[Webkit-unassigned] [Bug 107477] New: [Qt] Crash when reading QObjectList property value

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 21 14:30:31 PST 2013 

https://bugs.webkit.org/show_bug.cgi?id=107477

           Summary: [Qt] Crash when reading QObjectList property value
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P3
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: shadyzay at gmail.com


If a QObject that have a QObjectList property is exposed to javascript using addToJavaScriptWindowObject, the program will crash when trying to read the property value if the returned list contains more than one element.

The following patch fixes the crash for me.
index e2ca465..37f2fd4 100644
--- a/Source/WebCore/bridge/qt/qt_runtime.cpp
+++ b/Source/WebCore/bridge/qt/qt_runtime.cpp
@@ -801,7 +801,7 @@ JSValueRef convertQVariantToValue(JSContextRef context, PassRefPtr<RootObject> r
         JSObjectRef array = JSObjectMakeArray(context, 0, 0, exception);
         ExecState* exec = toJS(context);
         for (int i = 0; i < ol.count(); ++i) {
-            JSValueRef jsObject = toRef(exec, QtInstance::getQtInstance(ol.at(i), root, QtInstance::QtOwnership)->createRuntimeObject(exec));
+            JSValueRef jsObject = toRef(exec, QtInstance::getQtInstance(ol.at(i), root.get(), QtInstance::QtOwnership)->createRuntimeObject(exec));
             JSObjectSetPropertyAtIndex(context, array, i, jsObject, /*ignored exception*/0);
         }
         return array;

steps to reproduce:
1. Add the following code to a slot connected to javaScriptWindowObjectCleared 
    MyObject * myObject = new MyObject(this);
    myObject->populateList();
    m_webView->page()->mainFrame()->addToJavaScriptWindowObject("test", myObject, QWebFrame::QtOwnership);
2. Add the following javascript code to the loaded page:
    window.onload = function() { window.test.others ; } 


// myobject.h 
#ifndef MYOBJECT_H
#define MYOBJECT_H

#include <QObject>
#include <QVariant>

class MyObject : public QObject
{
    Q_OBJECT
public:
    MyObject();
    explicit MyObject(QObject *parent = 0);

    Q_PROPERTY(QObjectList others READ others)

    void populateList();
    QObjectList others();

signals:

public slots:

private:
    int m_age;
    QObjectList m_list;
};

#endif // MYOBJECT_H


// myobject.cpp
#include "myobject.h"

MyObject::MyObject():
    QObject(0)
{
}

MyObject::MyObject(QObject *parent) :
    QObject(parent)
{
}

QObjectList MyObject::others()
{
    return m_list;
}

void MyObject::populateList()
{
    m_list << new MyObject(this);
    m_list << new MyObject(this);
}

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list