QScript: Fix strange bugs and crashes.

I was assuming that the default return value register was always set
to 0 for native calls. But this is not the case.  So we must ensure this.

Also be consistend in the way the stackframe grow and shrink. This expose
another bug in the way the call frame is created in JSC

Reviewed-by: Kent Hansen

2 files changed, 12 insertions, 8 deletions

diff --git a/src/script/api/qscriptengine.cpp b/src/script/api/qscriptengine.cpp
index 78bbf5f855..b27d1be33c 100644
--- a/src/script/api/qscriptengine.cpp
+++ b/src/script/api/qscriptengine.cpp
@@ -2353,23 +2353,25 @@ JSC::CallFrame *QScriptEnginePrivate::pushContext(JSC::CallFrame *exec, JSC::JSV
     //build a frame
     JSC::CallFrame *newCallFrame = exec;
     if (callee == 0 //called from  public QScriptEngine::pushContext
-        || exec->returnPC() == 0 || (contextFlags(exec) & NativeContext)  //called from native-native call
+        || exec->returnPC() == 0 || (contextFlags(exec) & NativeContext) //called from native-native call
         || (exec->codeBlock() && exec->callee() != callee)) { //the interpreter did not build a frame for us.
         //We need to check if the Interpreter might have already created a frame for function called from JS.
         JSC::Interpreter *interp = exec->interpreter();
         JSC::Register *oldEnd = interp->registerFile().end();
         int argc = args.size() + 1; //add "this"
         JSC::Register *newEnd = oldEnd + argc + JSC::RegisterFile::CallFrameHeaderSize;
-        if (!interp->registerFile().grow(newEnd))
+        //Without + argc + JSC::RegisterFile::CallFrameHeaderSize, it crashes.
+        //It seems that JSC is not consistant with the way the callframe is crated
+        if (!interp->registerFile().grow(newEnd + argc + JSC::RegisterFile::CallFrameHeaderSize))
             return 0; //### Stack overflow
-        newCallFrame = JSC::CallFrame::create(oldEnd);
+        newCallFrame = JSC::CallFrame::create(newEnd);
         newCallFrame[0] = thisObject;
         int dst = 0;
         JSC::ArgList::const_iterator it;
         for (it = args.begin(); it != args.end(); ++it)
             newCallFrame[++dst] = *it;
         newCallFrame += argc + JSC::RegisterFile::CallFrameHeaderSize;
-        newCallFrame->init(0, /*vPC=*/0, exec->scopeChain(), exec, flags, argc, callee);
+        newCallFrame->init(0, /*vPC=*/0, exec->scopeChain(), exec, flags | ShouldRestoreCallFrame, argc, callee);
     } else {
         setContextFlags(newCallFrame, flags);
 #if ENABLE(JIT)
@@ -2411,18 +2413,19 @@ void QScriptEngine::popContext()
  */
 void QScriptEnginePrivate::popContext()
 {
-    bool hasScope = contextFlags(currentFrame) & HasScopeContext;
-    if (currentFrame->returnPC() == 0) { //normal case
+    uint flags = contextFlags(currentFrame);
+    bool hasScope = flags & HasScopeContext;
+    if (flags & ShouldRestoreCallFrame) { //normal case
         JSC::RegisterFile &registerFile = currentFrame->interpreter()->registerFile();
         JSC::Register *const newEnd = currentFrame->registers() - JSC::RegisterFile::CallFrameHeaderSize - currentFrame->argumentCount();
         if (hasScope)
             currentFrame->scopeChain()->pop()->deref();
-        currentFrame = currentFrame->callerFrame();
         registerFile.shrink(newEnd);
     } else if(hasScope) { //the stack frame was created by the Interpreter, we don't need to rewind it.
         currentFrame->setScopeChain(currentFrame->scopeChain()->pop());
         currentFrame->scopeChain()->deref();
     }
+    currentFrame = currentFrame->callerFrame();
 }
 
 /*!
diff --git a/src/script/api/qscriptengine_p.h b/src/script/api/qscriptengine_p.h
index c43ca610f8..b8b805edab 100644
--- a/src/script/api/qscriptengine_p.h
+++ b/src/script/api/qscriptengine_p.h
@@ -170,7 +170,8 @@ public:
     enum ContextFlags {
         NativeContext = 1,
         CalledAsConstructorContext = 2,
-        HasScopeContext = 4
+        HasScopeContext = 4, // Specifies that the is a QScriptActivationObject
+        ShouldRestoreCallFrame = 8
     };
     static uint contextFlags(JSC::ExecState *);
     static void setContextFlags(JSC::ExecState *, uint);