<feed xmlns='http://www.w3.org/2005/Atom'>
<title>qt/qtdeclarative.git/src/qml/jsruntime/qv4objectiterator_p.h, branch dev</title>
<subtitle>Qt Declarative (Quick 2)
</subtitle>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/'/>
<entry>
<title>CRA review qml/jsruntime</title>
<updated>2025-09-16T13:17:44+00:00</updated>
<author>
<name>Fabian Kosmale</name>
<email>fabian.kosmale@qt.io</email>
</author>
<published>2025-08-26T15:35:24+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=22df353c14800d2e9b6d57a9a0cb9c6baa337999'/>
<id>22df353c14800d2e9b6d57a9a0cb9c6baa337999</id>
<content type='text'>
This relies heavily on the documented fact that we only support trusted
QML/JS content, meaning most files are only significant, not critical.
This also extends to the handling of qmlc files (as in
compilationunitmapper), as we store them in a user owned, non-shared
cache directory – so any vulnerability there would already mean that an
attacker has write-priviledges on user data.

An exception is ArrayBuffer, which can be used with arbitrary user data,
and should create a valid QBA.

Fixes: QTBUG-136970
Pick-to: 6.10 6.9 6.8
QUIP: 23
Change-Id: I22033fe6ab4acf8362a8183e25b92331d45cb32c
Reviewed-by: Ulf Hermann &lt;ulf.hermann@qt.io&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This relies heavily on the documented fact that we only support trusted
QML/JS content, meaning most files are only significant, not critical.
This also extends to the handling of qmlc files (as in
compilationunitmapper), as we store them in a user owned, non-shared
cache directory – so any vulnerability there would already mean that an
attacker has write-priviledges on user data.

An exception is ArrayBuffer, which can be used with arbitrary user data,
and should create a valid QBA.

Fixes: QTBUG-136970
Pick-to: 6.10 6.9 6.8
QUIP: 23
Change-Id: I22033fe6ab4acf8362a8183e25b92331d45cb32c
Reviewed-by: Ulf Hermann &lt;ulf.hermann@qt.io&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Reduce access to uninitialized scoped allocations</title>
<updated>2025-07-08T13:44:47+00:00</updated>
<author>
<name>Luca Di Sera</name>
<email>luca.disera@qt.io</email>
</author>
<published>2025-07-04T13:04:39+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=54687acb65547bcacb448eeb3bf4fa0602fd8a1a'/>
<id>54687acb65547bcacb448eeb3bf4fa0602fd8a1a</id>
<content type='text'>
`Scope` provides a mean of performing uninitialized scoped allocations
on the JS stack.

This can generally be unsafe as this form of allocation temporarily
leaves an element representing garbage memory on the JS stack, which
could be accessed by other parts of the program.

Indeed, a set of bugs related to this kind of behavior was recently
solved.

Hence, to reduce the surface of those kind of bugs, the usages of
uninitialized scoped allocations were reduced to a minimum.

The solution to the recent set of bugs related to uninitialized scoped
allocations introduced a series of `construct` methods that ensure that
the uninitialized allocation and the initialization of the allocated
elements are performed as a single step of computation, reducing the
surface for incorrect usages of those kind of allocations.

The solution was expanded by the introduction of new `construct` methods
that cover initialization from other types and some different means of
initialization that were used around the code-base to work with
uninitialized scoped allocations.

Similarly, the various allocation methods in `Scope` were subsumed by
the new `construct` methods, with the only remaining means of allocation
being the uninitialized one that is used as a building block for the
`construct` methods.

In particular, `Scope` provided three forms of allocation under the
various `alloc` methods.
The aforementioned uninitialized allocation and an allocation that
performed initialization to either the Undefined or the Empty value.

The latter two forms of allocation were converted to forms of
`construct`.
Since they directly map to the same concept of allocation plus
initialization, the conversion avoids having two names for the same
concept.

More specifically, the form of allocation that initialized to the
Undefined value was converted to the new `constructUndefined` which
keeps the same behavior.
The different naming from the basic `construct` methods is justified by
the different interface, which doesn't require choosing a initial value,
and the different implementation which is built on the more general
`construct` methods rather than the lower level allocation routines.

The form of allocation that initialized to the Empty value was removed
as it was found to be unused in the code-base.

