From 69d18d9c2922894a7d0d39f6cc6bbc1a0a0e44b5 Mon Sep 17 00:00:00 2001
From: Robert Reif <reif@earthlink.net>
Date: Thu, 20 Apr 2017 10:03:29 -0400
Subject: [PATCH] Fix #7963: crash; Variable::setFlag ; gecko-dev ,
 dom/canvas/WebGLTransformFeedback.cpp

---
 lib/symboldatabase.cpp      | 13 ++++++++-----
 test/testsymboldatabase.cpp | 24 ++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/lib/symboldatabase.cpp b/lib/symboldatabase.cpp
index 14f382721..8652f96de 100644
--- a/lib/symboldatabase.cpp
+++ b/lib/symboldatabase.cpp
@@ -4739,11 +4739,14 @@ void SymbolDatabase::setValueType(Token *tok, const ValueType &valuetype)
                     if (isconst)
                         varvt.constness |= 1;
                     setValueType(parent->previous(), varvt);
-                    const_cast<Variable *>(parent->previous()->variable())->setFlags(varvt);
-                    const Type * type = typeStart->tokAt(4)->type();
-                    if (type && type->classScope && type->classScope->definedType) {
-                        autoToken->type(type->classScope->definedType);
-                        const_cast<Variable *>(parent->previous()->variable())->type(type->classScope->definedType);
+                    Variable * var = const_cast<Variable *>(parent->previous()->variable());
+                    if (var) {
+                        var->setFlags(varvt);
+                        const Type * type = typeStart->tokAt(4)->type();
+                        if (type && type->classScope && type->classScope->definedType) {
+                            autoToken->type(type->classScope->definedType);
+                            var->type(type->classScope->definedType);
+                        }
                     }
                 }
             }
diff --git a/test/testsymboldatabase.cpp b/test/testsymboldatabase.cpp
index 2d2d32e9e..830a43ccc 100644
--- a/test/testsymboldatabase.cpp
+++ b/test/testsymboldatabase.cpp
@@ -326,6 +326,7 @@ private:
         TEST_CASE(auto3);
         TEST_CASE(auto4);
         TEST_CASE(auto5);
+        TEST_CASE(auto6); // #7963 (segmentation fault)
     }
 
     void array() {
@@ -4862,6 +4863,29 @@ private:
         ASSERT(db && vartok && vartok->variable() && vartok->variable()->typeStartToken()->str() == "int");
     }
 
+    void auto6() {  // #7963 (segmentation fault)
+        GET_SYMBOL_DB("class WebGLTransformFeedback final\n"
+                      ": public nsWrapperCache\n"
+                      ", public WebGLRefCountedObject < WebGLTransformFeedback >\n"
+                      ", public LinkedListElement < WebGLTransformFeedback >\n"
+                      "{\n"
+                      "private :\n"
+                      "std :: vector < IndexedBufferBinding > mIndexedBindings ;\n"
+                      "} ;\n"
+                      "struct IndexedBufferBinding\n"
+                      "{\n"
+                      "IndexedBufferBinding ( ) ;\n"
+                      "} ;\n"
+                      "const decltype ( WebGLTransformFeedback :: mBuffersForTF ) &\n"
+                      "WebGLTransformFeedback :: BuffersForTF ( ) const\n"
+                      "{\n"
+                      "mBuffersForTF . clear ( ) ;\n"
+                      "for ( const auto & cur : mIndexedBindings ) {}\n"
+                      "return mBuffersForTF ;\n"
+                      "}");
+        ASSERT_EQUALS(true,  db != nullptr); // not null
+    }
+
 };
 
 REGISTER_TEST(TestSymbolDatabase)