Fix corner-case counting of bits in QBitArray::count(bool)

This actually looks very wrong. First, it would try to read bits for
len == 0, which means it was actually reading the implicit NUL from
QByteArray (so valgrind would never catch the error).

Second, there was a corner case for testing the 8th bit (bit 7) in the
last byte. For len == 8 or 16 at the beginning of the last loop, it
would read bits[len / 8], which is again the implicit NUL from
QByteArray.

Compare to testBit (simplified):
    return d.constData()[1+(i>>3)] & (1 << (i & 7)) != 0;

Task-number: QTBUG-11625
Change-Id: Idb361163de596b629cab42f2367ddd09456c2a98
Reviewed-by: Olivier Goffart <ogoffart@woboq.com>
Reviewed-by: Kurt Pattyn <pattyn.kurt@gmail.com>

1 files changed, 3 insertions, 3 deletions

diff --git a/src/corelib/tools/qbitarray.cpp b/src/corelib/tools/qbitarray.cpp
index 54c1ff8843..e432322aeb 100644
--- a/src/corelib/tools/qbitarray.cpp
+++ b/src/corelib/tools/qbitarray.cpp
@@ -174,10 +174,10 @@ int QBitArray::count(bool on) const
         bits += 3;
         numBits += int(qPopulationCount(v));
     }
-    while (len >= 0) {
-        if (bits[len / 8] & (1 << ((len - 1) & 7)))
-            ++numBits;
+    while (len > 0) {
         --len;
+        if (bits[len / 8] & (1 << (len & 7)))
+            ++numBits;
     }
 #endif
     return on ? numBits : size() - numBits;