The converted allocation methods generally provides the same interface
and behavior with the exception of always requiring the user to specify
the amount of allocate objects.
This is a change compared to the previous interface which allowed a
zero-argument version that allocated a single element.
The writer of the patch considered the additional terseness
inconsequential compared to the required additional code so that the
possibility was not preserved.

The code related to the converted allocation forms was removed as a
consequence of the conversion.

The remaining uninitialized allocation form was made private, to avoid
general usage outside of `Scope`, and favoring usages of the substitute
`construct` methods.
A comment that was related to usages of uninitialized scoped allocations
was moved to the lower level `jsAlloca`, which forms the basis for those
allocations and creates the abovementioned issues, where it was expanded
upon.

Usages of the non-uninitialized allocation forms around the code-base
were modified to use the new `constructUndefined` method.

Most usages of the uninitialized allocation form were modified to use
the new `construct` methods that were added to replace them.
Exceptions were made for those cases where the initialization routine is
either very complex or depends on details that shouldn't belong to
`Scope` such that they cannot be trivially encapsulated in a `construct`
method.
Instead, the relevant function or object was friended by `Scope` to
allow accesses to the now private form of allocation.

Those usages were previously checked and are supposed to be safe but
should be scrutinized if they are modified or the code around them is
modified.

One of the friended functions, `callDatafromJs`, previously offered a
default argument that was not made use of in the code-base.
The default value for the argument was removed to simplify friending the
function, considering the difficulty the language has with friended
function with default arguments and considering that it would have
required the default value to be moved out of the function definition
into a forward declaration in the unrelated header that defines `Scope`.

It is expected that the changes will reduce the surface of usage of
uninitialized scoped allocations in favor of a slightly safer approach,
make the issue that those usages can produce more apparent and generally
centralize the usages as much as possible to make them easier to
evaluate and keep track of.

Change-Id: I351329f2c139201e0728791df6da297698170f55
Reviewed-by: Ulf Hermann &lt;ulf.hermann@qt.io&gt;
Reviewed-by: Sami Shalayel &lt;sami.shalayel@qt.io&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
`Scope` provides a mean of performing uninitialized scoped allocations
on the JS stack.

This can generally be unsafe as this form of allocation temporarily
leaves an element representing garbage memory on the JS stack, which
could be accessed by other parts of the program.

Indeed, a set of bugs related to this kind of behavior was recently
solved.

Hence, to reduce the surface of those kind of bugs, the usages of
uninitialized scoped allocations were reduced to a minimum.

The solution to the recent set of bugs related to uninitialized scoped
allocations introduced a series of `construct` methods that ensure that
the uninitialized allocation and the initialization of the allocated
elements are performed as a single step of computation, reducing the
surface for incorrect usages of those kind of allocations.

The solution was expanded by the introduction of new `construct` methods
that cover initialization from other types and some different means of
initialization that were used around the code-base to work with
uninitialized scoped allocations.

Similarly, the various allocation methods in `Scope` were subsumed by
the new `construct` methods, with the only remaining means of allocation
being the uninitialized one that is used as a building block for the
`construct` methods.

In particular, `Scope` provided three forms of allocation under the
various `alloc` methods.
The aforementioned uninitialized allocation and an allocation that
performed initialization to either the Undefined or the Empty value.

The latter two forms of allocation were converted to forms of
`construct`.
Since they directly map to the same concept of allocation plus
initialization, the conversion avoids having two names for the same
concept.

More specifically, the form of allocation that initialized to the
Undefined value was converted to the new `constructUndefined` which
keeps the same behavior.
The different naming from the basic `construct` methods is justified by
the different interface, which doesn't require choosing a initial value,
and the different implementation which is built on the more general
`construct` methods rather than the lower level allocation routines.

The form of allocation that initialized to the Empty value was removed
as it was found to be unused in the code-base.

The converted allocation methods generally provides the same interface
and behavior with the exception of always requiring the user to specify
the amount of allocate objects.
This is a change compared to the previous interface which allowed a
zero-argument version that allocated a single element.
The writer of the patch considered the additional terseness
inconsequential compared to the required additional code so that the
possibility was not preserved.

The code related to the converted allocation forms was removed as a
consequence of the conversion.

The remaining uninitialized allocation form was made private, to avoid
general usage outside of `Scope`, and favoring usages of the substitute
`construct` methods.
A comment that was related to usages of uninitialized scoped allocations
was moved to the lower level `jsAlloca`, which forms the basis for those
allocations and creates the abovementioned issues, where it was expanded
upon.

