From 713f07486de353f30fb63d2e2e3b17202a5d4a1b Mon Sep 17 00:00:00 2001
From: Kent Hansen <kent.hansen@nokia.com>
Date: Thu, 3 Feb 2011 12:28:27 +0100
Subject: [PATCH] Don't crash when creating backtrace for built-in JS function

When the JIT is enabled, NativeFunctionWrapper (used for
built-in functions such as Array.prototype.forEach) inherits
JSFunction, so we must check whether the function is
actually a JS (script) function before we start accessing
script-specific properties.

Task-number: QTBUG-17137
Reviewed-by: Olivier Goffart
(cherry picked from commit 147df10403ba280b3f04c1e3d6c4b1cf386abe5d)
---
 src/script/api/qscriptcontextinfo.cpp            |  3 ++-
 tests/auto/qscriptcontext/tst_qscriptcontext.cpp | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/script/api/qscriptcontextinfo.cpp b/src/script/api/qscriptcontextinfo.cpp
index db6b2d7..d39abe6 100644
--- a/src/script/api/qscriptcontextinfo.cpp
+++ b/src/script/api/qscriptcontextinfo.cpp
@@ -181,7 +181,8 @@ QScriptContextInfoPrivate::QScriptContextInfoPrivate(const QScriptContext *conte
     JSC::JSObject *callee = frame->callee();
     if (callee && callee->inherits(&JSC::InternalFunction::info))
         functionName = JSC::asInternalFunction(callee)->name(frame);
-    if (callee && callee->inherits(&JSC::JSFunction::info)) {
+    if (callee && callee->inherits(&JSC::JSFunction::info)
+        && !JSC::asFunction(callee)->isHostFunction()) {
         functionType = QScriptContextInfo::ScriptFunction;
         JSC::FunctionExecutable *body = JSC::asFunction(callee)->jsExecutable();
         functionStartLineNumber = body->lineNo();
diff --git a/tests/auto/qscriptcontext/tst_qscriptcontext.cpp b/tests/auto/qscriptcontext/tst_qscriptcontext.cpp
index 1a1576b..dd21555 100644
--- a/tests/auto/qscriptcontext/tst_qscriptcontext.cpp
+++ b/tests/auto/qscriptcontext/tst_qscriptcontext.cpp
@@ -860,6 +860,21 @@ void tst_QScriptContext::backtrace_data()
 
         QTest::newRow("js recursive") << source << expected;
     }
+
+    {
+        QString source = QString::fromLatin1(
+            "[0].forEach(\n"
+            "    function() {\n"
+            "        result = bt();\n"
+            "}); result");
+
+        QStringList expected;
+        expected << "<native>() at -1"
+                 << "<anonymous>(0, 0, 0) at testfile:3"
+                 << "forEach(0) at -1"
+                 << "<global>() at testfile:4";
+        QTest::newRow("js callback from built-in") << source << expected;
+    }
 }
 
 
-- 
2.1.4