From fdabe1c8ac9c43648718b66bfb4194439a3e6abb Mon Sep 17 00:00:00 2001 From: Lars Knoll Date: Thu, 9 Feb 2017 14:57:21 +0100 Subject: Fix a potential crash in pushWithScope toObject() can potentially allocate a new object. If a GC accurs between that allocation and newWithContext(), we'd free the withObject Fixes a crash on test262 ch12/12.10/12.10-2-1 when running it with aggressive GC. Change-Id: Id8e957a748658a8f31ae39ff83509e9574ed51f7 Reviewed-by: Robin Burchell --- src/qml/jsruntime/qv4runtime.cpp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'src/qml') diff --git a/src/qml/jsruntime/qv4runtime.cpp b/src/qml/jsruntime/qv4runtime.cpp index 7f184f8221..6590054bf3 100644 --- a/src/qml/jsruntime/qv4runtime.cpp +++ b/src/qml/jsruntime/qv4runtime.cpp @@ -1264,12 +1264,16 @@ ReturnedValue Runtime::method_unwindException(ExecutionEngine *engine) */ void Runtime::method_pushWithScope(const Value &o, NoThrowEngine *engine) { - engine->pushContext(engine->currentContext->newWithContext(o.toObject(engine))); + QV4::Value *v = engine->jsAlloca(1); + Heap::Object *withObject = o.toObject(engine); + *v = withObject; + engine->pushContext(engine->currentContext->newWithContext(withObject)); Q_ASSERT(engine->jsStackTop == engine->currentContext + 2); } void Runtime::method_pushCatchScope(NoThrowEngine *engine, int exceptionVarNameIndex) { + engine->jsAlloca(1); // keep this symmetric with pushWithScope ExecutionContext *c = engine->currentContext; engine->pushContext(c->newCatchContext(c->d()->compilationUnit->runtimeStrings[exceptionVarNameIndex], engine->catchException(0))); Q_ASSERT(engine->jsStackTop == engine->currentContext + 2); @@ -1279,7 +1283,7 @@ void Runtime::method_popScope(NoThrowEngine *engine) { Q_ASSERT(engine->jsStackTop == engine->currentContext + 2); engine->popContext(); - engine->jsStackTop -= 2; + engine->jsStackTop -= 3; } void Runtime::method_declareVar(ExecutionEngine *engine, bool deletable, int nameIndex) -- cgit v1.2.3