Usages of the non-uninitialized allocation forms around the code-base
were modified to use the new `constructUndefined` method.

Most usages of the uninitialized allocation form were modified to use
the new `construct` methods that were added to replace them.
Exceptions were made for those cases where the initialization routine is
either very complex or depends on details that shouldn't belong to
`Scope` such that they cannot be trivially encapsulated in a `construct`
method.
Instead, the relevant function or object was friended by `Scope` to
allow accesses to the now private form of allocation.

Those usages were previously checked and are supposed to be safe but
should be scrutinized if they are modified or the code around them is
modified.

One of the friended functions, `callDatafromJs`, previously offered a
default argument that was not made use of in the code-base.
The default value for the argument was removed to simplify friending the
function, considering the difficulty the language has with friended
function with default arguments and considering that it would have
required the default value to be moved out of the function definition
into a forward declaration in the unrelated header that defines `Scope`.

It is expected that the changes will reduce the surface of usage of
uninitialized scoped allocations in favor of a slightly safer approach,
make the issue that those usages can produce more apparent and generally
centralize the usages as much as possible to make them easier to
evaluate and keep track of.

Change-Id: I351329f2c139201e0728791df6da297698170f55
Reviewed-by: Ulf Hermann &lt;ulf.hermann@qt.io&gt;
Reviewed-by: Sami Shalayel &lt;sami.shalayel@qt.io&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Use SPDX license identifiers</title>
<updated>2022-06-11T06:05:15+00:00</updated>
<author>
<name>Lucie Gérard</name>
<email>lucie.gerard@qt.io</email>
</author>
<published>2022-05-13T13:12:05+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=0dc4fd240a2897c5c443a0ef6d84c416843e4938'/>
<id>0dc4fd240a2897c5c443a0ef6d84c416843e4938</id>
<content type='text'>
Replace the current license disclaimer in files by
a SPDX-License-Identifier.
Files that have to be modified by hand are modified.
License files are organized under LICENSES directory.

Pick-to: 6.4
Task-number: QTBUG-67283
Change-Id: I63563bbeb6f60f89d2c99660400dca7fab78a294
Reviewed-by: Shawn Rutledge &lt;shawn.rutledge@qt.io&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace the current license disclaimer in files by
a SPDX-License-Identifier.
Files that have to be modified by hand are modified.
License files are organized under LICENSES directory.

Pick-to: 6.4
Task-number: QTBUG-67283
Change-Id: I63563bbeb6f60f89d2c99660400dca7fab78a294
Reviewed-by: Shawn Rutledge &lt;shawn.rutledge@qt.io&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Include symbols in getOwnPropertyKeys</title>
<updated>2018-09-09T15:52:10+00:00</updated>
<author>
<name>Lars Knoll</name>
<email>lars.knoll@qt.io</email>
</author>
<published>2018-09-08T21:07:31+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=bcc9aa7daf197e8f2befe215902443d608e07b6a'/>
<id>bcc9aa7daf197e8f2befe215902443d608e07b6a</id>
<content type='text'>
And fix getOwnPropertySymbols and getOwnPropertyDescriptors.

Change-Id: Ie0e4c3d308ffe8a904e9a6ab9242b2cda59d779f
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
And fix getOwnPropertySymbols and getOwnPropertyDescriptors.

Change-Id: Ie0e4c3d308ffe8a904e9a6ab9242b2cda59d779f
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix ownKey iteration over Proxy objects</title>
<updated>2018-09-09T15:52:02+00:00</updated>
<author>
<name>Lars Knoll</name>
<email>lars.knoll@qt.io</email>
</author>
<published>2018-09-08T20:29:47+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=009a125d07448428a00abec70a894febe759adec'/>
<id>009a125d07448428a00abec70a894febe759adec</id>
<content type='text'>
Change-Id: I045a4844c06df9232cc8b04485ab0a39bb990e3f
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Change-Id: I045a4844c06df9232cc8b04485ab0a39bb990e3f
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Simplify ObjectIterator::next</title>
<updated>2018-08-04T09:16:06+00:00</updated>
<author>
<name>Lars Knoll</name>
<email>lars.knoll@qt.io</email>
</author>
<published>2018-08-02T21:02:08+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=60eab28305e7b51fe8efcb828628001674919408'/>
<id>60eab28305e7b51fe8efcb828628001674919408</id>
<content type='text'>
Use PropertyKey instead of two out pointers

