authorLars Knoll <lars.knoll@qt.io>2018-02-15 15:39:01 +0100
committerLars Knoll <lars.knoll@qt.io>2018-02-15 15:39:01 +0100
commit16ca5eab9bdd31774dc8e657f217e044640eecff (patch)
tree9bfcec84ff94fb8f817e6de20b87f86cf86d68a2 /src/qml/jsruntime
parent421dcfb5792a5ff5e5a9851e0c1edf6e87422680 (diff)
Fix crash when changing from a simple to a sparse array
After that change, if we ran out of slots in the freeList, the last entry would point to the first Value in the value array instead of indicating that we ran out of free slots. Task-number: QTBUG-65828 Change-Id: I3e57bb7a0c2dc29172a485a6ea957b6ab5ac962e
Diffstat (limited to 'src/qml/jsruntime')
-rw-r--r--src/qml/jsruntime/qv4arraydata.cpp2
-rw-r--r--src/qml/jsruntime/qv4sparsearray.cpp1
-rw-r--r--src/qml/jsruntime/qv4sparsearray_p.h2
3 files changed, 3 insertions, 2 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index 9b7251f3d0..5e971c8e9b 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -227,8 +227,8 @@ void ArrayData::realloc(Object *o, Type newType, uint requested, bool enforceAtt
sparse->values.values[i].setEmpty();
lastFree = &sparse->values.values[i].rawValueRef();
}
- storeValue(lastFree, UINT_MAX);
}
+ storeValue(lastFree, UINT_MAX);
Q_ASSERT(Value::fromReturnedValue(sparse->sparse->freeList).isEmpty());
// ### Could explicitly free the old data
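Review bot: The terminator invariant after the relocated `storeValue(lastFree, UINT_MAX);` is checked only by the `Q_ASSERT` on the following line, which is compiled out of release builds, so a future regression here would again surface as a bad slot index rather than a clean failure. Because a wrong free-list terminator lets a later allocation reuse a live slot in the value array, I would add a regression test for QTBUG-65828 that converts a completely full simple array to sparse and then appends to it; the diffstat shown is limited to src/qml/jsruntime, so such a test may already exist elsewhere. The store also deserves a comment, for example `// Always terminate the free list, including when the loop above found no free slot.` Both the initialisation of `lastFree` and the rest of `ArrayData::realloc` are outside this hunk, so that wording should be confirmed against the full function.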
diff --git a/src/qml/jsruntime/qv4sparsearray.cpp b/src/qml/jsruntime/qv4sparsearray.cpp
index b7be66bc31..f295e74adc 100644
--- a/src/qml/jsruntime/qv4sparsearray.cpp
+++ b/src/qml/jsruntime/qv4sparsearray.cpp
@@ -395,6 +395,7 @@ void SparseArray::freeTree(SparseArrayNode *root, int alignment)
SparseArray::SparseArray()
: numEntries(0)
{
+ freeList = Primitive::emptyValue(UINT_MAX).asReturnedValue();
header.p = 0;
header.left = 0;
header.right = 0;
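Review bot: The sentinel `Primitive::emptyValue(UINT_MAX).asReturnedValue()` is written here as a bare expression with no explanation, while `ArrayData::realloc` in qv4arraydata.cpp writes its terminator separately with `storeValue(lastFree, UINT_MAX)`. Two independent spellings of "no free slot" in different files are easy to let drift apart. I would at least document the line, e.g. `// Empty value carrying UINT_MAX marks an exhausted free list; must match the terminator ArrayData::realloc writes.`, and consider a small named helper shared by both sites. The constructor body continues past the end of this hunk.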
diff --git a/src/qml/jsruntime/qv4sparsearray_p.h b/src/qml/jsruntime/qv4sparsearray_p.h
index 6dca1e1a34..ca6abcda89 100644
--- a/src/qml/jsruntime/qv4sparsearray_p.h
+++ b/src/qml/jsruntime/qv4sparsearray_p.h
@@ -151,7 +151,7 @@ struct Q_QML_EXPORT SparseArray
SparseArray(const SparseArray &other);
- ReturnedValue freeList = 0;
+ ReturnedValue freeList;
private:
SparseArray &operator=(const SparseArray &other);
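Review bot: Dropping the `= 0` default member initializer from `freeList` means any constructor that does not assign the member now leaves it indeterminate, and this commit only adds the assignment to the default constructor in qv4sparsearray.cpp. The copy constructor `SparseArray(const SparseArray &other)` declared just above is defined outside this diff, so it should be checked that it sets `freeList` explicitly; an uninitialised free-list head would be read as a slot index on the next allocation. A comment on the declaration would make the new obligation visible, e.g. `// No default initializer: every constructor must set this (an empty value with UINT_MAX means no free slot).`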