Fix logic bug when deleting properties of JS objects

The code used the size of the internal class in an inconsistent
way. It should simply compute and work with the old internal
class size, as that reflects the old object layout.

[ChangeLog][QtQml] Fix assertion when deleting properties of JS objects

Task-number: QTBUG-54589
Change-Id: Ie3db70437e780215d08a1a96491db75f8b859754
Reviewed-by: Robin Burchell <robin.burchell@viroteck.net>
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>

1 files changed, 4 insertions, 4 deletions

diff --git a/src/qml/jsruntime/qv4internalclass.cpp b/src/qml/jsruntime/qv4internalclass.cpp
index 8f0b1776d7..0bc4b9a7fc 100644
--- a/src/qml/jsruntime/qv4internalclass.cpp
+++ b/src/qml/jsruntime/qv4internalclass.cpp
@@ -155,8 +155,8 @@ static void insertHoleIntoPropertyData(Object *object, int idx)
 static void removeFromPropertyData(Object *object, int idx, bool accessor = false)
 {
     int inlineSize = object->d()->inlineMemberSize;
-    int icSize = object->internalClass()->size;
     int delta = (accessor ? 2 : 1);
+    int oldSize = object->internalClass()->size + delta;
     int to = idx;
     int from = to + delta;
     if (from < inlineSize) {
@@ -164,15 +164,15 @@ static void removeFromPropertyData(Object *object, int idx, bool accessor = fals
         to = inlineSize - delta;
         from = inlineSize;
     }
-    if (to < inlineSize && from < icSize) {
+    if (to < inlineSize && from < oldSize) {
         Q_ASSERT(from >= inlineSize);
         memcpy(object->propertyData(to), object->d()->propertyData(from), (inlineSize - to)*sizeof(Value));
         to = inlineSize;
         from = inlineSize + delta;
     }
-    if (from < icSize + delta) {
+    if (from < oldSize) {
         Q_ASSERT(to >= inlineSize && from > to);
-        memmove(object->propertyData(to), object->d()->propertyData(from), (icSize + delta - to)*sizeof(Value));
+        memmove(object->propertyData(to), object->d()->propertyData(from), (oldSize - to)*sizeof(Value));
     }
 }