Fix memory corruption when multiple QML engines have JavaScript wrappers for the same QObject

It's possible that the same QObject is exposed to multiple JavaScript environments, for which we have this "extra" hack in the form of a QMap. The common case is that QQmlData has a QV4::WeakValue that points to the JS wrapper for the object. However in the rare case of multiple exposure, a map in the other engines stores those references. That map was erroneously storing pointers to temporary values on the JS stack instead of heap pointers. Change-Id: I8587f9921a9b4f9efd288326d00cebc25ad0bc12 Task-number: QTBUG-45051 Reviewed-by: Lars Knoll <lars.knoll@digia.com>
author: Simon Hausmann <simon.hausmann@theqtcompany.com> 2015-04-28 15:38:09 +0200
committer: Simon Hausmann <simon.hausmann@theqtcompany.com> 2015-05-08 04:08:10 +0000
commit: 3b5d37ce3841c4bfdf1c629d33f0e33b881b47fb (patch)
tree: 8b67170484d8675366f72d14af43e62849878a15 /src/qml/jsruntime/qv4qobjectwrapper.cpp
parent: d0dc7cec78e182f04726c5a2adade80dc2983bcf (diff)
1 files changed, 13 insertions, 9 deletions
diff --git a/src/qml/jsruntime/qv4qobjectwrapper.cpp b/src/qml/jsruntime/qv4qobjectwrapper.cpp
index 50efff001d..353f4023ca 100644
--- a/src/qml/jsruntime/qv4qobjectwrapper.cpp
+++ b/src/qml/jsruntime/qv4qobjectwrapper.cpp
@@ -589,7 +589,7 @@ ReturnedValue QObjectWrapper::wrap(ExecutionEngine *engine, QObject *object)
     } else if (ddata->jsWrapper.isUndefined() &&
                (ddata->jsEngineId == engine->m_engineId || // We own the QObject
                 ddata->jsEngineId == 0 ||    // No one owns the QObject
-                !ddata->hasTaintedV8Object)) { // Someone else has used the QObject, but it isn't tainted
+                !ddata->hasTaintedV4Object)) { // Someone else has used the QObject, but it isn't tainted
 
         QV4::ScopedValue rv(scope, create(engine, object));
         ddata->jsWrapper.set(scope.engine, rv);
@@ -600,11 +600,11 @@ ReturnedValue QObjectWrapper::wrap(ExecutionEngine *engine, QObject *object)
         // If this object is tainted, we have to check to see if it is in our
         // tainted object list
         ScopedObject alternateWrapper(scope, (Object *)0);
-        if (engine->m_multiplyWrappedQObjects && ddata->hasTaintedV8Object)
+        if (engine->m_multiplyWrappedQObjects && ddata->hasTaintedV4Object)
             alternateWrapper = engine->m_multiplyWrappedQObjects->value(object);
 
         // If our tainted handle doesn't exist or has been collected, and there isn't
-        // a handle in the ddata, we can assume ownership of the ddata->v8object
+        // a handle in the ddata, we can assume ownership of the ddata->jsWrapper
         if (ddata->jsWrapper.isUndefined() && !alternateWrapper) {
             QV4::ScopedValue result(scope, create(engine, object));
             ddata->jsWrapper.set(scope.engine, result);
@@ -616,8 +616,8 @@ ReturnedValue QObjectWrapper::wrap(ExecutionEngine *engine, QObject *object)
             alternateWrapper = create(engine, object);
             if (!engine->m_multiplyWrappedQObjects)
                 engine->m_multiplyWrappedQObjects = new MultiplyWrappedQObjectMap;
-            engine->m_multiplyWrappedQObjects->insert(object, alternateWrapper);
-            ddata->hasTaintedV8Object = true;
+            engine->m_multiplyWrappedQObjects->insert(object, alternateWrapper->d());
+            ddata->hasTaintedV4Object = true;
         }
 
         return alternateWrapper.asReturnedValue();
@@ -1908,16 +1908,20 @@ Heap::QmlSignalHandler::QmlSignalHandler(QV4::ExecutionEngine *engine, QObject *
 
 DEFINE_OBJECT_VTABLE(QmlSignalHandler);
 
-void MultiplyWrappedQObjectMap::insert(QObject *key, Object *value)
+void MultiplyWrappedQObjectMap::insert(QObject *key, Heap::Object *value)
 {
-    QHash<QObject*, Object*>::insert(key, value);
+    QV4::WeakValue v;
+    v.set(value->internalClass->engine, value);
+    QHash<QObject*, QV4::WeakValue>::insert(key, v);
     connect(key, SIGNAL(destroyed(QObject*)), this, SLOT(removeDestroyedObject(QObject*)));
 }
 
+
+
 MultiplyWrappedQObjectMap::Iterator MultiplyWrappedQObjectMap::erase(MultiplyWrappedQObjectMap::Iterator it)
 {
     disconnect(it.key(), SIGNAL(destroyed(QObject*)), this, SLOT(removeDestroyedObject(QObject*)));
-    return QHash<QObject*, Object*>::erase(it);
+    return QHash<QObject*, QV4::WeakValue>::erase(it);
 }
 
 void MultiplyWrappedQObjectMap::remove(QObject *key)
@@ -1930,7 +1934,7 @@ void MultiplyWrappedQObjectMap::remove(QObject *key)
 
 void MultiplyWrappedQObjectMap::removeDestroyedObject(QObject *object)
 {
-    QHash<QObject*, Object*>::remove(object);
+    QHash<QObject*, QV4::WeakValue>::remove(object);
 }
 
 QT_END_NAMESPACE
author	Simon Hausmann <simon.hausmann@theqtcompany.com>	2015-04-28 15:38:09 +0200
committer	Simon Hausmann <simon.hausmann@theqtcompany.com>	2015-05-08 04:08:10 +0000
commit	3b5d37ce3841c4bfdf1c629d33f0e33b881b47fb (patch)
tree	8b67170484d8675366f72d14af43e62849878a15 /src/qml/jsruntime/qv4qobjectwrapper.cpp
parent	d0dc7cec78e182f04726c5a2adade80dc2983bcf (diff)