From 8d03b5fdb232ddb8b5d3b27fd7627401dbd154f8 Mon Sep 17 00:00:00 2001 From: Milian Wolff Date: Mon, 16 Apr 2018 22:50:44 +0200 Subject: Prevent crashes by fixing mapping of transport to wrapped objects When an already-wrapped object was used by a secondary transport, the mapping was not updated. This could then lead to crashes when the transport was destroyed. [ChangeLog][General] Fix crash when wrapped objects are shared across multiple transports. Task-number: QTBUG-62388 Change-Id: I3c3b7302205e10f04695f1a202325704d90950d2 Reviewed-by: Kai Dohmen Reviewed-by: Simon Hausmann Reviewed-by: Frederik Gladhorn --- src/webchannel/qmetaobjectpublisher.cpp | 4 +++- tests/auto/webchannel/tst_webchannel.cpp | 33 ++++++++++++++++++++++++++++++++ tests/auto/webchannel/tst_webchannel.h | 3 ++- 3 files changed, 38 insertions(+), 2 deletions(-) diff --git a/src/webchannel/qmetaobjectpublisher.cpp b/src/webchannel/qmetaobjectpublisher.cpp index 8e83237..d107848 100644 --- a/src/webchannel/qmetaobjectpublisher.cpp +++ b/src/webchannel/qmetaobjectpublisher.cpp @@ -563,8 +563,10 @@ QJsonValue QMetaObjectPublisher::wrapResult(const QVariant &result, QWebChannelA } else if (wrappedObjects.contains(id)) { Q_ASSERT(object == wrappedObjects.value(id).object); // check if this transport is already assigned to the object - if (transport && !wrappedObjects.value(id).transports.contains(transport)) + if (transport && !wrappedObjects.value(id).transports.contains(transport)) { wrappedObjects[id].transports.append(transport); + transportedWrappedObjects.insert(transport, id); + } classInfo = wrappedObjects.value(id).classinfo; } diff --git a/tests/auto/webchannel/tst_webchannel.cpp b/tests/auto/webchannel/tst_webchannel.cpp index b62a596..8efd2fb 100644 --- a/tests/auto/webchannel/tst_webchannel.cpp +++ b/tests/auto/webchannel/tst_webchannel.cpp @@ -1037,6 +1037,39 @@ void TestWebChannel::qtbug46548_overriddenProperties() #endif // WEBCHANNEL_TESTS_CAN_USE_JS_ENGINE } +void TestWebChannel::qtbug62388_wrapObjectMultipleTransports() +{ + QWebChannel channel; + TestObject obj; + + auto initTransport = [&channel](QWebChannelAbstractTransport *transport) { + channel.connectTo(transport); + channel.d_func()->publisher->initializeClient(transport); + }; + initTransport(m_dummyTransport); + + auto queryObjectInfo = [&channel](QObject *obj, QWebChannelAbstractTransport *transport) { + return channel.d_func()->publisher->wrapResult(QVariant::fromValue(obj), transport).toObject(); + }; + const auto objectInfo = queryObjectInfo(&obj, m_dummyTransport); + + QCOMPARE(objectInfo.length(), 3); + QVERIFY(objectInfo.contains("id")); + QVERIFY(objectInfo.contains("__QObject*__")); + QVERIFY(objectInfo.contains("data")); + QVERIFY(objectInfo.value("__QObject*__").isBool() && objectInfo.value("__QObject*__").toBool()); + + const auto id = objectInfo.value("id").toString(); + + QCOMPARE(channel.d_func()->publisher->unwrapObject(id), &obj); + + DummyTransport transport; + initTransport(&transport); + QCOMPARE(queryObjectInfo(&obj, &transport), objectInfo); + + // don't crash when the transport is destroyed +} + QTEST_MAIN(TestWebChannel) #include "tst_webchannel.moc" diff --git a/tests/auto/webchannel/tst_webchannel.h b/tests/auto/webchannel/tst_webchannel.h index 85846e7..a9f66f9 100644 --- a/tests/auto/webchannel/tst_webchannel.h +++ b/tests/auto/webchannel/tst_webchannel.h @@ -44,7 +44,7 @@ class DummyTransport : public QWebChannelAbstractTransport { Q_OBJECT public: - explicit DummyTransport(QObject *parent) + explicit DummyTransport(QObject *parent = nullptr) : QWebChannelAbstractTransport(parent) {} ~DummyTransport() {}; @@ -315,6 +315,7 @@ private slots: void benchRemoveTransport(); void qtbug46548_overriddenProperties(); + void qtbug62388_wrapObjectMultipleTransports(); private: DummyTransport *m_dummyTransport; -- cgit v1.2.1