Fix a cornercase for instanceof

It's possible to define a getter function for the prototype
property of Function objects. Ensure this doesn't mess up
things by not taking shortcuts.

Change-Id: Id981f3080f5c5c0714a1b7b6de27b4af04e794c8
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>

1 files changed, 7 insertions, 6 deletions

diff --git a/src/qml/jsruntime/qv4functionobject.cpp b/src/qml/jsruntime/qv4functionobject.cpp
index 9523f59018..8722ff65b6 100644
--- a/src/qml/jsruntime/qv4functionobject.cpp
+++ b/src/qml/jsruntime/qv4functionobject.cpp
@@ -469,7 +469,7 @@ ReturnedValue ScriptFunction::virtualCallAsConstructor(const FunctionObject *fo,
     if (nt->d() == f->d()) {
         ic = f->classForConstructor();
     } else {
-        const Object *o = nt->d()->protoProperty();
+        ScopedObject o(scope, nt->protoProperty());
         ic = scope.engine->internalClasses(EngineBase::Class_Object);
         if (o)
             ic = ic->changePrototype(o->d());
@@ -537,14 +537,15 @@ void Heap::ScriptFunction::init(QV4::ExecutionContext *scope, Function *function
 
 Heap::InternalClass *ScriptFunction::classForConstructor() const
 {
-    const Object *o = d()->protoProperty();
-    if (d()->cachedClassForConstructor && d()->cachedClassForConstructor->prototype == o->d())
+    Scope scope(engine());
+    ScopedValue o(scope, protoProperty());
+    if (d()->cachedClassForConstructor && d()->cachedClassForConstructor->prototype == o->heapObject())
         return d()->cachedClassForConstructor;
 
-    Scope scope(engine());
     Scoped<InternalClass> ic(scope, engine()->internalClasses(EngineBase::Class_Object));
-    if (o)
-        ic = ic->changePrototype(o->d());
+    ScopedObject p(scope, o);
+    if (p)
+        ic = ic->changePrototype(p->d());
     d()->cachedClassForConstructor.set(scope.engine, ic->d());
 
     return ic->d();