From 0e5cb85a1021815c1a3d38a67e936d90b59ddf45 Mon Sep 17 00:00:00 2001
From: Jarkko Koivikko <jarkko.koivikko@code-q.fi>
Date: Tue, 14 Sep 2021 15:25:32 +0300
Subject: SaveableUnitPointer::saveToDisk restores flags incorrectly at cleanup

SaveableUnitPointer::saveToDisk function uses XOR to restore flags,
which causes the existing flags to be reset instead of restored.

This can have major side effects, such as deallocation of StaticData
units from static data cache (which should never be freed).

Fixes: QTBUG-96275
Change-Id: I09c06f2854fe07a12a2d97290a3e39604a25fd9a
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Andrei Golubev <andrei.golubev@qt.io>
Reviewed-by: Jarkko Koivikko <jarkko.koivikko@code-q.fi>
(cherry picked from commit 0645cf8e30e2311cc3d90cc2cb7abc7a27e91624)
---
 src/qml/common/qv4compileddata_p.h             |  3 ++-
 tests/auto/qml/qmlcachegen/tst_qmlcachegen.cpp | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/qml/common/qv4compileddata_p.h b/src/qml/common/qv4compileddata_p.h
index 381a5735d3..231cd16d68 100644
--- a/src/qml/common/qv4compileddata_p.h
+++ b/src/qml/common/qv4compileddata_p.h
@@ -1330,7 +1330,8 @@ public:
     template<typename Char>
     bool saveToDisk(const std::function<bool(const Char *, quint32)> &writer) const
     {
-        auto cleanup = qScopeGuard([this]() { mutableFlags() ^= temporaryFlags; });
+        const quint32_le oldFlags = mutableFlags();
+        auto cleanup = qScopeGuard([this, oldFlags]() { mutableFlags() = oldFlags; });
         mutableFlags() |= temporaryFlags;
         return writer(data<Char>(), size());
     }
diff --git a/tests/auto/qml/qmlcachegen/tst_qmlcachegen.cpp b/tests/auto/qml/qmlcachegen/tst_qmlcachegen.cpp
index 3810f505b3..65137c65a2 100644
--- a/tests/auto/qml/qmlcachegen/tst_qmlcachegen.cpp
+++ b/tests/auto/qml/qmlcachegen/tst_qmlcachegen.cpp
@@ -37,6 +37,7 @@
 #include <QLoggingCategory>
 #include <private/qqmlcomponent_p.h>
 #include <private/qqmlscriptdata_p.h>
+#include <private/qv4compileddata_p.h>
 #include <qtranslator.h>
 
 #include "../../shared/util.h"
@@ -78,6 +79,8 @@ private slots:
     void parameterAdjustment();
     void inlineComponent();
     void posthocRequired();
+
+    void saveableUnitPointer();
 };
 
 // A wrapper around QQmlComponent to ensure the temporary reference counts
@@ -713,6 +716,18 @@ void tst_qmlcachegen::posthocRequired()
     QVERIFY(component.errorString().contains(QStringLiteral("Required property x was not initialized")));
 }
 
+void tst_qmlcachegen::saveableUnitPointer()
+{
+    QV4::CompiledData::Unit unit;
+    unit.flags = QV4::CompiledData::Unit::StaticData | QV4::CompiledData::Unit::IsJavascript;
+    const auto flags = unit.flags;
+
+    QV4::CompiledData::SaveableUnitPointer pointer(&unit);
+
+    QVERIFY(pointer.saveToDisk<char>([](const char *, quint32) { return true; }));
+    QCOMPARE(unit.flags, flags);
+}
+
 QTEST_GUILESS_MAIN(tst_qmlcachegen)
 
 #include "tst_qmlcachegen.moc"
-- 
cgit v1.2.3