authorLars Knoll <lars.knoll@qt.io>2018-02-15 15:39:01 +0100
committerLars Knoll <lars.knoll@qt.io>2018-02-16 08:16:37 +0000
commit8fdf466741f31bc9f33db7b5d09c2e282f0b6bbe (patch)
tree611fd52836925a0f3623cc36831f094f52ed7e3f
parent557e7629ac7a1d1b11adf8f7018bb2ae611e9242 (diff)
Fix crash when changing from a simple to a sparse array
After that change, if we ran out of slots in the freeList, the last entry would point to the first Value in the value array, not indicating that we ran out of free slots. Conflicts: src/qml/jsruntime/qv4sparsearray_p.h Task-number: QTBUG-65828 Change-Id: I3e57bb7a0c2dc29172a485a6ea957b6ab5ac962e (cherry picked from commit 16ca5eab9bdd31774dc8e657f217e044640eecff) Reviewed-by: Lars Knoll <lars.knoll@qt.io>
-rw-r--r--src/qml/jsruntime/qv4arraydata.cpp2
-rw-r--r--src/qml/jsruntime/qv4arraydata_p.h4
2 files changed, 5 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index dac899e23f..0944e6d271 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -214,8 +214,8 @@ void ArrayData::realloc(Object *o, Type newType, uint requested, bool enforceAtt
sparse->arrayData[i].setEmpty();
lastFree = &sparse->arrayData[i].rawValueRef();
}
- storeValue(lastFree, UINT_MAX);
}
+ storeValue(lastFree, UINT_MAX);
Q_ASSERT(Value::fromReturnedValue(sparse->freeList).isEmpty());
// ### Could explicitly free the old data
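Review bot: The moved `storeValue(lastFree, UINT_MAX);` line has no comment saying why the terminator must be written even when the loop above appends no free slots, and the only check of that invariant is the `Q_ASSERT` on the next line, which is compiled out of release builds. A comment such as `// Always terminate the free list, even when no free slots were appended above; a stale link here is read as a slot index.` would keep the store from being folded back into the block later. The diffstat lists only the two source files, so a regression test for the QTBUG-65828 simple-to-sparse conversion would be worth adding alongside. The enclosing condition and the initial value of `lastFree` are outside the hunk, so the exact case being covered is inferred from the commit message.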
diff --git a/src/qml/jsruntime/qv4arraydata_p.h b/src/qml/jsruntime/qv4arraydata_p.h
index daf8c36814..ac6087891d 100644
--- a/src/qml/jsruntime/qv4arraydata_p.h
+++ b/src/qml/jsruntime/qv4arraydata_p.h
@@ -156,6 +156,10 @@ struct SimpleArrayData : public ArrayData {
V4_ASSERT_IS_TRIVIAL(SimpleArrayData)
struct SparseArrayData : public ArrayData {
+ void init() {
+ ArrayData::init();
+ freeList = Primitive::emptyValue(UINT_MAX).asReturnedValue();
+ }
void destroy() {
delete sparse;
ArrayData::destroy();
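Review bot: The new `SparseArrayData::init()` appears to hide `ArrayData::init()` rather than override it (the neighbouring `V4_ASSERT_IS_TRIVIAL` suggests these heap types have no virtuals), so the `freeList` initialisation only runs where the object is initialised through the `SparseArrayData` type. The allocation sites are outside this hunk, so it is worth confirming none of them initialise a sparse array via the base type. The `UINT_MAX` sentinel is also a bare literal here and in `ArrayData::realloc()`; a comment on `init()` such as `// freeList == emptyValue(UINT_MAX) means "no free slot"; must match the terminator written in ArrayData::realloc().` would tie the two together. The struct body continues past the end of the hunk.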