From e13eece273195a9f39d29712a233a8dd00ddf71b Mon Sep 17 00:00:00 2001
From: Simon Hausmann
Date: Sat, 22 Oct 2016 12:07:24 +0200
Subject: Fix crash with v4 lookups on changing objects
When lookups are enabled for property access and the property exists, we change the type of the lookup from the generic fallback to a more specialized direct property access. When upon subsequent access the internal class has changed, we fall back to the case of two alternating classes/shapes. If during that fallback we fail to find the property altogether, then we should revert back to the overall fallback, instead of continuing with an invalid property data index. Ran into this while running the typescript compiler in V4 itself.
Change-Id: If5975d6c18ff41b9fb21c40f0cbaeed37da4b489
Reviewed-by: Lars Knoll
---
 src/qml/jsruntime/qv4lookup.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/qml/jsruntime/qv4lookup.cpp b/src/qml/jsruntime/qv4lookup.cpp
index 42e561bc7c..84755a6402 100644
--- a/src/qml/jsruntime/qv4lookup.cpp
+++ b/src/qml/jsruntime/qv4lookup.cpp
@@ -306,7 +306,7 @@ ReturnedValue Lookup::getterTwoClasses(Lookup *l, ExecutionEngine *engine, const
 ReturnedValue v = o->getLookup(l);
 Lookup l2 = *l;
- if (l2.getter == Lookup::getter0 || l2.getter == Lookup::getter1) {
+ if (l->index != UINT_MAX && (l2.getter == Lookup::getter0 || l2.getter == Lookup::getter1)) {
 // if we have a getter0, make sure it comes first
 if (l2.getter == Lookup::getter0)
 qSwap(l1, l2);
--
cgit v1.2.3
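Review bot: The new guard on the `if` line tests `l->index`, while every other operand of the condition reads the copy `l2` taken one line above by `Lookup l2 = *l;`, and the bare `UINT_MAX` is not explained at the point of use. Writing it as `if (l2.index != UINT_MAX && (l2.getter == Lookup::getter0 || l2.getter == Lookup::getter1)) {` keeps the whole check on one snapshot. A comment such as `// index stays UINT_MAX when getLookup() did not find the property; keep the generic fallback` would record why an invalid property data index must never reach the two-class getters. That reading of the sentinel is inferred from the commit message rather than from code visible in the hunk, so please confirm it. The diffstat shows only qv4lookup.cpp changed, so a reduced regression test for the invalid-index case would be worth adding; getterTwoClasses begins and ends outside the hunk.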