authorSimon Hausmann <simon.hausmann@theqtcompany.com>2014-12-01 10:21:27 +0100
committerJani Heikkinen <jani.heikkinen@theqtcompany.com>2014-12-02 09:56:13 +0100
commit1eedf91fcde959f5ac799f339384f44c6a9d0fd9 (patch)
tree47622bd2280dd272e438771ed769d6f4d2f8f2b8
parent06fc202e81bfbf619ceebb9cef803270590f9e7f (diff)
Regression: Fix array data corruption
When inserting into a sparse JS array, we may have to re-allocate the underlying data vector. When that happens we must reload the ArrayData pointer, to avoid returning a wrong pointer in ArrayData::insert. This patch also fixes the valgrind support in the memory allocator by correctly marking the mmap'ed memory region as inaccessible. Change-Id: I86aabc2cec74a4f3c8396463910d90c8968a741d Task-number: QTBUG-42956 Reviewed-by: Lars Knoll <lars.knoll@digia.com>
-rw-r--r--src/qml/jsruntime/qv4arraydata.cpp4
-rw-r--r--src/qml/jsruntime/qv4mm.cpp2
2 files changed, 4 insertions, 2 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index 35bd6e5501..0aaf50a43c 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -637,8 +637,10 @@ Property *ArrayData::insert(Object *o, uint index, bool isAccessor)
o->initSparseArray();
SparseArrayData *s = static_cast<SparseArrayData *>(o->arrayData());
SparseArrayNode *n = s->sparse()->insert(index);
- if (n->value == UINT_MAX)
+ if (n->value == UINT_MAX) {
n->value = SparseArrayData::allocate(o, isAccessor);
+ s = static_cast<SparseArrayData *>(o->arrayData());
+ }
return reinterpret_cast<Property *>(s->arrayData() + n->value);
}
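Review bot: The reload of `s` after `SparseArrayData::allocate()` carries no comment explaining why it is there, and a later cleanup could easily fold it away as a redundant re-read, reintroducing the stale-pointer read in the `return` line; add `// allocate() may grow and re-allocate the backing array data, which invalidates s — re-fetch it before indexing into it`. The node `n` was obtained before `allocate()` and is still dereferenced afterwards, so the fix also relies on the sparse tree and its nodes not moving when the array data is re-allocated; presumably `sparse()` is a separately owned structure that survives the re-allocation, but that is not visible in this hunk and is worth stating in the same comment. `ArrayData::insert` begins before this hunk.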
diff --git a/src/qml/jsruntime/qv4mm.cpp b/src/qml/jsruntime/qv4mm.cpp
index b9a4a55b4a..975a5d5833 100644
--- a/src/qml/jsruntime/qv4mm.cpp
+++ b/src/qml/jsruntime/qv4mm.cpp
@@ -245,7 +245,7 @@ Managed *MemoryManager::allocData(std::size_t size)
m_d->availableItems[pos] += uint(increase);
m_d->totalItems += int(increase);
#ifdef V4_USE_VALGRIND
- VALGRIND_MAKE_MEM_NOACCESS(allocation.memory, allocation.chunkSize);
+ VALGRIND_MAKE_MEM_NOACCESS(allocation.memory.base(), allocSize);
#endif
}