From b991134fe4d90fcd46bab50ba164f2c28b8942db Mon Sep 17 00:00:00 2001
From: Kent Hansen <kent.hansen@nokia.com>
Date: Wed, 2 Mar 2011 08:43:54 +0100
Subject: Don't allow non-Object values to be set as prototype

It should only be possible to set an object or null as
prototype. This is consistent with both JSC and V8.
Additionally, it keeps JSC from asserting in debug mode.

Task-number: QTBUG-15154
Reviewed-by: Jedrzej Nowacki
---
 src/script/api/qscriptvalue.cpp              | 8 ++++++--
 tests/auto/qscriptvalue/tst_qscriptvalue.cpp | 5 +----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/script/api/qscriptvalue.cpp b/src/script/api/qscriptvalue.cpp
index e0dc385..4772fa1 100644
--- a/src/script/api/qscriptvalue.cpp
+++ b/src/script/api/qscriptvalue.cpp
@@ -531,7 +531,12 @@ void QScriptValue::setPrototype(const QScriptValue &prototype)
     Q_D(QScriptValue);
     if (!d || !d->isObject())
         return;
-    if (prototype.isValid() && QScriptValuePrivate::getEngine(prototype)
+
+    JSC::JSValue other = d->engine->scriptValueToJSCValue(prototype);
+    if (!other || !(other.isObject() || other.isNull()))
+        return;
+
+    if (QScriptValuePrivate::getEngine(prototype)
         && (QScriptValuePrivate::getEngine(prototype) != d->engine)) {
         qWarning("QScriptValue::setPrototype() failed: "
                  "cannot set a prototype created in "
@@ -539,7 +544,6 @@ void QScriptValue::setPrototype(const QScriptValue &prototype)
         return;
     }
     JSC::JSObject *thisObject = JSC::asObject(d->jscValue);
-    JSC::JSValue other = d->engine->scriptValueToJSCValue(prototype);
 
     // check for cycle
     JSC::JSValue nextPrototypeValue = other;
diff --git a/tests/auto/qscriptvalue/tst_qscriptvalue.cpp b/tests/auto/qscriptvalue/tst_qscriptvalue.cpp
index 9014241..6686e2d 100644
--- a/tests/auto/qscriptvalue/tst_qscriptvalue.cpp
+++ b/tests/auto/qscriptvalue/tst_qscriptvalue.cpp
@@ -2328,8 +2328,7 @@ void tst_QScriptValue::getSetPrototype_invalidPrototype()
     inv.setPrototype(object);
     QCOMPARE(inv.prototype().isValid(), false);
     object.setPrototype(inv);
-    // FIXME should it be invalid or proto?
-    QVERIFY(object.prototype().strictlyEquals(inv));
+    QVERIFY(object.prototype().strictlyEquals(proto));
 }
 
 void tst_QScriptValue::getSetPrototype_twoEngines()
@@ -2367,8 +2366,6 @@ void tst_QScriptValue::getSetPrototype_notObjectOrNull()
     QScriptValue object = eng.newObject();
     QScriptValue originalProto = object.prototype();
 
-    QEXPECT_FAIL("", "QTBUG-15154: QScriptValue::setPrototype() allows a non-Object value to be set as prototype", Abort);
-
     // bool
     object.setPrototype(true);
     QVERIFY(object.prototype().equals(originalProto));
-- 
cgit v0.12