Details
- Type: Bug
- Status: Closed
- Priority: P1: Critical
- Resolution: Done
- Affects Version/s: 5.13.2
- Fix Version/s: 5.14.1, 5.15.0 Alpha
- Component/s: QML: Declarative and Javascript Engine
- Commits: cbf97ccf8bb46c720de01a79f39b335dc74db71b (qt/qtdeclarative/5.14)
Description
Here is another fun Array.sort crash, not unlike QTBUG-81106 (but this time on a simple non-sparse array). If I try to sort an array that contains a Symbol such as Symbol.iterator, the engine crashes.
```js
const v4 = [Symbol.iterator, 1];
const v5 = v4.sort();
```
This appears to happen because the fallback code for the array element comparators (e.g. ArrayElementLessThan, here at qv4arraydata.cpp:660) assumes that the object can be converted to a string — and if it can't, it uses the resulting nullptr anyways and tries to call p1s->toQString() on it.
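The failure mode described in the report, as an added example that is not Qt's code or the merged patch: a comparator that falls back to string conversion, shown unchecked and then with the null check. `Value`, `Symbol`, `TypeError`, `toStringOrNull` and `sortByString` are hypothetical names for a simplified model; reporting the failure as an exception is an assumption of this example.

```cpp
#include <algorithm>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>
#include <variant>
#include <vector>

// Hypothetical stand-ins for engine values; none of these names are Qt's.
struct Symbol { std::string description; };
using Value = std::variant<long, std::string, Symbol>;
struct TypeError : std::runtime_error { using std::runtime_error::runtime_error; };

// Models a string conversion that can fail: a Symbol yields nullptr.
std::unique_ptr<std::string> toStringOrNull(const Value &v) {
    if (auto n = std::get_if<long>(&v))
        return std::make_unique<std::string>(std::to_string(*n));
    if (auto s = std::get_if<std::string>(&v))
        return std::make_unique<std::string>(*s);
    return nullptr;
}

// Pattern from the report: the result is used without a null check, so a
// Symbol operand dereferences nullptr. Shown for contrast; never called here.
bool lessThanUnchecked(const Value &a, const Value &b) {
    return *toStringOrNull(a) < *toStringOrNull(b);
}

// Hardened comparator: a failed conversion becomes an error, not a dereference.
bool lessThanChecked(const Value &a, const Value &b) {
    auto sa = toStringOrNull(a);
    auto sb = toStringOrNull(b);
    if (!sa || !sb)
        throw TypeError("cannot convert a Symbol to a string");
    return *sa < *sb;
}

// Sorts a copy so a failure part-way through leaves the caller's array intact.
// Returns false when any compared element is not stringifiable.
bool sortByString(std::vector<Value> &values) {
    std::vector<Value> work = values;
    try {
        std::sort(work.begin(), work.end(), lessThanChecked);
    } catch (const TypeError &) {
        return false;
    }
    values = std::move(work);
    return true;
}
```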
For Gerrit Dashboard: QTBUG-81108

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 285695,5 | V4: Don't crash when sorting arrays with non-stringifyable entries | 5.14 | qt/qtdeclarative | MERGED | +2 | 0 |