authorAlexandra Cherdantseva <neluhus.vagus@gmail.com>2019-02-18 14:57:27 +0300
committerKonstantin Tokarev <annulen@yandex.ru>2019-04-17 15:46:36 +0000
commit484e9de6d86d011bd349890cba87a25554b0f672 (patch)
treefbae02a39db4aa73557d9c70ffd120d678c508bb
parentba51b7a53420a5de576f6d07b2f4feab5ea4d21a (diff)
Fix thisObject() of QScriptable argument for String(), etc
When `String(object)` is evaluated, and `object` is a QObject or some custom object with a native prototype, then `object.toString()` will be called with an incorrect `this`. This also applies to Number(), Boolean() and other built-in constructors. Change-Id: I0219f0e119c1e29d80e4c0f856421352715e9e6e Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
-rw-r--r--src/3rdparty/javascriptcore/JavaScriptCore/jit/JITStubs.cpp2
-rw-r--r--src/script/api/qscriptengine.cpp2
-rw-r--r--tests/auto/qscriptable/tst_qscriptable.cpp45
-rw-r--r--tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp2
4 files changed, 48 insertions, 3 deletions
diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/JITStubs.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/JITStubs.cpp
index 9f60761..f9f77b1 100644
--- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/JITStubs.cpp
+++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/JITStubs.cpp
@@ -1762,7 +1762,7 @@ DEFINE_STUB_FUNCTION(EncodedJSValue, op_call_NotJSFunction)
CallFrame* previousCallFrame = stackFrame.callFrame;
CallFrame* callFrame = CallFrame::create(previousCallFrame->registers() + registerOffset);
- callFrame->init(0, static_cast<Instruction*>((STUB_RETURN_ADDRESS).value()), previousCallFrame->scopeChain(), previousCallFrame, 0, argCount, 0);
+ callFrame->init(0, static_cast<Instruction*>((STUB_RETURN_ADDRESS).value()), previousCallFrame->scopeChain(), previousCallFrame, 0, argCount, asObject(funcVal));
stackFrame.callFrame = callFrame;
Register* argv = stackFrame.callFrame->registers() - RegisterFile::CallFrameHeaderSize - argCount;
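Review bot: The new last argument `asObject(funcVal)` is only valid when funcVal is known to be an object; that appears to hold here because this path is taken for host-callable callees, but nothing on the line records the precondition or why the callee is now stored in the frame. I would add above the init call: `// funcVal is a host-callable object here; record it as the frame's callee so native code (e.g. QScriptable::thisObject()) can recover it.` The body of op_call_NotJSFunction begins and ends outside this hunk.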
diff --git a/src/script/api/qscriptengine.cpp b/src/script/api/qscriptengine.cpp
index c5f437b..5bd399f 100644
--- a/src/script/api/qscriptengine.cpp
+++ b/src/script/api/qscriptengine.cpp
@@ -2837,7 +2837,7 @@ JSC::CallFrame *QScriptEnginePrivate::pushContext(JSC::CallFrame *exec, JSC::JSV
JSC::CallFrame *newCallFrame = exec;
if (callee == 0 //called from public QScriptEngine::pushContext
|| exec->returnPC() == 0 || (contextFlags(exec) & NativeContext) //called from native-native call
- || (exec->codeBlock() && exec->callee() != callee)) { //the interpreter did not build a frame for us.
+ || exec->callee() != callee) { //the interpreter did not build a frame for us.
//We need to check if the Interpreter might have already created a frame for function called from JS.
JSC::Interpreter *interp = exec->interpreter();
JSC::Register *oldEnd = interp->registerFile().end();
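Review bot: Dropping `exec->codeBlock() &&` means frames without a code block are now judged by callee identity alone, so this condition depends on the JIT stub recording the callee in the frame (the JITStubs.cpp change in this commit); applied without that change, such frames would appear to have a mismatched callee and a second context would be pushed. The trailing comment still reads only `//the interpreter did not build a frame for us.`; extending it to `//neither the interpreter nor the JIT built a frame for us (JIT-built frames carry the callee even without a codeBlock)` would make the coupling visible to the next reader. pushContext continues outside the hunk.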
diff --git a/tests/auto/qscriptable/tst_qscriptable.cpp b/tests/auto/qscriptable/tst_qscriptable.cpp
index 1a0fbe1..b800613 100644
--- a/tests/auto/qscriptable/tst_qscriptable.cpp
+++ b/tests/auto/qscriptable/tst_qscriptable.cpp
@@ -73,6 +73,9 @@ public slots:
QScriptValue getArguments();
int getArgumentCount();
+ QString toString() const;
+ int valueOf() const;
+
signals:
void sig(int);
@@ -172,6 +175,16 @@ bool MyScriptable::isBar()
return str.contains(QLatin1Char('@'));
}
+QString MyScriptable::toString() const
+{
+ return thisObject().property("objectName").toString();
+}
+
+int MyScriptable::valueOf() const
+{
+ return thisObject().property("baz").toInt32();
+}
+
class tst_QScriptable : public QObject
{
Q_OBJECT
@@ -188,6 +201,8 @@ private slots:
void thisObject();
void arguments();
void throwError();
+ void stringConstructor();
+ void numberConstructor();
private:
QScriptEngine m_engine;
@@ -386,5 +401,35 @@ void tst_QScriptable::throwError()
QCOMPARE(ret.toString(), QString("Error: MyScriptable.foo"));
}
+void tst_QScriptable::stringConstructor()
+{
+ m_scriptable.setObjectName("TestObject");
+
+ m_engine.globalObject().setProperty("js_obj", m_engine.newObject());
+ m_engine.evaluate(
+ "js_obj.str = scriptable.toString();"
+ "js_obj.toString = function() { return this.str }");
+
+ QCOMPARE(m_engine.evaluate("String(scriptable)").toString(),
+ m_engine.evaluate("String(js_obj)").toString());
+
+ QCOMPARE(m_engine.evaluate("String(scriptable)").toString(),
+ m_engine.evaluate("scriptable.toString()").toString());
+}
+
+void tst_QScriptable::numberConstructor()
+{
+ m_engine.globalObject().setProperty("js_obj", m_engine.newObject());
+ m_engine.evaluate(
+ "js_obj.num = scriptable.valueOf();"
+ "js_obj.valueOf = function() { return this.num }");
+
+ QCOMPARE(m_engine.evaluate("Number(scriptable)").toInt32(),
+ m_engine.evaluate("Number(js_obj)").toInt32());
+
+ QCOMPARE(m_engine.evaluate("Number(scriptable)").toInt32(),
+ m_engine.evaluate("scriptable.valueOf()").toInt32());
+}
+
QTEST_MAIN(tst_QScriptable)
#include "tst_qscriptable.moc"
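Review bot: numberConstructor never assigns a value to the `baz` property that valueOf() reads, so if baz defaults to 0 both operands of each QCOMPARE evaluate to 0 whether or not `this` is bound correctly, and the regression this commit fixes would not be detected. stringConstructor avoids that by calling `m_scriptable.setObjectName("TestObject")` first; numberConstructor should likewise set a non-zero value before the comparisons, e.g. `m_engine.evaluate("scriptable.baz = 42");` (constructed value, assuming baz is a writable property), or compare against that literal directly. Both tests also leave the global `js_obj` and the scriptable's objectName modified for the tests that follow in this fixture, which is worth either resetting or noting in a comment.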
diff --git a/tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp b/tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp
index e199d71..58fee07 100644
--- a/tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp
+++ b/tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp
@@ -1354,7 +1354,7 @@ void tst_QScriptExtQObject::callQtInvokable2()
// first time we expect failure because the metatype is not registered
m_myObject->resetQtFunctionInvoked();
- QCOMPARE(QMetaType::type("QVector<CustomType>"), QMetaType::UnknownType); // this type should not be registered yet
+ QCOMPARE(QMetaType::Type(QMetaType::type("QVector<CustomType>")), QMetaType::UnknownType); // this type should not be registered yet
QCOMPARE(m_engine->evaluate("myObject.myInvokableReturningVectorOfCustomType()").isError(), true);
QCOMPARE(m_myObject->qtFunctionInvoked(), -1);
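Review bot: `QMetaType::Type(QMetaType::type("QVector<CustomType>"))` is a functional-style cast that hides the int-to-enum conversion; `static_cast<QMetaType::Type>(QMetaType::type("QVector<CustomType>"))` expresses the same intent explicitly and is greppable. Since this one-line change only makes QCOMPARE's operand types agree and is unrelated to the thisObject() fix, a short mention in the commit message would help future readers. callQtInvokable2 continues outside the hunk.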