Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-123596

Crash JS for x in o { delete o[x] } if o is a sparsearray

    XMLWordPrintable

Details

    • Android
    • e221e1e94 (dev), 590db8ac1 (6.7), 08a318b3d (tqtc/lts-6.5), 1a5ffffcb (tqtc/lts-6.2), f4e493a9c (tqtc/lts-5.15)

    Description

      The following code crashes only on arm64 (not tested on armv7) without JIT:

      let o = [];
      o[10000] = 10;
      o[20000] = 20;
      for (let k in o)
          delete o[k]
      

      but not

      let o = {};
      o.a = 10;
      o.b = 20;
      for (let k in o)
          delete o[k]
      

      The difference is that in the first case, we are dealing with a SparseArray optimization.

      The destructor of SparseArray shows that root() is nullable:

      ~SparseArray() {
          if (root())
              freeTree(header.left, Q_ALIGNOF(SparseArrayNode));
      }
      inline const SparseArrayNode *SparseArray::lowerBound(uint akey) const
      {
          const SparseArrayNode *lb = root()->lowerBound(akey);
          ...
      }
      inline SparseArrayNode *SparseArrayNode::lowerBound(uint akey)
      {
          SparseArrayNode *n = this;
          SparseArrayNode *last = nullptr;
          while (n) {
            ...
          }
          return last;
      }
      

      In debug mode, it probably will never crash because root()->lowerBound(akey) never dereferences this if this is null.

      However, in release mode, the compiler knows that this is not nullable, so it can optimize the first `while( n )` check to `do {} while( n )` which it does on arm64 at least

      Attachments

        For Gerrit Dashboard: QTBUG-123596
        # Subject Branch Project Status CR V

        Activity

          People

            ulherman Ulf Hermann
            vrouille Vincent Rouillé
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes