From 0ee2d9be1f8ab706a193e4f0cf095ee79e8210a8 Mon Sep 17 00:00:00 2001 From: Simon Hausmann Date: Fri, 27 Apr 2018 15:47:52 +0200 Subject: Fix heap-use-after-free Commit a1e5364b492610adf0636fefa3fc400558e211b6 introduced the use of AST elements at qml compilation unit generation time, which uncovered the issue that for scripts imported from qml files, the memory pool for the AST was local to QV4::Script::precompile. Therefore the memory where the AST stored was freed afterwards and any use after ::precompile() would produce ASAN errors. There's no good reason for Script::precompile to have its own local memory pool. Change-Id: I4f8eb5ee4e9d62d8874241bc95fc71a912e26cea Reviewed-by: Simon Hausmann --- src/qml/jsruntime/qv4script_p.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'src/qml/jsruntime/qv4script_p.h') diff --git a/src/qml/jsruntime/qv4script_p.h b/src/qml/jsruntime/qv4script_p.h index 0d1bce6f06..e7189664e2 100644 --- a/src/qml/jsruntime/qv4script_p.h +++ b/src/qml/jsruntime/qv4script_p.h @@ -62,6 +62,10 @@ QT_BEGIN_NAMESPACE class QQmlContextData; +namespace QQmlJS { +class Engine; +} + namespace QV4 { struct Q_QML_EXPORT Script { @@ -97,10 +101,9 @@ struct Q_QML_EXPORT Script { Function *function(); - static QQmlRefPointer precompile( - QV4::Compiler::Module *module, Compiler::JSUnitGenerator *unitGenerator, + static QQmlRefPointer precompile(QV4::Compiler::Module *module, QQmlJS::Engine *jsEngine, Compiler::JSUnitGenerator *unitGenerator, const QString &fileName, const QString &finalUrl, const QString &source, - QList *reportedErrors = nullptr, QQmlJS::Directives *directivesCollector = nullptr); + QList *reportedErrors = nullptr); static Script *createFromFileOrCache(ExecutionEngine *engine, QmlContext *qmlContext, const QString &fileName, const QUrl &originalUrl, QString *error); static ReturnedValue evaluate(ExecutionEngine *engine, const QString &script, QmlContext *qmlContext); -- cgit v1.2.3
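Review bot: The new `precompile` declaration in the second hunk takes a raw `QQmlJS::Engine *jsEngine` without documenting who owns it or how long it must stay alive, even though the fix depends on that engine's memory pool outliving the call. A future caller that passes an engine destroyed before the returned compilation unit is consumed reintroduces the same heap-use-after-free this commit fixes, and whether the definition rejects a null `jsEngine` is not visible from the header. I would add above the declaration: `// jsEngine provides the memory pool the parsed AST lives in; the caller must keep it alive for as long as the returned CompilationUnit (and any AST nodes reachable from it) is used. Must not be null.` The removed `directivesCollector` parameter is presumably now reached through the engine, but that is not shown here, and the implementation lives in the .cpp outside this hunk.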