summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorUlf Hermann <ulf.hermann@qt.io>2019-03-25 15:43:13 +0100
committerUlf Hermann <ulf.hermann@qt.io>2019-03-27 09:23:03 +0000
commitb6d0ed435d2d57359b6eafb2728c024eab0b1ece (patch)
tree33e4f7ba12d768bbc08f461a47a6bba2f9efb824
parent1b43149decdf42e47405a9e43840b7382076cb0d (diff)
Scope intermediate values when allocating objects
Otherwise the garbage collector might interfere and we might end up with dangling pointers in random places. Task-number: QTBUG-74190 Change-Id: I253c526ef930b8f0be14e96a42af8b66fda3b22d Reviewed-by: Lars Knoll <lars.knoll@qt.io>
-rw-r--r--src/qml/jsruntime/qv4arrayobject.cpp4
-rw-r--r--src/qml/jsruntime/qv4engine.cpp16
-rw-r--r--src/qml/jsruntime/qv4generatorobject.cpp4
-rw-r--r--tests/auto/qml/qjsengine/tst_qjsengine.cpp13
4 files changed, 30 insertions, 7 deletions
diff --git a/src/qml/jsruntime/qv4arrayobject.cpp b/src/qml/jsruntime/qv4arrayobject.cpp
index 8637db3dfd..b5b421fa39 100644
--- a/src/qml/jsruntime/qv4arrayobject.cpp
+++ b/src/qml/jsruntime/qv4arrayobject.cpp
@@ -103,7 +103,9 @@ void ArrayPrototype::init(ExecutionEngine *engine, Object *ctor)
ctor->defineDefaultProperty(QStringLiteral("from"), method_from, 1);
ctor->addSymbolSpecies();
- ScopedObject unscopables(scope, engine->newObject(engine->classes[EngineBase::Class_Empty]->changeVTable(QV4::Object::staticVTable())));
+ Scoped<InternalClass> ic(scope, engine->classes[EngineBase::Class_Empty]
+ ->changeVTable(QV4::Object::staticVTable()));
+ ScopedObject unscopables(scope, engine->newObject(ic->d()));
ScopedString name(scope);
defineDefaultProperty(QStringLiteral("constructor"), (o = ctor));
defineDefaultProperty(engine->id_toString(), method_toString, 0);
diff --git a/src/qml/jsruntime/qv4engine.cpp b/src/qml/jsruntime/qv4engine.cpp
index 1d0c7c13fa..bcd577c24d 100644
--- a/src/qml/jsruntime/qv4engine.cpp
+++ b/src/qml/jsruntime/qv4engine.cpp
@@ -464,11 +464,17 @@ ExecutionEngine::ExecutionEngine(QJSEngine *jsEngine)
jsObjects[TypeError_Ctor] = memoryManager->allocate<TypeErrorCtor>(global);
jsObjects[URIError_Ctor] = memoryManager->allocate<URIErrorCtor>(global);
jsObjects[IteratorProto] = memoryManager->allocate<IteratorPrototype>();
- jsObjects[ForInIteratorProto] = memoryManager->allocObject<ForInIteratorPrototype>(newInternalClass(ForInIteratorPrototype::staticVTable(), iteratorPrototype()));
- jsObjects[MapIteratorProto] = memoryManager->allocObject<MapIteratorPrototype>(newInternalClass(SetIteratorPrototype::staticVTable(), iteratorPrototype()));
- jsObjects[SetIteratorProto] = memoryManager->allocObject<SetIteratorPrototype>(newInternalClass(SetIteratorPrototype::staticVTable(), iteratorPrototype()));
- jsObjects[ArrayIteratorProto] = memoryManager->allocObject<ArrayIteratorPrototype>(newInternalClass(ArrayIteratorPrototype::staticVTable(), iteratorPrototype()));
- jsObjects[StringIteratorProto] = memoryManager->allocObject<StringIteratorPrototype>(newInternalClass(StringIteratorPrototype::staticVTable(), iteratorPrototype()));
+
+ ic = newInternalClass(ForInIteratorPrototype::staticVTable(), iteratorPrototype());
+ jsObjects[ForInIteratorProto] = memoryManager->allocObject<ForInIteratorPrototype>(ic);
+ ic = newInternalClass(SetIteratorPrototype::staticVTable(), iteratorPrototype());
+ jsObjects[MapIteratorProto] = memoryManager->allocObject<MapIteratorPrototype>(ic);
+ ic = newInternalClass(SetIteratorPrototype::staticVTable(), iteratorPrototype());
+ jsObjects[SetIteratorProto] = memoryManager->allocObject<SetIteratorPrototype>(ic);
+ ic = newInternalClass(ArrayIteratorPrototype::staticVTable(), iteratorPrototype());
+ jsObjects[ArrayIteratorProto] = memoryManager->allocObject<ArrayIteratorPrototype>(ic);
+ ic = newInternalClass(StringIteratorPrototype::staticVTable(), iteratorPrototype());
+ jsObjects[StringIteratorProto] = memoryManager->allocObject<StringIteratorPrototype>(ic);
str = newString(QStringLiteral("get [Symbol.species]"));
jsObjects[GetSymbolSpecies] = FunctionObject::createBuiltinFunction(this, str, ArrayPrototype::method_get_species, 0);
diff --git a/src/qml/jsruntime/qv4generatorobject.cpp b/src/qml/jsruntime/qv4generatorobject.cpp
index 566db6fd4e..14caa6953f 100644
--- a/src/qml/jsruntime/qv4generatorobject.cpp
+++ b/src/qml/jsruntime/qv4generatorobject.cpp
@@ -139,7 +139,9 @@ void GeneratorPrototype::init(ExecutionEngine *engine, Object *ctor)
Scope scope(engine);
ScopedValue v(scope);
- ScopedObject ctorProto(scope, engine->newObject(engine->newInternalClass(Object::staticVTable(), engine->functionPrototype())));
+ Scoped<InternalClass> ic(scope, engine->newInternalClass(
+ Object::staticVTable(), engine->functionPrototype()));
+ ScopedObject ctorProto(scope, engine->newObject(ic->d()));
ctor->defineReadonlyConfigurableProperty(engine->id_length(), Value::fromInt32(1));
ctor->defineReadonlyProperty(engine->id_prototype(), ctorProto);
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index 0491ccd473..0b1f1e0bca 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -236,6 +236,7 @@ private slots:
void importExportErrors();
void equality();
+ void aggressiveGc();
public:
Q_INVOKABLE QJSValue throwingCppMethod1();
@@ -4632,6 +4633,18 @@ void tst_QJSEngine::equality()
QCOMPARE(ok.toString(), QString("ok"));
}
+void tst_QJSEngine::aggressiveGc()
+{
+ const QByteArray origAggressiveGc = qgetenv("QV4_MM_AGGRESSIVE_GC");
+ qputenv("QV4_MM_AGGRESSIVE_GC", "true");
+ {
+ QJSEngine engine; // ctor crashes if core allocation methods don't properly scope things.
+ QJSValue obj = engine.newObject();
+ QVERIFY(obj.isObject());
+ }
+ qputenv("QV4_MM_AGGRESSIVE_GC", origAggressiveGc);
+}
+
QTEST_MAIN(tst_QJSEngine)
#include "tst_qjsengine.moc"