author | Lars Knoll <lars.knoll@qt.io> | 2016-07-14 11:58:14 +0200 |
---|---|---|
committer | Lars Knoll <lars.knoll@qt.io> | 2016-07-14 11:29:34 +0000 |
commit | 91ed06b767aa4993d28c8b2db4900c319098b035 (patch) | |
tree | 28423682d32793ec867f28f03371a5d00c62f05b /src | |
parent | e4f7ab42c6c4f19eed76d9d0de5accda5835a3a8 (diff) |
Fix logic bug when deleting properties of JS objects
The code used the size of the internal class in an inconsistent
way. It should simply compute and work with the old internal
class size, as that reflects the old object layout.
[ChangeLog][QtQml] Fix assertion when deleting properties of JS objects
Task-number: QTBUG-54589
Change-Id: Ie3db70437e780215d08a1a96491db75f8b859754
Reviewed-by: Robin Burchell <robin.burchell@viroteck.net>
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
Diffstat (limited to 'src')
-rw-r--r-- | src/qml/jsruntime/qv4internalclass.cpp | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/qml/jsruntime/qv4internalclass.cpp b/src/qml/jsruntime/qv4internalclass.cpp
index 8f0b1776d7..0bc4b9a7fc 100644
--- a/src/qml/jsruntime/qv4internalclass.cpp
+++ b/src/qml/jsruntime/qv4internalclass.cpp
@@ -155,8 +155,8 @@ static void insertHoleIntoPropertyData(Object *object, int idx)
 static void removeFromPropertyData(Object *object, int idx, bool accessor = false)
 {
 int inlineSize = object->d()->inlineMemberSize;
- int icSize = object->internalClass()->size;
 int delta = (accessor ? 2 : 1);
+ int oldSize = object->internalClass()->size + delta;
 int to = idx;
 int from = to + delta;
 if (from < inlineSize) {
@@ -164,15 +164,15 @@ static void removeFromPropertyData(Object *object, int idx, bool accessor = fals
 to = inlineSize - delta;
 from = inlineSize;
 }
- if (to < inlineSize && from < icSize) {
+ if (to < inlineSize && from < oldSize) {
 Q_ASSERT(from >= inlineSize);
 memcpy(object->propertyData(to), object->d()->propertyData(from), (inlineSize - to)*sizeof(Value));
 to = inlineSize;
 from = inlineSize + delta;
 }
- if (from < icSize + delta) {
+ if (from < oldSize) {
 Q_ASSERT(to >= inlineSize && from > to);
- memmove(object->propertyData(to), object->d()->propertyData(from), (icSize + delta - to)*sizeof(Value));
+ memmove(object->propertyData(to), object->d()->propertyData(from), (oldSize - to)*sizeof(Value));
 }
 }
|
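Review bot: The added `oldSize` line reconstructs the pre-removal slot count as `object->internalClass()->size + delta`, which is only correct if the object has already been switched to the smaller internal class before this function runs, and nothing in the hunk states or checks that ordering. Every later bound on the memcpy/memmove depends on this value, so I would document the precondition above the line, e.g. `// internalClass() is already the post-removal class; oldSize is the slot count of the layout still in memory`. An explicit range check next to it, `Q_ASSERT(idx >= 0 && idx + delta <= oldSize);`, would catch a bad index before any memory is moved. The function body continues past this hunk.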
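Review bot: The final `memmove` still takes its length from `to` although the source starts at `from`; with `from > to` asserted on the line above, the source range ends at `from + (oldSize - to)`, which is past the `oldSize` slots of the old layout. The `memcpy` branch has a similar gap: only `from < oldSize` is checked before `inlineSize - to` values are read starting at `from`. Whether those extra slots still fall inside the member-data allocation is not visible from this hunk, so I would bound the copy by the old layout instead: `memmove(object->propertyData(to), object->d()->propertyData(from), (oldSize - from)*sizeof(Value));`. The function starts outside this hunk.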