Details
- Bug
- Resolution: Done
- P1: Critical
- 5.0.0
- None
- 30662b5d64ff633f57d89290da2a85507d561187
Description
In some cases, v8 will assert during creation of a QHashedV8String:
import QtQuick 2.0

Item {
    id: root
    width: 300
    height: 300
    property string propName: width
    function slotA () { height = width; }
    Component.onCompleted: root[propName + "Changed"].connect(slotA);
}
The result of the concatenation is placed on the stack, the QV8QObjectWrapper's Getter interceptor is entered, and a QHashedV8String is constructed from the property (name). During construction, v8 asserts:
#5 0xb5c2f9b2 in CheckHelper (file=0xb5ff65b0 "../3rdparty/v8/src/objects-inl.h", line=2050, source=0xb5ff685e "object->IsSmi()",
condition=false) at ../3rdparty/v8/src/checks.h:60
#6 0xb5c33af2 in v8::internal::Smi::cast (object=0xdeadbeef) at ../3rdparty/v8/src/objects-inl.h:2050
#7 0xb5c5b832 in v8::internal::SeqString::symbol_id (this=0x2c7c0fc5) at ../3rdparty/v8/src/objects-inl.h:2102
#8 0xb5c4bcab in v8::String::CompleteHash (this=0x80f3930) at ../3rdparty/v8/src/api.cc:3734
#9 0xb6b938b6 in QHashedV8String (this=0xbfffb998, string=...)
at ../../include/QtDeclarative/5.0.0/QtDeclarative/private/../../../../../src/declarative/qml/ftw/qhashedstring_p.h:876
#10 0xb6cef76f in QV8QObjectWrapper::Getter (property=..., info=...) at qml/v8/qv8qobjectwrapper.cpp:702
This suggests either that the string has wrongly been tagged as a SeqString or that the memory for the symbol_id was not allocated correctly.
/edit: some more test cases to illuminate the cause of the problem:
// works fine
import QtQuick 2.0

Item {
    id: root
    width: 300
    height: 300
    property int someRandom: 50
    Component.onCompleted: {
        console.log(root["some" + "Random"]);
    }
}

// produces undefined (as expected) but doesn't crash
import QtQuick 2.0

Item {
    id: root
    width: 300
    height: 300
    property int someRandom: 50
    Component.onCompleted: {
        console.log(root["somerandom"]);
    }
}

// crashes
import QtQuick 2.0

Item {
    id: root
    width: 300
    height: 300
    property int someRandom: 50
    Component.onCompleted: {
        console.log(root["some" + "random"]);
    }
}