Bug
Resolution: Done
P1: Critical
5.5.0 Alpha
None
Linux Mint 17.1 Cinnamon 64-bit
c47dacde0ba4a97f5eed9dc345f8c1450000082f
SparseArray::deleteNode has a wrong operation.
example code:
test.js
var obj = {}
obj[5289] = 0
obj[5290] = 0
obj[5288] = 0
obj[5287] = 0
delete obj[5288]
Object.getOwnPropertyNames(obj)
$ SHOW_EXIT_VALUE=1 qmljs test.js
exit value: 10575,5289,5290
After delete obj[5288], 5287 becomes 10575 (= 5288 + 5287).
test.js
var obj = {}
obj[8187] = 0
obj[8188] = 0
delete obj[8187]
Object.getOwnPropertyNames(obj)
$ SHOW_EXIT_VALUE=1 qmljs test.js
exit value: 1
After delete obj[8187], 8188 becomes 1.
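A regression check for the two sequences above, as an added example that is not part of the original report or of Qt's own tests: it replays both sequences and then, going beyond the reported cases, a seeded random mix of set and delete steps, comparing Object.getOwnPropertyNames against an independent model after every step. The function names, the index window starting at 5000 and the seed count are assumptions chosen for this example.

```javascript
// Added example, ES5 only. The model is a dense array, independent of the code under test.
function makeRng(seed) { // deterministic LCG: a failing seed can be replayed
  var s = seed >>> 0;
  return function () { s = (s * 1664525 + 1013904223) % 4294967296; return s / 4294967296; };
}
function byNumber(a, b) { return a - b; }
// Returns null when the object's own property names match the model.
function compare(obj, model) {
  var got = Object.getOwnPropertyNames(obj).map(Number).sort(byNumber);
  var want = model.slice().sort(byNumber);
  return String(got) === String(want) ? null : "got [" + got + "], want [" + want + "]";
}

// Replays [op, index] steps and compares against the model after every step.
function replay(steps) {
  var obj = {}, model = [];
  for (var i = 0; i < steps.length; i++) {
    var op = steps[i][0], idx = steps[i][1], at = model.indexOf(idx);
    if (op === "set") { obj[idx] = 0; if (at < 0) model.push(idx); }
    else { delete obj[idx]; if (at >= 0) model.splice(at, 1); }
    var diff = compare(obj, model);
    if (diff) return "step " + i + " (" + op + " " + idx + "): " + diff;
  }
  return null;
}

// The two sequences from the report.
var REPORTED = [
  [["set", 5289], ["set", 5290], ["set", 5288], ["set", 5287], ["delete", 5288]],
  [["set", 8187], ["set", 8188], ["delete", 8187]]
];
// Random set/delete mix over a narrow index window so deletes hit live keys.
function randomSteps(seed, count, base, span) {
  var rng = makeRng(seed), steps = [];
  for (var i = 0; i < count; i++)
    steps.push([rng() < 0.6 ? "set" : "delete", base + Math.floor(rng() * span)]);
  return steps;
}

// Runs 0 and 1 are the reported sequences; run n >= 2 uses seed n - 1.
function runAll() {
  var failures = [], runs = REPORTED.slice();
  for (var seed = 1; seed <= 50; seed++) runs.push(randomSteps(seed, 200, 5000, 64));
  for (var r = 0; r < runs.length; r++) {
    var d = replay(runs[r]);
    if (d) failures.push("run " + r + ": " + d);
  }
  return failures;
}
```

An empty array from runAll() means every step matched the model; otherwise each entry names the run and the step at which the property names diverged.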
The following patch would fix this problem, but it hasn't been tested well.
diff --git a/src/qml/jsruntime/qv4sparsearray.cpp b/src/qml/jsruntime/qv4sparsearray.cpp
index 01f94ee..bb1d3ae 100644
--- a/src/qml/jsruntime/qv4sparsearray.cpp
+++ b/src/qml/jsruntime/qv4sparsearray.cpp
@@ -246,15 +246,12 @@ void SparseArray::deleteNode(SparseArrayNode *z)
x->setParent(y->parent());
if (root == y)
root = x;
- else if (y->parent()->left == y) {
+ else if (y->parent()->left == y)
y->parent()->left = x;
- if (x)
- x->size_left += y->size_left;
- } else {
+ else
y->parent()->right = x;
- if (x)
- x->size_left += y->size_left;
- }
+ if (x && x == y->right)
+ x->size_left += y->size_left;
y->size_left = 0;
}
if (y->color() != SparseArrayNode::Red) {
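Review bot: the new `if (x && x == y->right)` condition carries the whole fix but has no comment saying why only a right child takes over `y->size_left`. The report's first case shows what the old unconditional add does (5287 became 5288 + 5287), so a one-line comment at that condition would keep a later cleanup from restoring the add in both branches. Since the description says the patch has not been tested well, both reproducers from the report should be submitted with it as regression tests, each checking the result of Object.getOwnPropertyNames after the delete.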