From 1168c215d1daf2765a24d950079b1d5538305417 Mon Sep 17 00:00:00 2001
From: Fabrice Bellard
Date: Mon, 25 Aug 2025 14:50:04 +0200
Subject: [PATCH] fixed crash in OP_add_loc if the variable is modified in JS_ToPrimitiveFree()
---
 quickjs.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/quickjs.c b/quickjs.c
index 647d273..29fd830 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -18646,12 +18646,10 @@ static JSValue JS_CallInternal(JSContext *caller_ctx, JSValueConst func_obj,
 *pv = __JS_NewFloat64(ctx, JS_VALUE_GET_FLOAT64(*pv) + JS_VALUE_GET_FLOAT64(op2));
 sp--;
- } else if (JS_VALUE_GET_TAG(*pv) == JS_TAG_STRING) {
+ } else if (JS_VALUE_GET_TAG(*pv) == JS_TAG_STRING &&
+ JS_VALUE_GET_TAG(op2) == JS_TAG_STRING) {
 sp--;
 sf->cur_pc = pc;
- op2 = JS_ToPrimitiveFree(ctx, op2, HINT_NONE);
- if (JS_IsException(op2))
- goto exception;
 if (JS_ConcatStringInPlace(ctx, JS_VALUE_GET_STRING(*pv), op2)) {
 JS_FreeValue(ctx, op2);
 } else {
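Review bot: The tightened fast-path condition (`JS_VALUE_GET_TAG(*pv) == JS_TAG_STRING && JS_VALUE_GET_TAG(op2) == JS_TAG_STRING`) carries no comment recording why the `JS_ToPrimitiveFree()` call had to leave this branch, so a later cleanup could put a conversion back between the tag check on `*pv` and the `JS_VALUE_GET_STRING(*pv)` use. I would add above the `else if` something like `/* op2 must already be a string: JS_ToPrimitiveFree() can run user code that modifies *pv after its tag was checked */`. The diffstat shows only quickjs.c changed, so no regression test for a conversion that modifies the local during the add accompanies the fix; one would keep this check-then-use ordering covered. The hunk sits in the middle of JS_CallInternal, and the path that now handles a non-string `op2` is outside it, so whether that path re-reads `*pv` after converting could not be confirmed from here.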