authorDavid McFarland <corngood@gmail.com>2013-05-25 22:54:44 -0300
committerThe Qt Project <gerrit-noreply@qt-project.org>2013-05-31 10:57:07 +0200
commit7d469e82e274d334c7d03d81b10d225c59d30798 (patch)
treead3f500d1d62b42c16585a35151f470a1c79969e
parent30a8abf65e8fd08baaa972fb79af060043895215 (diff)
Fix and test for assert/crash in v8 inlining of local functions in qml modev5.1.0-rc1
When v8 tries to inline a local function which has been flagged is_qml_global, the assert "CHECK(location_ != __null)" fails. This happens because of the early out in RecordTypeFeedback for is_qml_global. I've limited the early out to UNALLOCATED variables with is_qml_global. bug: https://bugreports.qt-project.org/browse/QTBUG-31366 Change-Id: I360ef1a05a970589159686cf3100cb70de9ae29d Reviewed-by: Alan Alpert <aalpert@blackberry.com> Reviewed-by: Lars Knoll <lars.knoll@digia.com>
-rw-r--r--src/3rdparty/v8/src/ast.cc2
-rw-r--r--tests/auto/v8/tst_v8.cpp6
-rw-r--r--tests/auto/v8/v8main.cpp1
-rw-r--r--tests/auto/v8/v8test.cpp34
-rw-r--r--tests/auto/v8/v8test.h1
5 files changed, 43 insertions, 1 deletions
diff --git a/src/3rdparty/v8/src/ast.cc b/src/3rdparty/v8/src/ast.cc
index 3015b1e..5d7baf2 100644
--- a/src/3rdparty/v8/src/ast.cc
+++ b/src/3rdparty/v8/src/ast.cc
@@ -566,7 +566,7 @@ void Call::RecordTypeFeedback(TypeFeedbackOracle* oracle,
Property* property = expression()->AsProperty();
if (property == NULL) {
if (VariableProxy *proxy = expression()->AsVariableProxy()) {
- if (proxy->var()->is_qml_global())
+ if (proxy->var()->IsUnallocated() && proxy->var()->is_qml_global())
return;
}
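Review bot: The narrowed early-out in `Call::RecordTypeFeedback` carries no comment, and because this is a local patch to the vendored V8 copy, the reason for it is easy to lose at the next upstream merge. I would add above the condition `// Skip feedback only for unallocated QML globals; allocated variables flagged is_qml_global still need it for inlining (QTBUG-31366).` As a style point, `proxy->var()` is now evaluated twice; binding it once with `Variable* var = proxy->var();` keeps both predicates visibly about the same object. The function body starts and ends outside the hunk, so whether other `is_qml_global` checks nearby need the same restriction cannot be judged from here.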
diff --git a/tests/auto/v8/tst_v8.cpp b/tests/auto/v8/tst_v8.cpp
index 7461ce3..d4193e4 100644
--- a/tests/auto/v8/tst_v8.cpp
+++ b/tests/auto/v8/tst_v8.cpp
@@ -69,6 +69,7 @@ private slots:
void completehash();
void stringhashcomparison();
void qmlmodevariables();
+ void qmlmodeinlinelocal();
};
void tst_v8::eval()
@@ -146,6 +147,11 @@ void tst_v8::qmlmodevariables()
QVERIFY(v8test_qmlmodevariables());
}
+void tst_v8::qmlmodeinlinelocal()
+{
+ QVERIFY(v8test_qmlmodeinlinelocal());
+}
+
int main(int argc, char *argv[])
{
V8::SetFlagsFromCommandLine(&argc, argv, true);
diff --git a/tests/auto/v8/v8main.cpp b/tests/auto/v8/v8main.cpp
index 5ec41ad..21440fd 100644
--- a/tests/auto/v8/v8main.cpp
+++ b/tests/auto/v8/v8main.cpp
@@ -75,6 +75,7 @@ int main(int argc, char *argv[])
RUN_TEST(fallbackpropertyhandler_nonempty);
RUN_TEST(completehash);
RUN_TEST(qmlmodevariables);
+ RUN_TEST(qmlmodeinlinelocal);
return exit_status;
}
diff --git a/tests/auto/v8/v8test.cpp b/tests/auto/v8/v8test.cpp
index 6621846..6429cd7 100644
--- a/tests/auto/v8/v8test.cpp
+++ b/tests/auto/v8/v8test.cpp
@@ -1210,3 +1210,37 @@ cleanup:
ENDTEST();
}
+
+// test for https://bugreports.qt-project.org/browse/QTBUG-31366
+// assert/crash when inlining local functions in qml mode
+bool v8test_qmlmodeinlinelocal()
+{
+ BEGINTEST();
+
+ HandleScope handle_scope;
+ Persistent<Context> context = Context::New();
+ Context::Scope context_scope(context);
+
+ Local<Object> qmlglobal = Object::New();
+
+ Local<String> source = String::New(
+ "function func() {"
+ "function local_function () {"
+ "}"
+ // high enough to get it to opt; 10000 seems to be too low
+ "for (var i = 0; i < 100000; ++i) local_function();"
+ "}"
+ "func();"
+ );
+
+ Local<Script> script = Script::Compile(source, NULL, NULL, Handle<String>(), Script::QmlMode);
+
+ TryCatch tc;
+ script->Run(qmlglobal);
+ VERIFY(!tc.HasCaught());
+
+cleanup:
+ context.Dispose();
+
+ ENDTEST();
+}
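Review bot: The result of `Script::Compile` is never checked in `v8test_qmlmodeinlinelocal`, and `TryCatch tc;` is declared only after the compile, so a compilation failure would reach `script->Run(qmlglobal)` on an empty handle instead of failing the test cleanly. Declare `TryCatch tc;` before the `Script::Compile` call and add `VERIFY(!script.IsEmpty());` ahead of `script->Run(qmlglobal);`. Keeping `tc` above the first VERIFY also matters if VERIFY jumps to the `cleanup:` label, as the label suggests, because that jump must not cross an initialised declaration. The 100000-iteration count depends on the optimiser's current thresholds, so the inline comment should note that the test stops covering the inlining path if those thresholds or flags change.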
diff --git a/tests/auto/v8/v8test.h b/tests/auto/v8/v8test.h
index 2db655c..e9fc8f6 100644
--- a/tests/auto/v8/v8test.h
+++ b/tests/auto/v8/v8test.h
@@ -63,6 +63,7 @@ bool v8test_fallbackpropertyhandler_nonempty();
bool v8test_completehash();
bool v8test_stringhashcomparison();
bool v8test_qmlmodevariables();
+bool v8test_qmlmodeinlinelocal();
#endif // V8TEST_H