| author | Simon Hausmann <simon.hausmann@theqtcompany.com> | 2015-05-05 10:52:34 +0200 |
|---|---|---|
| committer | Simon Hausmann <simon.hausmann@theqtcompany.com> | 2015-05-08 04:08:16 +0000 |
| commit | c415e6972b371acc288cd835f5635936215c615f (patch) | |
| tree | 04b7cd5aa1dc09549248f16e39c4ae28ba6c11c1 /src/qml/jsruntime/qv4arraydata.cpp | |
| parent | 3b5d37ce3841c4bfdf1c629d33f0e33b881b47fb (diff) | |
Fix memory corruption in array handling
SimpleArrayData's markObjects() implementation did not mark the entries
correctly. When the dequeue offset was non-zero, we would end up marking values
that may have been garbage collected earlier.
Task-number: QTBUG-45888
Change-Id: Iacec350ccc76399ad4d16138af50acf22b2809db
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Diffstat (limited to 'src/qml/jsruntime/qv4arraydata.cpp')
-rw-r--r-- | src/qml/jsruntime/qv4arraydata.cpp | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp index 737c891f9b..afcfa00905 100644 --- a/src/qml/jsruntime/qv4arraydata.cpp +++ b/src/qml/jsruntime/qv4arraydata.cpp @@ -216,9 +216,8 @@ void ArrayData::ensureAttributes(Object *o) void SimpleArrayData::markObjects(Heap::Base *d, ExecutionEngine *e) { Heap::SimpleArrayData *dd = static_cast<Heap::SimpleArrayData *>(d); - uint l = dd->len; - for (uint i = 0; i < l; ++i) - dd->arrayData[i].mark(e); + for (uint i = 0; i < dd->len; ++i) + dd->arrayData[dd->mappedIndex(i)].mark(e); } ReturnedValue SimpleArrayData::get(const Heap::ArrayData *d, uint index) |
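Review bot: The loop in SimpleArrayData::markObjects() now goes through dd->mappedIndex(i) instead of indexing arrayData directly, but nothing in the hunk records why; a one-line comment above the loop saying that arrayData is a dequeue with a non-zero start offset and that logical index i must be translated before use would stop the next reader from "simplifying" it back to `dd->arrayData[i].mark(e);` and reintroducing the marking of stale, already-collected slots the commit message describes. Since the bug only shows when the offset is non-zero, the change should also come with a regression test for QTBUG-45888 that dequeues from the front of an array, triggers a garbage collection and then reads the remaining entries, so the mark path is exercised with an offset rather than only with the offset-zero case the old code happened to handle. Dropping the local `uint l = dd->len;` and re-reading dd->len on every iteration is harmless here because marking does not change the length, but it is worth confirming in review that no other loop over arrayData in this file still indexes it directly without mappedIndex(), as the same class of error would apply there.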