From 8aee86b8ce4700f48b8a30752cb2293860957bb7 Mon Sep 17 00:00:00 2001 From: Kent Hansen Date: Tue, 9 Nov 2010 09:20:36 +0100 Subject: Fix GC-related crash in QScriptValue::setData() Yet another missing API shim. When converting the QScriptValue to JSC, a JSCell may be allocated, which can cause the GC to trigger. If an identifier (JSC::Identifier) is then garbage collected, the destructor will try to remove itself from the currentIdentifierTable(). Because the API shim was missing, the identifier table was 0. It's difficult to create a bulletproof test for this case, but the attached test is a best effort (it crashes on my machine without the fix). Task-number: QTBUG-15144 Reviewed-by: Jedrzej Nowacki --- src/script/api/qscriptvalue.cpp | 1 + tests/auto/qscriptvalue/tst_qscriptvalue.cpp | 13 +++++++++++++ tests/auto/qscriptvalue/tst_qscriptvalue.h | 1 + 3 files changed, 15 insertions(+) diff --git a/src/script/api/qscriptvalue.cpp b/src/script/api/qscriptvalue.cpp index f494106..e40458b 100644 --- a/src/script/api/qscriptvalue.cpp +++ b/src/script/api/qscriptvalue.cpp @@ -2036,6 +2036,7 @@ void QScriptValue::setData(const QScriptValue &data) Q_D(QScriptValue); if (!d || !d->isObject()) return; + QScript::APIShim shim(d->engine); JSC::JSValue other = d->engine->scriptValueToJSCValue(data); if (d->jscValue.inherits(&QScriptObject::info)) { QScriptObject *scriptObject = static_cast(JSC::asObject(d->jscValue)); diff --git a/tests/auto/qscriptvalue/tst_qscriptvalue.cpp b/tests/auto/qscriptvalue/tst_qscriptvalue.cpp index 639df36..53e2699 100644 --- a/tests/auto/qscriptvalue/tst_qscriptvalue.cpp +++ b/tests/auto/qscriptvalue/tst_qscriptvalue.cpp @@ -2253,6 +2253,19 @@ void tst_QScriptValue::getSetData() QVERIFY(!object.data().isValid()); } +void tst_QScriptValue::setData_QTBUG15144() +{ + QScriptEngine eng; + QScriptValue obj = eng.newObject(); + for (int i = 0; i < 10000; ++i) { + // Create an object with property 'fooN' on it, and immediately kill + // the reference to the object so it and the property name become garbage. + eng.evaluate(QString::fromLatin1("o = {}; o.foo%0 = 10; o = null;").arg(i)); + // Setting the data will cause a JS string to be allocated, which could + // trigger a GC. This should not cause a crash. + obj.setData("foodfight"); + } +} class TestScriptClass : public QScriptClass { public: diff --git a/tests/auto/qscriptvalue/tst_qscriptvalue.h b/tests/auto/qscriptvalue/tst_qscriptvalue.h index 462749a..aa6bc6c 100644 --- a/tests/auto/qscriptvalue/tst_qscriptvalue.h +++ b/tests/auto/qscriptvalue/tst_qscriptvalue.h @@ -216,6 +216,7 @@ private slots: void getSetProperty(); void arrayElementGetterSetter(); void getSetData(); + void setData_QTBUG15144(); void getSetScriptClass(); void call(); void construct(); -- cgit v0.12