| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This relies heavily on the documented fact that we only support trusted
QML/JS content, meaning most files are only significant, not critical.
This also extends to the handling of qmlc files (as in
compilationunitmapper), as we store them in a user owned, non-shared
cache directory – so any vulnerability there would already mean that an
attacker has write-priviledges on user data.
An exception is ArrayBuffer, which can be used with arbitrary user data,
and should create a valid QBA.
Fixes: QTBUG-136970
Pick-to: 6.10 6.9 6.8
QUIP: 23
Change-Id: I22033fe6ab4acf8362a8183e25b92331d45cb32c
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`Scope` provides a mean of performing uninitialized scoped allocations
on the JS stack.
This can generally be unsafe as this form of allocation temporarily
leaves an element representing garbage memory on the JS stack, which
could be accessed by other parts of the program.
Indeed, a set of bugs related to this kind of behavior was recently
solved.
Hence, to reduce the surface of those kind of bugs, the usages of
uninitialized scoped allocations were reduced to a minimum.
The solution to the recent set of bugs related to uninitialized scoped
allocations introduced a series of `construct` methods that ensure that
the uninitialized allocation and the initialization of the allocated
elements are performed as a single step of computation, reducing the
surface for incorrect usages of those kind of allocations.
The solution was expanded by the introduction of new `construct` methods
that cover initialization from other types and some different means of
initialization that were used around the code-base to work with
uninitialized scoped allocations.
Similarly, the various allocation methods in `Scope` were subsumed by
the new `construct` methods, with the only remaining means of allocation
being the uninitialized one that is used as a building block for the
`construct` methods.
In particular, `Scope` provided three forms of allocation under the
various `alloc` methods.
The aforementioned uninitialized allocation and an allocation that
performed initialization to either the Undefined or the Empty value.
The latter two forms of allocation were converted to forms of
`construct`.
Since they directly map to the same concept of allocation plus
initialization, the conversion avoids having two names for the same
concept.
More specifically, the form of allocation that initialized to the
Undefined value was converted to the new `constructUndefined` which
keeps the same behavior.
The different naming from the basic `construct` methods is justified by
the different interface, which doesn't require choosing a initial value,
and the different implementation which is built on the more general
`construct` methods rather than the lower level allocation routines.
The form of allocation that initialized to the Empty value was removed
as it was found to be unused in the code-base.
The converted allocation methods generally provides the same interface
and behavior with the exception of always requiring the user to specify
the amount of allocate objects.
This is a change compared to the previous interface which allowed a
zero-argument version that allocated a single element.
The writer of the patch considered the additional terseness
inconsequential compared to the required additional code so that the
possibility was not preserved.
The code related to the converted allocation forms was removed as a
consequence of the conversion.
The remaining uninitialized allocation form was made private, to avoid
general usage outside of `Scope`, and favoring usages of the substitute
`construct` methods.
A comment that was related to usages of uninitialized scoped allocations
was moved to the lower level `jsAlloca`, which forms the basis for those
allocations and creates the abovementioned issues, where it was expanded
upon.
Usages of the non-uninitialized allocation forms around the code-base
were modified to use the new `constructUndefined` method.
Most usages of the uninitialized allocation form were modified to use
the new `construct` methods that were added to replace them.
Exceptions were made for those cases where the initialization routine is
either very complex or depends on details that shouldn't belong to
`Scope` such that they cannot be trivially encapsulated in a `construct`
method.
Instead, the relevant function or object was friended by `Scope` to
allow accesses to the now private form of allocation.
Those usages were previously checked and are supposed to be safe but
should be scrutinized if they are modified or the code around them is
modified.
One of the friended functions, `callDatafromJs`, previously offered a
default argument that was not made use of in the code-base.
The default value for the argument was removed to simplify friending the
function, considering the difficulty the language has with friended
function with default arguments and considering that it would have
required the default value to be moved out of the function definition
into a forward declaration in the unrelated header that defines `Scope`.
It is expected that the changes will reduce the surface of usage of
uninitialized scoped allocations in favor of a slightly safer approach,
make the issue that those usages can produce more apparent and generally
centralize the usages as much as possible to make them easier to
evaluate and keep track of.
Change-Id: I351329f2c139201e0728791df6da297698170f55
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
Reviewed-by: Sami Shalayel <sami.shalayel@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
| |
We need to assign them right away when creating the module. If we do it
later on, there are a lot of different code paths to cover and in fact
we were missing some.
Pick-to: 6.9 6.8
Task-number: QTBUG-133053
Change-Id: I57e381c787f504eb9bcd8c2041e41b4f1d1f8b53
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
| |
The name of a bound function cannot be null.
