QJsonObject: add missing detach2() calls

The refactoring to use CBOR missed two places where we could assign from
the same object and thus cause corruption. In fixing this issue, I found
a design flaw in QJsonObject, see Q_EXPECT_FAILing unit test and task
QTBUG-83398.

[ChangeLog][QtCore][QJsonObject] Fixed a regression from 5.13 that
incorrect results when assigning elements from an object to itself.

Fixes: QTBUG-83366
Change-Id: Ibdc95e9af7bd456a94ecfffd1603df24b06713aa
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>

1 files changed, 3 insertions, 0 deletions

diff --git a/src/corelib/serialization/qjsonobject.cpp b/src/corelib/serialization/qjsonobject.cpp
index b76e50e2d2..850e878571 100644
--- a/src/corelib/serialization/qjsonobject.cpp
+++ b/src/corelib/serialization/qjsonobject.cpp
@@ -452,9 +452,11 @@ QJsonValueRef QJsonObject::atImpl(T key)
     bool keyExists = false;
     int index = indexOf(o, key, &keyExists);
     if (!keyExists) {
+        detach2(o->elements.length() / 2 + 1);
         o->insertAt(index, key);
         o->insertAt(index + 1, QCborValue::fromJsonValue(QJsonValue()));
     }
+    // detaching will happen if and when this QJsonValueRef is assigned to
     return QJsonValueRef(this, index / 2);
 }
 
@@ -1469,6 +1471,7 @@ QJsonValue QJsonObject::valueAt(int i) const
 void QJsonObject::setValueAt(int i, const QJsonValue &val)
 {
     Q_ASSERT(o && i >= 0 && 2 * i + 1 < o->elements.length());
+    detach2();
     if (val.isUndefined()) {
         o->removeAt(2 * i + 1);
         o->removeAt(2 * i);