From 8d7c74f560c263b3933b21d780c6a1980425a4ba Mon Sep 17 00:00:00 2001 From: Aaron Kennedy Date: Mon, 9 Nov 2009 11:33:14 +1000 Subject: During a GC mark the scope chain of QScriptContexts It appears that simply being in the scope chain of an existant frame isn't sufficient to be marked. This can lead to a QScriptContext scope chain that contains a JSObject that has been collected. For example, this code: QScriptContext *ctxt = engine->pushContext(); ctxt.pushScope(engine->newObject()); previouslyCreatedFunctionObject.call(); // causes a GC can lead to the object added to the scope chain to have become invalid. This leads to hilarity later on. Reviewed-by: Kent Hansen --- src/script/api/qscriptengine.cpp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/script/api/qscriptengine.cpp b/src/script/api/qscriptengine.cpp index 2b60a46..f41b4e2 100644 --- a/src/script/api/qscriptengine.cpp +++ b/src/script/api/qscriptengine.cpp @@ -1093,6 +1093,8 @@ void QScriptEnginePrivate::setContextFlags(JSC::ExecState *exec, uint flags) void QScriptEnginePrivate::mark(JSC::MarkStack& markStack) { + Q_Q(QScriptEngine); + markStack.append(originalGlobalObject()); markStack.append(globalObject()); if (originalGlobalObjectProxy) @@ -1130,6 +1132,22 @@ void QScriptEnginePrivate::mark(JSC::MarkStack& markStack) markStack.append((*it)->prototype); } } + + { + QScriptContext *context = q->currentContext(); + + while (context) { + JSC::ScopeChainNode *node = frameForContext(context)->scopeChain(); + JSC::ScopeChainIterator it(node); + for (it = node->begin(); it != node->end(); ++it) { + JSC::JSObject *object = *it; + if (object) + markStack.append(object); + } + + context = context->parentContext(); + } + } } bool QScriptEnginePrivate::isCollecting() const -- cgit v0.12