From e13eece273195a9f39d29712a233a8dd00ddf71b Mon Sep 17 00:00:00 2001
From: Simon Hausmann
Date: Sat, 22 Oct 2016 12:07:24 +0200
Subject: Fix crash with v4 lookups on changing objects

When lookups are enabled for property access and the property exists, we change the type of the lookup from the generic fallback to a more specialized direct property access. When upon subsequent access the internal class has changed, we fall back to the case of two alternating classes/shapes. If during that fallback we fail to find the property altogether, then we should revert back to the overall fallback, instead of continuing with an invalid property data index. Ran into this while running the typescript compiler in V4 itself.

Change-Id: If5975d6c18ff41b9fb21c40f0cbaeed37da4b489
Reviewed-by: Lars Knoll
---
 tests/auto/qml/qjsengine/tst_qjsengine.cpp | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
(limited to 'tests/auto')
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index 479584af54..d95d4ed59e 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -125,6 +125,7 @@ private slots:
 void jsIncDecNonObjectProperty();
 void JSONparse();
 void arraySort();
+ void lookupOnDisappearingProperty();
 void qRegExpInport_data();
 void qRegExpInport();
 
@@ -2964,6 +2965,22 @@ void tst_QJSEngine::arraySort()
 "crashMe();");
 }
 
+void tst_QJSEngine::lookupOnDisappearingProperty()
+{
+ QJSEngine eng;
+ QJSValue func = eng.evaluate("(function(){\"use strict\"; return eval(\"function(obj) { return obj.someProperty; }\")})()");
+ QVERIFY(func.isCallable());
+
+ QJSValue o = eng.newObject();
+ o.setProperty(QStringLiteral("someProperty"), 42);
+
+ QCOMPARE(func.call(QJSValueList()<< o).toInt(), 42);
+
+ o = eng.newObject();
+ QVERIFY(func.call(QJSValueList()<< o).isUndefined());
+ QVERIFY(func.call(QJSValueList()<< o).isUndefined());
+}
+
 static QRegExp minimal(QRegExp r) { r.setMinimal(true); return r; }
 
 void tst_QJSEngine::qRegExpInport_data()
-- cgit v1.2.3
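Review bot: In `lookupOnDisappearingProperty()` the missing-property path is only exercised with an empty object, so a lookup that kept a stale property data index would be caught only if it crashes or happens to return something other than undefined. Because the commit message describes the defect as continuing with an invalid index, I would add a call with an object whose layout differs, e.g. `QJSValue other = eng.newObject(); other.setProperty(QStringLiteral("unrelated"), 7);` followed by `QVERIFY(func.call(QJSValueList() << other).isUndefined());`, so that a read of the wrong slot fails as a wrong value instead of depending on a crash. A final call with an object that does carry `someProperty`, checked against 42, would confirm the lookup recovers after the fallback. The two identical `QVERIFY` lines presumably target the lookup state left behind by the first miss; a comment such as `// second call runs against the lookup after it reverted to the generic fallback` would make that explicit.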