From b6c298d82293f2de3525cbbc6c26f94466bda034 Mon Sep 17 00:00:00 2001 From: Simon Hausmann Date: Wed, 23 Aug 2017 11:08:50 +0200 Subject: Fix memory corruption with type trimming When creating a composite type, we register the meta-type in the qml loader thread. However we would require linking of the compilation unit to the QML/engine thread before we would be able to also undo that registration in unlink(), because we require the engine member to be set. If that did not happen, i.e. a qml type was loaded and trimmed from the cache before it was ever linked, we would end up with a dangling pointer in m_compositeTypes. Let's handle the case of CompilationUnit referring to a QML composite type separately from it being a compilation unit resulting from a .js file or in a plain QJSEngine environment. Task-number: QTBUG-62630 Change-Id: Ia68cc46f05345702bd9ba0378f61118f1964d141 Reviewed-by: Lars Knoll --- src/qml/compiler/qv4compileddata.cpp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'src/qml/compiler/qv4compileddata.cpp') diff --git a/src/qml/compiler/qv4compileddata.cpp b/src/qml/compiler/qv4compileddata.cpp index 8ca1a29b2a..32e8ee4da2 100644 --- a/src/qml/compiler/qv4compileddata.cpp +++ b/src/qml/compiler/qv4compileddata.cpp @@ -97,6 +97,7 @@ static QString cacheFilePath(const QUrl &url) CompilationUnit::CompilationUnit() : data(0) , engine(0) + , qmlEngine(0) , runtimeLookups(0) , runtimeRegularExpressions(0) , runtimeClasses(0) @@ -212,8 +213,8 @@ void CompilationUnit::unlink() if (isRegisteredWithEngine) { Q_ASSERT(data && quint32(propertyCaches.count()) > data->indexOfRootObject && propertyCaches.at(data->indexOfRootObject)); - if (engine) - QQmlEnginePrivate::get(engine)->unregisterInternalCompositeType(this); + if (qmlEngine) + qmlEngine->unregisterInternalCompositeType(this); QQmlMetaType::unregisterInternalCompositeType(this); isRegisteredWithEngine = false; } @@ -230,6 +231,7 @@ void CompilationUnit::unlink() resolvedTypes.clear(); engine = 0; + qmlEngine = 0; free(runtimeStrings); runtimeStrings = 0; delete [] runtimeLookups; @@ -259,9 +261,6 @@ void CompilationUnit::markObjects(QV4::ExecutionEngine *e) void CompilationUnit::destroy() { - QQmlEngine *qmlEngine = 0; - if (engine && engine->v8Engine) - qmlEngine = engine->v8Engine->engine(); if (qmlEngine) QQmlEnginePrivate::deleteInEngineThread(qmlEngine, this); else @@ -284,12 +283,14 @@ IdentifierHash CompilationUnit::namedObjectsPerComponent(int componentObjec return *it; } -void CompilationUnit::finalize(QQmlEnginePrivate *engine) +void CompilationUnit::finalizeCompositeType(QQmlEnginePrivate *qmlEngine) { + this->qmlEngine = qmlEngine; + // Add to type registry of composites if (propertyCaches.needsVMEMetaObject(data->indexOfRootObject)) { QQmlMetaType::registerInternalCompositeType(this); - engine->registerInternalCompositeType(this); + qmlEngine->registerInternalCompositeType(this); } else { const QV4::CompiledData::Object *obj = objectAt(data->indexOfRootObject); auto *typeRef = resolvedTypes.value(obj->inheritedTypeNameIndex); -- cgit v1.2.3