QTBUG-15079

Returning default constructed QScriptValue from QScriptClass::property() leads to crash, when the QScriptValue is converted to string

    • Type: Bug
    • Resolution: Done
    • Priority: P1: Critical
    • Fix Version/s: 4.7.2
    • Affects Version/s: 4.6.2, 4.6.3
    • Component/s: Qt Script
    • Labels: None
    • Commits: 626f13421baf258407f03e3bf21ed67138d55ea4

      The attached example causes a crash with QtScript based on JavaScriptCore.

      The problem is that MyObjectClass::property(...) returns a default-constructed QScriptValue, which is converted to a default-constructed JSC::JSValue in QScriptEnginePrivate::scriptValueToJSCValue(...). A default-constructed JSC::JSValue has tag EmptyValueTag. Now there is an EmptyValueTag-tagged JSValue in the wild, which the example later tries to print, causing JSValue::toString(...) to be called; that function is not prepared to deal with the EmptyValueTag, so it invokes JSValue::asCell(), which then goes boom.

      If MyObjectClass::property(...) is modified to return QScriptValue(QScriptValue::UndefinedValue) the problem goes away.

      Probably the (invalid) default constructed QScriptValue returned from the QScriptClass::property(...) specialization should be converted to an undefined rather than an empty JSC::JSValue.

      Perhaps JSValue::toString(...) should be equipped to either turn an empty value into a string or contain a note that empty JSValues are not supposed to be let loose.
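The failure chain above, and the boundary conversion the report proposes, as a self-contained model added here. This is not Qt or JavaScriptCore code: `JSValue`, `ScriptValue`, `toJSCValueBuggy`, `toJSCValueFixed`, `propertyLookup` and `printProperty` are constructed stand-ins for JSC::JSValue, QScriptValue, QScriptEnginePrivate::scriptValueToJSCValue(...), a QScriptClass::property() override and the script's print call. The model replaces the real asCell() dereference with an exception so the bad path is observable; everything else mirrors the report: a default-constructed engine value carries the empty tag, and the fix maps an invalid public value to Undefined before it can reach the engine.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>

// Model of the engine-internal value (constructed for this example; it is
// not JSC::JSValue). Like JSC, a default-constructed value is the internal
// "empty" sentinel, which is never meant to be visible to scripts.
struct JSValue {
    enum Tag { EmptyValueTag, UndefinedTag, NullTag, Int32Tag, BoolTag };
    Tag tag = EmptyValueTag;
    int32_t payload = 0;

    static JSValue undefined() { JSValue v; v.tag = UndefinedTag; return v; }
    static JSValue fromInt(int32_t i) { JSValue v; v.tag = Int32Tag; v.payload = i; return v; }
    bool isEmpty() const { return tag == EmptyValueTag; }

    // Stand-in for JSValue::toString(): every real tag is handled; an empty
    // value falls through to what is a cell-pointer dereference in the
    // original. Here it throws instead of crashing so the path can be tested.
    std::string toString() const {
        switch (tag) {
        case UndefinedTag: return "undefined";
        case NullTag:      return "null";
        case Int32Tag:     return std::to_string(payload);
        case BoolTag:      return payload ? "true" : "false";
        case EmptyValueTag: break;
        }
        throw std::logic_error("toString() on empty JSValue: asCell() on a non-cell");
    }
};

// Model of the public API value (stand-in for QScriptValue): default-
// constructed means "invalid", the state a property() override should not
// return but easily does by falling off the end of a lookup.
struct ScriptValue {
    bool valid = false;
    JSValue inner;                                   // empty when invalid
    ScriptValue() = default;
    explicit ScriptValue(JSValue v) : valid(true), inner(v) {}
};

// Conversion as the report describes it: the invalid value's inner, empty-
// tagged JSValue escapes into the engine unchanged.
JSValue toJSCValueBuggy(const ScriptValue& v) { return v.inner; }

// Conversion as the report proposes: an invalid public value becomes
// Undefined at the API boundary, so the Empty sentinel never leaves the
// engine internals.
JSValue toJSCValueFixed(const ScriptValue& v) {
    return v.valid ? v.inner : JSValue::undefined();
}

// Stand-in for a QScriptClass::property() override that only answers for
// the names it knows and returns a default-constructed value otherwise.
ScriptValue propertyLookup(const std::string& name) {
    if (name == "answer") return ScriptValue(JSValue::fromInt(42));
    return ScriptValue();
}

// Engine side: convert the property result and stringify it, as print() would.
std::string printProperty(const std::string& name, bool fixed) {
    ScriptValue sv = propertyLookup(name);
    JSValue js = fixed ? toJSCValueFixed(sv) : toJSCValueBuggy(sv);
    return js.toString();
}

// True when the unfixed path hits the empty-value failure for this name.
bool buggyPathFails(const std::string& name) {
    try { printProperty(name, false); return false; }
    catch (const std::logic_error&) { return true; }
}
```

Known names behave identically on both paths; for an unknown name the unfixed conversion hands the engine an empty value and the stringify step fails, while the fixed conversion yields "undefined", which is also what the report observes when the override is changed to return QScriptValue(QScriptValue::UndefinedValue) explicitly.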


            Assignee: Kent Hansen (Inactive)
            Reporter: Thomas Sondergaard
            Votes: 0
            Watchers: 0
