Invalidate QScriptPrograms when engine is destroyed

If the engine is destroyed before the program, the program
must be invalidated; otherwise the program destructor will
access a stale engine pointer, which can cause a crash
(it crashes on Symbian, but "only" gives a Valgrind warning
on Linux for our autotests).

We need to keep track of all associated programs, just like
we already do for values and strings. This fix follows the
exact same pattern, but uses a QSet to keep the patch minimal.

No new tests, but the evaluateProgram() test runs successfully
on Symbian now, and there are no more Valgrind warnings.

Task-number: QTBUG-16987
Reviewed-by: Olivier Goffart

4 files changed, 42 insertions, 7 deletions

diff --git a/src/script/api/qscriptengine.cpp b/src/script/api/qscriptengine.cpp
index 9e338d4667..54039c0759 100644
--- a/src/script/api/qscriptengine.cpp
+++ b/src/script/api/qscriptengine.cpp
@@ -1022,6 +1022,7 @@ QScriptEnginePrivate::~QScriptEnginePrivate()
     while (!ownedAgents.isEmpty())
         delete ownedAgents.takeFirst();
 
+    detachAllRegisteredScriptPrograms();
     detachAllRegisteredScriptValues();
     detachAllRegisteredScriptStrings();
     qDeleteAll(m_qobjectData);
@@ -1576,6 +1577,14 @@ bool QScriptEnginePrivate::scriptDisconnect(JSC::JSValue signal, JSC::JSValue re
 
 #endif
 
+void QScriptEnginePrivate::detachAllRegisteredScriptPrograms()
+{
+    QSet<QScriptProgramPrivate*>::const_iterator it;
+    for (it = registeredScriptPrograms.constBegin(); it != registeredScriptPrograms.constEnd(); ++it)
+        (*it)->detachFromEngine();
+    registeredScriptPrograms.clear();
+}
+
 void QScriptEnginePrivate::detachAllRegisteredScriptValues()
 {
     QScriptValuePrivate *it;
diff --git a/src/script/api/qscriptengine_p.h b/src/script/api/qscriptengine_p.h
index 05a8901c59..f8144e9155 100644
--- a/src/script/api/qscriptengine_p.h
+++ b/src/script/api/qscriptengine_p.h
@@ -87,6 +87,7 @@ class QScriptEngineAgent;
 class QScriptEnginePrivate;
 class QScriptSyntaxCheckResult;
 class QScriptEngine;
+class QScriptProgramPrivate;
 
 namespace QScript
 {
@@ -273,6 +274,10 @@ public:
     static QScriptSyntaxCheckResult checkSyntax(const QString &program);
     static bool canEvaluate(const QString &program);
 
+    inline void registerScriptProgram(QScriptProgramPrivate *program);
+    inline void unregisterScriptProgram(QScriptProgramPrivate *program);
+    void detachAllRegisteredScriptPrograms();
+
     inline QScriptValuePrivate *allocateScriptValuePrivate(size_t);
     inline void freeScriptValuePrivate(QScriptValuePrivate *p);
 
@@ -368,6 +373,7 @@ public:
     static const int maxFreeScriptValues = 256;
     int freeScriptValuesCount;
     QScriptStringPrivate *registeredScriptStrings;
+    QSet<QScriptProgramPrivate*> registeredScriptPrograms;
     QHash<int, QScriptTypeInfo*> m_typeInfos;
     int processEventsInterval;
     QScriptValue abortResult;
@@ -566,6 +572,18 @@ inline QByteArray convertToLatin1(const JSC::UString &str)
 
 } // namespace QScript
 
+inline void QScriptEnginePrivate::registerScriptProgram(QScriptProgramPrivate *program)
+{
+    Q_ASSERT(!registeredScriptPrograms.contains(program));
+    registeredScriptPrograms.insert(program);
+}
+
+inline void QScriptEnginePrivate::unregisterScriptProgram(QScriptProgramPrivate *program)
+{
+    Q_ASSERT(registeredScriptPrograms.contains(program));
+    registeredScriptPrograms.remove(program);
+}
+
 inline QScriptValuePrivate *QScriptEnginePrivate::allocateScriptValuePrivate(size_t size)
 {
     if (freeScriptValues) {
diff --git a/src/script/api/qscriptprogram.cpp b/src/script/api/qscriptprogram.cpp
index da103bb850..31af9a0fdd 100644
--- a/src/script/api/qscriptprogram.cpp
+++ b/src/script/api/qscriptprogram.cpp
@@ -64,6 +64,7 @@ QScriptProgramPrivate::~QScriptProgramPrivate()
     if (engine) {
         QScript::APIShim shim(engine);
         _executable.clear();
+        engine->unregisterScriptProgram(this);
     }
 }
 
@@ -78,7 +79,10 @@ JSC::EvalExecutable *QScriptProgramPrivate::executable(JSC::ExecState *exec,
     if (_executable) {
         if (eng == engine)
             return _executable.get();
-        _executable = 0;
+        // "Migrating" to another engine; clean up old state
+        QScript::APIShim shim(engine);
+        _executable.clear();
+        engine->unregisterScriptProgram(this);
     }
     WTF::PassRefPtr<QScript::UStringSourceProviderWithFeedback> provider
         = QScript::UStringSourceProviderWithFeedback::create(sourceCode, fileName, firstLineNumber, eng);
@@ -86,10 +90,19 @@ JSC::EvalExecutable *QScriptProgramPrivate::executable(JSC::ExecState *exec,
     JSC::SourceCode source(provider, firstLineNumber); //after construction of SourceCode provider variable will be null.
     _executable = JSC::EvalExecutable::create(exec, source);
     engine = eng;
+    engine->registerScriptProgram(this);
     isCompiled = false;
     return _executable.get();
 }
 
+void QScriptProgramPrivate::detachFromEngine()
+{
+    _executable.clear();
+    sourceId = -1;
+    isCompiled = false;
+    engine = 0;
+}
+
 /*!
   Constructs a null QScriptProgram.
 */
@@ -122,9 +135,6 @@ QScriptProgram::QScriptProgram(const QScriptProgram &other)
 */
 QScriptProgram::~QScriptProgram()
 {
-    //    Q_D(QScriptProgram);
-    //    if (d->engine && (d->ref == 1))
-    //      d->engine->unregisterScriptProgram(d);
 }
 
 /*!
@@ -132,9 +142,6 @@ QScriptProgram::~QScriptProgram()
 */
 QScriptProgram &QScriptProgram::operator=(const QScriptProgram &other)
 {
-  //    if (d_func() && d_func()->engine && (d_func()->ref == 1))
-      //        d_func()->engine->unregisterScriptProgram(d_func());
-  //    }
     d_ptr = other.d_ptr;
     return *this;
 }
diff --git a/src/script/api/qscriptprogram_p.h b/src/script/api/qscriptprogram_p.h
index d2fd234232..e7809abbfd 100644
--- a/src/script/api/qscriptprogram_p.h
+++ b/src/script/api/qscriptprogram_p.h
@@ -61,6 +61,7 @@ public:
 
     JSC::EvalExecutable *executable(JSC::ExecState *exec,
                                     QScriptEnginePrivate *engine);
+    void detachFromEngine();
 
     QBasicAtomicInt ref;