author | Simon Hausmann <simon.hausmann@digia.com> | 2014-03-28 14:12:41 +0100 |
---|---|---|
committer | The Qt Project <gerrit-noreply@qt-project.org> | 2014-03-28 15:07:03 +0100 |
commit | 6bbd173a9cb36021ed284522ac628400469eab2f (patch) | |
tree | 969dfdd384ab63d2c48eea7a609d71c1dda9f424 | |
parent | 910542eb9e3876df33d8a613333dfbccb898a11d (diff) |
Fix crash in sparse array handling
When re-allocating the sparse array data, make sure to initialize the free list
correctly. Previously this was only done for the first allocation.
The test case uses an object literal, as that's a reliable way to ensure
a sparse array is created.
Task-number: QTBUG-37892
Change-Id: Ib38cfce50104904af0c980f022c9dbb7461ae5f8
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
-rw-r--r-- | src/qml/jsruntime/qv4arraydata.cpp | 25 | ||||
-rw-r--r-- | tests/auto/qml/qjsengine/tst_qjsengine.cpp | 1 |
2 files changed, 14 insertions, 12 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index 13a7bb281b..ed2122fb89 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -156,21 +156,22 @@ void ArrayData::realloc(Object *o, Type newType, uint offset, uint alloc, bool e
 newData->sparse = old->sparse;
 old->sparse = 0;
 newData->freeList = old->freeList;
- return;
+ } else {
+ newData->sparse = new SparseArray;
+ uint *lastFree = &newData->freeList;
+ for (uint i = 0; i < toCopy; ++i) {
+ if (!newData->data[i].isEmpty()) {
+ SparseArrayNode *n = newData->sparse->insert(i);
+ n->value = i;
+ } else {
+ *lastFree = i;
+ newData->data[i].tag = Value::Empty_Type;
+ lastFree = &newData->data[i].uint_32;
+ }
+ }
 }
- newData->sparse = new SparseArray;
 uint *lastFree = &newData->freeList;
- for (uint i = 0; i < toCopy; ++i) {
- if (!newData->data[i].isEmpty()) {
- SparseArrayNode *n = newData->sparse->insert(i);
- n->value = i;
- } else {
- *lastFree = i;
- newData->data[i].tag = Value::Empty_Type;
- lastFree = &newData->data[i].uint_32;
- }
- }
 for (uint i = toCopy; i < newData->alloc; ++i) {
 *lastFree = i;
 newData->data[i].tag = Value::Empty_Type;
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index 3357aa7643..5e6b2dd808 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -1033,6 +1033,7 @@ void tst_QJSEngine::evaluate_data()
 QTest::newRow("/a/gim") << QString("/a/gim") << -1 << false << -1;
 QTest::newRow("/a/gimp") << QString("/a/gimp") << 1 << true << 1;
 QTest::newRow("empty-array-concat") << QString("var a = []; var b = [1]; var c = a.concat(b); ") << 1 << false << -1;
+ QTest::newRow("object-literal") << QString("var a = {\"0\":\"#\",\"2\":\"#\",\"5\":\"#\",\"8\":\"#\",\"6\":\"#\",\"12\":\"#\",\"13\":\"#\",\"16\":\"#\",\"18\":\"#\",\"39\":\"#\",\"40\":\"#\"}") << 1 << false << -1;
 }
 void tst_QJSEngine::evaluate() |
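Review bot: In the qv4arraydata.cpp hunk, the `uint *lastFree` declared inside the new `else` block goes out of scope at its closing brace, and the context line `uint *lastFree = &newData->freeList;` that follows restarts at the list head, so the first iteration of the `toCopy` loop overwrites `newData->freeList` whenever that loop runs. Before this change a single `lastFree` carried over from the first loop into the second; now the empty slots linked below `toCopy`, and the `old->freeList` value copied in the sparse branch, appear to be dropped from the chain and would never be handed out again. If that is intended, a comment such as `// free list restarts at toCopy; slots below it are not reused` would document it; otherwise hoist the one declaration above the `if` and delete the inner one so the else-branch chain continues into the second loop. ArrayData::realloc starts and ends outside the hunk, so how the list is terminated after the second loop is not visible here.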