Fix ASAN stack-use-after-scope error in CmpInstanceOf instruction

This is triggered by tst_qqmlecmascript::sequenceConversionThreads().
The call to fromReturnedValue(acc) creates a temporary value and the
as() cast call returns a pointer to the temp. That becomes a dangling
pointer when the temp goes out of scope.

Duplicating the fromReturnedValue() avoids this and at least gcc is
clever enough to collapse the isObject() code for both uses.

Change-Id: I741206b0c10d16fcc4ffdf68532a721f74c1b0dc
Reviewed-by: Lars Knoll <lars.knoll@qt.io>

1 files changed, 2 insertions, 3 deletions

diff --git a/src/qml/jsruntime/qv4vme_moth.cpp b/src/qml/jsruntime/qv4vme_moth.cpp
index 6956112718..91558ba103 100644
--- a/src/qml/jsruntime/qv4vme_moth.cpp
+++ b/src/qml/jsruntime/qv4vme_moth.cpp
@@ -1142,14 +1142,13 @@ QV4::ReturnedValue VME::exec(const FunctionObject *fo, const Value *thisObject,
 
     MOTH_BEGIN_INSTR(CmpInstanceOf)
         // 11.8.6, 5: rval must be an Object
-        const Object *rhs = Primitive::fromReturnedValue(acc).as<Object>();
-        if (Q_UNLIKELY(!rhs)) {
+        if (Q_UNLIKELY(!Primitive::fromReturnedValue(acc).isObject())) {
            acc = engine->throwTypeError();
            goto catchException;
         }
 
         // 11.8.6, 7: call "HasInstance", which we term instanceOf, and return the result.
-        acc = rhs->instanceOf(STACK_VALUE(lhs));
+        acc = Primitive::fromReturnedValue(acc).objectValue()->instanceOf(STACK_VALUE(lhs));
         CHECK_EXCEPTION;
     MOTH_END_INSTR(CmpInstanceOf)