From 0dd884aca1fffcd94fbe55006c94363415aa0965 Mon Sep 17 00:00:00 2001
From: Ulf Hermann
Date: Thu, 14 Mar 2019 10:42:19 +0100
Subject: Baseline JIT: Save accumulator in toInt32LhsAcc()

toInt32LhsAcc convertes both the lhs and the accumulator to int32. If the accumulator is not saved, a GC run during the conversion of the lhs might trash its value.

Fixes: QTBUG-74058
Change-Id: Ic42693061c7d483bb430d77bcc095de6ff9a6843
Reviewed-by: Simon Hausmann
---
 tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'tests/auto/qml/qqmlecmascript')

diff --git a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
index a67a503f82..f33f1d9125 100644
--- a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
+++ b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
@@ -365,6 +365,7 @@ private slots:
     void numberToStringWithRadix();
     void tailCallWithArguments();
     void deleteSparseInIteration();
+    void saveAccumulatorBeforeToInt32();
 
 private:
 // static void propertyVarWeakRefCallback(v8::Persistent object, void* parameter);
@@ -8929,6 +8930,17 @@ void tst_qqmlecmascript::deleteSparseInIteration()
     QCOMPARE(value.property("2").toInt(), 4096);
 }
 
+void tst_qqmlecmascript::saveAccumulatorBeforeToInt32()
+{
+    QJSEngine engine;
+
+    // Infinite recursion produces a range error, but should not crash.
+    // Also, any GC runs in between should not trash the temporary results of "a+a".
+    const QJSValue value = engine.evaluate("function a(){a(a&a+a)}a()");
+    QVERIFY(value.isError());
+    QCOMPARE(value.toString(), QLatin1String("RangeError: Maximum call stack size exceeded."));
+}
+
 QTEST_MAIN(tst_qqmlecmascript)
 
 #include "tst_qqmlecmascript.moc"
-- 
cgit v1.2.3
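Review bot: The new test in saveAccumulatorBeforeToInt32() only reaches the fixed code path when the baseline JIT actually compiles `a`; a build without the JIT, or a run where the environment forces the interpreter, passes it vacuously and would not catch a regression of QTBUG-74058. The comment above `engine.evaluate` should state this dependency explicitly, e.g. `// Regression test for QTBUG-74058: only meaningful when the baseline JIT compiles a(); the interpreter path is unaffected.`, so a future reader does not assume the message check alone proves the accumulator is preserved. The test also relies on the deep recursion to generate enough allocation pressure that a GC happens while the lhs is being converted, which is probabilistic rather than forced; that is acceptable for a crash-regression test but worth a sentence in the same comment. The JIT change named in the commit title (toInt32LhsAcc) is not part of this diff, which is limited to the tests directory.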