Scope intermediate values when allocating objects

Otherwise the garbage collector might interfere and we might end up with dangling pointers in random places. Task-number: QTBUG-74190 Change-Id: I253c526ef930b8f0be14e96a42af8b66fda3b22d Reviewed-by: Lars Knoll <lars.knoll@qt.io>
author: Ulf Hermann <ulf.hermann@qt.io> 2019-03-25 15:43:13 +0100
committer: Ulf Hermann <ulf.hermann@qt.io> 2019-03-27 09:23:03 +0000
commit: b6d0ed435d2d57359b6eafb2728c024eab0b1ece (patch)
tree: 33e4f7ba12d768bbc08f461a47a6bba2f9efb824 /src
parent: 1b43149decdf42e47405a9e43840b7382076cb0d (diff)
3 files changed, 17 insertions, 7 deletions
diff --git a/src/qml/jsruntime/qv4arrayobject.cpp b/src/qml/jsruntime/qv4arrayobject.cpp
index 8637db3dfd..b5b421fa39 100644
--- a/src/qml/jsruntime/qv4arrayobject.cpp
+++ b/src/qml/jsruntime/qv4arrayobject.cpp
@@ -103,7 +103,9 @@ void ArrayPrototype::init(ExecutionEngine *engine, Object *ctor)
     ctor->defineDefaultProperty(QStringLiteral("from"), method_from, 1);
     ctor->addSymbolSpecies();
 
-    ScopedObject unscopables(scope, engine->newObject(engine->classes[EngineBase::Class_Empty]->changeVTable(QV4::Object::staticVTable())));
+    Scoped<InternalClass> ic(scope, engine->classes[EngineBase::Class_Empty]
+                                            ->changeVTable(QV4::Object::staticVTable()));
+    ScopedObject unscopables(scope, engine->newObject(ic->d()));
     ScopedString name(scope);
     defineDefaultProperty(QStringLiteral("constructor"), (o = ctor));
     defineDefaultProperty(engine->id_toString(), method_toString, 0);
diff --git a/src/qml/jsruntime/qv4engine.cpp b/src/qml/jsruntime/qv4engine.cpp
index 1d0c7c13fa..bcd577c24d 100644
--- a/src/qml/jsruntime/qv4engine.cpp
+++ b/src/qml/jsruntime/qv4engine.cpp
@@ -464,11 +464,17 @@ ExecutionEngine::ExecutionEngine(QJSEngine *jsEngine)
     jsObjects[TypeError_Ctor] = memoryManager->allocate<TypeErrorCtor>(global);
     jsObjects[URIError_Ctor] = memoryManager->allocate<URIErrorCtor>(global);
     jsObjects[IteratorProto] = memoryManager->allocate<IteratorPrototype>();
-    jsObjects[ForInIteratorProto] = memoryManager->allocObject<ForInIteratorPrototype>(newInternalClass(ForInIteratorPrototype::staticVTable(), iteratorPrototype()));
-    jsObjects[MapIteratorProto] = memoryManager->allocObject<MapIteratorPrototype>(newInternalClass(SetIteratorPrototype::staticVTable(), iteratorPrototype()));
-    jsObjects[SetIteratorProto] = memoryManager->allocObject<SetIteratorPrototype>(newInternalClass(SetIteratorPrototype::staticVTable(), iteratorPrototype()));
-    jsObjects[ArrayIteratorProto] = memoryManager->allocObject<ArrayIteratorPrototype>(newInternalClass(ArrayIteratorPrototype::staticVTable(), iteratorPrototype()));
-    jsObjects[StringIteratorProto] = memoryManager->allocObject<StringIteratorPrototype>(newInternalClass(StringIteratorPrototype::staticVTable(), iteratorPrototype()));
+
+    ic = newInternalClass(ForInIteratorPrototype::staticVTable(), iteratorPrototype());
+    jsObjects[ForInIteratorProto] = memoryManager->allocObject<ForInIteratorPrototype>(ic);
+    ic = newInternalClass(SetIteratorPrototype::staticVTable(), iteratorPrototype());
+    jsObjects[MapIteratorProto] = memoryManager->allocObject<MapIteratorPrototype>(ic);
+    ic = newInternalClass(SetIteratorPrototype::staticVTable(), iteratorPrototype());
+    jsObjects[SetIteratorProto] = memoryManager->allocObject<SetIteratorPrototype>(ic);
+    ic = newInternalClass(ArrayIteratorPrototype::staticVTable(), iteratorPrototype());
+    jsObjects[ArrayIteratorProto] = memoryManager->allocObject<ArrayIteratorPrototype>(ic);
+    ic = newInternalClass(StringIteratorPrototype::staticVTable(), iteratorPrototype());
+    jsObjects[StringIteratorProto] = memoryManager->allocObject<StringIteratorPrototype>(ic);
 
     str = newString(QStringLiteral("get [Symbol.species]"));
     jsObjects[GetSymbolSpecies] = FunctionObject::createBuiltinFunction(this, str, ArrayPrototype::method_get_species, 0);
diff --git a/src/qml/jsruntime/qv4generatorobject.cpp b/src/qml/jsruntime/qv4generatorobject.cpp
index 566db6fd4e..14caa6953f 100644
--- a/src/qml/jsruntime/qv4generatorobject.cpp
+++ b/src/qml/jsruntime/qv4generatorobject.cpp
@@ -139,7 +139,9 @@ void GeneratorPrototype::init(ExecutionEngine *engine, Object *ctor)
     Scope scope(engine);
     ScopedValue v(scope);
 
-    ScopedObject ctorProto(scope, engine->newObject(engine->newInternalClass(Object::staticVTable(), engine->functionPrototype())));
+    Scoped<InternalClass> ic(scope, engine->newInternalClass(
+                                            Object::staticVTable(), engine->functionPrototype()));
+    ScopedObject ctorProto(scope, engine->newObject(ic->d()));
 
     ctor->defineReadonlyConfigurableProperty(engine->id_length(), Value::fromInt32(1));
     ctor->defineReadonlyProperty(engine->id_prototype(), ctorProto);
author	Ulf Hermann <ulf.hermann@qt.io>	2019-03-25 15:43:13 +0100
committer	Ulf Hermann <ulf.hermann@qt.io>	2019-03-27 09:23:03 +0000
commit	b6d0ed435d2d57359b6eafb2728c024eab0b1ece (patch)
tree	33e4f7ba12d768bbc08f461a47a6bba2f9efb824 /src
parent	1b43149decdf42e47405a9e43840b7382076cb0d (diff)