From 3b5d37ce3841c4bfdf1c629d33f0e33b881b47fb Mon Sep 17 00:00:00 2001
From: Simon Hausmann
Date: Tue, 28 Apr 2015 15:38:09 +0200
Subject: Fix memory corruption when multiple QML engines have JavaScript wrappers for the same QObject

It's possible that the same QObject is exposed to multiple JavaScript environments, for which we have this "extra" hack in the form of a QMap. The common case is that QQmlData has a QV4::WeakValue that points to the JS wrapper for the object. However in the rare case of multiple exposure, a map in the other engines stores those references. That map was erroneously storing pointers to temporary values on the JS stack instead of heap pointers.

Change-Id: I8587f9921a9b4f9efd288326d00cebc25ad0bc12
Task-number: QTBUG-45051
Reviewed-by: Lars Knoll
---
 src/qml/qml/qqmldata_p.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/qml/qml/qqmldata_p.h')

diff --git a/src/qml/qml/qqmldata_p.h b/src/qml/qml/qqmldata_p.h
index c7654be545..04c42b638d 100644
--- a/src/qml/qml/qqmldata_p.h
+++ b/src/qml/qml/qqmldata_p.h
@@ -74,7 +74,7 @@ class Q_QML_PRIVATE_EXPORT QQmlData : public QAbstractDeclarativeData
 public:
 QQmlData()
 : ownedByQml1(false), ownMemory(true), ownContext(false), indestructible(true), explicitIndestructibleSet(false),
- hasTaintedV8Object(false), isQueuedForDeletion(false), rootObjectInCreation(false),
+ hasTaintedV4Object(false), isQueuedForDeletion(false), rootObjectInCreation(false),
 hasVMEMetaObject(false), parentFrozen(false), bindingBitsSize(0), bindingBits(0), notifyList(0), context(0), outerContext(0),
 bindings(0), signalHandlers(0), nextContextObject(0), prevContextObject(0), lineNumber(0), columnNumber(0), jsEngineId(0),
 compiledData(0), deferredData(0),
@@ -112,7 +112,7 @@ public:
 quint32 ownContext:1;
 quint32 indestructible:1;
 quint32 explicitIndestructibleSet:1;
- quint32 hasTaintedV8Object:1;
+ quint32 hasTaintedV4Object:1;
 quint32 isQueuedForDeletion:1;
 /*
 * rootObjectInCreation should be true only when creating top level CPP and QML objects,
-- 
cgit v1.2.3