authorSimon Hausmann <simon.hausmann@digia.com>2014-03-28 14:12:41 +0100
committerThe Qt Project <gerrit-noreply@qt-project.org>2014-03-28 15:07:03 +0100
commit6bbd173a9cb36021ed284522ac628400469eab2f (patch)
tree969dfdd384ab63d2c48eea7a609d71c1dda9f424 /src
parent910542eb9e3876df33d8a613333dfbccb898a11d (diff)
Fix crash in sparse array handling
When re-allocating the sparse array data, make sure to initialize the free list correctly. Previously this was only done for the first allocation. The test case uses an object literal, as that's a reliable way to ensure a sparse array is created. Task-number: QTBUG-37892 Change-Id: Ib38cfce50104904af0c980f022c9dbb7461ae5f8 Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Diffstat (limited to 'src')
-rw-r--r--src/qml/jsruntime/qv4arraydata.cpp25
1 files changed, 13 insertions, 12 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index 13a7bb281b..ed2122fb89 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -156,21 +156,22 @@ void ArrayData::realloc(Object *o, Type newType, uint offset, uint alloc, bool e
newData->sparse = old->sparse;
old->sparse = 0;
newData->freeList = old->freeList;
- return;
+ } else {
+ newData->sparse = new SparseArray;
+ uint *lastFree = &newData->freeList;
+ for (uint i = 0; i < toCopy; ++i) {
+ if (!newData->data[i].isEmpty()) {
+ SparseArrayNode *n = newData->sparse->insert(i);
+ n->value = i;
+ } else {
+ *lastFree = i;
+ newData->data[i].tag = Value::Empty_Type;
+ lastFree = &newData->data[i].uint_32;
+ }
+ }
}
- newData->sparse = new SparseArray;
uint *lastFree = &newData->freeList;
- for (uint i = 0; i < toCopy; ++i) {
- if (!newData->data[i].isEmpty()) {
- SparseArrayNode *n = newData->sparse->insert(i);
- n->value = i;
- } else {
- *lastFree = i;
- newData->data[i].tag = Value::Empty_Type;
- lastFree = &newData->data[i].uint_32;
- }
- }
for (uint i = toCopy; i < newData->alloc; ++i) {
*lastFree = i;
newData->data[i].tag = Value::Empty_Type;