diff options
| author | Kent Hansen <kent.hansen@nokia.com> | 2010-11-09 08:20:36 (GMT) |
|---|---|---|
| committer | Kent Hansen <kent.hansen@nokia.com> | 2010-11-09 10:00:13 (GMT) |
| commit | 8aee86b8ce4700f48b8a30752cb2293860957bb7 (patch) | |
| tree | 277d71ec3021aaba33108aa3dd660eebb0a1a434 /src/script/api | |
| parent | 6b8a95b2521d843ec2b3f7c787c15b92e4ea686f (diff) | |
| download | Qt-8aee86b8ce4700f48b8a30752cb2293860957bb7.zip Qt-8aee86b8ce4700f48b8a30752cb2293860957bb7.tar.gz Qt-8aee86b8ce4700f48b8a30752cb2293860957bb7.tar.bz2 | |
Fix GC-related crash in QScriptValue::setData()
Yet another missing API shim.
When converting the QScriptValue to JSC, a JSCell may be allocated,
which can cause the GC to trigger.
If an identifier (JSC::Identifier) is then garbage collected, the
destructor will try to remove itself from the currentIdentifierTable().
Because the API shim was missing, the identifier table was 0.
It's difficult to create a bulletproof test for this case, but the
attached test is a best effort (it crashes on my machine without the
fix).
Task-number: QTBUG-15144
Reviewed-by: Jedrzej Nowacki
Diffstat (limited to 'src/script/api')
| -rw-r--r-- | src/script/api/qscriptvalue.cpp | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/script/api/qscriptvalue.cpp b/src/script/api/qscriptvalue.cpp index f494106..e40458b 100644 --- a/src/script/api/qscriptvalue.cpp +++ b/src/script/api/qscriptvalue.cpp @@ -2036,6 +2036,7 @@ void QScriptValue::setData(const QScriptValue &data) Q_D(QScriptValue); if (!d || !d->isObject()) return; + QScript::APIShim shim(d->engine); JSC::JSValue other = d->engine->scriptValueToJSCValue(data); if (d->jscValue.inherits(&QScriptObject::info)) { QScriptObject *scriptObject = static_cast<QScriptObject*>(JSC::asObject(d->jscValue)); |