When an excerpt of JavaScript such as the following is passed as an argument to a C++ function
[,"Argument Two","Argument Three"]
the following Qt SDK function is called:
C:\Qt\4.7.4\src\script\api\qscriptengine.cpp
/// Builds a QStringList from a JavaScript array: reads the array's "length"
/// property and converts each indexed element with toString().
/// @param exec  the executing JSC state used for property access and conversion
/// @param arr   the JavaScript value expected to behave like an array
/// @return one QString per index in [0, length)
/// NOTE(review): whatever property() yields for an index that is an array
/// hole is handed straight to toString() — confirm the callee tolerates it.
QStringList QScriptEnginePrivate::stringListFromArray(JSC::ExecState *exec, JSC::JSValue arr)
{
    QStringList result;
    const JSC::JSValue lengthValue = property(exec, arr, exec->propertyNames().length);
    const uint count = toUInt32(exec, lengthValue);
    for (uint index = 0; index < count; ++index) {
        const JSC::JSValue element = property(exec, arr, index);
        result.append(toString(exec, element));
    }
    return result;
}
which then calls
C:\Qt\4.7.4\src\3rdparty\javascriptcore\JavaScriptCore\runtime\JSString.h
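/// Converts this value to its string form: the JavaScript ToString rules
/// for primitives, delegating to the cell for everything else.
/// @param exec  the executing state; supplies the cached numeric strings
/// @return the string representation of the value
///
/// An empty JSValue (tag() == EmptyValueTag) is an internal "no value"
/// marker, not a JavaScript value; for it asCell() yields NULL, so it is
/// rejected before the final cell dispatch instead of being dereferenced.
inline UString JSValue::toString(ExecState* exec) const
{
    if (isString())
        return static_cast<JSString*>(asCell())->value(exec);
    if (isInt32())
        return exec->globalData().numericStrings.add(asInt32());
    if (isDouble())
        return exec->globalData().numericStrings.add(asDouble());
    if (isTrue())
        return "true";
    if (isFalse())
        return "false";
    if (isNull())
        return "null";
    if (isUndefined())
        return "undefined";
    // Guard the internal empty value (JSValue's operator bool is false only
    // for it). A null UString is returned rather than dereferencing a NULL
    // cell; NOTE(review): whether callers would rather see "undefined" here
    // (the ToString result of an array hole) is a policy choice — confirm.
    if (!*this)
        return UString();
    ASSERT(isCell());
    // Bug report: this line crashed because asCell() returned NULL for an
    // empty JSValue; the guard above now keeps that case from reaching it.
    return asCell()->toString(exec);
}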
A condition is missing before `return asCell()->toString(exec);`: in this case tag() == EmptyValueTag (-7), i.e. the value is the internal empty JSValue, so asCell() returns NULL.
Regards
| For Gerrit Dashboard: QTBUG-21896 | | | | | | |
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 27777,1 | Fix crash when converting invalid JSValue to string | master | qt/qtscript | Status: MERGED | +2 | 0 |
| 32121,1 | Fix crash when converting invalid JSValue to string | 4.8 | qt/qt | Status: MERGED | +2 | 0 |