QtQml: Check for locals in metatypes stack frame before accessing them

ulfhermannqt · Qt Cherry-pick Bot · commit 1f89af3cfdb4 · 2025-09-12T03:27:53.000Z
ScopedStackFrame has no locals and we don't want to crash if we manage to run the GC while e.g. initializing a component. Amends commmit 2d016a2 Fixes: QTBUG-140057 Pick-to: 6.8 Change-Id: I7aeb39d6cb1f0ca0a661b8cfa2e7c159f968e224 Reviewed-by: Sami Shalayel <sami.shalayel@qt.io> (cherry picked from commit 024e43c) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> (cherry picked from commit c4bf8c9)
diff --git a/src/qml/memory/qv4mm.cpp b/src/qml/memory/qv4mm.cpp
@@ -1480,13 +1480,13 @@ void MemoryManager::collectFromJSStack(MarkStack *markStack) const
         if (!frame->isMetaTypesFrame())
             continue;
 
-        const QQmlPrivate::AOTTrackedLocalsStorage *locals
-                = static_cast<const MetaTypesStackFrame *>(frame)->locals();
-
-        // locals have to be initialized first thing when calling the function
-        Q_ASSERT(locals);
-
-        locals->markObjects(markStack);
+        if (const QQmlPrivate::AOTTrackedLocalsStorage *locals
+                = static_cast<const MetaTypesStackFrame *>(frame)->locals()) {
+            // Actual AOT-compiled functions initialize the locals firsth thing when they
+            // are called. However, the ScopedStackFrame has no locals, but still uses a
+            // MetaTypesStackFrame.
+            locals->markObjects(markStack);
+        }
     }
 }
 
diff --git a/tests/auto/qml/qv4mm/tst_qv4mm.cpp b/tests/auto/qml/qv4mm/tst_qv4mm.cpp
@@ -57,6 +57,8 @@ private slots:
     void scopedConvertToObjectFromReturnedValueDoesNotAccessGarbageOnTheStackOnAllocation();
     void scopedConvertToStringFromValueDoesNotAccessGarbageOnTheStackOnAllocation();
     void scopedConvertToObjectFromValueDoesNotAccessGarbageOnTheStackOnAllocation();
+
+    void dontCrashOnScopedStackFrame();
 };
 
 tst_qv4mm::tst_qv4mm()
@@ -1019,6 +1021,17 @@ void tst_qv4mm::scopedConvertToObjectFromValueDoesNotAccessGarbageOnTheStackOnAl
     QV4::ScopedObject object(scope, QV4::StaticValue::fromBoolean(true).asValue<QV4::Value>(), QV4::ScopedObject::Convert);
 }
 
+void tst_qv4mm::dontCrashOnScopedStackFrame()
+{
+    QJSEngine jsengine;
+    QV4::ExecutionEngine *engine = jsengine.handle();
+
+    QV4::Scope scope(engine);
+    QV4::ScopedStackFrame frame(scope, engine->rootContext());
+
+    jsengine.collectGarbage();
+}
+
 QTEST_MAIN(tst_qv4mm)
 
 #include "tst_qv4mm.moc"