Amends commit 8b6a9403bf2e04d34b9b07d2780186029fab99d0
Change-Id: I8a32d4c2cc8170f1b5d722cd8c5b823aa2211975
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These are really rather generic type traits that shouldn't be stored in
individual objects. Moving them away slims down FunctionObject even
more.
FunctionObject doesn't add any extra overhead on top of Object anymore.
You also cannot easily cast an object that doesn't implement any call
methods to FunctionObject anymore. Therefore, we can derive from
FunctionObject even if we only need to implement call methods in a
further derived class.
The fact that ProxyObject is not a FunctionObject but its derivatives
are is already tested as part of the ecmascript test suite.
Task-number: QTBUG-124662
Change-Id: I5632de8c54ac1d6a4b15c4926c655b87b475db49
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Most FunctionObjects do not actually need their custom jsCall members.
They will only call the functions from the vtable anyway. FunctionObject
can therefore be split into a static and a dynamic variant. Only the
dyanmic variant needs to carry (and invoke) the extra pointer. The
jsCallWithMetaTypes pointer is completely pointless because none of the
dynamic functions actually implement it.
Furthermore, the QV4::Function and QV4::ExecutionContext pointers in
FunctionObject are only needed by actual JavaScript functions. The
builtins that like to be dynamic functions never need them. Therefore,
split out another class for this.
In the generic FunctionObject, we need the capability to decide at run
time whether the function shall be a constructor or not. Add a flag to
replace the check for jsCallAsConstructor.
Also, where we can, avoid the pessimization of checking whether a
function is a constructor before trying to call it as constructor.
Rather have the default implementation throw the exception.
As a side effect, for most functions we don't need an ExecutionContext
anymore. The engine is enough.
Task-number: QTBUG-124662
Change-Id: Iac657fa71288dd6ec230a33de2986ba3bcf4628c
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Pass the metatypes of the contained types rather than the stored types.
[ChangeLog][QtQml][Important Behavior Changes] The AOT compiled code for
type-annotated JavaScript functions does not let you pass or return
values of the wrong type anymore.
Fixes: QTBUG-119885
Change-Id: I685d398c0745d32a999a3abd76c622a2c0d6651f
Reviewed-by: Olivier De Cannière <olivier.decanniere@qt.io>
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
| |
Put the newly created FunctionObject into a Scope.
This isn't actually needed, but acts as a safeguard in case
FunctionObject::function is changed in the future to allocate memory.
Change-Id: I5bcd888cd8bd5cb8c727eb3b29222981c851d4fe
Reviewed-by: Sami Shalayel <sami.shalayel@qt.io>
Reviewed-by: Olivier De Cannière <olivier.decanniere@qt.io>
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
You can produce multiple CUs for the same URL with createQmlObject() and
friends. They need to be marked during garbage collection and therefore
the engine needs to keep track of them.
With the multihash there can be a lot of CUs of the same URL. Searching
through them can take a lot of time. However, there is no point in
searching for an existing executable CU if we've just freshly compiled
the base CU. So, in those cases, insert directly instead.
Fixes: QTBUG-121436
Change-Id: I804dbc74d2ade118f6680a7fbde3f234699ccbc3
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
| |
This is in preparation for letting the engine cache the executable CUs.
Change-Id: Ideac10d8dda0784b41304b58f9b9fbd106173ea6
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We don't want floating unlinked executable CUs. They should always be
tied to an engine, and the engine should not change. This gives us one
definite point where to register them with the engine (to be done in
subsequent change).
Unfortunately, due to the refcounting, we need to remove the engine from
any still-referenced CUs when the engine itself is destructed. We will
be able to drop the refcounting and make the engine fully own its
executable CUs once we can hold base CUs in most places.
Change-Id: I9a53e83d5c4746c2b2bca896b51baa4fe7fee757
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We can use the same mechanism we have in place when calling typed
JavaScript functions. The type coercion is generalized and moved to
qv4jscall_p.h. We also use the correct JavaScript coercion in the rare
fallback case where the types are actually different.
Fixes: QTBUG-113258
Change-Id: I30404ee0122433b47227b2fc0dc4b0e3862a99c7
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
| |
We do not have to coerce via the C++ type. Rather, we match the
JavaScript representations of the types and coerce as needed.
Task-number: QTBUG-113527
Change-Id: Id5c30cd46293f2d7aedd699f141a9fe19511b622
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
| |
We're going to call the JavaScript-typed functions a different name.
Change-Id: If92c3fb1b16b1b0bd7d009e7dd712ae6405e1232
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
| |
They cause clashes in CMake Unity (Jumbo) builds.
Pick-to: 6.5
Task-number: QTBUG-109394
Change-Id: I0408c01d3e6f0f4dc74904e12a3036a855cc3225
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
By default, the QML engine does not enforce signatures given as type
annotations to functions. By passing different types than the function
declares, you can get different behavior between the interpreter/JIT and
the AOT-compiled code. In addition, in interpreted or JIT'ed mode, we
pass all non-primitive value types as references. This means, if you
modify them within the called function, the modifications are propagated
back to the place where the value was loaded from.
