From 7e32be87c0f53ce2e5d3c1e351a559d6c600f1bf Mon Sep 17 00:00:00 2001 From: Ulf Hermann Date: Mon, 4 Mar 2019 15:36:57 +0100 Subject: Don't keep raw pointers to SparseArrayNode The nodes are owned by the SparseArrayData and will be freed whenever an item is deleted from the array. Therefore, we have to look up the node for each iteration. This is slightly slower, but at least it doesn't crash. Fixes: QTBUG-74188 Change-Id: Id24324a8c83b00b3ad1212cdaabccabd6c8a999f Reviewed-by: Simon Hausmann Reviewed-by: Lars Knoll --- .../auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'tests/auto/qml/qqmlecmascript') diff --git a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp index eb9b05e764..a67a503f82 100644 --- a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp +++ b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp @@ -364,6 +364,7 @@ private slots: void arrayAndException(); void numberToStringWithRadix(); void tailCallWithArguments(); + void deleteSparseInIteration(); private: // static void propertyVarWeakRefCallback(v8::Persistent object, void* parameter); @@ -8907,6 +8908,27 @@ void tst_qqmlecmascript::tailCallWithArguments() QCOMPARE(value.toInt(), 1); } +void tst_qqmlecmascript::deleteSparseInIteration() +{ + QJSEngine engine; + const QJSValue value = engine.evaluate( + "(function() {\n" + " var obj = { 1: null, 2: null, 4096: null };\n" + " var iterated = [];\n" + " for (var t in obj) {\n" + " if (t == 2)\n" + " delete obj[t];\n" + " iterated.push(t);\n" + " }\n" + " return iterated;" + "})()"); + QVERIFY(value.isArray()); + QCOMPARE(value.property("length").toInt(), 3); + QCOMPARE(value.property("0").toInt(), 1); + QCOMPARE(value.property("1").toInt(), 2); + QCOMPARE(value.property("2").toInt(), 4096); +} + QTEST_MAIN(tst_qqmlecmascript) #include "tst_qqmlecmascript.moc" -- cgit v1.2.3