From aa7c3b35ef9b737c574f436ea35452019a2ff29c Mon Sep 17 00:00:00 2001
From: Erik Verbruggen <erik.verbruggen@digia.com>
Date: Thu, 16 Jun 2016 13:39:57 +0200
Subject: V4: Always set the tag when boxing a pointer in QV4::Value.

All setters now store tags, so no-one can play loosy-goosy with the
boxed values (and accidentally forget to "tag" a value, resulting in
random garbage).

Change-Id: Ia0b78aa038d3ff46d5292b14bd593de310da16a0
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
---
 src/qml/jsruntime/qv4arraydata.cpp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'src/qml/jsruntime/qv4arraydata.cpp')

diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index bd736d775e..ec0e6111ab 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -93,8 +93,8 @@ Q_STATIC_ASSERT(sizeof(Heap::ArrayData) == sizeof(Heap::SparseArrayData));
 
 static Q_ALWAYS_INLINE void storeValue(ReturnedValue *target, uint value)
 {
-    Value v = Value::fromReturnedValue(*target);
-    v.setValue(value);
+    Value v;
+    v.setTagValue(Value::fromReturnedValue(*target).tag(), value);
     *target = v.asReturnedValue();
 }
 
@@ -189,7 +189,7 @@ void ArrayData::realloc(Object *o, Type newType, uint requested, bool enforceAtt
                 n->value = i;
             } else {
                 storeValue(lastFree, i);
-                sparse->arrayData[i].setTag(Value::Empty_Type);
+                sparse->arrayData[i].setEmpty();
                 lastFree = &sparse->arrayData[i].rawValueRef();
             }
         }
@@ -198,7 +198,7 @@ void ArrayData::realloc(Object *o, Type newType, uint requested, bool enforceAtt
     if (toCopy < sparse->alloc) {
         for (uint i = toCopy; i < sparse->alloc; ++i) {
             storeValue(lastFree, i);
-            sparse->arrayData[i].setTag(Value::Empty_Type);
+            sparse->arrayData[i].setEmpty();
             lastFree = &sparse->arrayData[i].rawValueRef();
         }
         storeValue(lastFree, UINT_MAX);
@@ -396,7 +396,7 @@ uint SparseArrayData::allocate(Object *o, bool doubleSlot)
                 // found two slots in a row
                 uint idx = Value::fromReturnedValue(*last).uint_32();
                 Value lastV = Value::fromReturnedValue(*last);
-                lastV.setValue(dd->arrayData[lastV.value() + 1].value());
+                lastV.setTagValue(lastV.tag(), dd->arrayData[lastV.value() + 1].value());
                 *last = lastV.rawValue();
                 dd->attrs[idx] = Attr_Accessor;
                 return idx;
-- 
cgit v1.2.3