SaveableUnitPointer::saveToDisk restores flags incorrectly at cleanup

SaveableUnitPointer::saveToDisk function uses XOR to restore flags,
which causes the existing flags to be reset instead of restored.

This can have major side effects, such as deallocation of StaticData
units from static data cache (which should never be freed).

Fixes: QTBUG-96275
Pick-to: 6.2 5.15
Change-Id: I09c06f2854fe07a12a2d97290a3e39604a25fd9a
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Andrei Golubev <andrei.golubev@qt.io>
Reviewed-by: Jarkko Koivikko <jarkko.koivikko@code-q.fi>

1 files changed, 12 insertions, 0 deletions

diff --git a/tests/auto/qml/qmlcachegen/tst_qmlcachegen.cpp b/tests/auto/qml/qmlcachegen/tst_qmlcachegen.cpp
index 02a57abf45..f5d784140d 100644
--- a/tests/auto/qml/qmlcachegen/tst_qmlcachegen.cpp
+++ b/tests/auto/qml/qmlcachegen/tst_qmlcachegen.cpp
@@ -37,6 +37,7 @@
 #include <QLoggingCategory>
 #include <private/qqmlcomponent_p.h>
 #include <private/qqmlscriptdata_p.h>
+#include <private/qv4compileddata_p.h>
 #include <qtranslator.h>
 #include <qqmlscriptstring.h>
 #include <QString>
@@ -86,6 +87,7 @@ private slots:
     void posthocRequired();
 
     void scriptStringCachegenInteraction();
+    void saveableUnitPointer();
 };
 
 // A wrapper around QQmlComponent to ensure the temporary reference counts
@@ -765,7 +767,17 @@ void tst_qmlcachegen::scriptStringCachegenInteraction()
     QVERIFY(ok);
 }
 
+void tst_qmlcachegen::saveableUnitPointer()
+{
+    QV4::CompiledData::Unit unit;
+    unit.flags = QV4::CompiledData::Unit::StaticData | QV4::CompiledData::Unit::IsJavascript;
+    const auto flags = unit.flags;
+
+    QV4::CompiledData::SaveableUnitPointer pointer(&unit);
 
+    QVERIFY(pointer.saveToDisk<char>([](const char *, quint32) { return true; }));
+    QCOMPARE(unit.flags, flags);
+}
 
 const QQmlScriptString &ScriptStringProps::undef() const
 {