diff options
| author | Maximilian Goldstein <max.goldstein@qt.io> | 2021-03-04 14:51:30 +0100 |
|---|---|---|
| committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2021-03-08 16:21:42 +0000 |
| commit | 18b1e8266fd98c3099724de3baf4e9a014fb72d5 (patch) | |
| tree | f6bedfd2c07be8d028431dfbe8177fdbad70f935 /tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp | |
| parent | d43b92b0a91daefde95f3fa9bf8aad94412d19f3 (diff) | |
qv4generatorobject: Fix crash when creating new properties
Previously HeapObject::GeneratorObject utilized a ValueArray member to store stack information.
As we rely on all HeapObject members to have a constant size in order for QV4Table::inlinePropertyOffset
to remain accurate, this lead to a memory conflict when a user defined his own property on the Generator.
Please do not use ValueArray for any types that are user accessible or that you intend to add properties to.
Now the stack information is stored into ArrayObjects instead which circumvents the issue.
Fixes: QTBUG-91491
Change-Id: Id6f638bf36a3ae3c9320ac99e67214c48dc81226
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Andrei Golubev <andrei.golubev@qt.io>
(cherry picked from commit 7ea690c61dabd2485e80e7fae9aed392ba02c846)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Diffstat (limited to 'tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp')
| -rw-r--r-- | tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp index 9198d3bebf..3c3a2a7a99 100644 --- a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp +++ b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp @@ -239,6 +239,7 @@ private slots: void eval(); void function(); void topLevelGeneratorFunction(); + void generatorCrashNewProperty(); void qtbug_10696(); void qtbug_11606(); void qtbug_11600(); @@ -6489,6 +6490,21 @@ void tst_qqmlecmascript::topLevelGeneratorFunction() QCOMPARE(it.property("next").callWithInstance(it).property("value").toInt(), 1); } +// QTBUG-91491 +void tst_qqmlecmascript::generatorCrashNewProperty() +{ + QQmlEngine engine; + QQmlComponent component(&engine, testFileUrl("generatorCrashNewProperty.qml")); + + QScopedPointer<QObject> o(component.create()); + + QVERIFY2(o != nullptr, qPrintable(component.errorString())); + + QCOMPARE(o->property("a").toInt(), 42); + QCOMPARE(o->property("b").toInt(), 12); + QCOMPARE(o->property("c").toInt(), 42); +} + // Test the "Qt.include" method void tst_qqmlecmascript::include() { |