Fix crash when changing from a simple to a sparse array

After that change, if we ran out of slots in the freeList, the last entry would point to the first Value in the value array, not indicating that we ran out of free slots. Conflicts: src/qml/jsruntime/qv4sparsearray_p.h Task-number: QTBUG-65828 Change-Id: I3e57bb7a0c2dc29172a485a6ea957b6ab5ac962e (cherry picked from commit 16ca5eab9bdd31774dc8e657f217e044640eecff) Reviewed-by: Lars Knoll <lars.knoll@qt.io>
sailfishos · Feb 16, 2018 · 8fdf466 · 8fdf466
1 parent 557e762
commit 8fdf466
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
@@ -214,8 +214,8 @@ void ArrayData::realloc(Object *o, Type newType, uint requested, bool enforceAtt
             sparse->arrayData[i].setEmpty();
             lastFree = &sparse->arrayData[i].rawValueRef();
         }
-        storeValue(lastFree, UINT_MAX);
     }
+    storeValue(lastFree, UINT_MAX);
 
     Q_ASSERT(Value::fromReturnedValue(sparse->freeList).isEmpty());
     // ### Could explicitly free the old data

diff --git a/src/qml/jsruntime/qv4arraydata_p.h b/src/qml/jsruntime/qv4arraydata_p.h
@@ -156,6 +156,10 @@ struct SimpleArrayData : public ArrayData {
 V4_ASSERT_IS_TRIVIAL(SimpleArrayData)
 
 struct SparseArrayData : public ArrayData {
+    void init() {
+        ArrayData::init();
+        freeList = Primitive::emptyValue(UINT_MAX).asReturnedValue();
+    }
     void destroy() {
         delete sparse;
         ArrayData::destroy();