[QTBUG-81108] Array.sort crashes with arrays containing Symbols - Qt Bug Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: P1: Critical
Resolution: Done
Affects Version/s: 5.13.2
Fix Version/s: 5.14.1, 5.15.0 Alpha
Component/s: QML: Declarative and Javascript Engine
Labels:
- earmarked_by_ulf

Commits:
cbf97ccf8bb46c720de01a79f39b335dc74db71b (qt/qtdeclarative/5.14)

Description

Here is another fun Array.sort crash, not unlike QTBUG-81106 (but this time on a simple non-sparse array). If I try to sort an array that contains a Symbol such as Symbol.iterator, the engine crashes.

const v4 = [Symbol.iterator, 1];
const v5 = v4.sort();

This appears to happen because the fallback code for the array element comparators (e.g. ArrayElementLessThan, here at qv4arraydata.cpp:660) assumes that the object can be converted to a string — and if it can't, it uses the resulting nullptr anyways and tries to call p1s->toQString() on it.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

Attachments

symbol-sort.js
0.1 kB
06 Jan '20 16:06

Options
- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

Gerrit Reviews

For Gerrit Dashboard: QTBUG-81108
#	Subject	Branch	Project	Status	CR	V
285695,5	V4: Don't crash when sorting arrays with non-stringifyable entries	5.14	qt/qtdeclarative	Status: MERGED	+2	0

Activity

People

Assignee:: Qt Quick and Widgets Team

Reporter:: Tobias Holl

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 06 Jan '20 16:07

Updated:: 09 Jan '20 18:18

Resolved:: 08 Jan '20 10:30

Gerrit Reviews

There are no open Gerrit changes

Show There is 1 closed Gerrit change

Hide There is 1 closed Gerrit change

V4: Don't crash when sorting arrays with non-stringifyable entries: Gerrit Review: