Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P1: Critical
Fix Version/s: 5.15.10, 6.2.3, 6.3.0 Alpha, 6.3, 5.15, 6.2
Affects Version/s: 5.15.3
Component/s: QML: Declarative and Javascript Engine
Labels:
- earmarked_by_ulf
- qmlnext

Commits:
dde1d86baabac1eddd84a11b7d2ed49e26c511bd (qt/qtdeclarative/dev) 762e70ea2ec028d0ce1659ed4ae8fc2ec47d950f (qt/qtdeclarative/6.2) 0e88794676 (qt/tqtc-qtdeclarative/5.15)

Description

This code :

function *a() {
    (function() { yield 1; })();
}
let it = a();
it.next();

is accepted as valid syntax leading to a crash when JIT kicks in :

QV4::JIT::BaselineJIT::generate_Yield()
QV4::Moth::ByteCodeHandler::decode(const char * code, unsigned int len)
QV4::JIT::BaselineJIT::generate()

PS: I wasn't able to crash the app with the code above which is derived from our real world crash and fix knowledge on this.

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Qt Qml Team User

Reporter:: Vincent Rouillé

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 15 Nov '21 17:05

Updated:: 08 May '22 05:55

Resolved:: 18 Nov '21 10:23

Gerrit Reviews

There are no open Gerrit changes

Show There are 3 closed Gerrit changes

Hide There are 3 closed Gerrit changes

QML/JS: Reject yield expression not directly in generator functions: Gerrit Review:

QML/JS: Reject yield expression not directly in generator functions: Gerrit Review:

QML/JS: Reject yield expression not directly in generator functions: Gerrit Review: