From c415e6972b371acc288cd835f5635936215c615f Mon Sep 17 00:00:00 2001
From: Simon Hausmann
Date: Tue, 5 May 2015 10:52:34 +0200
Subject: Fix memory corruption in array handling

SimpleArrayData's markObjects() implementation did not mark the entries correctly. When the dequeue offset was non-zero, we would end up marking values that may have been garbage collected earlier.

Task-number: QTBUG-45888
Change-Id: Iacec350ccc76399ad4d16138af50acf22b2809db
Reviewed-by: Lars Knoll
---
 src/qml/jsruntime/qv4arraydata.cpp | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'src/qml/jsruntime/qv4arraydata.cpp')

diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index 737c891f9b..afcfa00905 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -216,9 +216,8 @@ void ArrayData::ensureAttributes(Object *o)
 void SimpleArrayData::markObjects(Heap::Base *d, ExecutionEngine *e)
 {
 Heap::SimpleArrayData *dd = static_cast(d);
- uint l = dd->len;
- for (uint i = 0; i < l; ++i)
- dd->arrayData[i].mark(e);
+ for (uint i = 0; i < dd->len; ++i)
+ dd->arrayData[dd->mappedIndex(i)].mark(e);
 }
 
 ReturnedValue SimpleArrayData::get(const Heap::ArrayData *d, uint index)
-- 
cgit v1.2.3
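Review bot: The new loop in SimpleArrayData::markObjects() gives no hint why the index must go through mappedIndex(), and that reason (the dequeue offset the commit message describes) is exactly what the removed `arrayData[i]` access got wrong; a comment above the loop would keep a later cleanup from reintroducing it, e.g. `// Slots are stored relative to the dequeue offset; map the logical index to the physical slot so only live entries are marked, never stale ones.`. Whether mappedIndex() can yield a slot past the allocated storage if len and the offset ever disagree is not visible in this hunk, so that invariant presumably lives in the code that adjusts the offset and should be confirmed there. A GC regression test that shifts elements until the offset is non-zero, forces a collection and then reads the array back would pin this fix, if one does not already exist. Separately, the template argument of the static_cast on the first context line appears stripped in this rendering of the patch.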