Change-Id: I4f57bcb36fd412f19f0ed116042f7b094b5785dc
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Use PropertyKey instead of two out pointers

Change-Id: I4f57bcb36fd412f19f0ed116042f7b094b5785dc
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Implement ObjectIterator using the new iteration mechanism</title>
<updated>2018-08-02T20:25:55+00:00</updated>
<author>
<name>Lars Knoll</name>
<email>lars.knoll@qt.io</email>
</author>
<published>2018-08-02T14:54:59+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=a88f01364e147d9ea093bf0fdc639b45feef1788'/>
<id>a88f01364e147d9ea093bf0fdc639b45feef1788</id>
<content type='text'>
And with that get rid of the old advanceIterator methods.

Change-Id: I969fa89d25df8992a4b08c8c081b91c92ffdfddd
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
And with that get rid of the old advanceIterator methods.

Change-Id: I969fa89d25df8992a4b08c8c081b91c92ffdfddd
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove support for iterating over the proto chain from ObjectIterator</title>
<updated>2018-08-02T20:25:49+00:00</updated>
<author>
<name>Lars Knoll</name>
<email>lars.knoll@qt.io</email>
</author>
<published>2018-08-02T14:16:09+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=0d63c22eee293fe59d7691608deaaf3468045eb3'/>
<id>0d63c22eee293fe59d7691608deaaf3468045eb3</id>
<content type='text'>
This will simplify moving over to the new iteration model. It implies
a very small behavioral change in a few places where we used to
iterate over the proto chain before.

Change-Id: Ia62c9c51712d6b45e69ca63becdbefab6fa4bf3f
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This will simplify moving over to the new iteration model. It implies
a very small behavioral change in a few places where we used to
iterate over the proto chain before.

Change-Id: Ia62c9c51712d6b45e69ca63becdbefab6fa4bf3f
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Introduce a new mechanism to iterate over object properties</title>
<updated>2018-08-02T20:25:41+00:00</updated>
<author>
<name>Lars Knoll</name>
<email>lars.knoll@qt.io</email>
</author>
<published>2018-08-02T13:44:12+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=0754f55287f4652382332bce42cd8c7d27846ef1'/>
<id>0754f55287f4652382332bce42cd8c7d27846ef1</id>
<content type='text'>
The old advanceIterator schema was extremely ugly and in addition
not flexible enough to support the requirements for Proxy.ownKeys
and some of the methods in Object

Implemented a new scheme through a OwnPropertyKeys method in the
Object VTable that creates and returns an iterator object. Ported
QJSValueIterator and for-in to use the new mechanism.

There's still many places where we use the old ObjectIterator (that
relies on advanceIterator). Those will be ported in subsequent
commits.

Change-Id: I091a9bea9ff6b2b63630cc336814700757a718be
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The old advanceIterator schema was extremely ugly and in addition
not flexible enough to support the requirements for Proxy.ownKeys
and some of the methods in Object

Implemented a new scheme through a OwnPropertyKeys method in the
Object VTable that creates and returns an iterator object. Ported
QJSValueIterator and for-in to use the new mechanism.

There's still many places where we use the old ObjectIterator (that
relies on advanceIterator). Those will be ported in subsequent
commits.

Change-Id: I091a9bea9ff6b2b63630cc336814700757a718be
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Cleanup JS stack allocations</title>
<updated>2018-05-26T06:49:04+00:00</updated>
<author>
<name>Lars Knoll</name>
<email>lars.knoll@qt.io</email>
</author>
<published>2018-05-25T07:03:51+00:00</published>
<link rel='alternate' type='text/html' href='https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=6cbc287c06dd61988f2d4f4de253d89103919d2e'/>
<id>6cbc287c06dd61988f2d4f4de253d89103919d2e</id>
<content type='text'>
Avoid double writes to the stack, and use scope.alloc() for
most allocations on the stack.

Change-Id: I8b89273c1b6796d955fc8eeb72c67cff208ef786
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Avoid double writes to the stack, and use scope.alloc() for
most allocations on the stack.

Change-Id: I8b89273c1b6796d955fc8eeb72c67cff208ef786
Reviewed-by: Simon Hausmann &lt;simon.hausmann@qt.io&gt;
</pre>
</div>
</content>
</entry>
</feed>
