QTBUG-48394

ListView with binding to contentItem.childrenRect.height can cause seg fault


Details

    • db6f1440cbe78018e442c1fb961310a4e619e8fe

    Description

      To reproduce, run:

      import QtQuick 2.5
      
      Item {
          width: 400
          height: 600
      
          ListView {
              id: listView
      
              width: parent.width
              height: listView.contentItem.childrenRect.height
      
              model: [
                  {name: "test0"},
                  {name: "test1"}
              ]
              delegate: Text {
                  width: parent.width
                  text: modelData.name
              }
          }
      
          Timer {
              interval: 500;
              running: true;
              repeat: false;
      
              onTriggered: {
                  var newModel = [
                      {name: "test0"},
                      {name: "test2"},
                  ];
      
                  listView.model = newModel;
              }
          }
      }
      

      When the timer expires, QQuickItemView::setModel() is called. This begins to release all FxViewItem* elements in QQuickListViewPrivate::visibleItems in a loop.
      Releasing each of these elements causes a chain of signals that ends with the ListView changing its height, because of the binding to contentItem.childrenRect.
      This change causes QQuickListViewPrivate::originPosition() to be called, which dereferences the first FxViewItem* in the aforementioned QQuickListViewPrivate::visibleItems list. Once that first pointer has been deleted, the inevitable seg fault happens.

      Stack trace:

      #0  0x000000000047a940 in ?? ()
      #1  0x00007ffff7b49de8 in QQuickListViewPrivate::originPosition (this=0x872430) at items/qquicklistview.cpp:419
      #2  0x00007ffff7ba9240 in QQuickItemViewPrivate::startPosition (this=0x872430) at items/qquickitemview.cpp:1543
      #3  0x00007ffff7ba66d8 in QQuickItemViewPrivate::minExtentForAxis (this=0x872430, axisData=..., forXAxis=false) at items/qquickitemview.cpp:1057
      #4  0x00007ffff7ba8280 in QQuickItemView::minYExtent (this=0x86fb70) at items/qquickitemview.cpp:1359
      #5  0x00007ffff7ba6fd5 in QQuickItemViewPrivate::maxExtentForAxis (this=0x872430, axisData=..., forXAxis=false) at items/qquickitemview.cpp:1125
      #6  0x00007ffff7ba8348 in QQuickItemView::maxYExtent (this=0x86fb70) at items/qquickitemview.cpp:1373
      #7  0x00007ffff7b40d85 in QQuickFlickablePrivate::fixupY (this=0x872430) at items/qquickflickable.cpp:388
      #8  0x00007ffff7b461e9 in QQuickFlickable::geometryChanged (this=0x86fb70, newGeometry=..., oldGeometry=...) at items/qquickflickable.cpp:1644
      #9  0x00007ffff7ba81f3 in QQuickItemView::geometryChanged (this=0x86fb70, newGeometry=..., oldGeometry=...) at items/qquickitemview.cpp:1349
      #10 0x00007ffff7b547f4 in QQuickListView::geometryChanged (this=0x86fb70, newGeometry=..., oldGeometry=...) at items/qquicklistview.cpp:2965
      #11 0x00007ffff7a8194d in QQuickItem::setHeight (this=0x86fb70, h=15) at items/qquickitem.cpp:6230
      #12 0x00007ffff7a876da in QQuickItem::qt_static_metacall (_o=0x86fb70, _c=QMetaObject::WriteProperty, _id=8, _a=0x7fffffffc100) at .moc/moc_qquickitem.cpp:875
      #13 0x00007ffff7a87ab0 in QQuickItem::qt_metacall (this=0x86fb70, _c=QMetaObject::WriteProperty, _id=8, _a=0x7fffffffc100) at .moc/moc_qquickitem.cpp:946
      #14 0x00007ffff7c2fc24 in QQuickFlickable::qt_metacall (this=0x86fb70, _c=QMetaObject::WriteProperty, _id=9, _a=0x7fffffffc100) at .moc/moc_qquickflickable_p.cpp:778
      #15 0x00007ffff7c4497a in QQuickItemView::qt_metacall (this=0x86fb70, _c=QMetaObject::WriteProperty, _id=9, _a=0x7fffffffc100) at .moc/moc_qquickitemview_p.cpp:846
      #16 0x00007ffff7c3152c in QQuickListView::qt_metacall (this=0x86fb70, _c=QMetaObject::WriteProperty, _id=9, _a=0x7fffffffc100) at .moc/moc_qquicklistview_p.cpp:618
      #17 0x00007ffff600202f in QMetaObject::metacall (object=0x86fb70, cl=QMetaObject::WriteProperty, idx=9, argv=0x7fffffffc100) at kernel/qmetaobject.cpp:296
      #18 0x00007ffff758ccb8 in QQmlPropertyPrivate::writeBinding (object=0x86fb70, core=..., context=0x86ae30, expression=0x874850, result=..., isUndefined=false, flags=...) at qml/qqmlproperty.cpp:1512
      #19 0x00007ffff760f4c2 in QQmlBinding::update (this=0x874830, flags=...) at qml/qqmlbinding.cpp:199
      #20 0x00007ffff760fef2 in QQmlBinding::update (this=0x874830) at qml/qqmlbinding_p.h:97
      #21 0x00007ffff760fa06 in QQmlBinding::expressionChanged (e=0x874850) at qml/qqmlbinding.cpp:260
      #22 0x00007ffff7607f28 in QQmlJavaScriptExpressionGuard_callback (e=0x877708) at qml/qqmljavascriptexpression.cpp:361
      #23 0x00007ffff75e7a85 in QQmlNotifier::emitNotify (endpoint=0x877708, a=0x7fffffffc550) at qml/qqmlnotifier.cpp:73
      #24 0x00007ffff7572833 in QQmlData::signalEmitted (object=0x872be0, index=3, a=0x7fffffffc550) at qml/qqmlengine.cpp:751
      #25 0x00007ffff603736f in QMetaObject::activate (sender=0x872be0, signalOffset=3, local_signal_index=0, argv=0x7fffffffc550) at kernel/qobject.cpp:3604
      #26 0x00007ffff603716c in QMetaObject::activate (sender=0x872be0, m=0x7ffff7dba900 <QQuickItem::staticMetaObject>, local_signal_index=0, argv=0x7fffffffc550) at kernel/qobject.cpp:3583
      #27 0x00007ffff7a87b3d in QQuickItem::childrenRectChanged (this=0x872be0, _t1=...) at .moc/moc_qquickitem.cpp:967
      #28 0x00007ffff7a8961d in QQuickItemPrivate::emitChildrenRectChanged (this=0x86aaf0, rect=...) at ../../include/QtQuick/5.5.0/QtQuick/private/../../../../../src/quick/items/qquickitem_p.h:531
      #29 0x00007ffff7a73c46 in QQuickContents::updateRect (this=0x7f1e10) at items/qquickitem.cpp:289
      #30 0x00007ffff7a89384 in QQuickContents::calcGeometry (this=0x7f1e10, changed=0x0) at ../../include/QtQuick/5.5.0/QtQuick/private/../../../../../src/quick/items/qquickitem_p.h:118
      #31 0x00007ffff7a73e59 in QQuickContents::itemChildRemoved (this=0x7f1e10, item=0x867080) at items/qquickitem.cpp:317
      #32 0x00007ffff7a7fd51 in QQuickItemPrivate::itemChange (this=0x86aaf0, change=QQuickItem::ItemChildRemovedChange, data=...) at items/qquickitem.cpp:5685
      #33 0x00007ffff7a78a90 in QQuickItemPrivate::removeChild (this=0x86aaf0, child=0x867080) at items/qquickitem.cpp:2750
      #34 0x00007ffff7a77d83 in QQuickItem::setParentItem (this=0x867080, parentItem=0x0) at items/qquickitem.cpp:2513
      #35 0x00007ffff7bad10f in QQuickItemViewPrivate::releaseItem (this=0x872430, item=0x8eece0) at items/qquickitemview.cpp:2360
      #36 0x00007ffff7b4aeb3 in QQuickListViewPrivate::releaseItem (this=0x872430, item=0x8eece0) at items/qquicklistview.cpp:604
      #37 0x00007ffff7ba9cb9 in QQuickItemViewPrivate::clear (this=0x872430) at items/qquickitemview.cpp:1689
      #38 0x00007ffff7b4ab3d in QQuickListViewPrivate::clear (this=0x872430) at items/qquicklistview.cpp:553
      #39 0x00007ffff7ba3bfc in QQuickItemView::setModel (this=0x86fb70, m=...) at items/qquickitemview.cpp:295
      #40 0x00007ffff7c445ca in QQuickItemView::qt_static_metacall (_o=0x86fb70, _c=QMetaObject::WriteProperty, _id=0, _a=0x7fffffffcb90) at .moc/moc_qquickitemview_p.cpp:786
      #41 0x00007ffff7c44a03 in QQuickItemView::qt_metacall (this=0x86fb70, _c=QMetaObject::WriteProperty, _id=0, _a=0x7fffffffcb90) at .moc/moc_qquickitemview_p.cpp:861
      #42 0x00007ffff7c3152c in QQuickListView::qt_metacall (this=0x86fb70, _c=QMetaObject::WriteProperty, _id=78, _a=0x7fffffffcb90) at .moc/moc_qquicklistview_p.cpp:618
      #43 0x00007ffff600202f in QMetaObject::metacall (object=0x86fb70, cl=QMetaObject::WriteProperty, idx=78, argv=0x7fffffffcb90) at kernel/qmetaobject.cpp:296
      #44 0x00007ffff758bb31 in QQmlPropertyPrivate::write (object=0x86fb70, property=..., value=..., context=0x86ae30, flags=...) at qml/qqmlproperty.cpp:1313
      #45 0x00007ffff75343cb in QV4::QObjectWrapper::setProperty (object=0x86fb70, ctx=0x7fffe8e6e0d0, property=0x7fffdc0452e8, value=...) at jsruntime/qv4qobjectwrapper.cpp:556
      #46 0x00007ffff7534bc2 in QV4::QObjectWrapper::setProperty (this=0x7fffe8e6e0c8, ctx=0x7fffe8e6e0d0, propertyIndex=78, value=...) at jsruntime/qv4qobjectwrapper.cpp:669
      #47 0x00007ffff755726a in QV4::Runtime::setQmlQObjectProperty (engine=0x7d7bb0, object=..., propertyIndex=78, value=...) at jsruntime/qv4runtime.cpp:1403
      #48 0x00007fffedb2a1ba in ?? ()
      #49 0x00007fffffffce60 in ?? ()
      #50 0x00007ffff74d79f2 in QV4::Value::cast<QV4::SimpleScriptFunction> (this=0x7fffe8e6e008) at jsruntime/qv4value_p.h:364
      #51 0x00007ffff74d4ea2 in QV4::SimpleScriptFunction::call (that=0x7fffe8e6e000, callData=0x7fffe8e6e008) at jsruntime/qv4functionobject.cpp:564
      #52 0x00007ffff7414ca4 in QV4::Object::call (this=0x7fffe8e6e000, d=0x7fffe8e6e008) at ../../include/QtQml/5.5.0/QtQml/private/../../../../../src/qml/jsruntime/qv4object_p.h:302
      #53 0x00007ffff7606e0a in QQmlJavaScriptExpression::evaluate (this=0x7f1790, context=0x86ae30, function=..., callData=0x7fffe8e6e008, isUndefined=0x0) at qml/qqmljavascriptexpression.cpp:158
      #54 0x00007ffff759da77 in QQmlBoundSignalExpression::evaluate (this=0x7f1770, a=0x0) at qml/qqmlboundsignal.cpp:281
      #55 0x00007ffff759e0ca in QQmlBoundSignal_callback (e=0x7f1708, a=0x0) at qml/qqmlboundsignal.cpp:408
      #56 0x00007ffff75e7a85 in QQmlNotifier::emitNotify (endpoint=0x7f1708, a=0x0) at qml/qqmlnotifier.cpp:73
      #57 0x00007ffff7572833 in QQmlData::signalEmitted (object=0x8749a0, index=3, a=0x0) at qml/qqmlengine.cpp:751
      #58 0x00007ffff603736f in QMetaObject::activate (sender=0x8749a0, signalOffset=3, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3604
      #59 0x00007ffff603716c in QMetaObject::activate (sender=0x8749a0, m=0x7ffff789f640 <QQmlTimer::staticMetaObject>, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3583
      #60 0x00007ffff76a4dc3 in QQmlTimer::triggered (this=0x8749a0) at .moc/moc_qqmltimer_p.cpp:255
      #61 0x00007ffff769071c in QQmlTimer::event (this=0x8749a0, e=0x8c0220) at types/qqmltimer.cpp:334
      #62 0x00007ffff6bc2e68 in QApplicationPrivate::notify_helper (this=0x45f550, receiver=0x8749a0, e=0x8c0220) at kernel/qapplication.cpp:3717
      #63 0x00007ffff6bc03b7 in QApplication::notify (this=0x7fffffffdf00, receiver=0x8749a0, e=0x8c0220) at kernel/qapplication.cpp:3161
      #64 0x00007ffff5ff945e in QCoreApplication::notifyInternal (this=0x7fffffffdf00, receiver=0x8749a0, event=0x8c0220) at kernel/qcoreapplication.cpp:965
      #65 0x00007ffff5ffd087 in QCoreApplication::sendEvent (receiver=0x8749a0, event=0x8c0220) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:224
      #66 0x00007ffff5ffa749 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x45f420) at kernel/qcoreapplication.cpp:1593
      #67 0x00007ffff5ffa0ee in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1451
      #68 0x00007ffff606dff8 in postEventSourceDispatch (s=0x4996f0) at kernel/qeventdispatcher_glib.cpp:271
      #69 0x00007ffff4c20e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
      #70 0x00007ffff4c21048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
      #71 0x00007ffff4c210ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
      #72 0x00007ffff606e799 in QEventDispatcherGlib::processEvents (this=0x48b5e0, flags=...) at kernel/qeventdispatcher_glib.cpp:418
      #73 0x00007fffedbfb5ae in QPAEventDispatcherGlib::processEvents (this=0x48b5e0, flags=...) at eventdispatchers/qeventdispatcher_glib.cpp:115
      #74 0x00007ffff5ff60b2 in QEventLoop::processEvents (this=0x7fffffffdd10, flags=...) at kernel/qeventloop.cpp:128
      #75 0x00007ffff5ff6373 in QEventLoop::exec (this=0x7fffffffdd10, flags=...) at kernel/qeventloop.cpp:204
      #76 0x00007ffff5ff9b36 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1229
      #77 0x00007ffff646a026 in QGuiApplication::exec () at kernel/qguiapplication.cpp:1528
      #78 0x00007ffff6bbfd95 in QApplication::exec () at kernel/qapplication.cpp:2977
      #79 0x0000000000405fcb in main (argc=2, argv=0x7fffffffe158) at main.cpp:528
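      The release-then-re-enter sequence described above, reduced to a standalone C++ model. This is an added illustration, not Qt's code and not its fix; ViewItem, ListViewModel, onItemReleased and runScenario are hypothetical stand-ins for FxViewItem, QQuickListViewPrivate and the childrenRectChanged -> binding -> setHeight -> geometryChanged chain. Deletion is simulated with a tombstone flag so that the dangling read is counted instead of being undefined behaviour. The unsafe teardown mirrors the reported order (each item is destroyed while still referenced from the visible list, and the callback re-enters originPosition() before the list is emptied); the hardened variant detaches the container before releasing any item, so a re-entrant query sees an empty view.

```cpp
#include <cstdio>
#include <functional>
#include <vector>

// Hypothetical stand-in for FxViewItem (constructed for this illustration).
struct ViewItem {
    int position;
    bool alive = true;   // tombstone: cleared when the item is "deleted"
};

// Hypothetical stand-in for QQuickListViewPrivate.
struct ListViewModel {
    std::vector<ViewItem*> visibleItems;
    // Stand-in for the signal chain triggered by releasing a child:
    // childrenRectChanged -> height binding -> setHeight -> geometryChanged.
    std::function<void(ListViewModel&)> onItemReleased;
    int danglingReads = 0;   // number of reads through a "deleted" item

    // Stand-in for originPosition(): reads the first visible item.
    int originPosition() {
        if (visibleItems.empty())
            return 0;
        ViewItem* first = visibleItems.front();
        if (!first->alive) {
            ++danglingReads;   // in real code this is the use-after-free
            return -1;
        }
        return first->position;
    }

    // Stand-in for geometryChanged()/fixupY(): queries the view extent.
    void geometryChanged() { (void)originPosition(); }

    // Buggy teardown: the item is destroyed while visibleItems still holds it,
    // and the re-entrant callback runs before the list has been emptied.
    void clearUnsafe() {
        for (ViewItem* item : visibleItems) {
            item->alive = false;                  // simulated delete
            if (onItemReleased)
                onItemReleased(*this);            // re-enters originPosition()
        }
        visibleItems.clear();
    }

    // Hardened teardown: detach the container first, then release the items.
    // Any query issued from the callback now sees an empty view.
    void clearSafe() {
        std::vector<ViewItem*> released;
        released.swap(visibleItems);              // visibleItems is empty from here on
        for (ViewItem* item : released) {
            item->alive = false;                  // simulated delete
            if (onItemReleased)
                onItemReleased(*this);
        }
    }
};

// Runs the model-replacement scenario and returns how many dangling reads occurred.
int runScenario(bool hardened) {
    ViewItem first{0}, second{15};                // constructed sample items
    ListViewModel view;
    view.visibleItems = {&first, &second};
    view.onItemReleased = [](ListViewModel& v) { v.geometryChanged(); };
    if (hardened)
        view.clearSafe();
    else
        view.clearUnsafe();
    return view.danglingReads;
}

int main() {
    std::printf("unsafe teardown: %d dangling reads\n", runScenario(false));
    std::printf("safe teardown:   %d dangling reads\n", runScenario(true));
    return 0;
}
```

      The unsafe path reads through the already-released first item once per remaining iteration (two items, two dangling reads); the hardened path reports none. The same ordering rule applies to any container whose elements can fire callbacks while being torn down: unlink before destroy, or otherwise make re-entrant readers observe a consistent state.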
      

      People

        w00t Robin Burchell
        jbb Jesper Bækdahl