From 8fdf466741f31bc9f33db7b5d09c2e282f0b6bbe Mon Sep 17 00:00:00 2001
From: Lars Knoll
Date: Thu, 15 Feb 2018 15:39:01 +0100
Subject: Fix crash when changing from a simple to a sparse array

After that change, if we ran out of slots in the freeList, the last entry would point to the first Value in the value array, not indicating that we ran out of free slots.

Conflicts:
	src/qml/jsruntime/qv4sparsearray_p.h

Task-number: QTBUG-65828
Change-Id: I3e57bb7a0c2dc29172a485a6ea957b6ab5ac962e
(cherry picked from commit 16ca5eab9bdd31774dc8e657f217e044640eecff)
Reviewed-by: Lars Knoll
---
 src/qml/jsruntime/qv4arraydata.cpp | 2 +-
 src/qml/jsruntime/qv4arraydata_p.h | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index dac899e23f..0944e6d271 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -214,8 +214,8 @@ void ArrayData::realloc(Object *o, Type newType, uint requested, bool enforceAtt
 sparse->arrayData[i].setEmpty();
 lastFree = &sparse->arrayData[i].rawValueRef();
 }
-storeValue(lastFree, UINT_MAX);
 }
+storeValue(lastFree, UINT_MAX);
 Q_ASSERT(Value::fromReturnedValue(sparse->freeList).isEmpty());
 
 // ### Could explicitly free the old data
diff --git a/src/qml/jsruntime/qv4arraydata_p.h b/src/qml/jsruntime/qv4arraydata_p.h
index daf8c36814..ac6087891d 100644
--- a/src/qml/jsruntime/qv4arraydata_p.h
+++ b/src/qml/jsruntime/qv4arraydata_p.h
@@ -156,6 +156,10 @@ struct SimpleArrayData : public ArrayData {
 V4_ASSERT_IS_TRIVIAL(SimpleArrayData)
 
 struct SparseArrayData : public ArrayData {
+void init() {
+ArrayData::init();
+freeList = Primitive::emptyValue(UINT_MAX).asReturnedValue();
+}
 void destroy() {
 delete sparse;
 ArrayData::destroy();
-- 
cgit v1.2.3
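Review bot: Moving `storeValue(lastFree, UINT_MAX);` after the loop in `ArrayData::realloc` makes the write unconditional, so `lastFree` must already hold a valid slot address when the loop body never runs; it is assigned before the hunk (presumably to `&sparse->freeList`), and that initialisation should be confirmed rather than assumed, since a stale or null `lastFree` here would be a write through a bad pointer rather than the old dangling-chain bug. The new line deserves a why-comment, e.g. `// Terminate the free list: the last free slot must carry the UINT_MAX end marker, otherwise it aliases arrayData[0] and the allocator walks past the real free slots`. The `Q_ASSERT` on the next line only checks that `freeList` itself is empty, not that the chain is terminated, so the regression this commit fixes would not have tripped it; an assertion that `Value::fromReturnedValue(*lastFree).emptyValue() == UINT_MAX` (or whatever accessor the Value type exposes for the empty payload) would pin the invariant. `ArrayData::realloc` begins and ends outside the hunk.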
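Review bot: The new `SparseArrayData::init()` hides the base `ArrayData::init()` it calls (the base appears to be non-virtual, given `V4_ASSERT_IS_TRIVIAL` on the sibling `SimpleArrayData`), so the free-list seeding only happens when the call is made on a `SparseArrayData`, never through an `ArrayData`; a one-line comment would keep the next reader from treating it as an override, e.g. `// Hides ArrayData::init(): additionally seeds freeList with the UINT_MAX end-of-chain marker so a fresh sparse array never hands out a slot`. The `UINT_MAX` sentinel is now written here and again by `storeValue(lastFree, UINT_MAX)` in qv4arraydata.cpp, so a single named constant (or a tiny helper returning `Primitive::emptyValue(UINT_MAX).asReturnedValue()`) would keep the two encodings from drifting apart. The struct body continues outside the hunk.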