From f624e9c26f91def6b54f3a72f5bb36fa490b1aae Mon Sep 17 00:00:00 2001
From: Lars Knoll
Date: Mon, 22 Jan 2018 14:15:24 +0100
Subject: Fix a couple of places where we'd free used objects

Make sure all our JS objects are referenced from the JS stack before calling into the memory manager.

Change-Id: I88d622d37b9d6cfc19db4045ebd3fadc5bb4cabe
Reviewed-by: Simon Hausmann
---
 src/qml/jsruntime/qv4stringobject.cpp | 7 ++++---
 src/qml/jsruntime/qv4vme_moth.cpp | 5 +++--
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/qml/jsruntime/qv4stringobject.cpp b/src/qml/jsruntime/qv4stringobject.cpp
index 4cc4a5c0cb..8125aa53b2 100644
--- a/src/qml/jsruntime/qv4stringobject.cpp
+++ b/src/qml/jsruntime/qv4stringobject.cpp
@@ -658,12 +658,13 @@ ReturnedValue StringPrototype::method_search(const FunctionObject *b, const Valu
 ReturnedValue StringPrototype::method_slice(const FunctionObject *b, const Value *thisObject, const Value *argv, int argc)
 {
 ExecutionEngine *v4 = b->engine();
- Heap::String *s = thisAsString(v4, thisObject);
+ Scope scope(v4);
+ ScopedString s(scope, thisAsString(v4, thisObject));
 if (v4->hasException)
 return QV4::Encode::undefined();
 Q_ASSERT(s);
- const double length = s->length();
+ const double length = s->d()->length();
 double start = argc ? argv[0].toInteger() : 0;
 double end = (argc < 2 || argv[1].isUndefined())
@@ -683,7 +684,7 @@ ReturnedValue StringPrototype::method_slice(const FunctionObject *b, const Value
 const int intEnd = int(end);
 int count = qMax(0, intEnd - intStart);
- return Encode(v4->memoryManager->alloc(s, intStart, count));
+ return Encode(v4->memoryManager->alloc(s->d(), intStart, count));
 }
 ReturnedValue StringPrototype::method_split(const FunctionObject *b, const Value *thisObject, const Value *argv, int argc)
diff --git a/src/qml/jsruntime/qv4vme_moth.cpp b/src/qml/jsruntime/qv4vme_moth.cpp
index 8355fbca71..e248d590f7 100644
--- a/src/qml/jsruntime/qv4vme_moth.cpp
+++ b/src/qml/jsruntime/qv4vme_moth.cpp
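Review bot: The reason the ScopedString is needed is not stated anywhere in method_slice, and the hazard is easy to reintroduce: between `thisAsString(v4, thisObject)` and the `v4->memoryManager->alloc(s->d(), intStart, count)` in the second hunk, `argv[0].toInteger()` and `argv[1].toInteger()` can run script when the argument is an object and so can allocate, which is why a raw `Heap::String *` held across them could be freed under the function. I would add a comment on the `Scope scope(v4);` line: `// Keep the string rooted on the JS stack: the toInteger() calls below can run script and the final alloc() can trigger a GC.`. `Q_ASSERT(s)` now tests a ScopedString rather than a pointer; that relies on Scoped providing a boolean conversion, which I assume exists but cannot see here. method_slice continues between the two hunks, outside what is shown.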
@@ -492,6 +492,7 @@ static bool compareEqualInt(Value &accumulator, Value lhs, int rhs)
 if (val.isDouble()) \
 d = val.doubleValue(); \
 else { \
+ STORE_ACC(); \
 d = val.toNumberImpl(); \
 CHECK_EXCEPTION; \
 } \
@@ -1290,9 +1291,9 @@ QV4::ReturnedValue VME::exec(const FunctionObject *fo, const Value *thisObject,
 MOTH_END_INSTR(BitXor)
 MOTH_BEGIN_INSTR(UShr)
- uint l = STACK_VALUE(lhs).toUInt32();
+ VALUE_TO_INT(l, STACK_VALUE(lhs));
 VALUE_TO_INT(a, ACC);
- acc = Encode(l >> uint(a & 0x1f));
+ acc = Encode(static_cast(l) >> uint(a & 0x1f));
 MOTH_END_INSTR(UShr)
 MOTH_BEGIN_INSTR(Shr)
-- 
cgit v1.2.3
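Review bot: The added `STORE_ACC();` carries no explanation, and a reader of this macro will not see why the accumulator must be spilled only on the non-double path. I would put the reason on the new line as a backslash-continued comment: `/* toNumberImpl() may call back into script and trigger a GC; spill acc into the frame first so it is rooted */ \`. The macro's definition starts before this hunk, so the name under which it is used and the remaining branches are not visible here.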
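Review bot: `static_cast(l)` as printed has no target type and would not compile; the template argument (presumably `<uint>`, to match the `uint(a & 0x1f)` on the same line) appears to have been lost in the page rendering, so please confirm the committed line. The change from `toUInt32()` to `VALUE_TO_INT` also deserves a comment, since `l` is now a signed 32-bit value that is reinterpreted: `// ToInt32 reinterpreted as unsigned gives the same 32-bit result as ToUint32; the macro (presumably the one patched above) spills acc before any script call`. VME::exec continues outside the hunk.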