V4 ArrayIterator: Protect retrieved value from GC

When constructing the iterator return object, the garbage collector may
run, and drop the element value we want to return.

Fixes: QTBUG-101700
Pick-to: 5.15 6.2 6.3
Change-Id: I60c9b0b9fbb9e784fa089a8b5bb274d02ef7fc1f
Reviewed-by: Maximilian Goldstein <max.goldstein@qt.io>
Reviewed-by: Andrei Golubev <andrei.golubev@qt.io>

1 files changed, 3 insertions, 3 deletions

diff --git a/src/qml/jsruntime/qv4arrayiterator.cpp b/src/qml/jsruntime/qv4arrayiterator.cpp
index 199b1a728a..51387edf6e 100644
--- a/src/qml/jsruntime/qv4arrayiterator.cpp
+++ b/src/qml/jsruntime/qv4arrayiterator.cpp
@@ -86,18 +86,18 @@ ReturnedValue ArrayIteratorPrototype::method_next(const FunctionObject *b, const
         return IteratorPrototype::createIterResultObject(scope.engine, Value::fromInt32(index), false);
     }
 
-    ReturnedValue elementValue = a->get(index);
+    QV4::ScopedValue elementValue(scope, a->get(index));
     CHECK_EXCEPTION();
 
     if (itemKind == ValueIteratorKind) {
-        return IteratorPrototype::createIterResultObject(scope.engine, Value::fromReturnedValue(elementValue), false);
+        return IteratorPrototype::createIterResultObject(scope.engine, elementValue, false);
     } else {
         Q_ASSERT(itemKind == KeyValueIteratorKind);
 
         ScopedArrayObject resultArray(scope, scope.engine->newArrayObject());
         resultArray->arrayReserve(2);
         resultArray->arrayPut(0, Value::fromInt32(index));
-        resultArray->arrayPut(1, Value::fromReturnedValue(elementValue));
+        resultArray->arrayPut(1, elementValue);
         resultArray->setArrayLengthUnchecked(2);
 
         return IteratorPrototype::createIterResultObject(scope.engine, resultArray, false);