fixed crash in OP_add_loc if the variable is modified in JS_ToPrimitiveFree()
authorFabrice Bellard <fabrice@bellard.org>
Mon, 25 Aug 2025 12:50:04 +0000 (14:50 +0200)
committerFabrice Bellard <fabrice@bellard.org>
Mon, 25 Aug 2025 12:50:04 +0000 (14:50 +0200)
quickjs.c

index 647d273bfc82df9c198b8f3b0b2c07587b7ffce3..29fd830e8d87ed67ed127d757e060d9df8494b22 100644 (file)
--- a/quickjs.c
+++ b/quickjs.c
@@ -18646,12 +18646,10 @@ static JSValue JS_CallInternal(JSContext *caller_ctx, JSValueConst func_obj,
                     *pv = __JS_NewFloat64(ctx, JS_VALUE_GET_FLOAT64(*pv) +
                                                JS_VALUE_GET_FLOAT64(op2));
                     sp--;
-                } else if (JS_VALUE_GET_TAG(*pv) == JS_TAG_STRING) {
+                } else if (JS_VALUE_GET_TAG(*pv) == JS_TAG_STRING &&
+                           JS_VALUE_GET_TAG(op2) == JS_TAG_STRING) {
                     sp--;
                     sf->cur_pc = pc;
-                    op2 = JS_ToPrimitiveFree(ctx, op2, HINT_NONE);
-                    if (JS_IsException(op2))
-                        goto exception;
                     if (JS_ConcatStringInPlace(ctx, JS_VALUE_GET_STRING(*pv), op2)) {
                         JS_FreeValue(ctx, op2);
                     } else {
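Review bot: The new `JS_VALUE_GET_TAG(op2) == JS_TAG_STRING` condition carries a memory-safety invariant that nothing in the code states: between the tag check on `*pv` and the `JS_VALUE_GET_STRING(*pv)` passed to `JS_ConcatStringInPlace`, no call may run JS code. I would add a comment above the `else if`, for example `/* fast path only when op2 is already a string: converting it here could run JS code that reassigns *pv, leaving the JS_VALUE_GET_STRING(*pv) below stale */`, so the removed `JS_ToPrimitiveFree` call is not put back into this branch later. Non-string operands now presumably reach the generic add path, which lies in the part of JS_CallInternal outside this hunk; it is worth confirming that path reads `*pv` only after the conversion has finished. The file list shows only quickjs.c, so a regression test for `+=` on a local string with an object right-hand operand would help keep the fix in place.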