Fix removal of members from the InternalClass

Removing identifiers from the propertyhash could cause subtle issues if there was an identifier that hashed to the same value as the identifier being removed stored in the hash afterwards. This identifier could end up in a state where it could not be found anymore. Amends ea164ca4a8 Change-Id: I2881865ee83833b6364d9be55579b8fc7d7c5016 Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
2018-04-18 09:48:58 +02:00 · 2018-04-18 09:48:58 +02:00 · 0dd479fc8d
parent 4615ffda64
commit 0dd479fc8d
1 changed files with 22 additions and 11 deletions
--- a/src/qml/jsruntime/qv4internalclass.cpp
+++ b/src/qml/jsruntime/qv4internalclass.cpp
@ -88,19 +88,30 @@ void PropertyHash::addEntry(const PropertyHash::Entry &entry, int classSize)

 int PropertyHash::removeIdentifier(Identifier *identifier, int classSize)
 {
-    detach(false, classSize);
-    uint idx = identifier->hashValue % d->alloc;
-    while (1) {
-        if (d->entries[idx].identifier == identifier) {
-            int val = d->entries[idx].index;
-            d->entries[idx] = { nullptr, 0 };
-            return val;
+    int val = -1;
+    PropertyHashData *dd = new PropertyHashData(d->numBits);
+    for (int i = 0; i < d->alloc; ++i) {
+        const Entry &e = d->entries[i];
+        if (!e.identifier || e.index >= static_cast<unsigned>(classSize))
+            continue;
+        if (e.identifier == identifier) {
+            val = e.index;
+            continue;
        }
-
-        ++idx;
-        idx %= d->alloc;
+        uint idx = e.identifier->hashValue % dd->alloc;
+        while (dd->entries[idx].identifier) {
+            ++idx;
+            idx %= dd->alloc;
+        }
+        dd->entries[idx] = e;
    }
-    Q_UNREACHABLE();
+    dd->size = classSize;
+    if (!--d->refCount)
+        delete d;
+    d = dd;
+
+    Q_ASSERT(val != -1);
+    return val;
 }

 void PropertyHash::detach(bool grow, int classSize)