Fix memory corruption in array handling

SimpleArrayData's markObjects() implementation did not mark the entries correctly. When the dequeue offset was non-zero, we would end up marking values that may have been garbage collected earlier. Task-number: QTBUG-45888 Change-Id: Iacec350ccc76399ad4d16138af50acf22b2809db Reviewed-by: Lars Knoll <lars.knoll@digia.com>
author: Simon Hausmann <simon.hausmann@theqtcompany.com> 2015-05-05 10:52:34 +0200
committer: Simon Hausmann <simon.hausmann@theqtcompany.com> 2015-05-08 04:08:16 +0000
commit: c415e6972b371acc288cd835f5635936215c615f (patch)
tree: 04b7cd5aa1dc09549248f16e39c4ae28ba6c11c1 /src/qml/jsruntime/qv4arraydata.cpp
parent: 3b5d37ce3841c4bfdf1c629d33f0e33b881b47fb (diff)
1 files changed, 2 insertions, 3 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index 737c891f9b..afcfa00905 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -216,9 +216,8 @@ void ArrayData::ensureAttributes(Object *o)
 void SimpleArrayData::markObjects(Heap::Base *d, ExecutionEngine *e)
 {
     Heap::SimpleArrayData *dd = static_cast<Heap::SimpleArrayData *>(d);
-    uint l = dd->len;
-    for (uint i = 0; i < l; ++i)
-        dd->arrayData[i].mark(e);
+    for (uint i = 0; i < dd->len; ++i)
+        dd->arrayData[dd->mappedIndex(i)].mark(e);
 }
 
 ReturnedValue SimpleArrayData::get(const Heap::ArrayData *d, uint index)
author	Simon Hausmann <simon.hausmann@theqtcompany.com>	2015-05-05 10:52:34 +0200
committer	Simon Hausmann <simon.hausmann@theqtcompany.com>	2015-05-08 04:08:16 +0000
commit	c415e6972b371acc288cd835f5635936215c615f (patch)
tree	04b7cd5aa1dc09549248f16e39c4ae28ba6c11c1 /src/qml/jsruntime/qv4arraydata.cpp
parent	3b5d37ce3841c4bfdf1c629d33f0e33b881b47fb (diff)