From d1de10fa2dce63cf45f7b013d00d1953415d6069 Mon Sep 17 00:00:00 2001
From: Frank Meerkoetter
Date: Fri, 6 Nov 2015 10:37:21 +0100
Subject: Fix crash related to BoundFunctions

This fix prevents the crash documented in QTBUG-49076. To quote Erik on the cause of the crash: Call stack is probably: FunctionPrototype::method_bind -> BoundFunction::create -> mm::allocObject -> BoundFunction::BoundFunction -> Heap::FunctionObject -> (Scoped)FunctionObject::init -> engine::newObject -> ... -> mm::allocObject The call to Heap::FunctionObject in BoundFunction is the call to the parent class constructor, which causes an allocation. But at that point, BoundFunction's target is still zero-initialised (the real initialization happens first thing *after* the parent class' constructor is called).
Change-Id: If256f59168867cba9c886642ebaacb1d56801da4
Reviewed-by: Lars Knoll
Reviewed-by: Simon Hausmann
---
 src/qml/jsruntime/qv4functionobject.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src/qml')

diff --git a/src/qml/jsruntime/qv4functionobject.cpp b/src/qml/jsruntime/qv4functionobject.cpp
index 2944c7b421..be09a58fc9 100644
--- a/src/qml/jsruntime/qv4functionobject.cpp
+++ b/src/qml/jsruntime/qv4functionobject.cpp
@@ -729,7 +729,8 @@ ReturnedValue BoundFunction::construct(const Managed *that, CallData *dd)
 void BoundFunction::markObjects(Heap::Base *that, ExecutionEngine *e)
 {
 BoundFunction::Data *o = static_cast(that);
- o->target->mark(e);
+ if (o->target)
+ o->target->mark(e);
 o->boundThis.mark(e);
 if (o->boundArgs)
 o->boundArgs->mark(e);
-- 
cgit v1.2.3
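Review bot: The new `if (o->target)` guard carries no comment saying why a null target is ever expected in markObjects, so it reads as dead code and is exactly the kind of check a later cleanup removes, reintroducing the crash. The commit message explains the reason: the collector can mark a BoundFunction while the base-class constructor is still allocating, at which point `target` is still zero-initialised, so a null target is a construction-window artefact rather than a valid object state. I would annotate the guard, e.g. `// target is still null while the Heap::FunctionObject ctor allocates (QTBUG-49076); the GC can reach this object before BoundFunction's own ctor body has run`. The guard fixes the null dereference but not the underlying fact that a half-constructed object is reachable by the collector; `o->boundThis.mark(e)` on the next line is presumably safe on a zeroed Value, but that is inferred rather than visible in the hunk. The closing brace of markObjects lies outside the hunk.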