
Computing a stringhash on QObject property lookup can cause V8 to assert


Details

    • 30662b5d64ff633f57d89290da2a85507d561187

    Description

      In some cases, v8 will assert during creation of a QHashedV8String:

      import QtQuick 2.0
      
      Item {
          id: root
          width: 300
          height: 300
          property string propName: width
          function slotA () {
              height = width;
          }
          Component.onCompleted: root[propName + "Changed"].connect(slotA);
      }
      

      The result of the concatenation is placed on the stack, the QV8QObjectWrapper's Getter interceptor is entered, and a QHashedV8String is constructed from the property (name). During construction, v8 asserts:

      #5 0xb5c2f9b2 in CheckHelper (file=0xb5ff65b0 "../3rdparty/v8/src/objects-inl.h", line=2050, source=0xb5ff685e "object->IsSmi()", condition=false) at ../3rdparty/v8/src/checks.h:60
      #6 0xb5c33af2 in v8::internal::Smi::cast (object=0xdeadbeef) at ../3rdparty/v8/src/objects-inl.h:2050
      #7 0xb5c5b832 in v8::internal::SeqString::symbol_id (this=0x2c7c0fc5) at ../3rdparty/v8/src/objects-inl.h:2102
      #8 0xb5c4bcab in v8::String::CompleteHash (this=0x80f3930) at ../3rdparty/v8/src/api.cc:3734
      #9 0xb6b938b6 in QHashedV8String (this=0xbfffb998, string=...) at ../../include/QtDeclarative/5.0.0/QtDeclarative/private/../../../../../src/declarative/qml/ftw/qhashedstring_p.h:876
      #10 0xb6cef76f in QV8QObjectWrapper::Getter (property=..., info=...) at qml/v8/qv8qobjectwrapper.cpp:702

      This suggests either that the string has wrongly been tagged as a SeqString, or that the memory for the symbol_id was not allocated correctly.

      /edit: some more test cases to illuminate the cause of the problem:

      // works fine
      import QtQuick 2.0
      Item {
          id: root
          width: 300
          height: 300
          property int someRandom: 50
          Component.onCompleted: {
              console.log(root["some" + "Random"]);
          }
      }
      
      // produces undefined (as expected) but doesn't crash
      import QtQuick 2.0
      Item {
          id: root
          width: 300
          height: 300
          property int someRandom: 50
          Component.onCompleted: {
              console.log(root["somerandom"]);
          }
      }
      
      // crashes
      import QtQuick 2.0
      Item {
          id: root
          width: 300
          height: 300
          property int someRandom: 50
          Component.onCompleted: {
              console.log(root["some" + "random"]);
          }
      }
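      The three test cases above differ only in how the property name is produced: a literal in the source (interned by the engine), or a concatenation built at runtime (not interned). The following C++ model is an added illustration and is not Qt's or V8's code; the names JsString, InternTable, HashedKey and ObjectWrapper are hypothetical. It shows the defensive pattern the report points at: a hashed-string key may use an interned id as a fast equality shortcut only when the string is actually interned, and must otherwise fall back to the characters, so a runtime-built name that misses the property table (the "some" + "random" case) is simply a miss rather than a read of an uninitialized field.

```cpp
// Added illustrative model, not Qt's or V8's code. Models interned versus
// runtime-built strings and a hashed property key that never reads an
// interned id from a string that was not interned.
#include <cstdint>
#include <iostream>
#include <map>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Hypothetical engine string: literals are interned at compile time and carry
// a stable id; strings produced at runtime (concatenation) are not interned.
struct JsString {
    std::string chars;
    bool interned = false;
    std::optional<uint32_t> interned_id;  // only meaningful when interned
};

// Stand-in for the engine's symbol table.
class InternTable {
public:
    JsString literal(const std::string& s) {
        auto it = ids_.find(s);
        uint32_t id;
        if (it == ids_.end()) {
            id = next_id_++;
            ids_.emplace(s, id);
        } else {
            id = it->second;
        }
        return JsString{s, true, id};
    }
    // Runtime concatenation yields a fresh, non-interned string.
    static JsString concat(const JsString& a, const JsString& b) {
        return JsString{a.chars + b.chars, false, std::nullopt};
    }
private:
    std::map<std::string, uint32_t> ids_;
    uint32_t next_id_ = 1;
};

// FNV-1a over the characters: always valid, regardless of interning.
inline uint32_t hash_chars(const std::string& s) {
    uint32_t h = 2166136261u;
    for (unsigned char c : s) { h ^= c; h *= 16777619u; }
    return h;
}

// Hashed key for property lookup. The interned id is copied only when the
// source string is interned; equality uses it only when both sides have one.
struct HashedKey {
    std::string chars;
    uint32_t hash;
    std::optional<uint32_t> symbol_id;
    explicit HashedKey(const JsString& s)
        : chars(s.chars), hash(hash_chars(s.chars)),
          symbol_id(s.interned ? s.interned_id : std::nullopt) {}
    bool equals(const HashedKey& o) const {
        if (hash != o.hash) return false;
        if (symbol_id && o.symbol_id) return *symbol_id == *o.symbol_id;  // fast path
        return chars == o.chars;  // at least one side is not interned
    }
};

// Stand-in for the QObject wrapper: property names are interned literals.
class ObjectWrapper {
public:
    ObjectWrapper(InternTable& t, const std::map<std::string, int>& props) {
        for (const auto& [name, value] : props)
            props_.emplace_back(HashedKey(t.literal(name)), value);
    }
    std::optional<int> get(const JsString& name) const {
        HashedKey key(name);
        for (const auto& [k, v] : props_)
            if (k.equals(key)) return v;
        return std::nullopt;
    }
private:
    std::vector<std::pair<HashedKey, int>> props_;
};

// Runs one lookup against the Item from the report (width, height, someRandom).
// concat=true builds the name as a + b at runtime; otherwise it is one literal.
std::optional<int> lookup(const std::string& a, const std::string& b, bool concat) {
    InternTable table;
    ObjectWrapper root(table, {{"width", 300}, {"height", 300}, {"someRandom", 50}});
    JsString key = concat ? InternTable::concat(table.literal(a), table.literal(b))
                          : table.literal(a + b);
    return root.get(key);
}

int main() {
    auto show = [](std::optional<int> v) { return v ? std::to_string(*v) : "undefined"; };
    std::cout << show(lookup("some", "Random", true)) << '\n';   // 50
    std::cout << show(lookup("some", "random", false)) << '\n';  // undefined
    std::cout << show(lookup("some", "random", true)) << '\n';   // undefined, no crash
    return 0;
}
```

      The model mirrors the report's three cases: the concatenated hit resolves to 50, the misspelled literal is a plain miss, and the concatenated miss is also a plain miss because the key never dereferences an id the string does not have.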
      

      Attachments

        1. symbol_id.patch
          2 kB
          Aaron Kennedy
          People

            chriadam Christopher Adams (closed Nokia identity) (Inactive)