RESOLVED INVALID 107477
[Qt] Crash when reading QObjectList property value
https://bugs.webkit.org/show_bug.cgi?id=107477
Shady Zayat
Reported 2013-01-21 14:32:22 PST
If a QObject that has a QObjectList property is exposed to javascript using addToJavaScriptWindowObject, the program will crash when trying to read the property value if the returned list contains more than one element.

The following patch fixes the crash for me.

index e2ca465..37f2fd4 100644 --- a/Source/WebCore/bridge/qt/qt_runtime.cpp +++ b/Source/WebCore/bridge/qt/qt_runtime.cpp
@@ -801,7 +801,7 @@ JSValueRef convertQVariantToValue(JSContextRef context, PassRefPtr<RootObject> r JSObjectRef array = JSObjectMakeArray(context, 0, 0, exception); ExecState* exec = toJS(context); for (int i = 0; i < ol.count(); ++i) { - JSValueRef jsObject = toRef(exec, QtInstance::getQtInstance(ol.at(i), root, QtInstance::QtOwnership)->createRuntimeObject(exec)); + JSValueRef jsObject = toRef(exec, QtInstance::getQtInstance(ol.at(i), root.get(), QtInstance::QtOwnership)->createRuntimeObject(exec)); JSObjectSetPropertyAtIndex(context, array, i, jsObject, /*ignored exception*/0); } return array;

Steps to reproduce:

1. Add the following code to a slot connected to javaScriptWindowObjectCleared:

    MyObject *myObject = new MyObject(this);
    myObject->populateList();
    m_webView->page()->mainFrame()->addToJavaScriptWindowObject("test", myObject, QWebFrame::QtOwnership);

2. Add the following javascript code to the loaded page:

    window.onload = function() { window.test.others; }

// myobject.h
#ifndef MYOBJECT_H
#define MYOBJECT_H

#include <QObject>
#include <QVariant>

class MyObject : public QObject {
    Q_OBJECT
public:
    MyObject();
    explicit MyObject(QObject *parent = 0);
    Q_PROPERTY(QObjectList others READ others)
    void populateList();
    QObjectList others();
signals:
public slots:
private:
    int m_age;
    QObjectList m_list;
};

#endif // MYOBJECT_H

// myobject.cpp
#include "myobject.h"

MyObject::MyObject() : QObject(0)
{
}

MyObject::MyObject(QObject *parent) : QObject(parent)
{
}

QObjectList MyObject::others()
{
    return m_list;
}

void MyObject::populateList()
{
    m_list << new MyObject(this);
    m_list << new MyObject(this);
}
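Review bot: the `root` to `root.get()` change is the right fix, and the reason for it belongs in the ChangeLog this patch still lacks. The enclosing function receives `root` as a `PassRefPtr<RootObject>` (visible in the @@ header), and passing a PassRefPtr by value transfers the reference out of the source, so after the first pass through `for (int i = 0; i < ol.count(); ++i)` the caller's `root` is empty and the second `QtInstance::getQtInstance` call receives a null RootObject. That is exactly why a one-element list works and a two-element list crashes; `root.get()` hands over the raw pointer and leaves the caller's reference alone. Before landing, check the rest of convertQVariantToValue for the same per-element use of `root` (the quoted copy of this hunk in comment 1 points at line 740), and turn the two-element reproducer from this report into a regression test so the pattern cannot come back.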
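An added illustration (not WebKit or Qt code) of the ownership bug behind this crash: a simplified model of WebKit's PassRefPtr, whose copy constructor takes the reference out of its source, a stand-in `buildInstance` for QtInstance::getQtInstance, and the per-element loop written both the original way (passing `root` by value) and the patched way (passing `root.get()`). All names in it are hypothetical; it reproduces only the transfer-on-copy semantics relevant here, not WebKit's full reference counting.

```cpp
// Added example, not WebKit/Qt code: a simplified model of WebKit's PassRefPtr
// showing why passing `root` by value inside a loop fails on the second
// element, and why `root.get()` fixes it. All names here are hypothetical.
#include <cstdio>

// Stand-in for WebKit's RootObject: only the ref count matters for the model.
struct RootObject {
    int refCount = 0;
    void ref() { ++refCount; }
    void deref() { --refCount; }
};

// Simplified PassRefPtr<T>. The key property, as in WebKit, is that copying
// one *moves* the reference: the copy constructor calls leakRef() on its
// source, which leaves the source holding nullptr.
template <typename T>
class PassRefPtr {
public:
    PassRefPtr(T* p = nullptr) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    PassRefPtr(const PassRefPtr& other) : m_ptr(other.leakRef()) {}
    PassRefPtr& operator=(const PassRefPtr&) = delete;
    ~PassRefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
    T* leakRef() const { T* p = m_ptr; m_ptr = nullptr; return p; }
private:
    mutable T* m_ptr;
};

// Stand-in for QtInstance::getQtInstance(obj, root, ownership): it takes the
// root by PassRefPtr, as the signature in the hunk does. The real code
// dereferences the root; the model just reports whether it received one.
bool buildInstance(PassRefPtr<RootObject> root) {
    return root.get() != nullptr;
}

// "Before" pattern from the report: `root` passed by value per element.
// Returns how many elements were given a valid root.
int convertListBuggy(PassRefPtr<RootObject> root, int count) {
    int ok = 0;
    for (int i = 0; i < count; ++i) {
        if (buildInstance(root))  // first copy drains `root`; later ones get null
            ++ok;
    }
    return ok;
}

// "After" pattern: `root.get()` builds a fresh PassRefPtr from the raw pointer
// for each call (taking its own ref), so the caller's `root` stays intact.
int convertListFixed(PassRefPtr<RootObject> root, int count) {
    int ok = 0;
    for (int i = 0; i < count; ++i) {
        if (buildInstance(root.get()))
            ++ok;
    }
    return ok;
}

// Drive each variant over a fresh root so the results can be compared.
int elementsServedBuggy(int count) { RootObject obj; return convertListBuggy(&obj, count); }
int elementsServedFixed(int count) { RootObject obj; return convertListFixed(&obj, count); }

// Confirms the fixed loop leaves no reference behind once it returns.
bool fixedLoopBalancesRefs(int count) {
    RootObject obj;
    convertListFixed(&obj, count);
    return obj.refCount == 0;
}

int main() {
    for (int n = 1; n <= 3; ++n)
        std::printf("%d element(s): buggy served %d, fixed served %d\n",
                    n, elementsServedBuggy(n), elementsServedFixed(n));
    return 0;
}
```

Running it shows the buggy loop hands a valid root only to the first element, which matches the report: one element works, two or more fail (the model returns false where the real code dereferences a null pointer), while the patched loop serves every element and leaves the ref count balanced.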
Andras Becsi
Comment 1 2013-01-22 02:25:40 PST
You can create a ChangeLog with Tools/Scripts/prepare-Changelog and just upload the diff manually if you have trouble with webkit-patch. CC-ing Simon.

(In reply to comment #0)
> If a QObject that has a QObjectList property is exposed to javascript using addToJavaScriptWindowObject, the program will crash when trying to read the property value if the returned list contains more than one element. > > The following patch fixes the crash for me. > index e2ca465..37f2fd4 100644 > --- a/Source/WebCore/bridge/qt/qt_runtime.cpp > +++ b/Source/WebCore/bridge/qt/qt_runtime.cpp > @@ -801,7 +801,7 @@ JSValueRef convertQVariantToValue(JSContextRef context, PassRefPtr<RootObject> r > JSObjectRef array = JSObjectMakeArray(context, 0, 0, exception); > ExecState* exec = toJS(context); > for (int i = 0; i < ol.count(); ++i) { > - JSValueRef jsObject = toRef(exec, QtInstance::getQtInstance(ol.at(i), root, QtInstance::QtOwnership)->createRuntimeObject(exec)); > + JSValueRef jsObject = toRef(exec, QtInstance::getQtInstance(ol.at(i), root.get(), QtInstance::QtOwnership)->createRuntimeObject(exec)); AFAICT this probably needs to be applied to line 740 of this file as well. > JSObjectSetPropertyAtIndex(context, array, i, jsObject, /*ignored exception*/0); > } > return array; >
Jocelyn Turcotte
Comment 2 2014-02-03 03:24:25 PST
=== Bulk closing of Qt bugs ===

If you believe that this bug report is still relevant for a non-Qt port of webkit.org, please re-open it and remove [Qt] from the summary.

If you believe that this is still an important QtWebKit bug, please file a new report at https://bugreports.qt-project.org and add a link to this issue.

See http://qt-project.org/wiki/ReportingBugsInQt for additional guidelines.