authorArnaud Vrac <avrac@freebox.fr>2016-09-14 11:21:36 +0200
committerUlf Hermann <ulf.hermann@qt.io>2016-10-10 09:41:55 +0000
commit4b14c4b4da2294926d649ea767cc22b14bc3061e (patch)
tree4bb172deb7b7713c6d5ad0313020505a43bb1b8a
parent376077a8e73100ccada6f2bb81c6664817bb44ba (diff)
Fix corruption when adding or changing properties of JS objects
Commit 833c99db20 introduced this regression by only moving part of the value data to the proper offset. Task-number: QTBUG-53261 Change-Id: I11241c57057a57794bc3ca60ee437206e524f355 Reviewed-by: Ulf Hermann <ulf.hermann@qt.io> Reviewed-by: Lars Knoll <lars.knoll@qt.io>
-rw-r--r--src/qml/jsruntime/qv4internalclass.cpp12
-rw-r--r--tests/auto/qml/qjsengine/tst_qjsengine.cpp14
2 files changed, 22 insertions, 4 deletions
diff --git a/src/qml/jsruntime/qv4internalclass.cpp b/src/qml/jsruntime/qv4internalclass.cpp
index 0bc4b9a7fc..65e83d848c 100644
--- a/src/qml/jsruntime/qv4internalclass.cpp
+++ b/src/qml/jsruntime/qv4internalclass.cpp
@@ -140,16 +140,20 @@ static void insertHoleIntoPropertyData(Object *object, int idx)
int icSize = object->internalClass()->size;
int from = qMax(idx, inlineSize);
int to = from + 1;
- if (from < icSize)
- memmove(object->propertyData(to), object->propertyData(from), icSize - from - 1);
+ if (from < icSize) {
+ memmove(object->propertyData(to), object->propertyData(from),
+ (icSize - from - 1) * sizeof(Value));
+ }
if (from == idx)
return;
if (inlineSize < icSize)
*object->propertyData(inlineSize) = *object->propertyData(inlineSize - 1);
from = idx;
to = from + 1;
- if (from < inlineSize - 1)
- memmove(object->propertyData(to), object->propertyData(from), inlineSize - from - 1);
+ if (from < inlineSize - 1) {
+ memmove(object->propertyData(to), object->propertyData(from),
+ (inlineSize - from - 1) * sizeof(Value));
+ }
}
static void removeFromPropertyData(Object *object, int idx, bool accessor = false)
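Review bot: The byte count passed to both memmove calls is now derived from the separately named type `sizeof(Value)`, while the source and destination pointers come from `object->propertyData(...)`, so nothing ties the count's unit to the pointee; writing `(icSize - from - 1) * sizeof(*object->propertyData(from))` (and likewise for the inline branch) keeps the two coupled so a later change to the slot type cannot reintroduce the element-versus-byte mismatch this commit repairs. A one-line comment above the first call would also make the hazard explicit, e.g. `// propertyData() is indexed in Values; memmove wants a byte count`. The guards `from < icSize` and `from < inlineSize - 1` keep `icSize - from - 1` and `inlineSize - from - 1` non-negative, so the implicit int-to-size_t conversion is safe here, but that dependency is worth stating in the same comment since a negative int would silently become a huge length. insertHoleIntoPropertyData's body begins before the hunk, so the derivation of inlineSize is not visible here.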
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index acaa6604f9..6cbafbf055 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -195,6 +195,7 @@ private slots:
void v4FunctionWithoutQML();
void withNoContext();
+ void holeInPropertyData();
signals:
void testSignal();
@@ -3858,6 +3859,19 @@ void tst_QJSEngine::withNoContext()
engine.evaluate("with (noContext) true");
}
+void tst_QJSEngine::holeInPropertyData()
+{
+ QJSEngine engine;
+ QJSValue ok = engine.evaluate(
+ "var o = {};\n"
+ "o.bar = 0xcccccccc;\n"
+ "o.foo = 0x55555555;\n"
+ "Object.defineProperty(o, 'bar', { get: function() { return 0xffffffff }});\n"
+ "o.bar === 0xffffffff && o.foo === 0x55555555;");
+ QVERIFY(ok.isBool());
+ QVERIFY(ok.toBool());
+}
+
QTEST_MAIN(tst_QJSEngine)
#include "tst_qjsengine.moc"
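Review bot: holeInPropertyData explains neither why the values 0xcccccccc and 0x55555555 were chosen nor which path of the fixed insertHoleIntoPropertyData the scenario is meant to reach, so a reader cannot tell what a regression would look like. Presumably the constants exceed the int32 range so each occupies the full payload of a Value and a partially moved slot yields a visibly different number — confirm that and state it, e.g. `// values outside int32 range: a half-moved Value would compare unequal`. Only the case where an accessor replaces the first of two data properties is covered; whether that exercises both memmove branches of the fix depends on the inline slot count, which this page does not show, so a second case with more properties than inline slots may be worth adding if it does not.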