authorRobin Burchell <robin.burchell@viroteck.net>2016-09-28 00:09:05 +0200
committerRobin Burchell <robin.burchell@viroteck.net>2016-09-29 11:23:25 +0000
commit3a45458b96bdcbccc189aabf668e998ea03be46f (patch)
tree2fe43412c1ee5f0bdec631ddf1e9c867874d29f4
parentef8c6f6a0bf5e4c9ee41306f2df59048ab96038f (diff)
Fix crash on Array.prototype.join.call(0)
We (incorrectly) didn't check the return value to make sure we had a valid self. At the same time, rename the self variable to match up with other methods. Task-number: QTBUG-53672 Change-Id: Ia0ae5a553e49c4c3b2834c7fdf649fe6373951a2 Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
-rw-r--r--src/qml/jsruntime/qv4arrayobject.cpp13
-rw-r--r--tests/auto/qml/qjsengine/tst_qjsengine.cpp9
2 files changed, 17 insertions, 5 deletions
diff --git a/src/qml/jsruntime/qv4arrayobject.cpp b/src/qml/jsruntime/qv4arrayobject.cpp
index 25d3d9329b..324f2c7bf2 100644
--- a/src/qml/jsruntime/qv4arrayobject.cpp
+++ b/src/qml/jsruntime/qv4arrayobject.cpp
@@ -178,6 +178,10 @@ ReturnedValue ArrayPrototype::method_join(CallContext *ctx)
{
Scope scope(ctx);
ScopedValue arg(scope, ctx->argument(0));
+ ScopedObject instance(scope, ctx->thisObject().toObject(scope.engine));
+
+ if (!instance)
+ return ctx->d()->engine->newString()->asReturnedValue();
QString r4;
if (arg->isUndefined())
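Review bot: The new `if (!instance)` branch in method_join allocates and returns a fresh empty string, whereas the failure path further down the same function (`if (scope.hasException()) return Encode::undefined();`) returns undefined. If `toObject()` yields null because it raised a TypeError for a null or undefined receiver (I would expect that, but this hunk does not show it), an exception is already pending and the engine is being asked to allocate in an error state; `return Encode::undefined();` would match the function's other exit. The added lines also reach the same engine two ways, `scope.engine` and `ctx->d()->engine`, and using one would read better. method_join's body continues outside this hunk.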
@@ -185,8 +189,7 @@ ReturnedValue ArrayPrototype::method_join(CallContext *ctx)
else
r4 = arg->toQString();
- ScopedObject self(scope, ctx->thisObject());
- ScopedValue length(scope, self->get(ctx->d()->engine->id_length()));
+ ScopedValue length(scope, instance->get(ctx->d()->engine->id_length()));
const quint32 r2 = length->isUndefined() ? 0 : length->toUInt32();
if (!r2)
@@ -195,7 +198,7 @@ ReturnedValue ArrayPrototype::method_join(CallContext *ctx)
QString R;
// ### FIXME
- if (ArrayObject *a = self->as<ArrayObject>()) {
+ if (ArrayObject *a = instance->as<ArrayObject>()) {
ScopedValue e(scope);
for (uint i = 0; i < a->getLength(); ++i) {
if (i)
@@ -212,7 +215,7 @@ ReturnedValue ArrayPrototype::method_join(CallContext *ctx)
// crazy!
//
ScopedString name(scope, ctx->d()->engine->newString(QStringLiteral("0")));
- ScopedValue r6(scope, self->get(name));
+ ScopedValue r6(scope, instance->get(name));
if (!r6->isNullOrUndefined())
R = r6->toQString();
@@ -221,7 +224,7 @@ ReturnedValue ArrayPrototype::method_join(CallContext *ctx)
R += r4;
name = Primitive::fromDouble(k).toString(scope.engine);
- r12 = self->get(name);
+ r12 = instance->get(name);
if (scope.hasException())
return Encode::undefined();
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index 8594aec8cd..acaa6604f9 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -143,6 +143,7 @@ private slots:
void arrayPop_QTBUG_35979();
void array_unshift_QTBUG_52065();
+ void array_join_QTBUG_53672();
void regexpLastMatch();
void indexedAccesses();
@@ -3016,6 +3017,14 @@ void tst_QJSEngine::array_unshift_QTBUG_52065()
QCOMPARE(result.property(i).toInt(), i);
}
+void tst_QJSEngine::array_join_QTBUG_53672()
+{
+ QJSEngine eng;
+ QJSValue result = eng.evaluate("Array.prototype.join.call(0)");
+ QVERIFY(result.isString());
+ QCOMPARE(result.toString(), QString(""));
+}
+
void tst_QJSEngine::regexpLastMatch()
{
QJSEngine eng;
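Review bot: array_join_QTBUG_53672 only exercises a number receiver, which presumably converts to a wrapper object and so never takes the `if (!instance)` branch that the fix adds in method_join. Since the receiver is fully script-controlled and the original bug was a crash, it is worth pinning the null and undefined cases too, e.g. `eng.evaluate("Array.prototype.join.call(undefined)")` and the same with `null`. Assert whatever the engine is meant to produce there (likely `QVERIFY(result.isError());` if `toObject()` throws), so that a regression in that guard shows up as a test failure rather than a crash.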