Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-81108

Array.sort crashes with arrays containing Symbols

    XMLWordPrintable

Details

    • cbf97ccf8bb46c720de01a79f39b335dc74db71b (qt/qtdeclarative/5.14)

    Description

      Here is another fun Array.sort crash, not unlike QTBUG-81106 (but this time on a simple non-sparse array). If I try to sort an array that contains a Symbol such as Symbol.iterator, the engine crashes.

      const v4 = [Symbol.iterator, 1];
const v5 = v4.sort();

      This appears to happen because the fallback code for the array element comparators (e.g. ArrayElementLessThan, here at qv4arraydata.cpp:660) assumes that the object can be converted to a string — and if it can't, it uses the resulting nullptr anyways and tries to call p1s->toQString() on it.

      Attachments

        1. symbol-sort.js
          0.1 kB
          Tobias Holl
        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          People

            qt.team.quick.subscriptions Qt Quick and Widgets Team
            hlt Tobias Holl
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes