From 089bdc0fcc1d87c6f5fe0835a4f723a6677e9a01 Mon Sep 17 00:00:00 2001
From: Edward Welbourne <edward.welbourne@qt.io>
Date: Tue, 20 Aug 2019 11:15:22 +0200
Subject: Catch invalid simple type that was causing a crash

Although the type passes a check that's supposed to find all types
with a simple type, and appears to be of a simple type, its primitive
type is apparently null. This was causing a segmentation fault.

Apparently the code fails to correctly set the primitive type of a
pattern-type instance of a union type. Document the known limitation
by a QEXPECT_FAIL() in the test; I was unable to find where the
primitive type should be set.

Task-number: QTBUG-77620
Change-Id: I56b95ed815366c508f71b8af03b6f2a653d338c5
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
---
 src/xmlpatterns/schema/qxsdschemahelper.cpp        |  2 +-
 .../schema/qxsdvalidatinginstancereader.cpp        | 10 ++++++
 .../qxmlschemavalidator/testdata/QTBUG-77620.xml   |  6 ++++
 .../qxmlschemavalidator/testdata/QTBUG-77620.xsd   | 36 ++++++++++++++++++++++
 .../tst_qxmlschemavalidator.cpp                    | 23 ++++++++++++++
 5 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 tests/auto/qxmlschemavalidator/testdata/QTBUG-77620.xml
 create mode 100644 tests/auto/qxmlschemavalidator/testdata/QTBUG-77620.xsd

diff --git a/src/xmlpatterns/schema/qxsdschemahelper.cpp b/src/xmlpatterns/schema/qxsdschemahelper.cpp
index cdaa1c2..ce99ea7 100644
--- a/src/xmlpatterns/schema/qxsdschemahelper.cpp
+++ b/src/xmlpatterns/schema/qxsdschemahelper.cpp
@@ -518,7 +518,7 @@ bool XsdSchemaHelper::constructAndCompare(const DerivedString<TypeString>::Ptr &
                                           const ReportContext::Ptr &context,
                                           const SourceLocationReflection *const sourceLocationReflection)
 {
-    Q_ASSERT_X(type->category() == SchemaType::SimpleTypeAtomic, Q_FUNC_INFO,
+    Q_ASSERT_X(type && type->category() == SchemaType::SimpleTypeAtomic, Q_FUNC_INFO,
                "We can only compare atomic values.");
 
     // we can not cast a xs:String to a xs:QName, so lets go the safe way
diff --git a/src/xmlpatterns/schema/qxsdvalidatinginstancereader.cpp b/src/xmlpatterns/schema/qxsdvalidatinginstancereader.cpp
index 7e60667..de772e5 100644
--- a/src/xmlpatterns/schema/qxsdvalidatinginstancereader.cpp
+++ b/src/xmlpatterns/schema/qxsdvalidatinginstancereader.cpp
@@ -1113,6 +1113,7 @@ bool XsdValidatingInstanceReader::selectNodeSets(const XsdElement::Ptr&, const Q
 
                 const QXmlNodeModelIndex index = fieldItem.toNodeModelIndex();
                 const SchemaType::Ptr type = m_model->assignedType(index);
+                Q_ASSERT(type);
 
                 bool typeOk = true;
                 if (type->isComplexType()) {
@@ -1136,6 +1137,15 @@ bool XsdValidatingInstanceReader::selectNodeSets(const XsdElement::Ptr&, const Q
                         targetType = XsdSimpleType::Ptr(type)->primitiveType();
                     else
                         targetType = XsdComplexType::Ptr(type)->contentType()->simpleType();
+
+                    if (!targetType) {
+                        // QTBUG-77620: pattern type within a union doesn't get
+                        // its primitive type set.  FIXME: find root cause and
+                        // fix that, so we can remove this (and an XFAIL).
+                        error(QtXmlPatterns::tr("Field %1 is missing its simple type.")
+                                                        .arg(formatData(field->expression())));
+                        return false;
+                    }
                 } else {
                     if (BuiltinTypes::xsAnySimpleType->name(m_namePool) == type->name(m_namePool)) {
                         targetType = BuiltinTypes::xsString;
diff --git a/tests/auto/qxmlschemavalidator/testdata/QTBUG-77620.xml b/tests/auto/qxmlschemavalidator/testdata/QTBUG-77620.xml
new file mode 100644
index 0000000..1bde466
--- /dev/null
+++ b/tests/auto/qxmlschemavalidator/testdata/QTBUG-77620.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<root>
+  <item key="KEY1" />
+  <item key="KEY2" />
+  <item key="CUSTOM_KEY1" />
+</root>
diff --git a/tests/auto/qxmlschemavalidator/testdata/QTBUG-77620.xsd b/tests/auto/qxmlschemavalidator/testdata/QTBUG-77620.xsd
new file mode 100644
index 0000000..33657c7
--- /dev/null
+++ b/tests/auto/qxmlschemavalidator/testdata/QTBUG-77620.xsd
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
+  <xs:simpleType name="pattern_type">
+    <xs:restriction base="xs:string">
+      <xs:pattern value="CUSTOM_[0-9a-zA-Z]+" />
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name="enum_type">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="KEY1" />
+      <xs:enumeration value="KEY2" />
+      <!-- Note: *no* matching entry for key "CUSTOM_KEY1" -->
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name="union_type">
+    <xs:union memberTypes="enum_type pattern_type" />
+  </xs:simpleType>
+
+  <xs:element name="root">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element name="item" maxOccurs="unbounded">
+          <xs:complexType>
+            <xs:attribute name="key" type="union_type" use="required" />
+          </xs:complexType>
+        </xs:element>
+      </xs:sequence>
+    </xs:complexType>
+    <xs:key name="primary_key">
+      <xs:selector xpath="./item" />
+      <xs:field xpath="@key" />
+    </xs:key>
+  </xs:element>
+</xs:schema>
diff --git a/tests/auto/qxmlschemavalidator/tst_qxmlschemavalidator.cpp b/tests/auto/qxmlschemavalidator/tst_qxmlschemavalidator.cpp
index b128bef..51ef07d 100644
--- a/tests/auto/qxmlschemavalidator/tst_qxmlschemavalidator.cpp
+++ b/tests/auto/qxmlschemavalidator/tst_qxmlschemavalidator.cpp
@@ -74,6 +74,8 @@ private Q_SLOTS:
     void uriResolverSignature() const;
     void uriResolverDefaultValue() const;
     void uriResolver() const;
+
+    void unionCrash() const;
 };
 
 static QXmlSchema createValidSchema()
@@ -456,6 +458,27 @@ void tst_QXmlSchemaValidator::uriResolver() const
     }
 }
 
+void tst_QXmlSchemaValidator::unionCrash() const
+{
+    // Regression test for QTBUG-77620 (segfault on nullptr dereference).
+    const QString path = QFINDTESTDATA("testdata/");
+    QXmlSchema schema;
+
+    const QString filePath = path + QLatin1String("QTBUG-77620.xsd");
+
+    QFile file(filePath);
+    QVERIFY(file.open(QIODevice::ReadOnly));
+
+    schema.load(file.readAll(), QUrl(filePath));
+    QVERIFY2(schema.isValid(), "Schema should be found valid.");
+    // Validate instance
+    QXmlSchemaValidator validator(schema);
+    QEXPECT_FAIL("", "QTBUG-77620: " // Fixed crash, but not underlying problem:
+                 "the code fails to record the CUSTOM_KEY's primitive type as pattern_type", Continue);
+    QVERIFY2(validator.validate(QUrl(path + QLatin1String("QTBUG-77620.xml"))),
+             "Document should be found valid");
+}
+
 QTEST_MAIN(tst_QXmlSchemaValidator)
 
 #include "tst_qxmlschemavalidator.moc"
-- 
cgit v1.2.1