From b7090f1334ac7b8ad2548f084c749eda4fa82451 Mon Sep 17 00:00:00 2001
From: Robin Burchell <robin.burchell@crimson.no>
Date: Fri, 3 Feb 2017 08:45:12 +0100
Subject: Fix a crash in setInternalClass

Revealed by the ES6 testsuite, ./test/built-ins/Object/freeze/15.2.3.9-2-1.js
and probably others. We cannot unconditionally dereference memberData,
it may not always exist.

ES6 tests test/built-ins/Object/freeze before:
    === Summary ===
     - Ran 92 tests
     - Passed 66 tests (71.7%)
     - Failed 26 tests (28.3%)

after:
    === Summary ===
     - Ran 92 tests
     - Passed 90 tests (97.8%)
     - Failed 2 tests (2.2%)

Change-Id: I22a6c9ca081394ba15edfde09f73769eb3ce47b3
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
---
 src/qml/jsruntime/qv4object.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/qml/jsruntime/qv4object.cpp b/src/qml/jsruntime/qv4object.cpp
index 2f664c6398..12157af728 100644
--- a/src/qml/jsruntime/qv4object.cpp
+++ b/src/qml/jsruntime/qv4object.cpp
@@ -61,7 +61,8 @@ DEFINE_OBJECT_VTABLE(Object);
 void Object::setInternalClass(InternalClass *ic)
 {
     d()->internalClass = ic;
-    if ((!d()->memberData && ic->size) || (d()->memberData->size < ic->size))
+    bool hasMD = d()->memberData != nullptr;
+    if ((!hasMD && ic->size) || (hasMD && d()->memberData->size < ic->size))
         d()->memberData = MemberData::allocate(ic->engine, ic->size, d()->memberData);
 }
 
-- 
cgit v1.2.3