same size and alignment requirements as `QArrayData`. In fact, we actually static_assert the size equality in one of the two screenshots.
> I actually don't think the issue is the adjustment of the base sub-object. This appears to be a codegen issue in selecting registers. Look at dataPointer at `0x18`, which is not a valid pointer, but is `sizeof(QString)`, the next parameter. objectSize is listed as 3, which is not a valid size for `QString`, but is a valid flag combination. The 0x10 difference between caller and callee is explained by the fact that it is also the difference between data and dataPointer.
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJysVk1v4zgS_TX0pWBBor4PPjhOst1A786mk0aODYosWZyWSTdJxcn8-kVR8jqTSdC7wBiCZJHUq8f6eEXhvd4bxA0rr1h5vRJTGKzbBKePI_arzqqXzTevzR52ozB7yJokSzg82i1YA4_aKHvysP36z6oAh34agwdtQEAv9IgKhPfogrYGTgMaEEoR1sE6hDAIAxx0wIOHYEHA3RftA6gJ6TUM-OprVl7dfd_e3998fWC8YTxTIghg9Y7VO1he1yy_0f5-EA5VXNTSVV4z3gwhHD3Lt4zfMn6712GYukTaA-O3P0O8dcIj47fdaDvGb9umSrnkVS_bGrsiw1ypuiyarC2kqPK64KnIs65l_NY7yfittA5HTZ8Ga0dPkMI58UK8Enk8Mp5_4ZFQ9Aw5QRu429KaaxEEccu3DsU4WikCfjNipMCoBB4RHB6dVZNEFd2ivZ8QTjoM0NkwnENTgzAKsiY-7gJUScn4DqqkogcNVkmdsPSapdvlXqXzJRm_oiuOxjCwfHd3H5w2e5bfwBhHlnl6ScTxiGZ2M__tXzeMc3L2h0seHn_75ZJPX28uODCHCnZft_ef3rB9vYXPBsKgPSjspj149J7Shbz0JMYJwfbxJabL0WoT0IEchNmjh-4FWJWmzxmBzgkqxRiD8-vALBmWb1-zWc-AKf14x3kh0k51Eb7DnrKeVenHYOetvQsjI4w2_xvEfH8g15y3fdA-rj2gCSDF5NGDMKDNkxi1WvzVWzcb6L8TFt_FleQSVqVvqqtKqVAdhskZCG7CPyXXVdzwxUE8Y-VVDNM6-2VVjuPT-bE-Ovs7SipT0oNAxVWleU1lirniZZmvsW_6daFqsW7btFinqpRpwSshlSCir1ht-4DuXVL8byKVN5Usa1GsVVml6yKX-botVbOupZRFUbWiUfiG1COSwPmpO-gQUL1HpJv2Do_WBZ_8DIm2NOTsKYrW3cPVt3-sM55XWU0KQwlP1RAsyQAV_t6GONrbcbQnimaPqDohf7xJYCp2VqV3Dy9HVJcioMTzaxGn_jTqZ6GW9nDUIzrQHhz-nLQjqbIg1O-Tn02fs3CRdtJb8FO3th358Vx9PmizT-CTPeETOko_vRS4jAK9gxMCPh_pE9rYYoyaSVisxfQOFjqEP9DZ5IP9CKU8GAs2DFQbeOjQeTLgLegAg_CAz0KG8SXy9eKA4PUfGM1e6mghQP89CP8XDyXw2UAvKFMidyHDJMbxBXwQQcvvc4ubTRA6_pzEqMML7dua_-pXOFnw0iEaP9jgk0u0Pl8glTWM1wSmzY9XnUL7uZte3LOgvglCAlEvSJSF84sPBUircI_mDGbA44iSAgUO99oHdD6BL9b-ABGi0v57ibUIi8A2i5acBi0H4mNsAAGz8CyZQfPdFGiWVSk5w_aMN-cuNGsb30XiBp8DHIUTBwzoEpj535MDtY_dKp49IP_QaHT2InZnEzP-wuG8sB_FnvK700bQUYSchEBNA5Tue3RoJEKH4YRL_6CNGzX_jXzw-TgKbVBRx4llKGSYU1bPtsaljt5BjJ2L8F45dgn_Sm1y1eatWOEmq7Msa0qeFath0wletmnN2zZN87Qpy0oqUse2aGSBabbSG57yIs15nrZZnhdJJfu2qeuibRRK7ApWpHgQekxI7BLr9qsY_U1T5U2xGkWHo49nRs4NnubUoN5dXq_cJgpkN-09K1KKhb-gBB1G3Oyc8EM8AH15cwpo_3KsXE1u3PzfohwJkShHwv8JAAD__2gsdek">