From f89a0b12b02bf6d74993e1b750a9fc210c5fa30c Mon Sep 17 00:00:00 2001
From: Lars Knoll
Date: Tue, 22 Jan 2013 17:24:25 +0100
Subject: [PATCH] Fix memory corruption in the MM

We never free objects ourselves anymore, and the code here would only lead us appending the last object in the free list a second time.
Change-Id: I2aa7bd10fbb0990c990d6948124443d222cf82f5
Reviewed-by: Simon Hausmann
---
 qv4mm.cpp | 8 ++------
 tests/TestExpectations | 24 ------------------------
 2 files changed, 2 insertions(+), 30 deletions(-)
diff --git a/qv4mm.cpp b/qv4mm.cpp
index c3e5270..6521ff5 100644
--- a/qv4mm.cpp
+++ b/qv4mm.cpp
@@ -202,7 +202,7 @@ std::size_t MemoryManager::sweep()
 std::size_t MemoryManager::sweep(char *chunkStart, std::size_t chunkSize, size_t size)
 {
-// qDebug("chunkStart @ %p, size=%x", chunkStart, size);
+// qDebug("chunkStart @ %p, size=%x, pos=%x (%x)", chunkStart, size, size>>4, m_d->smallItems[size >> 4]);
 std::size_t freedCount = 0;
 Managed **f = &m_d->smallItems[size >> 4];
@@ -219,7 +219,7 @@ std::size_t MemoryManager::sweep(char *chunkStart, std::size_t chunkSize, size_t
 if (m->markBit) {
 m->markBit = 0;
 } else {
-// qDebug() << "-- collecting it." << m << reinterpret_cast(&m->data);
+// qDebug() << "-- collecting it." << m << *f << &m->nextFree;
 m->~Managed();
 m->nextFree = *f;
@@ -227,10 +227,6 @@ std::size_t MemoryManager::sweep(char *chunkStart, std::size_t chunkSize, size_t
 //scribble(m, 0x99, size);
 ++freedCount;
 }
- } else if (!m->nextFree) {
- m->nextFree = *f;
- f = &m->nextFree;
- ++freedCount;
 }
 }
diff --git a/tests/TestExpectations b/tests/TestExpectations
index 82e49a5..d719b5b 100644
--- a/tests/TestExpectations
+++ b/tests/TestExpectations
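Review bot: The reworded debug line at the top of `sweep(char *, std::size_t, size_t)` in qv4mm.cpp formats `size` and `size>>4` (both `size_t`) and the pointer `m_d->smallItems[size >> 4]` with `%x`. The slot's pointer type is inferred from the `Managed **f = &m_d->smallItems[size >> 4];` line just below. On a 64-bit build the varargs would not match the format once someone uncomments the line to investigate the next free-list problem, so the trace could truncate or garble the values it is meant to show. Assuming qDebug's printf-style formatter accepts the `z` length modifier, `// qDebug("chunkStart @ %p, size=%zx, pos=%zx (%p)", chunkStart, size, size >> 4, (void *)m_d->smallItems[size >> 4]);` keeps the trace usable. The function body continues outside this hunk.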
@@ -283,18 +283,6 @@ S15.12.2_A1 failing
 15.12.3-11-13 failing
 15.12.3-11-14 failing
 15.12.3-11-15 failing
-S15.1.3.1_A1.13_T1 failing
-S15.1.3.1_A1.13_T2 failing
-S15.1.3.1_A1.14_T1 failing
-S15.1.3.1_A1.14_T2 failing
-S15.1.3.1_A1.14_T3 failing
-S15.1.3.1_A1.14_T4 failing
-S15.1.3.1_A1.15_T1 failing
-S15.1.3.1_A1.15_T2 failing
-S15.1.3.1_A1.15_T3 failing
-S15.1.3.1_A1.15_T4 failing
-S15.1.3.1_A1.15_T5 failing
-S15.1.3.1_A1.15_T6 failing
 15.12.3-11-2 failing
 15.12.3-11-26 failing
 15.12.3-11-3 failing
@@ -343,18 +331,6 @@ S15.1.3.4_A6_T1 failing
 S15.1.3.1_A2.3_T1 failing
 S15.1.3.1_A2.4_T1 failing
 S15.1.3.1_A4_T2 failing
-S15.1.3.2_A1.13_T1 failing
-S15.1.3.2_A1.13_T2 failing
-S15.1.3.2_A1.14_T1 failing
-S15.1.3.2_A1.14_T2 failing
-S15.1.3.2_A1.14_T3 failing
-S15.1.3.2_A1.14_T4 failing
-S15.1.3.2_A1.15_T1 failing
-S15.1.3.2_A1.15_T2 failing
-S15.1.3.2_A1.15_T3 failing
-S15.1.3.2_A1.15_T4 failing
-S15.1.3.2_A1.15_T5 failing
-S15.1.3.2_A1.15_T6 failing
 S15.1.3.2_A2.3_T1 failing
 S15.1.3.2_A2.4_T1 failing
 S15.1.3.2_A4_T2 failing
--
2.7.4