Enforcing the signature prevents all of this, at a run time cost. Since
we have to coerce all arguments to the desired types, the function call
overhead grows. This change introduces a pragma
"FunctionSignatureBehavior" which you can set to "Ignored" or "Enforced"
to choose one way or the other as universal way of handling type
annotations.
Fixes: QTBUG-106819
Change-Id: I50e9b2bd6702907da44974cd9e05b48a96bb609e
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Calling alloc with a qint64 parameter is a good indicator that we got
that value from Object::getLength. In that case, the value needs to be
sanitized with safeForAllocLength.
As a consequence, we notice that method_stringify did indeed use alloc
in an usasafe way; this is now fixed.
In a few other places, variables had to be changed from unsigned to
signed int (as the conversion is now ambiguous).
An even stricter check would be to only accepd a value of (not yet
existing) "sanitized_size_t" type. However, that requires more effort,
at it would each and every call-site, and is thus left as an exercise
for later.
Pick-to: 6.4 6.2 5.15
Fixes: QTBUG-107619
Change-Id: I3bba9be1e0aea72e11ccb6c168219b4591eb8f5b
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
|
| |
|
|
|
|
|
|
|
|
| |
This extracts the check from Function.prototype.apply into a shared
function, and uses it in Reflect.apply, which has the same issue.
Pick-to: 6.4 6.2 5.15
Task-number: QTBUG-107619
Change-Id: I899464c86554f9bbb5270a95bbe3fe27531e9a27
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
|
| |
|
|
|
|
|
|
| |
We want to use the aotFunction member also for typed JavaScript
functions.
Change-Id: Iad6d12ebed3ad3069832484137ed8e4d9e7a7cf4
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drop unnecessary includes detected by clangd-iwyu.
Add new includes due to the transitive includes. Also, some of the
includes were detected as unused even if they were actually in use.
In those cases, use angular brackets instead of "" which deceives
the tool not to complain.
Affected subfolders: Debugger, Compiler, JsApi, JsRuntime, Memory,
Parser
Task-number: QTBUG-106473
Change-Id: I01d996a2a2ba31cbbc5f60f5454c8f850298f528
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Replace the current license disclaimer in files by
a SPDX-License-Identifier.
Files that have to be modified by hand are modified.
License files are organized under LICENSES directory.
Pick-to: 6.4
Task-number: QTBUG-67283
Change-Id: I63563bbeb6f60f89d2c99660400dca7fab78a294
Reviewed-by: Shawn Rutledge <shawn.rutledge@qt.io>
|
| |
|
|
|
|
|
|
| |
If we call an AOT-compiled function we never need the JavaScript call
frame. We can just skip its setup and save some overhead.
Change-Id: I39dc2ca6eea5b5a66f3b87b642a310534cecf6cd
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When called via the metaobject system, parameters and return values are
passed as void*, with accompanying type information in the form of
QMetaType. The same format is expected when calling an AOT
compiled function.
Previously, we would first convert all the parameters to QV4::Value,
just to convert them back the moment we notice that there is an AOT
compiled function. This is wasteful.
This change provides a second call infrastructure that accepts void* and
QMetaType as parameter and return value format, and passes them as-is
all the way to any AOT compiled functions. If there is no AOT compiled
function, the conversion is done when detecting this, rather than when
initiating the call. This also passes the information "ignore return
value" all the way down to the actual function call. If the caller is
not interested in the return value, we don't have to marshal it back at
all.
For now, we only add the extra "callWithMetaTypes" vtable entry to
ArrowFunction. However, other callables could also receive variants
optimized for calling with void*/int rather than V4 values.
This required changing the way how function arguments are stored in the
property cache. We squeeze the return type into
QQmlPropertyCacheMethodArguments now, and we use QMetaType instead of
integers. In turn, we remove some unused bits.
Change-Id: I946e603e623d9d985c54d3a15f6f4b7c7b7d8c60
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We either have pre-populated arguments and thisObject, then we can just
use them and keep them const. Or, we want to allocate and populate the
arguments and the thisObject. Then, do allocate them in a separate
object, and transform that into JSCallData afterwards if necessary.
Furthermore, avoid alloc(0) as that just returns the current stack top.
Writing to it will clobber other data. Rather, just use nullptr and
crash if it's written to.
Also, remove the useless operator-> from JSCallData. That one just
confuses the reader.
Change-Id: I8310911fcfe005b05a07b78fcb3791d991a0c2ce
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
| |
Task-number: QTBUG-84319
Change-Id: I2dcfb8a2db98282c7a1acdad1e6f4f949f26df15
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Shawn Rutledge <shawn.rutledge@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
| |
|
|
|
|
|
|
| |
If the call resulted in an exception the return value is undefined.
