JS: Ensure that array keeps valid after length changes and fix concat

This is a partial revert of 6fa617524a6d0a2bc988e2dc70e8d719d1b9c282. The reasoning there was wrong: Due to the ring structure of the array, there might be further (non-undefined) elements at the start of the allocated memory. Those need to be copied to. This patch therefore reverts the change in 6fa617524a6d0a2bc988e2dc70e8d719d1b9c282 which simply set the size, and restores the copying behavior again. The actual fix for the crash in QTBUG-81037 requires a change to how we set the array length: Previously, when the size increased, we only reinitialized the array (as a sparse array) when the new size was greater than a certain threshold. If the new size was smaller than that threshold (but larger than the current alloc value), we would end up with an inconsistent array: It was non-sparse, but had a smaller capacity than size, leading to the memory corruption in concat when the elements that should exist (but did not) were accessed. This patch ensures that we now always resize the alloc buffer if necessary. Task-number: QTBUG-81037 Fixes: QTBUG-90456 Change-Id: Ie193aa3d714121ce6e8203c4b663b9015715e025 Reviewed-by: Andrei Golubev <andrei.golubev@qt.io> Reviewed-by: Maximilian Goldstein <max.goldstein@qt.io> Reviewed-by: Lars Knoll <lars.knoll@qt.io>
author: Fabian Kosmale <fabian.kosmale@qt.io> 2021-07-22 17:03:16 +0200
committer: Fabian Kosmale <fabian.kosmale@qt.io> 2021-07-27 13:06:18 +0200
commit: 64777c3ed9dc66e3510ce2139538b93ad68e9fbb (patch)
tree: 3bb4b4be1a12f8a6bd5085ee6e7b6030aaf06caa /src/qml/jsruntime/qv4arraydata.cpp
parent: af141f0ea484549d89f99ca7261d73e6aa2244ac (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index 577cc11cf4..20501f9d03 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -563,7 +563,7 @@ uint ArrayData::append(Object *obj, ArrayObject *otherObj, uint n)
         ScopedValue v(scope);
         for (uint i = 0; i < n; ++i)
             obj->arraySet(oldSize + i, (v = otherObj->get(i)));
-    } else if (other && other->isSparse()) {
+    } else if (other->isSparse()) {
         Heap::SparseArrayData *os = static_cast<Heap::SparseArrayData *>(other->d());
         if (other->hasAttributes()) {
             ScopedValue v(scope);
@@ -586,7 +586,7 @@ uint ArrayData::append(Object *obj, ArrayObject *otherObj, uint n)
         obj->arrayPut(oldSize, os->values.data() + os->offset, chunk);
         toCopy -= chunk;
         if (toCopy)
-            obj->setArrayLength(oldSize + chunk + toCopy);
+            obj->arrayPut(oldSize + chunk, os->values.data(), toCopy);
     }
 
     return oldSize + n;
author	Fabian Kosmale <fabian.kosmale@qt.io>	2021-07-22 17:03:16 +0200
committer	Fabian Kosmale <fabian.kosmale@qt.io>	2021-07-27 13:06:18 +0200
commit	64777c3ed9dc66e3510ce2139538b93ad68e9fbb (patch)
tree	3bb4b4be1a12f8a6bd5085ee6e7b6030aaf06caa /src/qml/jsruntime/qv4arraydata.cpp
parent	af141f0ea484549d89f99ca7261d73e6aa2244ac (diff)