From 037af615b0c936ba3d8dc4abc13b12082737437a Mon Sep 17 00:00:00 2001
From: Simon Hausmann
Date: Fri, 3 Aug 2018 15:42:17 +0200
Subject: Fix language/expressions/class/scope-name-lex-close.js crashing with the JIT
With a reduced test case like this: var C = 'outside'; var cls = class C { method() { return C; } }; cls.prototype the class expression is expected to return the reference to the class in the accumulator, so that the cls = assignment can store it. Between that we have to deal with the {} block, a ControlFlowBlock instances in the code generator. That one will - among other things - issue a PopContext instruction after the class creation instruction. With the JIT that clobbers the accumulator unfortunately, causing a bogus value being stored in the global object under "cls". Consequently the lookup for "cls" crashes.
Change-Id: I6056b352f9d8f42fa65afe4aefcd233c3ccf31ab
Reviewed-by: Lars Knoll
---
src/qml/jit/qv4assembler.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/qml/jit')
diff --git a/src/qml/jit/qv4assembler.cpp b/src/qml/jit/qv4assembler.cpp
index 7d668950d7..efd226539e 100644
--- a/src/qml/jit/qv4assembler.cpp
+++ b/src/qml/jit/qv4assembler.cpp
@@ -2245,8 +2245,8 @@ void Assembler::popContext()
 Heap::CallContext ctx;
 Q_UNUSED(ctx)
 pasm()->loadPointerFromValue(regAddr(CallData::Context), PlatformAssembler::ScratchRegister);
- pasm()->loadAccumulator(Address(PlatformAssembler::ScratchRegister, ctx.outer.offset));
- pasm()->storeAccumulator(regAddr(CallData::Context));
+ pasm()->loadPtr(Address(PlatformAssembler::ScratchRegister, ctx.outer.offset), PlatformAssembler::ScratchRegister);
+ pasm()->storeHeapObject(PlatformAssembler::ScratchRegister, regAddr(CallData::Context));
 }
 
 void Assembler::ret()
-- cgit v1.2.3
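Review bot: The fix in the two added lines rests on an invariant that nothing in the hunk records: popContext() must not route the outer context through the accumulator, because the bytecode emits PopContext after instructions (the class-creation case in the commit message) whose result is still live there, and the rewrite only works if PlatformAssembler::ScratchRegister is a register distinct from the accumulator on every backend. A one-line comment above the loadPtr call would keep a future cleanup from reintroducing the clobber, e.g. `// Keep the accumulator intact: PopContext can follow an instruction whose result still lives there, so move the outer context via the scratch register only.` The replacement also changes the store from storeAccumulator to storeHeapObject, which presumably writes a tagged managed-object value rather than a raw pointer; it is worth confirming that this encoding is exactly what loadPointerFromValue on the preceding line expects to read back on the next PopContext, since a mismatch would surface as the same kind of bogus-context crash the commit fixes. The diff adds no regression test of its own; the test262 case named in the subject appears to be the intended coverage, so the JIT test run should be confirmed to include it. The function's signature lies just outside the hunk, in the @@ context only.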