Task-number: QTBUG-81581
Change-Id: Ibfdd5e1229cf5437f270232d3b1a91308adeec72
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
|
| |
We could just crash there, assuming unlimited memory, but as this
particular place seems to be a very attractive target for various
mischief, let's just plug it.
Change-Id: I3b0369ceb34dafd12ce8dc1f189fc5f9ee82c169
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
| |
|
|
|
|
|
|
| |
Provide different export macros and different top level headers for
each, don't include runtime headers from compiler sources.
Change-Id: I7dc3f8c95839a00a871ba045ec65af87123154be
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
|
|
|
| |
We need a CompilationUnit that only holds the data needed for
compilation and another one that is executable by the runtime.
Change-Id: I704d859ba028576a18460f5e3a59f210f64535d3
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
|
| |
Task-number: QTBUG-72407
Change-Id: I98b96852309fc783a945797185f666196513d24b
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
|
| |
|
|
|
|
|
|
|
| |
Respect the newTarget passed into those constructors and make
sure we set up the proto chain correctly.
Change-Id: I3d12c7dbef4b33660a6715d73e9fb0f89105167a
Fixes: QTBUG-71138
Reviewed-by: Erik Verbruggen <erik.verbruggen@qt.io>
|
| |
|
|
|
| |
Change-Id: If1629109722496b3fd10b36b2376548440f2fee9
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
| |
Introduce a shortcut if the rhs is a functionobject with the
regular function proto as prototype.
Add an optimized instanceOf implementation when we already have some
checks done, and inline some methods.
Change-Id: Iab9b648ae7bbec749b319e883b6ae90a23875454
Reviewed-by: Erik Verbruggen <erik.verbruggen@qt.io>
|
| |
|
|
|
|
|
|
|
| |
Specialize find() into several methods for different purposes.
Prepares for further cleanups and being able to split up
getter and setter for accessor properties.
Change-Id: Id4ec5509ac1a1361e2170bbfc2347b89b520c782
Reviewed-by: Erik Verbruggen <erik.verbruggen@qt.io>
|
| |
|
|
|
|
|
|
| |
Give Arrow functions their own representation. This also prepares
for further optimizations especially for the instanceof operator.
Change-Id: I1f70c0271169a237e1acdeb7fe855be957ba2ea5
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
| |
Change-Id: I913f9429a9238860a5b4e9dc84d217ec824f25c1
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
| |
Change-Id: I1f2c796b50d05c238fad36434b2545604a401fbf
Reviewed-by: Erik Verbruggen <erik.verbruggen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Get rid of Primitive and move the corresponding methods
directly into Value. Mark many methods in Value as
constexpr and turn Value into a POD type again.
Keep Primitive as a pure alias to Value for source
compatibility of other modules that might be using it.
Change-Id: Icb47458947dd3482c8852e95782123ea4346f5ec
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
| |
Change-Id: I78cd0224399865e2b87bbf2771f70009a9374866
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
|
|
| |
And return the correct this object from the subclass constructor.
Change-Id: I8d68f07c3080f8c5ff8b10ad2cc85e017bf710d8
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
| |
Change-Id: Icbc25f1f723fe45a8c265f1b4bdf5f3fad3c4775
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
| |
Change-Id: I19eb4012c8fee51a7e5bf264d11ab5337ac2a88d
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
|
|
|
| |
Only functions that are constructors should have a prototype
property.
Change-Id: Ifcf6f8b6c38de055d871d57ada38a23432974263
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
|
|
|
|
| |
Super properties work in a rather special way by
accessing a 'home object' on the function object,
and reading from it's prototype.
Change-Id: I666334c9c27048c6c2ba6770dd8c9f56aecbee14
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
|
|
|
|
| |
As per spec, this should be uninitialized in derived
constructors, and the base constructor needs to get
called exactly once.
Change-Id: If31804e58d7ba62efde8fbf6cd852674f8da4495
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
|
|
|
| |
Use the jsConstruct member in the function object for this
and set it to a nullptr for methods that are not a constructor.
Change-Id: I63d2971b23b2596a8e3b6d2781f0d9ed3208693b
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
| |
Change-Id: I5e394ef8d4d6d87bedb26070d51660e3ebe3ab1b
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
| |
Change-Id: I01b7774097a447520c85ae6766e6ca1162e921ba
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
|
|
|
|
| |
It's possible to define a getter function for the prototype
property of Function objects. Ensure this doesn't mess up
things by not taking shortcuts.
Change-Id: Id981f3080f5c5c0714a1b7b6de27b4af04e794c8
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
| |
|
|
|
| |
Change-Id: Idf4b77fe6f99e02345920908b9242cee911c0c7b
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
|
