Don't crash when marking arguments object of native context

JSC assumes that the callee is always valid, since JSC::Arguments
is used for JS frames, which must have a callee.
But we use JSC::Arguments for arguments object of
pushContext()-created contexts, and then there is no callee.
But the callee member can't be null, so now we put a fake callee
there and make sure it doesn't bleed up to the public API.

Alternative solution: Add "if (d->callee)" to
JSC::Arguments::markChildren(), then no other changes would be
needed. But we don't want to patch JSC any more.

Non-solution: Subclass JSC::Arguments and reimplement
markChildren() to temporarily set a dummy callee during marking.
Can't be done, as JSC::Arguments::d is private (again, we don't
want to patch JSC).

Task-number: QTBUG-17788
Reviewed-by: Olivier Goffart

1 files changed, 11 insertions, 0 deletions

diff --git a/tests/auto/qscriptengine/tst_qscriptengine.cpp b/tests/auto/qscriptengine/tst_qscriptengine.cpp
index 8de6fbc..6c89bcb 100644
--- a/tests/auto/qscriptengine/tst_qscriptengine.cpp
+++ b/tests/auto/qscriptengine/tst_qscriptengine.cpp
@@ -169,6 +169,7 @@ private slots:
     void nativeFunctionScopes();
     void evaluateProgram();
     void collectGarbageAfterConnect();
+    void collectGarbageAfterNativeArguments();
     void promoteThisObjectToQObjectInConstructor();
 
     void qRegExpInport_data();
@@ -5040,6 +5041,16 @@ void tst_QScriptEngine::collectGarbageAfterConnect()
     QVERIFY(widget == 0);
 }
 
+void tst_QScriptEngine::collectGarbageAfterNativeArguments()
+{
+    // QTBUG-17788
+    QScriptEngine eng;
+    QScriptContext *ctx = eng.pushContext();
+    QScriptValue arguments = ctx->argumentsObject();
+    // Shouldn't crash when marking the arguments object.
+    collectGarbage_helper(eng);
+}
+
 static QScriptValue constructQObjectFromThisObject(QScriptContext *ctx, QScriptEngine *eng)
 {
     Q_ASSERT(ctx->isCalledAsConstructor());